
New Fone Xpress #1

      The newsletter of the Society for the Freedom of Information (SFI)

                    T H E   N E W   F O N E   E X P R E S S

                              Electronic Edition
                Central distribution site is Secret Society BBS
                      (314) 831-9039, WWIVNet 3460, 24hrs


The publisher, SFI, distribution site(s), and authors contributing to the NFX
are protected by the Bill of Rights in the U.S. Constitution, which specifically
permits freedom of speech and freedom of the press.

We accept article submissions of nearly any sort, about
hack/phreak/anarchy/gov't/etc.  Send mail to the publisher (The Cavalier) at any
of these addresses:

WWIVnet  [120@3460]
VMB      (301) 771-1151. hit #, then 140.
The Internet address is temporarily closed.

The printed edition of the newsletter may be available soon.  The info will
appear here as soon as possible.  To be quite honest, the printed version looks
a hell of a lot better; but as of now, only the members of SFI receive it.


Highlights for Issue #1/Jun 1991
Signaling System 7 Special Issue

   * Dialup List

   * Reference of Recent Telco Terms

   * Signaling System 7 Updates
     * SUPPLEMENT: Known areas with Signaling System 7

   * Caller ID .. What does it mean to you?

   * The State of Surveillance

   * Trend Watcher

   * Editorial

                   National Dialup Table (updated 05/18/91)

Phone Number       Owned by       Status             Description
(800) 369-3100     MCI            Dangerous          6N/7N
(800) 753-9900     ?              ? (new)            7N
(800) 657-9600     Access         Billing            7N
(800) 635-1167     ? (SDN?)       ? (new)            6N
(800) 327-9488     ITT/Metro      Safe/?            13I
(800) 950-0070     ?              ?                  6N
(800) 433-4778     ? (SDN)        ?                 10N
(800) 225-5946     ? (SDN)        ?                 10N
(800) 833-2808     ? (SDN)        ?                 10N
(800) 321-0264     ? (SDN)        ?                 10N
(800) 426-6565     ? (SDN)        ?                 10N
(800) 882-4913     ? (SDN)        ?                 10N
(800) 553-7149     ? (SDN)        ?                 10N
(800) 284-8277     ?              ?                  7N
(800) 228-4512     ?              ?                  7I
(800) 476-3636     ? (Sprint?)    Uncer., watch it   6N

* Notes on the above table:

    Description format is this standard: <Code Length><Code Format>, i.e. 7I is
a dialup that is ACN+7 digits.  6N is 6 digits+ACN.
    SDN is a type of system.  It is suspected AT&T, however some of these
dialups may be owned by other LD companies.
    The regional 950-XXXX dialups have been left out; they differ from LATA to
LATA (roughly an area code), and often the codes on them are regional.  However,
a few of them are 950-1407, 950-0511, 950-1011, etc.  1407 seems to be reliable
in CA.  I don't really recommend the use of 950s in particular - I will probably
have a table of 950s coming out in the future.
    Several people have had good results with 800-635-1167.

    By the way, any changes/additions/alerts are accepted.  Contact me or call
the SFI VMB.  PLEASE do not post any codes/etc on this box, just vague updates.

Telco Term Reference

     I strongly recommend you review this list before reading the article on
Signaling System 7.  This is by no means a complete list, just the essential
terms needed to follow the article below.

SS7 - Signaling System 7.  See article.  Note: You need the DMS switch to run

CCS - Common Channel Signaling.  Basically, sending call information across the
same line as voice.  A major part of SS7.

CO - Central Office.  The building(s) in your city that house the local
switching equipment.  Your telephone line is connected to one.

RBOC - Regional Bell Operating Company.  The seven companies that AT&T was split
up into in the early '80s.  Also known as RHCs, or Regional Holding Companies.

ONA - Open Network Architecture.  A plan to open the telephone network up to
ESPs, who will provide services beyond basic switching.  Such services might be
cable TV, fast computer data channels, etc.  See ISDN, ESP, SS7.

ESP - Enhanced Service Provider.  See ONA definition.  The ESPs, who will
provide services such as computer linkups and cable TV when ONA is implemented,
are frustrated at the limitations of the RBOCs' ONA plans.  Some ESPs are the
major long-distance companies.

PSC - Public Service Commission.  The bureaucrats who set tariffs and decide on
exactly what your local Telco can do.

CLASS - Custom Local Area Signaling Services.  Part of the RBOCs' SS7 plans,
these services, for example, include Caller ID, automatic call return and call

LATA - Local Access Transport Area.  Roughly synonymous with area codes.  Your
LATA is defined by where you can call locally without having to call
long-distance.  In certain areas, like the Northeast, this may comprise three to
four area codes.

Call Control Options - Services such as call trace and call blocking that do not
need to be run using SS7.  They can be utilized on 5ESS switches.

DMS - Digital Multiplex Switch.  One of the most advanced phone company switches
on the market, this switch is necessary for SS7.  It is produced by Northern

ISDN - Integrated Services Digital Network.  A critical part of ONA, this is
basically a plan to provide optical fiber interconnects to households.  It will
allow much more than just a telephone conversation; it will also allow (among
other things) cable TV signals and SS7 communications.                    ><

Signaling System Seven Update

    Once again, your intrepid editor is back with the current compilation of
information regarding Signaling System Seven, or SS7.  If you haven't heard
about SS7 recently, or at all, here's your chance to catch up.  First, the
technical notes:

    SS7 is an international high-speed telecommunications network signaling
standard publicly announced in 1988.  It is a protocol for digital communication
between COs, ESPs and telephone subscribers.  It is made up of four basic
levels:  the bottom three (Signaling Data Link Functions, Signaling Link
Functions, and Signaling Network Functions) control the message transfer part,
and the top layer (Signaling Connection Control) controls additional services.

    The message transfer part controls the network itself, which is
packet-switched.  It handles all call control functions, and enables COs and
ESPs to transparently switch the call internally.  For example, if AT&T's SS7
software had been working properly, the network crash on 15 Jan 1990 would
probably have had negligible effects.  The network would have been able to route
the call around the malfunctioning switch while it reset.

    The signaling connection control part supports other services that may be
provided; such as call forwarding, caller ID, call trace, etc.  This layer is
the one that will be utilized by the ESPs when ONA is implemented; the message
transfer part is controlled by the RBOCs.

    The architecture of SS7 will bring the telecommunications network into
tomorrow, and coupled with broadband ISDN and ONA, is the network of the future.
However, this will also ensure that the RBOCs have a major part in this future.
Not to mention the fact that this will put the RBOCs in control of everything
that comes down the cable.

    Now, what SS7 really means:

    Signaling System Seven will basically allow the phone company to route your
call information from point to point until your final destination.  In other
words, in 1991 (in most regions), if you wanted to make sure a system didn't
trace you back, you could call through a few diverters, PABXs, etc.  However,
when SS7 is installed throughout the nation, your call information will be
routed from diverter to PABX to system instead of stopping at the first
diverter.   Us common people can buy this feature too -- see "Caller ID - What
does it mean to me?" below.

                         Areas with SS7 as of 04/17/91
Area                         Telco
All of New Jersey            United & NJ Bell
Las Vegas, Nevada            Centel
Northeast Virginia           Bell Atlantic?
Washington, D.C.             Bell Atlantic?
Austin, Texas                Southwestern Bell
Kentucky (unknown where)     GTE
Olathe, Kansas               Southwestern Bell
    As with all our tables, any additions/corrections? Let us know.

Caller ID ... what does it mean to me?

    Caller ID is probably the most anticipated and feared part of Signaling
System 7.  This service, only available in SS7 areas (see above table), keeps
track of the last 10 numbers that called and the time and date they did so.
Example:  Let's say you are in an SS7 area.  You call a friend with a Caller ID
device (generally costing about $40).  Between the first and second ring, they
have your number.  It's as easy as that.  The problem is, when SS7 goes
nationwide, ANY system you hack/phreak/phuck/whatever pegs you within 5 seconds
of your call.  I can hear you say, "What about diverters, and stuff like that?"
Well, for one thing, there won't BE too many diverters left after this goes
worldwide.  The second thing is that if the system is serious enough about
getting your number, it can pick the call information straight up off layer 4 of
the call -- in other words, your call information, instead of stopping stone
cold at the diverter, was passed from node to node up to your intended system.
Cute, eh? .. but only if you're BEHIND the trigger.  So, what can be done about
it?  Well, I am told that PSCs around the nation have been requiring that your
local RBOC provide per-call blocking of Caller ID whenever they decide to go
install SS7.  This is good: You dial something like *67 and then the number, and
the information is blocked.  However, the Telco still gets the call info (but
then again, they always have..).  Also, you hardware people out there, I suggest
you work on finding out more about Caller ID - and figure out where in the
bandwidth this info is... sigh..                                       ><

The State of Surveillance
(part one of a series)

    I figured it was about time for an update on government and private
surveillance techniques and what you can do about them.  First, we'll start off
with ways to spy, if you will.  The all-time favorite technique seems to be
tapping the telephone in some way - whether it be from wiring your phone for an
infinity transmitter, wiring your junction box, induction tapping your wires, or
taps at the local CO, the phone line is one of the most commonly tapped items.
An infinity transmitter, aka a harmonica bug, has to be installed inside your
phone.  It works by intercepting all calls into the house and looking for a tone
around the first ring.  It then uses the microphone on the handset to pick up
what's going on inside the house, while the phone is on the hook.  What the
person would do is call your house, and while the phone is ringing, he would
send a tone down through the line.  You wouldn't hear that first ring because
the bug traps it, and he could listen to anything going on in the house.  The
way to check for one of these is to either open up your phone or to call a tone
sweep, available in most areas.  At a certain frequency, the bug would kick in
and your phone would start either ringing or making strange noises.

    Another popular technique is wiring junction boxes, aka pedestals or cans.
This is the large, 6 foot green box with the Bell logo on it with 1000
connections inside, or the small, 3 or 4 foot green box with the Bell logo on it
with 7 through 60 connections.  These boxes contain rows of wire pairs.  Your
adversary could open one of these up, find your wire pair with an ANI, and hook
up some sort of recording device or jumper cable to it.  In effect, it is like
picking up an extension outside the building.  The way to detect it is to either
look for a marked impedance drop on your phone, notice that people sound softer,
or go outside and find your pedestal and examine it.

    The perennial inductance tap is a relatively secure tap - unless you catch
your 'bugger' outside near your phone wires doing strange things, it's
undetectable.  Basically, a coil of wire and an amplifier are hooked together
and brought near your telephone wires somewhere -- he doesn't have to splice
them.  Through the principles of electric induction, he can hear everything said
on that line.  As I said, this bug is very hard to detect.

    And finally, perhaps the hardest bug to detect at all: the telephone CO bug.
If the Feds are really serious about tapping you, they won't hook up
crude-as-hell wiretaps -- they'll go to your local central office and monitor
your line from there.  It is virtually undetectable if done right; if done
wrong, you have no way of proving they did it...

    The next installment will cover non-telephone audio bugs.               ><

Trend Watcher

    This column will cover small interesting bits of information and trends that
either I or any of you notice.  Have any?  Let me know.

   * AT&T makes money selling 5ESS switches to other countries.
   * MCI 800 ANI network pegs your number in under one minute in xESS areas.
   * 18-Gigahertz transmission is now economically feasible; radio waves at that
     frequency act like light.
   * In a vote of 5-0, the FCC approves an independently-developed stage of ONA
     to the dismay of the Baby Bells, opening up the fiber network to ESPs of
     all kinds.
   * Las Vegas telephone network is the most advanced in the nation.
   * In 1989, the FCC busted 144 pirate radio station operators, both
     medium-wave and shortwave, and charged a total of $347,000 in fines.   ><

"Too much to say, and not enough space to say it in"

    Well, you're almost at the end of our first issue.  Do you like it?  Can you
write better articles? (Which won't be hard, considering I wrote all of them in
this issue..)  By all means, send them to me.  An article on IBM Phonemail? Or
maybe a doc on how the gov't is really putting one over on us this time?  I'll
take it.  You know how to get in touch with me... A slower way to do so is to
use the VMB, at 301-771-1151 box #140. You might have to press the pound key
first, I don't remember.  But in any case, don't put anything illegal on the SFI
box, like codes, etc - just news and messages to me.  By the way, if you stumble
upon a small bit of news that's important, call it and leave it there..

    The reason that our first issue is on Signaling System Seven is because this
will be one of the most important phone company developments since the invention
of the ESS switch.  Read the set of articles that are on it and maybe you will
understand why.  Loss of privacy and profiteering of the phone networks just so
Domino's Pizza can route a call from a WATS number to the closest Domino's
location nearest you so you don't have to go through the mental and physical
anguish of looking it up in the telephone book.  Brighten up, men, this is
progress at work!

    In any case, what I can leave you with are these thoughts: support the
Electronic Frontier Foundation, the Free Software Foundation, the League for
Programming Freedom, and any organization that supports open thought.  Fight the
secret policies and projects of a dishonest government that perpetuates
hypocrisy, and keep looking over your shoulder for Big Brother.         ><
