***************************************************************
* *
* *
* Phreaks *
* *
* Long Distance Phone Thieves *
* *
* OR *
* *
* The Phreaker's Handbook *
* *
***************************************************************
MCI
MCI is the Queen Mother of the long distance companys. There are
only a handful of companys that are "networked". This means
they've built their system to a point where travelers (or phreaks
can call into a local phone number and be in the "network" even
if they're three thousand miles from home. The exception is when
you're in an area that isn't serviced. Most LD services utilize
800 numbers so that you can connect even if you're out in the
boonies.
Here we have two different code formats, one for the so called
"executive" user, primarily business , the other for the average
person. Executive class entails using the 950-1022 dialup. To
make a call you need to enter no less than thirty two digits. You
dial zero plus the area code and phone number that you want, then
the area code and phone number with a four digit "security code"
at the end. It'll look like this, 9501022 (the dialup)
02125551212 (zero plus the area code and phone number ) then
7045551212xxxx (your area code,phone number and security code).
Many years ago I saw a piece of graffiti on the bathroom wall of
the Cotton Bowl. It went like this, "I've shit in England - I've
shit in France - But before I shit here again - I'll shit in my
pants." I feel the same way about this format. As a businessman,
I wouldn't waste my time trying to dial all this garbage. A real
pain in the ass. Hackers, don't find the format that tough. With
the exception of the user's telephone number and code the rest
are known quantities. You're left with fourteen numbers to hack
out. This can be reduced even further. MCI's 950 codes are good
anywhere in the country. Experienced phreaks pick an area that is
known to have an extremely high population density. New York City
is a case in points, area code 212. The number of digits has just
been reduced to eleven. The phreak will choose a prefix that is
occupied predominantly by business and cut the number down to
eight digits, which is one less than Sprint's code. I've seen
425,943,344,964,269,422,820,227,635,747,486,668,686,233,248,532,
732,306,938,255,925,678,and 564 posted on hacker boards. It seems
that Wall Street is a juicy target. The interesting thing about
hacking MCI's 950 numbers is that the phreak also gets the number
of the person who's going to be getting the bill. It's not
unusual for the hacker to call the victim on some pretense just
to find out who it is. If it's a large company who might not
notice a few additional phone calls, he'll use the code sparingly
so as not to attract attention. The end result will be years of
free long distance.
MCI's second format is pretty standard. A local dialup and a five
digit code followed by the area code and number you wish to speak
with. They've recently instituted a new "security measure". One
phreak hacked out eight codes in about an hour. He let them sit a
day before he got around to using one of them, some phreaks let
them sit as long as a month. In that twenty four hour period all
but one of them went bad. It isn't unusual to see codes go bad. A
few of them fall by the wayside due to natural attrition, people
not paying their bills or cancelling service. To see seven fall
with one blow is mathematically improbable. It means they've
been reprogramming the computers to scan the dialups and check
for activity. If a node has an activity average of fifty calls
an hour and the hacker pumps the actual amount over that
average, it'll trigger a feature in the programming that'll
generate an activity report for a system operator to read.
Furthermore, the computer will list all the phone numbers called
and the codes that connected them to the system. If the phone
numbers are identical it can safely be assumed they're being
telephucked. The report will also show a time lag of about
fifteen seconds between calls. Isn't technology wonderful?
The hacker's solution to their solution is obvious. Don't keep
dialing the same phone number over and over. The first generation
of hacker programs did (and still do) use a one number
destination. Consequently, they've set a pattern that, after
four or five years, the phone companies have finally noticed. It
takes about twenty minutes of reprogramming to beat it. Hacks
have now started using large files dialups similar to the one in
the appendix. It's not too difficult to blitz the call counter
feature either. MCI doesn't publish their dialup numbers except
to their customers and then they only give them one at a time.
Their ratio seems to be figured at around one dialup for two
hundred thousand of population. To find other dialups all one
needs to do is scan the prefix surrounding a known node. Hacks
are now rewriting their software to spread their hacks out over a
wider area. Fifty to one hundred hacks on one node and then they
move to another. The five digit code hacked on a local dialup is
good only on that node. A New York code won't be good in
Cleveland. It took MCI several years and a ton of money in losses
and programming time to come up with this little security wonder.
It'll take a fifteen year old phreak twenty minutes of
reprogramming at a cost of zero bucks to bust it. Kinda makes you
wonder doesn't it?
What of the one code that was still good? The hacker didn't touch
it. He realized the system had detected him. It wouldn't be hard
recognize his pattern of calling. He knew the good code might be
"trapped". Any activity on it would have been traced (illegally).
If he stayed on the code long enough for the security department
to process the necessary paperwork he would undoubtedly be
busted. He decided that it was wiser to protect himself and those
that he called by not using it. He noted the number just in case
he should hack it out again at a later date.
Some psychologists say that names can affect the development of a
child. I knew two kids when I was in school who's names are
etched in my memory forever, Jock Strap and Harry Balls. Their
parents should have been shot. The president of MCI is Orville
Wright. Orville has his work cut out for him.
GTE SPRINT
Sprint is owned by General Telephone. If you've ever lived in a
GTE area you can attest to the absolute crapola you've received
as service. Sprint has advertised good connections and rightly
so. Their international access is equal to AT&T. Like MCI and all
the other LD services, they don't go everywhere. They've
concentrated building their network in the metropolitan areas
where the money is so you country bumpkins are going to have to
wait a little longer.
I recently spoke with Sprint's security department. They have a
service oriented philosophy. They don't want any restrictions on
data line users. A study indicated a respectable percentage of
Sprint customers were computer operators. Sprint maintains a
considerable number of dialup ports. I estimate the ratio is one
port for each forty thousand of population. As of this writing,
Sprint has not completed it's national 950-0777 setup.
Consequently, she still has a large number of local dialups in
the system. Scanning to either side of a local non 950 dialup
will yield a wealth of unpublished nodes.
Sprint's code format runs 9 digits in length and also uses
prefix qualifiers . In this case a three digit coding identifies
the physical area of the country the code has been assigned to.
The next 4 digits are presumably it's record place within their
computer system. Therefore, xxxXXXXxx would translate to a three
digit prefix, followed by a four digit record number, with the
remaining two digits being what used to be a travel code.
Hackers report success rates of one per 300 hacks using the
random number approach, a bit on the shabby side. Success ratios
on MCI are around seven percent, or seven per hundred
hacks,actually pretty good. On Metro three to four percent is
about right. Essentially, Sprint is spreading their valid
accounts out over a wider area, keeping the density low, thus
making them harder to find. The hacker can increase his return
ratios by using the prefix and suffix technique. His first time
on the system he'll use a random hack, searching for a nine digit
code. Then use the first three digits of the code as a prefix,
and the last to digits as a suffix. All he needs then to hack is
the four digits in between. The return rate is currently one per
two hundred hacks using this approach, a 33% increase in
efficiency.
Sprint has achieved a reputation for vigorously prosecuting
phreaks. Yet, they are as limited as all the other companies.
They rely mainly on fear. Occasionally, they'll snare some kid
who overstayed his welcome. They make a big deal giving the
impression they're busting thousands a day. This just isn't so.
Phreaks only get caught when they get stupid or lazy. You can't
blame Sprint for capitalizing on some phreak's lack of brains.
Conversely, you can't blame the phreak for cashing in on Sprint's
lack of smarts.
As an update, Sprints 950 dialups require 9 digits. Local nodes
used to come in at 7 and 8 digits. As the local dialups disappear
the 9 will become the norm. Sprint still has no specialized
security systems. The rumors of profound phreak snaring abilities
are basically untrue.
They win a few and lose a few, although it appears they lose more
than they win.
Allnet Communications
Allnet is a run of the mill telecom company. They utilize the
standard 6 digit format and can be found at 950-1044. They appear
to have developed or purchased software for analyzing their data
much the same way Mci has. Furthermore, they seem to have
established a customer profile with which to compare current
hacking activities against the record of past calling habits.
A hacked code will remain valid for three days. It seems to take
that long to run the programming.
Additionally, a code that connects for only a few seconds will be
invalidated within 24 hours. The obvious solution is stay
connected for several minutes. It works. On the user profile
strategy, there is no means of defeating it except to rape the
hell out of the code from the minute one lays hands on it. Those
that adhere to the I C's Rules of Phreaking wouldn't care since
they don't stay on a code more than three days any way.
Itt is Internation Telephone and Telegraph and operates out of
Seacacus New Jersy. They've been the the telcomunications
business for many years and have specialized in telix type
services.
Itt's connections aren't particularly terrific for data
transmissions. Phreaks have complained of excessive line loss
over relatively short distances. The company's strong point is
and will continue to be their telix activities.
The code format for this service is different. In an obvious
attempt to deter phreaking, they've departed from the usual node,
code, number arrangement. Instead they utilize a reverse
arrangement, node, area code and number, then the code. From a
practical point of view there is little difference. From an
operational viewpoint the phreak must chain together his dialing
sting instead of using just one. I others words, instead of
punching one macro to output his call, two are required.
The coding uses a prefix and suffix as area qualifiers. The first
two digits of the code refer to the area of the country the code
has been assigned. Consequently, most phreaks prefer to use the
prefix in their hack attempts. The object is, of course, to
improve effieciency.
Itt has no special security considerations as far as traces and
traps go. They have instead emphasized getting the phreak
disconnected as quickly as possible. Most Itt's will go bad in
three days (See Chapter on Updates). Hense it is impossible for a
phreak to be on the system long enough to require concern about
traps and traces.
Itt is expanding it's overseas network and is offering services
to Singapore as well as the regular European countries.
ITT LOCAL DIALUPS
201-463-0900 305-545-8895 513-228-6506 717-234-0718
201-589-6343 305-764-4522 513-651-1823 717-299-4796
202-565-4110 312-364-6020 515-284-5040 717-347-9135
203-324-1172 312-922-1013 518-462-2068 717-825-2761
203-333-2722 313-662-2041 602-257-8200 803-233-1351
203-527-7389 313-964-2843 608-258-8900 803-256-3060
203-787-0170 314-656-0800 609-338-0340 803-573-7639
203-794-1085 315-471-2900 609-989-1631 803-577-6728
203-866-8411 316-267-1088 612-375-0690 804-355-1433
209-445-9300 317-637-5223 614-224-0024 804-380-9038
212-248-0151 401-273-8263 615-327-2511 804-627-3596
214-651-0609 404-525-0714 615-521-7600 805-395-0123
215-376-4864 405-525-7731 615-697-7000 813-223-5380
215-433-2166 408-280-1301 616-458-2472 817-338-4749
215-563-3256 412-261-4930 617-357-5562 904-358-8522
216-375-9040 414-933-5680 702-323-7191 913-371-1300
216-621-0490 415-495-2816 704-375-4311 916-448-6606
219-237-1700 415-858-2750 713-862-5067 918-585-5001
302-654-2809 502-589-9360 714-973-8032 919-378-9489
303-861-4411 504-566-8300 716-325-1180 919-725-3532
305-425-7791 512-474-4397 716-845-5150 919-832-9438
Listing of Cities Serviced by ITT
Allentown Anaheim Annapolis
Athens Atlanta Baltimore
Boston Brooklyn Cambridge
Camden Charlotte Chicago
Compton Dallas El Monte
Elk Grove Fort Worth Fort Lauderdale
Gainesville Galveston Garden City
Gardena Gary Glendale
Greensboro Greensville Hackensack
Houston Inglewood Jacksonville
Joliet Kankakee La Plata
Long Beach Los Angeles Lynchburg
Miami Morristown New Brunswick
New York Newark Newport News
Norfolk Norristown Northbrook
Oak Brook Oakland Orlando
Palo Alto Philadelphia Reading
Richmond Rochester Rome
Rosenberg Sacramento San Jose
Santa Monica Santa Ana Scranton
Sherman Oaks Spartanburg St. Petersburg
Tampa Thousand Oaks Trenton
Van Nuys Washington West Palm Beach
White Plains Wilkes-Barre Wilmington
Winston-Salem
Western Union Metrophone
Metro was everyone's whore. Metro never said no. Any too bit
phreak could bang a metro code. The system was of interest to
business primarily due to there method of billing breakdowns.
Metro has been raped to the tune of tens of millions in phreak
related losses.
Metro is currently, for phreaking purposes, offline. It's unknown
whether she has changed her code format or has simply closed
shop. Her previous code format was a standard 6 digit affair. The
equipment used was old and had very poor line quality. This was
apparent in 1200 baud data communications but would not
necessarily have been noticed on voice transmissions. The listing
for her networked dialups is included below.
201-427-1100
201-487-3155
201-531-7900
201-643-2227
201-825-8852
201-828-8660
202-737-2051
203-222-1148
203-323-1468
203-522-0003
203-748-0770
206-382-0910
212-732-7430
212-950-0220
213-202-6117
213-404-4100
213-618-0231
213-624-8884
213-629-1026
214-595-4282
214-742-4500
215-351-0100
215-770-8940
216-374-1001
216-861-5163
219-237-4805
219-420-0011
219-882-8901
301-659-7700
302-429-9439
303-623-5356
305-326-3300
305-462-3530
312-356-4480
312-396-2550
312-450-5875
312-480-8901
312-496-2431
312-578-3900
312-679-8120
312-844-6981
312-853-4700
312-888-5580
312-891-8083
312-981-8870
312-986-0566
313-963-4847
313-996-8900
314-342-1130
315-474-3911
317-635-6284
401-272-0356
402-422-1120
404-223-1000
405-232-9011
408-947-7606
409-833-9331
412-261-5720
414-277-1805
414-633-3636
415-499-8086
415-579-6001
415-676-1062
415-724-3170
415-794-4800
415-833-9200
415-836-6900
415-852-0900
415-956-0162
419-243-1046
502-561-0900
504-566-8500
512-224-9600
512-474-6057
513-228-1576
513-241-1747
516-933-9700
516-950-0220
518-436-6200
602-254-2930
602-323-0502
606-231-8961
608-251-9596
609-338-0100
609-641-0004
609-989-1900
612-370-9000
614-224-0577
616-242-9580
617-950-1020
618-235-8870
619-233-0327
702-329-1025
707-584-4931
713-224-9417
714-527-7055
714-591-9351
714-594-9311
714-877-6641
714-972-9515
716-852-9200
716-950-1020
717-238-4731
717-348-4300
717-846-6304
718-950-0220
804-225-1920
804-623-9004
805-968-0700
806-379-8271
806-762-0004
815-966-2401
816-471-1999
817-322-1422
817-338-1639
817-565-9202
817-757-2002
818-350-1028
818-954-8699
818-992-8282
913-621-3186
914-684-0268
915-532-0025
915-561-5481
915-658-2943
915-676-0078
916-443-6921
918-587-6770
Thrifty Telephone Exchange
TTE is an example of a mom and pop telephone company. It services
a very small area and utilizes 800 as its sole source of out of
the area access for its customers. The 800's are also more
expensive for the customer.
TTE offers two dialups in the 818 area, 902-0950 and 908-0951.
These are located in Van Nuys, California, a part of the City of
Los Angeles. She utilizes the standard 6 digit format.
TTE is a good example of a company hackers just won't mess with.
Not because of any great security measure or because of some
ultra sophisticated phreak catching ability, but simply for the
reason they don't have enough customers (valid codes) to make the
effort worthwhile. TTE has a rough road to hoe. It seems too
small to be of interest for a larger company to gobble up and is
unable to compete on the grander scales of Mci or Sprint. She's
bound to belly up sooner or later. This situation is not unique
in the industry.
Access Communications
Access is a company in the genre of TTE with the major exception
it appears to have the benefit of more capitalization. There
operate out of the 801 area and offer a local dialup at 801-359-
3900 as well as national access at 800-548-0003. The code length
is identical to ITT, 7 digits. The prefix may safely assume the
use of prefix qualifiers.
Access' format is standard with one minor exception. Node + code
+ 1 + area code and destination number. Like ITT's reverse
format, the minor deviation from the norm is bound to save the
telco money. The problem all these companies have is they must
make the format easy enough for an idiot to operate and the MUST
make the dialups and formats public knowledge. In doing both they
make their systems vulnerable.
U.S. Telecom
U.S. Telecom was known as the "Metro" of the 950's. Codes were
easily hacked and density varyed in direct proportion to the
population of the area serviced. The Director of "Code Abuse" is
a fellow named "Frank Porko". It seems one of the prerequisites
of being in telecommunications is you have an odd name. Frank
was recently promoted to this exaulted position. U.S. Tel isn't
making money, so the company has been swallowed up by a bigger
fish, Sprint. Frank didn't strike me as overly bright on the
subject of phreaking. The company has tried the "Carrier Blast"
only to find it worked for a couple of days and the phreaks by
passed it. It can still be found at the end of the dialing
sequence for their 950. Their latest security gizzy is to limit a
caller to four tries before it routes him to a dummy line. Sound
familiar? Sprint does it with two tries and it doesn't work for
them either. Ironically, phreaks in the military are hurting
USTel much worse than the civilian poplulation. It appears
government computers are being put to uses other than those
intended. U.S. Tel's 950-1033 dialup is already famous among
phreaks. They've placed qualifiers on the codes, even so the
return rate runs around five per hundred hacks. Five percent -
not bad. The node uses the standard six digit format. I spoke
with one of their chief programmers who was trying to hack out
codes. He complained the only code he could find was his own.
This explains why the company's response time is so pathetic.
Phreaks and computer engineers thinking at different levels. This
supports the old saying of "Set a Theif to Catch a Thief".
U.S. Tel sports two 800 numbers, 800-345-0008 and 800-245-0033.
These babies are infamous. The 345 number used to have codes
packed like sardines, every tenth (fifteenth at the most) number
was a good code. How could you lose? After several years of
getting their asses kicked they finally changed the format and
wised up a bit and went to a 14 digit code, ie. AT&T format. The
format is constructed of two sets of three digits followed by two
sets of four digits, XXX-XXX-XXXX-XXXX. We can assume the first
sets of three are area qualifiers, actually area codes. USTel
doesn't use the actual area code as do AT&T and MCI. Area codes
818 and 714 return as 527 and 662 respectively. Additionally, the
three digit prefix and suffix are also bastardized. Hackers have
deduced this is the product of a mathematical formula indexed
from the users area code and phone number. The four digit
"security code" is obtained by the same formula. A group of
hackers who call themselves the IC (Inner Core) are working on
cracking this coding. There are fifty of them. This translates to
fifty intellegent people, fifty computers all dedicated to
breaking the MCI/Ustel code. It would seem it is only a matter
of time before they succeed. It's their belief they will also
reap the AT&T formula in the bargain. This stems primarily from
the fact MCI "borrowed" AT&T's format.
Hackers love a challenge and will rise to one almost at the
dropping of a pin. Code cracking is what they love best. I have
no doubt that the IC will succeed.
Update
The 14 digit format is being used for new accounts. Older
customers still have their 6 digit codes. US Tel has never had
terrific connections and under Sprint this has not improved.
Two digit prefix qualifers are used. The calling areas are very
small. Sprint is still the best bet for away from home phreaking.
SBS SKYLINE
Each long distance company tries to promote itself in different
ways. Skyline's approach is two fold, first price (so what's
new), and secondly the fact they use satellites to get their
calls to their destinations. This isn't terribly impressive.
Never the less, they obviously feel enough people will be
impressed it's worth mentioning. Point in fact, most of the LD's
use satellites. It would be impractical, not to mention
expensive, to use AT&T's network for 100% of their traffic.
Skyline has a well established dialup at 950-1088. Her format is
the standard 6 digits. Hacks report it is a fairly easy system.
It appears she has divided the country in areas which are rather
large geographically. A code that originates in one area will be
workable two to three hundred miles from its point of origin. The
six digit code will also work on her 800-446-4462 dialup. There
are reports she also uses a seven digit format collateral to the
six.
Skyline has a reputation for vigorously calling the destination
numbers after more than ten calls have been placed. This is the
most they can realistically do. One must assume they will score
a certain percentage of people who are willing to give them
information about the origin of the calls. Yet, as far as
experienced hacks and phreaks go, you can be equally sure the
trail will stop there and the possibility of back tracking is
nil, if not impossible. This problem is not unique to Skyline.
She appears to be your run of the mill long distance carrier
without much to make it especially noteworthy. Like all other
services, she isn't making money and is playing the merger game.
I predict by 1988 you will have three majors in the business,
AT&T, MCI, and Sprint. The rest are fish bait waiting to be
gobbled up by the larger fish. See Updates for further
information.
Alliance Teleconferencing
Alliance is a service of At&t. It provides people, usually
business with what is essentially a party line; several people
can join in the same conversation at the same time. It's an
outstanding tool for business. The phreak approaches Alliance
essentially from the same perspective, except that phreakery is
the business.
As a service of At&t, Alliance is approached indirectly through a
PBX or a diverter. The origination phone number of all calls
place to Alliance is supplied by the ANI - Automatic Number
Identifier. Placing the call through a PBX insures the ANI, and
the people receiving the bill, will be someone other than the
phreak.
AT&T offers two basic conference services, Alliance 1000 and
Alliance 2000. The former is your basic voice communication and
the later has special graphic abilities. The service operates in
all fifty states, Mexico, Canada, Puerto Rico, Bermuda and the
Virgin Islands.
To make a conference call the phreak will need to have the phone
numbers of all the parties. Since this is not always desireable,
the controller can route the call through a number of loops, thus
insuring the location of the phreak remains unknown (See Loops).
The controller will then call 0+700+456-1000 for an audio
conference. He'll then dial in the phone numbers as you would any
At&t call. When the party answers, he'll tell him to hold on
while he connects the rest of the group. He'll hit the # button
to continue adding people or the * to cancel his input. He can
resume adding callers at any time by hitting the # button. Ending
a conference is easy, everyone hangs up.
A national conference was held after the 415 bust to discuss
added security measures to counteract the sting techniques used
by the Fremont Police Department. Elite phreaks from coast to
coast were dialed in. The phreaks saw the need for immediate
discussion to plan their future actions and to discuss the
details of the bust. One of the parties to the conference had
actually seen the hacker known as Trask as he was being arrested.
Trask's down fall held vital concern to many on that conference
as he held many personal phone numbers and names in his data
base. The police did not obtain that information nor did Trask
make a deal with them. Needless to say he was prosecuted. Other
hackers involved in the 415 bust did make bargains with law
enforcement which resulted in wide spread arrests. The Fremont
Sting has successfully been used in Texas and there is every
indication it will be used elsewhere.
Alliance provided the means for these hacks to meet and discuss
their vital concerns. Some company with a PBX was billed for the
calls. It would be accurate to say that while the 415 conference
was called under "emergency" conditions, most conferences are
little more than bullshit sessions. Some pranksters like to play
games like dialing six or seven operators and listening to the
say, "Operator", "Operator", "No I'm the operator can I help
you?". This can go on for five or six minutes before they realize
they've been cross connected. Others like to call their favorite
software company and taunt them as to how they've cracked their
latest security measures. These applications are rather juvenile.
At&t Security is a feared aspect of the phreak's existence. With
the exception of the PBX and the Diverter, Ma Bell holds all the
cards. Tracing is a snap. Even so, At&t doesn't appear to be a
mean mother in the tracking down of her Alliance phreaks. The
company with the PBX is going to be stuck with the bill and it
appears the phone company has little incentive to follow the
scent.
Phreaks of fifteen to twenty years pass used to place calls and
have them billed to phone booths. ESS has made that game
obsolete. However, Ma Bell didn't sit still for the theft. They
dropped the billing on the party who received the call. If then
didn't pay, they lost their phone service. The obvious option was
to give them the name and location of the person that really was
responsible for the call. There are no reports that this
collection device is still being used. From the phreak's vantage
point, Alliance is pretty safe.
Another old method of phreaking from payphones, and purported to
have dome from Abby Hoffman, was to place a call from a payphone
and to reverse the handset of an adjacent payphone to signal the
operator that money was being dropped. As the phreak dropped the
coins into the phone he wasn't placing the call from, the clinks
and cur-chunks would signal her the correct amount had been
deposited. This was corrected by simply making the telephone
cords shorter.
Cur-chunks are out and tones are in. So the technique now has a
new twist called the Red Box. the box is a simple, handheld,
battery operated tone generator that duplicates the tones used to
signal the operator the money has actually been placed into the
payphone. Utilizing 1700 hz and 2200 hz (Duel Multi Frequency
Tones), the box signals that a nickel has been dropped by pulsing
the frequencies at 66ms one time. A dime is recognized by 66ms on
once, off once, and on again. This produces two "beeps". The
quarter is shown at 33 ms off and on five times.
The newest phone technology also brinks greater phreaking
opportunities. The Cordless telephone is one example. These units
use two frequencies, one to send and the other to receive. the
FCC restricts the number of frequencies available so that a trial
and error approach in hacking is feasible. Most people don't
realize a cordless signal can carry for miles enabling others to
hear every word of their conversations. A properly equipped
techno-phreak can zero in on the signal, locate the source, and
screw around until he find the correct "in" level. The result is
a Godzilla of a phone bill for the unsuspecting owner of the
cordless phone. Most phreaks wouldn't go to this kind of trouble.
Your technoelectrical wiz kids will.
Ess, while being the scourge of phreakdom, has also enabled him
some benefits. The payphone games and 950 phreaking are just two
examples. ESS has, however, completely obliterated the use of the
infamous Blue Box. Phone company computers are programmed to be
sensitive to the 2600 hz tone needed to seize a trunk line. And
818 system operator (an adult) boxed one call on ESS. He was
detected and traced but not arrested. The second time he box, he
had a knock on the door and was arrested by the local police who
had been accompanied by telco security. It's estimated by the mid
1990's the entire country will be on ESS. Today, only the major
metropolitan areas utilize the service. Crossbar is still the
norm for the boonies.
Ess is a technological marvel, a logical step in the ever
evolving future of the phone industry. Yet, it has some very
scary aspects. The ability for abuse is tremendous. In the movies
you see the cop saying "We didn't have enough time for the
trace." Not any longer. Traces, wire taps and much more can be
programmed to be automatic. An operator at a console can push a
few buttons and Zap, no civil rights. I knew a woman who's
brother was a highly placed official in Pac Tel. Her boyfriend
had broken up with her and she was livid. The boyfriend's
communications were traced and tapped as a "courtesy" by the
brother. There is a history of past abuse which spawned the few
laws designed to protect the consumer. However, just as there are
laws against wire fraud, there are plenty of phreaks breaking
those laws. The phreak can hide behind the technology of the
computer and use it to break the law. So can your phone company.
Murphy's law is applicable here, if it can happen it will.
Government has a philosophy of regulating and controlling the
hell out of small and medium sized business. Large politically
powerful corporations are afforded the convenience of policing
themselves. A classic case of the fox watching the hen house. If
the public were even remotely aware of the capabilities of ESS
the uproar would shatter Washington. Phone services have been
taken for granted. The combination of ESS and the Data Services
who sell their information over the network makes it impossible
for anyone to have true privacy. TRW is a prime target of the
hacking community. Hacks abuse that data service and others for
their own informational needs. It logically follows that any
agency with the inclination could use those services to create
non existent people or to kill the electronic lives of real ones.
The computer gives spying an entirely new dimension. Believe it,
Big Brother really is Watching!
with the bill and it appears the phone company has little
incentive to follow the scent.
THE IC'S RULES OF PHREAKING
These are the standards of hacking employed by the Inner Core.
The text comes from a data file written by and for IC members.
HACK YOUR OWN CODES.
Don't leech from someone else. Having codes is like having sex,
if you don't protect yourself you'll end up with a venereal
disease. You have no idea where a code has been before you got
your hands on it, when it was hacked or how long it's been in
circulation. Time is a very important factor, the longer a code
has been in use, the greater the risk.
DON'T STAY ON A CODE MORE THAN THREE DAYS.
Don't give the suckers an even break. To run a trace, MCI needs
to shuffle a lot of papers. Ain't that nice. Paper work takes
time, and it's highly unlikely they could accomplish the feat in
three days. It's even more unlikely they would even know
they've been phreaked for at least a week. All company's have
thirty day billing cycles, if you started using the code the day
after the bills went out, you'd have twenty nine days left to
play with it. The customer gets his billing and bitches up a
storm. The company now has the option of setting up a trap, but
alas, they notice you haven't used the code in three weeks and
have no destination number to PIN. If you phreaked the code one
day before the billing cycle ends, the customer may notice
right away. Figure you have two days for it to reach the
customer. If he yells right away it takes a few more days for
the security department to process the paperwork for the trace.
By that time you're long gone.
DON'T STAY ON A NODE MORE THAN THREE DAYS.
If you insist on burning the same company, you're going to
develop a pattern. You call your girl friend in Alaska every
damned day using the same company. It doesn't take a genius to
predict what you're going to do tomorrow. They know where you
enter their system and where you're going to. You've given them
everything they need to run a good trace. Spread the wealth a
little. Use US Telecom, then ITT, Lexitel, Skyline, Metro and a
few of the 800's if you like. Spread it out. These people have
no way of comparing. So you can screw Peter, Paul and the rest
of the Apostles with no worry. Just don't be a dip stick and get
lazy.
Everyone is worried about THE TRACE. Don't be. It's no big deal
for AT&T, after all it is their network, but for the leech
services it's an entirely different matter. This is why we don't
mess around with AT&T except through secondary accesses like
PBX's or Diverters. This is the scenario MCI's security
department will run down. They call up a number you've
called.......
"Hello, this is Inspector Bullshit with MCI. Did you receive a
phone call from the 212 area code on November 22, 1945 at 4:00
A. M.? "
"You didn't?"
"We've traced fourteen calls to this number in the last
two weeks, by the way, who am I speaking with?"
"Well Mrs. Blabbermouth, perhaps someone else in your household
received the calls? "
"I see, your daughter has a boyfriend in New York.
"I'm afraid he's in some serious trouble Mrs. B. If
you'll cooperate with me we won't pursue this matter with your
daughter."
"That's correct, little Susie Blabbermouth won't be involved. It
would be a shame to cause you folks trouble, after all she
didn't actually make the calls.""
All I need is the boy's name and phone number."
"Let me see if I have that right."Jimmy Phreaker at
212-555-1212?"
"Thank you Mrs. B you've been very helpful."
The point is, if Bullshit had really run traces he wouldn't be
calling to con the information. The exchange is typical of those
used by most phone companys and illustrate several important
issues.
Make sure the person you're calling is cool and there's no
chance someone else could rat on you. It is very unlikely MCI
will make such a call if you use the IC's Rules of Phreaking.
Yet, if it were to occur these are your friend's options...
1. HANGUP
2. "FUCK YOU"...THEN HANG UP
3. "I WAS WATCHING MIAMI VICE AND YOU INTERRUPT ME WITH
THIS CRAP. FUCK YOU"....HANG UP.
4. If you want to be nice about it; "I don't know what you're
talking about.....HANG UP.
The problem is now resolved. Remember these guys are like
rabid dogs in heat, they're excellent con artists. Believe
nothing you hear. You don't have to talk to them. If they had
anything on you they'd be standing at your door with a search
warrant. Their abilities in this area are very restricted. They
operate by manipulating your fear and you have nothing to fear
but your own fear. Don't try to come up with some lame
explanation, you know you received the call and they know it. So
don't make an ass out of yourself trying to explain away the
obvious - HANG UP!
What happens if your are caught?
Congratulate yourself on being an asshole. The number of phreaks
caught are so small you have now qualified for membership in a
really elite group of jerks.
Inspector Bullshit now has several options.
Grab your computer......... this will be done no matter what.
Grab your data files and any hard copy you have laying around.
This to help identify other subversives and also to supply
incriminating information about you.
Try to scare you into a confession. Standard operating procedure
- keep your fucking mouth shut. You have nothing to gain by
talking and a much to lose.
If you're a minor you can forget about jail time, an adult
is looking at a couple of weeks in the slam - may-be.
Realize this, they don't really want your ass as much as they
want THE MONEY. That's right boys and girls the buck talks loud
and clear.
If you're caught, you've broken every one of the IC's
rules. At worst you're looking at a couple of thousand in phone
bills. Get a lawyer to do your talking for you, that'll be about
a five hundred dollar retainer. If the company is willing to
settle for the money, and your computer, pay it - it's cheaper
in the long run. If they want you in the calaboose then fight
it. As a first time offender the odds of you actually getting
time are slim. Incidentally, Inspector Bullshit will drop a
little extra on the bill for good measure. Have the attorney
demand they produce their records of all "alleged phone
conversations".
In fighting a phreaking case you'll want to have a jury trial.
The technology behind the running of a trace is so
complicated even a halfassed lawyer could confuse the
average layman. He can make Inspector Bullshit describe
switching down to atomic subparticles if he wants and by the
time he gets to how a trace works the jury would be so confused
you'd skate on a "reasonable doubt". It would be
interesting to see if a sharp shark could subpoena the actual
equipment used to run the trace. I don't think MCI would
care to have one of their computers offline for the time it
would take to have "independent" examiners checking out the
functionality of the switching mechanisms.
To phreak or not to phreak. It's a question only you can answer
for yourself.
The following are electronic BBS conversations at a Hacker
Bulletin Board. They have been left intact (misspellings too)with
the exception of codes and phone numbers which could conceiveably
get my ass in hot water.
The Hacker network of communication is loosely knit but extremely
effective in getting information circulated quickly.
Lady G (Lady Godiva) is the only female I've ever seen on a hack
board. Amazingly she conned her way inside, yet turned out not to
be a threat to hackers even though she is employed by government.
While not to much to say just heres a sprint
(Code Deleted)
Also Bill the Cat do you know some people down in Florida like
Blackbeard or been on some off my Conferences?? Let me know.
Where i live here in Green Bay Wi, they are busting our town for
illegal use of the phone. The number they are getting kids
(leeches on) is 1-800-437-7010 it is GCI of Ancrage <-spelled
wrong Alaska and so far they have busted 400 people from one
school and have questioned 1500 its like a bad dream oh
who cares not me. Just be careful and dont use it unless you fell
lucky. All the codes used are in the 467xxxxx area so may be
other areas are safe.
later
bb
Bobo,
Leave me mail. Id like to get a
sprint Code(New). I got a new Pbx,
maybe old. but it works fine..
Ak
Bobo- Why are you so worried About
Lady G? Does she know alot about you
or something?
I can run CNA's in 415, Give me e-mail and I'll find out whatever
you want to find out about her BOBO. Have you spoken with her?
How do you really know this person is over 30 etc......
Enter the name of the person you wish
to send mail to:
What is the subject of this letter?
Mail:
You may enter up to 100 lines of text.
Press CTRL-A or CTRL-Q when done.
The numbers for Lady G are 415-(Deleted) and
415-(Deleted).
She is over 30 because
1. She's uses expressions that are 15 years out of date.
2. I recoginize this becuase I too am 15 years out of date.
I don't like people getting busted. She pirates
but that's about it. I wonder why she's on so many hack boards.
Motor City went down right about the time she logged on.
I might be totally wrong, BUT, I want to check it out just to be
safe.
You can call me Mr. Paranoia. She rattles my cage and
it makes me nervous.
Let me know what pops.
Here is an interesting story:
AUSTIN,TX--Law enforcement officials here have joined a growing
number of police agencies nationwide running "sting" operations
to catch persons using bulletin boards for illegal purposes.
Based on information posted on a bulletin board it operated, The
Austin Police Department said it has been able to turn off two
pirate boards here and expects shortly to make a number of
arrests for misdemeanor violations of Texas' newly enacted
computer crime law.
For more than two years, the police department secretly ran a
board called the Underground Tunnel, which was set up to appear
as a normal BBS run by a Sysop called "Pluto". But late last
month - to the surprise of the board's more than 1,000 users -
Pluto was revealed as Sgt. Robert Ansley, a seven-year veteran of
the Austin Police Department!
"Most of the users were people interested primarily in several
on-line fantasy games or in electronic messaging." Ansley said.
"To get to the levels where people posted information on how to
crash corporate sysems, the user had to ask for increased
access. We were very careful not to solicit or entrap anyone
into leaving illegal information."
The Austin Police Department disclosure caught most of the BBS's
users by surprise. "I liked the board's electronic messaging
capabilities," said user Michael Whalen, the managing editor of
the Daily Texan, the student newspaper of the University of
Texas, here. "I was really surprised at how the officer was able
to pull this off."
What the police found, according to Ansley, included access codes
belonging to the world's largest credit reporting organization,
TRW Information Services Systems Division of Orange, California.
"Most offenders seem to be real big on TRW," said Ansley.
Sting and intelligence gathering bulletin board operations are on
the rise throughout the country, according to law enforcement
officials. Several police departments nationwide have already
used bulletin boards to track down and arrest microcomputer
users who post illegally obtained calling card codes, mainframe
access procedures and passwords, or other confidential
information. According to one high-level West Coast law
enforcement officer who declined to be identified, federal
officials are now joining local authorities in running b5lletin
boards (BBSs) in several key metropolitan areas.
"You better believe law enforcement agencies are interested and
in in some cases, running bulletin boards," said Dan Pasquale, a
sergeant with the Fremont, California, police department. Last
month, police in Fremont, capped three and a half months of
bulletin board operations by arresting eight individuals for
alleged credit card fraud, misuse of telephone credit
card operations, and technical trespass. Pasquale said most
corporations whose passwords or calling card numbers were posted
on Fremont's BBS were unaware that their information had been
compromised.
** Hackers Note Here** Pasquale actively solicited the posting of
codes, passwords, credit cards. Qualifying as entrapment. More
experienced hacks pulled out before he sprang his trap. More than
200 people were arrested coast to coast. Only one was elite and
he beat the rap. The rest were rodents.
Although police are pleased with their results, some users say
they feel the sting bulletin boards are unfair to both the
innocent users and the suspected criminals alike. Whalen said
students at the University of Texas used the board extensively,
andhe claimed that some people accused of posting access codes
and other information on the board felt they had been entrapped
when they discovered that the BBS was a police sting operation.
Whalen also said that some users were concerned about the privacy
and sanctity of electronic mail left on the board. "Ansley said
users are foolish if they don't think a sysop reads the mail on
the board," he added.
Indeed, as police turn increasingly to bulletin boards to catch
suspected criminals, the issue of entrapment has also become a
growing concern, one to which police are sensitive.
"At no time did the police department urge users to leave access
codes, applications, or passwords for corporate computers on The
Tunnel," Ansley said.
To prove entrapment, a suspect would have to clearly show that
the government agent offered some type of inducement to promote
criminal activity, said Jim Harrington, the legal director of
the Texas Civil Liberties Union here. "The whole area of police
gaining information on [criminal activities] by reading
electronic mail is very interesting."
Fremont police held a series of meetings with a district attorney
before they started a board, according to Pasquale. "We
established a point where entrapment began and made sure we
never crossed that point, and in fact, messages on the board
were scripted in conjunction with the district attorney's
of
Ahem, let me hasten to point out the Gemini System is NOT a
police BBS!
Well I don't know if anyone has heard this but,
I have heard that Infocom will start (or may have started)
calling AE lines to see if they contain any infocom software.
If so they download it and check the serials, and bingo if a
pirated version then plain and simple YOU IS BUSTED!
oh well anyone else know of anything more, I picked it up under
discussion at a bbs.
In The News
Press reports of hacker misdeeds seem to be written in flavors
which border upon awe to contempt. It depends on the publication.
Newspapers ten to permit more editorializing. Between the two
extremes there is a point of reason. I've often wondered, "If a
fifteen year old kid can break into a 'secure' government
computer, what could a fully trained enemy agent do?" It's a
reasonable question.
Virginia - A fourteen year old hacker who called himself Phineas
Phreak was the first to be prosecuted under the state's computer
trespassing law. Arrested for hacking at a Bulletin Board, he was
placed on one year's probation and ordered to pay $300.00 in
compensation to the board's operator, Allen Knapp.
Milwaukee - A hacker group who called themselves the 414's after
their area code were arrested by FBI agents and found to have
access to more than 60 computer databases. These included a
California Bank, a cancer center and the Los Alamos Scientific
Laboratory.
California - Stanley Rifkin a computer consultant for Security
Pacific Bank, stole the bank's passwords and liberated 10 million
dollars from the institution. He then erased the electronic
records of the transactions. While Rifkin was not a hacker, he
hold the distinction of being the country's number one computer
thief. His arrest was not the result of his computerized
misdeeds, but instead, his lack of expertise at being a thief.
Washington - The United States Government has become the nation's
leading user of computers. As such, they are a target of internal
thieves who have used their systems to divert funds for their own
uses. A number of arrests of computer related theft has led the
government to believe they haven't scratched the surface yet.
It's estimated that only one in 22,000 computers crimes will ever
be prosecuted.
San Diego - A computer hacker, Bill Landreth pleaded guilty to
tapping the GTE Telemail network in Vienna, Virginia. Known as
"The Cracker" he agreed to cooperate with Federal Investigators
in a larger investigation. Four teenagers from Irvine, California
were subsequently arrested and named Landreth as their source of
information on hacking. Landreth has since written a book "Out of
the Inner Circle". The four kids from Irvine don't receive
royalties.
TRW - Hackers armed with stolen passwords broke into the TRW
credit system and reviewed information on employment records,
bankruptcies, loans, social security numbers and credit cards.
The password was stolen from a Sears and Roebuck and was
reportedly in circulation for the better part of a year. The
credit card numbers, expiration dates and credit limits of card
holders were used to make fraudulent purchases. TRW changed the
password.
Atlanta - Edward Johnson took exception to Jerry Falwell's fund
raising activities. His mother had a thing for T.V. preachers and
often gave money to Falwell's Liberty Foundation. Mr. Falwell's
collectors were oblivious to the fact the elderly lady lived on
social security and couldn't afford the donations. On a previous
occasion she had attempted to give the family farm to Jimmy
Swaggart. Johnson adjusted his phreaker program into a phone
cranker to auto dial Falwell's 800 and tie up the line for 30
seconds a call. Falwell's people reported they lost one million
in donations from the activity. Southern Bell finally trace the
calls and gave Johnson two choices, stop or lose his phone line -
he stopped. After all, it was "God's will".
Washington - Representative William Hughes from New Jersey has
introduced a bill to make computer theft of data and certain
"kinds of hacking activities" federal felonies.
New Jersey - Seven teenagers were arrested on charges of credit
card fraud, phreaking and hacking. An investigation into credit
card purchases led local police to the operator of a hacker bbs.
Armed with a search warrant the police seized his computer and
all related data. Inspection of same led to the arrests of the
other six. Now known in hack circles as the New Jersey Seven,
they reportedly had the ability to change the attitude of a
government satellite. The Inner Core reports they consider it
unlikely the kids knew they had the capability.
In my research, I've noted government and business to be at
greater risk from their own employees than from hackers. Credit
card fraud is the leading hacker crime. The pales beside the
reported cases of computer theft from internal sources. The
Rifkin case is the most noted. However, thousand of unreported
thefts occur every year.
MAKING MONEY WITH YOUR CODES
Ok, phreaking will save you money, that's fine. Wouldn't you
rather make some bucks off these jokers? No biggy. You sell your
codes. Is it illegal? You bet, but your the adverturesome type
with avarice in your heart...this is how it works.
Abdul wants to call the Middle East so he can talk with his
camel. No problem. Call the international operator and ask how
much it costs for an hour to Jordon. Charge the raghead fifty
percent of the cost for hooking him up and let him talk as long
as he likes. MCI and Sprint both access the Middle East so you're
in business. Foreigners are good to deal with. They're extremely
paranoid anyway so tell them you have to make the calls from a
phone booth. This isn't true BUT, you're covering your own ass.
There are a variety of good reasons why a phone booth is called a
fortress, this is one. DO NOT SELL THE CODES. Abdul knows nothing
about phreaking. The dumbshit will stay on the code too long and
will end up getting his ass traced. The telcos don't give two
shits about this guy. THEY WANT YOU!. You're the guy costing them
the big bucks. Abdul will make a deal and your tit will be in the
ringer. So keep control of the codes. If you want to be a nice
guy and hand out codes to your phriends fine. Just be sure they
don't have big mouths and that they know the IC's Rules of
Phreaking. You'll find a list of the countrys MCI and Sprint
access in the appendix. You'll also notice there are a lot of
places that they don't go. India for one. The only way to book
passage to India is on AT&T. You'll need to bag a PBX or a
Diverter for that action.
Equal Access
What does equal access mean to you? Not much. Access was the
issue that permitted Mci to break up At&t. The result was the
sudden emergence of the companies you'll find listed in this
chapter. At&t still retains an 85%+ share of the
telecommunications market. The rest of the business enterprises
are basically parasites attempting to feed off of Ma Bell's
network.
Equal Access means you get to pay 2 to 5 dollars a month for
"access" to the long distance network, whether you want it or
not. It means your local telco can go begging to the Public
Utilities commissions claiming the need for rate increases in the
wake of the break up. Pacfic Tel was hurt so much they posted
sales recently of one billion dollars. I first in the company's
history.
There is one small advantage to equal access. Ustel (950-1033)
customers can crossover to the Sprint Network (950-0777) and make
international calls. By appending the equal access code to the
customer code the call will be cross connected.
In short, equal access means this..."Bend over and smile
America". If you thought you were getting screwed before, well
you ain't seen nothing yet.
Equal Access Codes
10824 ATC Directline
10482 Access America
10939 Access Long Distance
10282 Action Telecom
10444 Allnet
Americall
10002 Americall LDC Inc.
10053 American Network
10366 American Telco
10050 American Telephone Exchange
10080 Amtel
Amertel
10824
ATC Communications
10287 ATS Communications
10272 Bell of Pa
10606 Biz-Tel
10300 Call America
10221 Capitol Telecommunications Inc.
10987 Clay Desta Communications
10266 Com Systems
10885 Communigroup of Kansas City
10733 Comp-Data Communications
Compute a Call
Comtel of Pine Bluff
10203 Cytel10233 Delta Communications
10339 Dial USA
Directline
Discount Long Distance
EO Tech10054 Eastern Telephone Systems
10634 Econo Line of Midland
Econo-line of Waco
10256 Execuline
10393 Execulines of Florida
Garden State Telco
10235 Inteleplex
10884 ITI
10488 Itt
10535 LDL - Long Distance for Less
10084 LDS
LDX
LTS
10066 Lexitel
10852 Line One
10036 Long Distance Savers
10537 Long Distance Service of Washington
Long Distance Telephone Savers
Max Long Distance
10222 Mci
10021 Mercury Long Distance
10622 Metro America Communications
National Telecommunications of Austin
Network I/Metromedia
10855 Network Plus
10638 Northwest Telecom Ltd.
10785 Olympia Telecom
10808 Phone America of Colorado
10936 R - Comm
10211 RCI
10787 STS/Star Tel
10800 Satelco
10888 Skyline
10087 Southernnet
10321 Southland Systems
10777 Sprint
10889 St. Joseph10787 STS/Star Tel
10007 TMC of Arkansas
10021 TMC of Chattanooga
10007 TMC of El Paso
10007 TMC of Miami
10007 TMC of S.E. Florida
TMI of Oklahoma
10826 Tel AMCO
Tel-Central Inc of Oklahoma
10330 Tel-Share
10626 Tel/man
10007 Telemarketing Communications
10899 Telephone Express
10331 Texustel
10850 Tollkall
10824 Transcall
10333 US Telecom
10859 Valu-Line of Longview
Valu-Line of Wichita Falls
10687 WTS Communicatons
10085 Westel
10220 Western Union
10995 Wylon
ESS
The following is a file taken from a Hack Board. I think it is
intellegently written and accurate.
+====================================+
+ ELECTRONIC SWITCHING SERVICE V1. +
+====================================+
THERE WAS OF COURSE NO WAY OF KNOWING
WETHER YOU WERE BEING WATCHED AT ANY
GIVEN MOMENT. HOW OFTEN, OR ON WHAT
SYSTEM, THE THOUGHT POLICE PLUGGED IN ON
ANY INDIVIDUAL WIRE WAS GUESSWORK. IT
WAS EVEN CONCEIVABLE THAT THEY WATCHED
EVERYBODY ALL THE TIME. BUT AT ANY RAT
E THEY COULD PLUG IN YOUR WIRE WHENEVER
THEY WANTED TO. YOU HAD TO LIVE--DID L
IVE, FROM HABIT THAT BECAME INSTICT--IN
THE ASSUMPTION THAT EVERY SOUND YOU MAD
E WAS OVERHEARD, AND, EXCEPT IN
DARKNESS, EVERY MOVEMENT SCRUTINIZED.
'FROM NINETEEN EIGHTY-FOUR'
ESS IS THE BIG BROTHER OF THE BELL
FAMILY. ITS VERY NAME STRIKES FEAR AND
APPREHENSION INTO THE HEARTS OF MOST
PHREAKERS, AND FOR A VERY GOOD REASON.
ESS (ELECTRONIC SWITCHING SYSTEM) KNOWS
THE FULL STORY ON EVERY TELEPHONE
HOOKED INTO IT. WHILE IT MAY BE PARANO
ID TO SAY THAT ALL PHREAKING WILL COME
TO A SCREECHING HALT UNDER ESS, IT'S
CERTAINLY REALISTIC TO ADMIT THAT ANY
PHREAK WHOSE CENTRAL OFFICE TURNS TO
ESS WILL HAVE TO BA A LOT MORE CAREFUL.
HERE'S WHY.
WITH ELECTRONIC SWITCHING, EVERY
SINGLE DIGIT DIALED IS RECORDED. THIS
IS USEFUL NOT ONLY FOR NAILING PHREAKS
BUT FOR SETTLING BILLING DISPUTES. IN
THE PAST, THERE HAS BEEN NO EASY WAY
FOR THE PHONE COMPANY TO SHOW YOU WHAT
NUMBERS YOU DIALED LOCALLY. IF YOU
PROTESTED LONG ENOUGH AND LOUD ENOUGH,
THEY MIGHT HAVE PUT A PEN REGISTER ON
YOUR LINE TO RECORD EVERYTHING AND
PROVE IT TO YOU. UNDER ESS, THE ACTUAL
PRINTOUT (WHICH WILL BE DUG OUT OF A
VAULT SOMEWHERE IF NEEDED) SHOWS EVERY
LAST DIGIT DIALED.
EVERY 800 CALL, EVERY CALL TO DIRECTORY
ASSISTANCE, REPAIR SERVICE, THE
OPERATOR, EVERY RENDITION OF THE 1812
OVERTURE, EVERYTHING! HERE IS AN
EXAMPLE OF A TYPICAL PRINTOUT, WHICH
SHOWS TIME OF CONNECT, LENGTH OF
CONNECT, AND NUMBER CALLED.
DATE TIME LENGTH UNITS NUMBER
0603 1518 3 1 456-7890
0603 1525 5 3 345-6789
0603 1602 1 0 000-4011
0603 1603 1 0 800-555-1212
0603 1603 10 2.35* 212-345-6789
0603 1624 1 0 000-000-0000
(TSPS)
A THOUSAND CALLS TO "800" WILL SHOW
UP AS JUST THAT--A THOUSAND CALLS TO
"800"! EVERY TOUCH TONE OR PULSE IS
KEPT TRACK OF AND FOR MOST PHREAKS,
THIS IN ITSELF WON'T BE VERY PRETTY.
SOMEWHERE IN THE HALLOWED HALLS OF 19
5 BROADWAY, A TRAFFIC ENGINEER DID AN
EXHAUSTIVE STUDY OF ALL 800 CALLS OVER
THE PAST FEW YEARS, AND REACHED THE
FOLLOWING CONCLUSIONS: (1) LEGITIMATE
CALLS TO 800 NUMBERS LAST AN AVERAGE OF
3 MINUTES OR LESS. OF THE ILLEGAL (I.E
PHREAKERS) CALLS MADE VIA 800 LINES,
MORE THAN 80% LASTED 5 MINUTES/LONGER;
(2) THE AVERAGE RESIDENTIAL TELEPHONE
SUBSCRIBER MAKES FIVE SUCH CALLS TO AN
800 NUMBER PER MONTH. WHENEVER
PHREAKERS ARE BEING WATCHED, THAT
NUMBER WAS SIGNIFICANTLY HIGHER. AS A
RESULT OF THIS STUDY, ONE FEATURE OF
ESS IS A DAILY LOG CALLED THE "800
EXCEPTIONAL CALLING REPORT."
UNDER ESS, ONE SIMPLY DOES NOT PLACE
A 2600 HZ TONE ON THE LINE, UNLESS OF
COURSE, THEY WANT A TELCO SECURITY
REPRESENTATIVE AND A POLICEMAN AT THEIR
DOORWITHIN AN HOUR! THE NEW GENERICS
OF ESS (THE #5) NOW IN PRODUCTION, WITH
AN OPERATING PROTOTYPE IN GDNZFA, nILL,
ALLOW THE SYSTEM TO SILENTLY DETECT ALL
"FOREIGN" TONES NOT AVALABLE ON THE
CUSTOMER'S PHONE. YOU HAVE EXACTLY 12
BUTTONS ON YOUR TOUCH-TONE (R) PHONE.
ESS KNOWS WHAT THEY ARE, AND YOU HAD
BEST NOT SOUND ANY OTHER TONES ON THE
LINE, SINCE THE NEW #5 IS PROGRAMMED
TO SILENTLY NOTIFY A HUMAN BEING IN THE
CENTRAL OFFICE, WHILE CONTINUING WITH
YOUR CALL AS THOUGH NOTHING WERE WRONG!
SOMEONE WILL JUST PUNCH A FEW KEYS ON
THEIR TERMINAL, AND THE WHOLE SORDID
STORY WILL BE RIGHT IN FRONT OF THEM, &
PRINTED OUT FOR ACTION BY THE SECURITY
REPRESENTATIVES AS NEEDED.
TRACING OF CALLS FOR WHATEVER REASON
(ABUSIVE CALLS, FRAUD CALLS, ETC.) IS
DONE BY MERELY ASKING THE COMPUTER
RIGHT FROM A TERMINAL IN THE SECURITY
DEPARTMENT. WITH ESS, EVERYTHING IS RI
GHT UP FRONT, NOTHING HIDDEN OR
CONCEALED IN ELECTROMECHANICAL FRAMES,
ETC. IT'S MERELY A SOFTWARE PROGRAM!
AND A PROGRAM DESIGNED FOR EASE IN
OPERATION BY THE PHONE COMPANY. CALL
TRACING HAS BECOME VERY SOPHISTICATED A
ND IMMEDIATE. THERE'S NO MORE RUNNING
IN THE FRAMES AND LOOKING FOR LONG PERI
ODS OF TIME. ROM CHIPS IN COMPUTERS
WORK FAST, AND THAT IS WHAT ESS IS ALL
ABOUT.
PHONE PHREAKS ARE NOT THE ONLY REASON
FOR ESS, BUT IT WAS ONE VERY IMPORTANT
ONE. THE FIRST AND FOREMOST REASON FOR
ESS IS TO PROVIDE THE PHONE COMPANY
WITH BETTER CONTROL ON BILLING AND
EQUIPMENT RECORDS, FASTER HANDLING OF
CALLS (I.E. LESS EQUIPMENT TIED UP IN
THE OFF ICE AT ANY ONE TIME), & TO HELP
AGENCIES SUCH AS THE FBI KEEP BETTER
ACCOUNT OF WHO WAS CALLING WHO FROM
WHERE,ETC. WHEN THE FBI FINDS OUT THAT
SOMEONE WHOSE CALLS THEY WANT TO TRACE
IS ON A ESS EXCHANGE, THEY ARE THRILLED
BECAUSE IT'S SO MUCH EASIER FOR THEM
THEN.
THE UNITED STATES WON'T BE 100% ESS
UNTIL SOMETIME IN THE MID 1990'S. BUT
IN REAL PRACTICE, ALL PHONE OFFICES IN
ALMOST EVERY CITY ARE GETTING SOME OF
THE MOST BASIC MODIFICATIONS BROUGHT
ABOUT BY ESS. "911" SERVICE IS AN ESS
FUNCTION. SO IS ANI (AUTOMATIC NUMBER
IDENTIFICATION) ON LONG DISTANCE CALLS.
"DIAL TONE FIRST" PAY PHONES ARE ALSO
AN ESS FUNCTION. NONE OF THESE THINGS
WERE AVAILABLE PRIOR TO ESS. THE AMOUNT
OF PURE FRAUD CALLING VIA BOGUS CREDIT
CARD, THIRD NUMBER BILLING, ETC. ON
BELL'S LINES LED TO THE DECISION TO
RAPIDLY INSTALL THE ANI, FOR EXAMPLE,
EVEN IF THE REST OF THE ESS WAS SEVERAL
YEARS AWAY IN SOME CASES.
DEPENDING ON HOW YOU CHOOSE TO LOOK
AT THE WHOLE CONCEPT OF ESS, IT CAN BE
EITHER ONE OF THE MOST ADVANTAGEOUS
INNOVATIONS OF ALL TIME OR ONE OF THE
SCARIEST. THE SYSTEM IS GOOD FOR
CONSUMERS IN THAT IT CAN TAKE A LOT OF
ACTIVITY AND DO LOTS OF THINGS THAT OLD
ER SYSTEMS COULD NEVER DO. FEATURES
SUCH AS DIRECT DIALING OVERSEAS, CALL
FORWARDING (BOTH OF WHICH OPEN UP NEW
WORLDS OF PHREAKING WHICH WE'LL EXPLORE
IN LATER ISSUES), AND CALL HOLDING ARE
STEPS FORWARD, WITHOUT QUESTION. BUT
AT THE SAME TIME, WHAT DO ALL OF THE
NASTY IMPLICATIONS MENTIONED FURTHER
BACK MEAN TO THE AVERAGE PERSON ON THE
SIDEWALK? THE SYSTEM IS PERFECTLY
CAPABLE OF MONITORING ANYONE, NOT JUST
PHONE PHREAKS! WHAT WOULD HAPPEN IF
THE NICE FRIENDLY GOVERNMENT WE HAVE
SOMEHOW GOT OVERTHROWN AND A MEAN NASTY
ONE TOOK ITS PLACE? WITH ESS, THEY
WOULDN'T HAVE TO DO TOO MUCH WORK, JUST
COME UP WITH SOME NEW SOFTWARE. IMAGINE
A PHONE SYSTEM THAT COULD TELL
AUTHORITIES HOW MANY CALLS YOU PLACED
TO CERTAIN TYPES OF PEOPLE, I.E. BLACKS
COMMUNISTS, LAUNDROMAT SERVICE
EMPLOYEES... ESS COULD DO IT, IF SO
PROGRAMMED.
---------------------------------------
GAMES PHONE COMPANIES PLAY
Some phone companies have come up with clever little tricks to
fuck up the phreaks hacking activities. One of these is the
CARRIER BLAST. Simply put, they shoot a 300/1200 baud answer tone
across the phone line right before you connect with your
destination. This move makes your computer THINK it's connected
with the computer you're calling. The attempt is laughable. All
you need do is to take the modem offline for that period of
seconds when the carrier is blasting. For the Hayes and the
Hayes compatible modems you work this command into the dialing
sequence, "+++,". Each modem in the AT mode permits you to take
the modem offline and "idle". The function is programable so you
can use any keyboard character. The "+++" puts the modem in idle,
the comma is a timing element you've preprogrammed. If you want a
five second delay, you will have programmed "ATS8=5" or "ATS8=10"
for a ten second delay. After your delay the modem will continue
to execute the dialing sequence. You'll now use "ATO" to put the
modem back on line. The whole routine will look like
this,"+++,ATO". Consult your modem manuals if you don't have a
Hayes Compatible. Each manufacturer has "borrowed" the same
features from Hayes. The result will be the same even if your
commands may differ.
Another little gimmick has been borrowed from the PBX. After
entering your code you have to enter "9" to get out. No big deal.
Just use nine as a suffix.
If you've ever tried hacking an AT&T credit card (and I recommend
that you don't) you'd notice that you can dump the entire dialing
sequence all at once. This is a classy system. Not so with MCI or
UStel. After you've entered the 0 and the area code of your
destination the system beeps you that it has received the proper
format. While this beeping is going on you can't dial over it.
The solution is simple, insert the "comma delay to wait for the
"beeper" to get done. The one problem you may encounter depends
on the size of you modem's buffer. The Hayes compatible can
accept forty five digits. The MCI/UStel format requires a full 44
digits. You have one to spare. If your buffer size is smaller,
you'll have to break the dialing sequence in two separate
routines. A bit of a bitch but liveable for the return.
Code format bastardizations are a nice change. The telco's hope
that in deviating from the norm, it will be less advantageous for
the hacker, who like anyone else develops habits, to whack away
at their systems. Itt's reverse arrangement is a prime example. The Pbx
The Pbx (Public Branch Exchange) is a switching station. In the
old days an operator would stick a plug into a slot and connect
with an incoming call and another plug to a second slot to
establish a connection with the destination. The equipment is the
same in theory except, today the microchip has eliminated the
human operator.
The phreak is interested in the board's dial in/out capability.
The legitimate users of the Pbx can call into a number, enter a
code + a routing number and have an At&t line to dial out with.
Pbx's afford the hack indirect access to Ma Bell without exposing
him to the risk of a trace. There are two principle uses,
Teleconferencing and Overseas calls to area only At&t services.
To find a Pbx the hack scans a local prefix. This is also known
as War Dialing after the movie War Games. To find the unit the
hack must be equipped with a modem capable of recognizing a dial
tone. The Hayes modem can not. The Apple Cat is considered the
ideal phreaking modem. Not only can it recognize dial tones it
can generate the frequencies needed to emulate a blue box. The
Cat is not one of Ma Bell's favorites. The Hayes user is forced
to sit and listen to the dialing if he wants a Pbx. Most phreaks
will usually make a deal with a cat owner for pbx locations.
The phreak will recognize the Pbx when he hears a second dial
tone. He'll now start playing around looking for the code. Many
switchboards have simple and easy to remember 4 digit codes like
1234. The hack will always go for the obvious. Code lengths can
be any where from zero to eight digits. Pbx's are very user
friendly. When you screw up it'll beep at you to let you know.
This is a worksheet for Pbx hacking
1 1 1 1 1 1 1 1
2 2 2 2 2 2 2 2
3 3 3 3 3 3 3 3
4 4 4 4 4 4 4 4
5 5 5 5 5 5 5 5
6 6 6 6 6 6 6 6
7 7 7 7 7 7 7 7
8 8 8 8 8 8 8 8
9 9 9 9 9 9 9 9
The hack will now enter a number from the far left column. If it
beeps at him he knows he's guessed wrong so he disconnects and
redials. With an autodialer that's no big deal. He goes back to
work on the first column. He will eventually it a number which
doesn't generate an error message. He circles it and proceeds to
the next column. When he's succeeded in hacking out the code, he
will hear another dial tone. This is his At&t line out. Most
phreaks will test the line by dialing information, local to the
Pbx.
Some units require an additional out code. Would you believe 9 ?
Actually the Pbx will accept any preprogrammed 2 digit code, like
85. Nine has become a habit and many virgins have lost their
cherry to a phreak by doing the obvious. I've seen units that
required no code, only the 9 to get outside.
It's impossible to make a Pbx secure. If a hacker want's it, and
he's willing to work on it, he'll get it. The only option
available to the business is to disconnect the in/out dialups and
supply their outside personnel with long distance travel cards.
Loops
Loops are mildly interesting in the hack/phreak world. They
consist of two telephone numbers that, when connected, permit
callers to hold conversations with strangers or friends whom
they've met by appointment.
A loop has a high side and a low side, meaning one of the pair of
numbers emits a tone while the other is quiet. Loops in 213 and
818 areas can be found by dialing any prefix and 1118 or 1119.
Pacific Telephone has injected a rather annoying "click" into the
line which makes data transfers impossible and voice
communication tedious. This situation doesn't exist in other
areas of the country.
At first glance, loops may not appear to have any practical
value. To the hacker it has two uses. It enables him to voice
with people he doesn't want to have his phone number and it's
useful in conferencing (see Alliance). Many hacks refuse to make
their personal information available to those who are not long
standing bbs acquaintances. Loops make safe voicing possible.
A Few Loops
201-531-9929,9930 201-938-9929,9930
206-827-0018,0019 206-988-0020,0022
212-283-9977,9997 208-862-9996,9997
209-732-0044,0045 212-529-9900,9906
212-283-9977,9979 212-352-9900,9906
212-220-9977,9979 212-365-9977,9979
212-562-9977,9979 212-986-9977,9979
213-549-1118,1119 214-299-4759,4757
214-291-4759,4757 307-468-9999,9998
308-357-0004,0005 402-779-0004,0007
406-225-9902,9903 714-884-1118,1119
These loops were taken from a Hack Board and are for the 808
area.
(((((((((((((((((((((((((((((((((((
( (
( (
( (
( Here are some loops for ya. (
( (
( (
( (
( (808) = 1 (
( (9907)= Loud (
( (9908)= Silent (
( (
( (
( (
( (
( 1 328 (Loud) (Silent) (
( " 322 """"""""""""""" (
( " 572 """"""""""""""" (
( " 261 """"""""""""""" (
( " 239 """"""""""""""" (
( " 668 """"""""""""""" (
( " 885 """"""""""""""" (
( " 961 """"""""""""""" (
( " 245 """"""""""""""" (
( " 332 """"""""""""""" (
( " 335 """"""""""""""" (
( " 623 """"""""""""""" (
( " 624 """"""""""""""" (
( " 959 """"""""""""""" (
( " 742 """"""""""""""" (
( " 879 """"""""""""""" (
( " 882 """"""""""""""" (
( " 329 """"""""""""""" (
( " 247 """"""""""""""" (
( " 235 """"""""""""""" (
((((((((((((((((((((((((((((((((((((((
The Loop master (Merauge) was here
DIVERTERS
Diverters are privately owned call forwarding machines. They'll
be found almost exclusively in areas that don't have call
forwarding. This also means ESS isn't operational in your
area. This is how it works...
You may not realize it, but the sounds of a call connecting are
permanently etched on your subconscience mind. Whether it's the
sounds of tones or clicks, you know when your call has
connected. Pay attention next time, you'll see what I mean. A
call going to a diverter makes two connections. First to the
number you called and second to the number that the diverter
called. When you hear this second connection, you'll know that
you've bagged a diverter. The call will be connected to a person
you have absolutely no interest in talking to. Tell the person
that you have the wrong number, click the rocker on your phone,
and wait for HIM to hang up. Your call is now in a never never
land between the first number you dialed and the number that the
diverter called. Wait about two minutes. You'll hear a faint
dial tone in the back ground. That's your AT&T line out. You can
now dial anywhere in the world.
Since you're dealing with a real human on the other end, be
prepared for the unexpected. I called one diverter recently and
had a fellow answer the phone. I used the wrong number routine
and clicked the rocker, but HE DIDN'T HANG UP. Hey, I'm cool, a
dummied up and waited. After five minutes HE STILL WOULDN'T HANG
UP. Not only that, he started making lewd suggestions that he
and I get together for a date. I like girls and this joker was
grossing me out. I said,"Jesus fucking Christ" very disgustedly
(for emphasis) and clicked the rocker arm again. THE SON OF A
BITCH STILL WOULDN'T HANG UP. I gave up and went to a PBX.
This is the moral of this story. This fellow had been burned
before. He knew the flaw in his diverter and he knew what to do
about it. Plus the guy gets 10 points for have some style. He
knew what I was trying to do to him and he played the game out
all the way. A good show. Manufacturers of diverters are hip to
the game. Their newer machines have disconnect features that
restrict a phreaks call out abilities. Never the less, there are
hundreds of thousands of the older machines still out there with
their cherries intact. Firms that use a diverter are too cheap
to hire and answering service. For this reason alone they won't
be too quick to upgrade their systems. They'll get a little
incentive after they receive a several thousand dollar phone
bill.
I spoke with a phreak not too long ago who received a 2 thousand
dollar phone bill for conferance calls he'd made with a
diverter.
Explained the steps he'd taken in its use. I asked him if the
second dial tone he received was as loud as the first. I
informed him as kindly as possible, "You dumb shit, that was
your dial tone not the diverter". There's a moral in there
somewhere.
The Black Box
Another credible file on box building. Note the black will work
under Crossbar or Step by Step but not with ESS.
***************************************
* *
* HOW TO BUILD A BLACK BOX *
* *
***************************************
A BLACK BOX
IS A DEVICE THAT IS HOOKED UP TO YOUR
FONE THAT FIXES YOUR FONE SO THAT WHEN
YOU GET A CALL, THE CALLER DOESN'T GET
CHARGED FOR THE CALL. THIS IS GOOD FOR
CALLS UP TO 1/2 HOUR, AFTER 1/2 HOUR
THE FONE CO. GETS SUSPICOUS, AND THEN
YOU CAN GUESS WHAT HAPPENS.
THE WAY IT WORKS:
WHAT THIS LITTLE BEAUTY DOES IS
KEEP THE LINE VOLTAGE FROM DROPPING TO
10V WHEN YOU ANSWER YOUR FONE. THE
LINE IS INSTED KEPT AT 36V AND IT WILL
MAKE THE FONE THINK THAT IT IS STILL
RINGING WHILE YOUR TALKING. THE REASON
FOR THE 1/2 HOUR TIME LIMIT IS THAT THE
FONE CO. THINKS THAT SOMETHING IS WRONG
AFTER 1/2 AN HOUR OF RINGING.
ALL PRTS ARE AVAILABLE RADIO
SHACK. USING THE LEAST POSSIBLE PARTS
AND ARANGEMENT, THE COST IS $0.98 !!!!
AND THAT IS PARTS FOR TWO OF THEM!
TALK ABOUT A DEAL! IF YOU WANT TO
SPLURGE THEN YOU CAN GET A SMALL PC
BOARD, AND A SWITCH. THERE ARE TWO
SCHEMATICS FOR THIS BOX, ONE IS FOR
MOST NORMAL FONES. THE SECOND ONE IS
FOR FONES THAT DON'T WORK WITH THE
FIRST. IT WAS MADE FOR USE WITH A BELL
TRIMLINE TOUCH TONE FONE.
** SCHEMATIC 1 FOR MOST FONES **
** LED ON: BOX ON **
FROM >--------------------GREEN-> TO
LINE >--! 1.8K LED !---RED--> FONE
!--/\/\/\--!>--!
! !
------>/<-------
SPST
PARTS: 1 1.8K 1/2 WATT RESISTOR
1 1.5V LED
1 SPST SWITCH
YOU MAY JUST HAVE TWO WIRES WHICH YOU
CONNECT TOGETHER FOR THE SWITCH.
** SCHEMATIC 2 FOR ALL FONES **
** LED ON: BOX OFF **
FROM >---------------GREEN-> TO
LINE >------- ---RED--> FONE
! LED !
-->/<--!>--
! !
---/\/\/---
1.8K
PARTS: 1 1.8K 1/2 WATT RESISTOR
1 1.5V LED
1 DPST SWITCH
HERE IS THE PC BOARD LAYOUT THAT I
RECOMMEND USING. IT IS NEAT AND IS
VERY EASY TO HOOK UP.
SCHEMATIC #1 SCHEMATIC #2
************** ****************
* * * ------- *
* ----- * * ! ! *
* ! ! * * ! *
* RESISTOR ! * * ! ! ! *
* ! ! * * ! ! / *
* -------- ! * * ! ! \ *
* ! ! * * ! ! / *
* --SWITCH-- * * ! ! \ *
* ! ! * * ! ! / *
L * ! ! * F L * ! ! ! * F
I>RED- -RED>O I>RED- ---RED>O
N>-----GREEN---->N N>-----GREEN------>N
E * H * E E * * E
************** ****************
ONCE YOU HAVE HOOKED UP ALL THE
PARTS, YOU MUST FIGURE OUT WHAT SET OF
WIRES GO TO THE LINE AND WHICH GO TO
THE FONE. THIS IS BECAUSE OF THE FACT
THAT LED'S MUST BE PUT IN, IN A CERTAIN
DIRECTION. DEPENDING ON WHICH WAY YOU
PUT THE LED IS WHAT CONTROLS WHAT WIRES
ARE FOR THE LINE & FONE.
HOW TO FIND OUT:
HOOK UP THE BOX IN ONE DIRECTION
USING ONE SET OF WIRES FOR LINE AND THE
OTHER FOR FONE.
*NOTE* FOR MODEL I SWITCH SHOULD BE OFF.
*NOTE* FOR MODEL ][ SWITCH SHOULD BE
SET TO SIDE CONNECTING THE LED.
ONCE YOU HAVE HOOKED IT UP, THEN
PICK UP THE FONE AND SEE IF THE LED IS
ON. IF IT IS, THE LED WILL BE LIT. IF
IS DOESN'T LIGHT THEN SWITCH THE WIRES
AND TRY AGAIN. ONCE YOU KNOW WHICH ARE
WHICH THEN LABEL THEM. *NOTE* - IF
NEITHER DIRECTIONS WORKED THEN YOUR
SWITCH WAS IN THE WRONG POSITION. NOW
LABLE THE SWITCH IN ITS CURRENT
POSITION AS BOX ON.
HOW TO USE IT:
THE PURPOSE OF THIS BOX IS NOT TO
POEPLE WHO CALL YOU SO IT WOULD MAKE
SENCE THAT IT CAN ONLY BE USED TO
RECEIVE! CALLS. WHEN THE BOX IS *ON*
THEN YOU MAY ONLY RECIEVE CALLS. YOUR
FONE WILL RING LIKE NORMAL AND THE LED
ON THE BOX WILL FLASH. IF YOU ANSWER
THE FONE NOW, THEN THE LED WILL
LIGHT AND THE CALLER WILL NOT BE CHARGED.
HANG UP THE FONE AFTER YOU ARE DONE
TALKING LIKE NORMAL. YOU WILL NOT BE
ABLE TO GET A DIAL-TONE OR CALL WHEN
THE BOX IS ON, SO TURN THE BOX *OFF*
FOR NORMAL CALLS. I DON'T RECOMMEND
YOU DON'T WANT IT TO ANSWER WHEN MA BELL
CALLS!
Incidentally, never let it be said that all hackers are literate.
Just knowing thieves.
The Infamous Blue Box
The follwoing appears to be a credible set of plans for the
Captain Crunch machine.
$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
$ $
$ BLUE BOX PLANS! $
$ --------------- $
$ $
$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
This file will explain the construction, troubleshooting,
andadjustmentof a Blue Box.
We all know that the touch tone frequencies are composed of 2
tones (2 different freqs.) so that is the reason why we have 2
VCO's (Voltage Controlled Oscilators). We'll call them VCO#1 and
VCO#2.If you have noticed VCO#1 and VCO#2 are exactly the same
type of circuits. That is why only 1 was drawn. But remember
that whatever goes for VCO#1 also goes for VCO#2. Both VCO'S are
composed of a handfull of parts. One chip, two capacitors,2
resistors and five potentionmeters. All of this will give you
(when properly calibrated) one of the freqencies necessary (the
other one will come fromVCO#2) for the operation of $ the Blue
Box. Both of these freqs. will bemixed in the speaker to form the
required tone.
This is one of the most sophisticated designs I have ever made.
Why? Because other designs will drain the battery after 10 calls.
This design will make them last 10 months!!!!!! But
nevertheless, don'tforget to put in aswitch for on and off. Ok
let's build the two VCO'S andcalibrate the unit before we get to
the keyboard construction.
VCO CONSTRUCTION
TOOLS REQUIRED
1 ocilliscope(optional but not req)
1 Freq. counter (REQUIRED)
1 Volt meter " " "
Electronics tools (Pliers, drll, screwdrivers, etc.)
PARTS
R1 1.5K RESISTOR 5%
R2 1K RESISTOR 5%
C1 .1uf ELECTROLYTIC CAPACITOR 16VDC
C2 .01uf " " (MYLQR) 16VDC
C1 2207 VCO CHIP BY EXAR ELECTRONICS
Remember the above only says VCO#1 but the same is for VCO#2
R3-R4 150 OHM RESISTORS 5% .
C3-C4 .1 uf ELECTROLITIC CAPACITOR .
10VDC .
P1-P10 200K TRIMMER POT - 20 TURNS DIODES USED IN THE KEYBOARD
ARE 1N914 TYPE(40 OF THEM) & 13 SWITCHES FOR THE KEYBOARD SPST
MOMENTARY.
SPKR YOU CAN USE A TELEPHONE SPEAKER FOR THIS (IT WORKS BEST) BUT
REMEMBER TOTAKE OUT THE DIODE THAT IS CONNECTED ACCROSS IT.
IMPORTANT NOTES
1. DO NOT USE ANYTHING ELSE OTHER THAN A MYLAR CAPACITOR FORC2.
2. PINS 10,9,8 SHOULD BE TIED TOGETHER AND BE LEFT FLOATING.
3. ALL RESISTORS SHOULD BE 5%! NOTHING ELSE!
4. A TELEPHONE SPEAKER GIVES THE BEST RESULTS.
TROUBLE SHOOTING
By now you should have constructed the two VCO'S on a bread board
or anything that pleases you. Check for cold solder
joints,broken wires,polarity of the battery, etc. Before we
apply power to the VCO'S we have to adjust the pots for their
half way travel point. This is done by turning them 21 turns to
the right and then 10 turns to the left. Do the same for all ten
of them.
Now apply power to the unit check to see that you have power in
the chips by putting the positive lead of your volt meter on pin
7 andthe negative lead on pin 12. If you do not have anything
there turn off the unit and RECHECK THE WIRING.
When you get the right voltages on the chips, connect a diode to
a piece of wire (look at fig. 2 for the orientation of the diode)
from round to any pot at point T (look carefully at the schematic
for point T it is labeled T1-T10 for all pots). You should be
able to hear a tone, if not disconnect the lead and place the
speaker close to your ear and if you hear a chirp-like sound,
this means that the two VCO'S are working if you don't,
it means that either one or both of the VCO'S are dead. So in
this case it is always good to have an ocilloscope on hand.
Disconnect the speaker from the circuit and hook the ocilliscope
to 1 of the leads of the speaker & the ground from the scope to
the ground of the battery. Connect again the ground lead with the
diode connected to it from ground to any pot on the VCO that you
are checking and you should see a triangle wave if not turn the
pot in which you are applying the ground to until you see it.
When you do see it do the the same for the other VCO to makesure
it is working. (amplitude is about 2VAC). When you get the two
VCO's working you are set for the adjustment of the individual
spots.
ADJUSTMENT
Disconnect the speaker from the circuit and connect a freq.
counter (the positive lead of the counter to one of the speakers
leads that belongs to VCO#1 or connect it to pin 14.
Connect the negative lead to the battery negative and connect the
jumperlead with the diode from ground to pot number 1.T1 (the
first pot number 1 point T1). If you got it working you should
hear a tone and get a reading on the counter. Adjust the pot for
a freq. of 1700hz and continue doing the same for pots 2-5
except that they get different freqs. which are:
: $$$$$$$$$$$$$$ :
: $ $ :
: $ P1 1700hz $ :
: $ P2 1300hz $ :
: $ P3 1100hz $ :
: $ P4 900hz $ :
: $ P5 1500hz $ :
: $ $ :
: $$$$$$$$$$$$$$ :
Now disconnect the freq. counter from the speaker lead of VCO#1
or from pin (which ever you had it attached to at the beginning)
and connect it to the speaker lead of VCO#2 or to pin 14 of VCO#2
and make the same adjustments toP6-10.:
: $$$$$$$$$$$$$$$ :
: $ $ :
: $ P6 1100hz $ :
: $ P7 700hz $ :
: $ P8 900hz $ :
: $ P9 2600hz $ :
: $ P10 1500hz $ :
: $ $ :
: $$$$$$$$$$$$$$$ :
When you finish doing all of the pots go back and re-check
them.
KEYBOARD
IF YOU LOOK AT FIG-2 YOU WILL SEE THAT THE KEYS ARE
SIMPLE SWITCHES. CONNECTED TO A GROUND AND TWO DIODES ON THE
OTHER END. THESE DIODES ARE USED TO SIMPLIFY THE CONSTRUCTION OF
THE KEYBOARD BECAUSE OTHERWISE THE DISTRIBUTION OF THE GROUND
SIGNAL FOR BOTH VCO'S WOULD HAVE BEEN DONE MECHANICALLY. THE
DIODE WILL GO TO VCO#1 AND THE OTHER WILL GO TO VCO#2. FIG-3
SHOWS THE ARRANGEMENT OF THE KEYS ON THE KEYBOARD.
BELOW IS A TABLE THAT WILL HELP YOU CONNECT THE KEYS TO THE
REQUIRED VCO'SPOTS.
<------------------------------------->
< >
< (-FIG 2-) >
< >
<-----!-----!--------!--------!------->
< ! ! ! ! >
< TO ! TO ! FREQ ! FREQ ! KEY >
< POT ! POT ! OUT: ! OUT: ! >
< ON ! ON ! ! ! >
< VCO1! VCO2! ! ! >
<-----!-----!--------!--------!------->
< 1 ! 06 ! 1700hz ! 1100hz ! C >
< 2 ! 10 ! 1300hz ! 1500hz ! 0 >
< 1 ! 10 ! 1700hz ! 1100hz ! E >
< 4 ! 07 ! 0900hz ! 0700hz ! 1 >
< 3 ! 07 ! 1100hz ! 0700hz ! 2 >
< 3 ! 08 ! 1100hz ! 0900hz ! 3 >
< 2 ! 07 ! 1300hz ! 0700hz ! 4 >
< 2 ! 08 ! 1300hz ! 0900hz ! 5 >
< 2 ! 06 ! 1300hz ! 1100hz ! 6 >
< 5 ! 07 ! 1500hz ! 0700hz ! 7 >
< 5 ! 08 ! 1500hz ! 0900hz ! 8 >
< 5 ! 06 ! 1500hz ! 1100hz ! 9 >
< - ! 09 ! ------ ! 2600hz ! X >
< ! ! ! ! >
<------------------------------------->
REMEMBER THAT IN FIG-2 IT'S THE SAME FOR EACH KEY EXCEPT THE "X"
KEY, WHICH ONLY TAKES ONE DIODE.
All Nodes
This is the most comprehensive list of dialups ever published.
Sprint, Metro, Itt and Mci are represented. Mci makes it's nodes
known only to customers. Therefore, 100% of the Mci dialups come
from hackers and are usually the product of war dialing
(scanning) local prefixes in their areas. All things are subject
to change. As Sprint installs her 950 systems the local dialups
are no longer active. They're there but can only be accessed
through the 950 switch.
201-333-0042 SPRINT
201-427-1100 METRO
201-455-0600 SPRINT
201-463-0300 SPRINT
201-463-0900 ITT
201-472-8700 SPRINT
201-487-3155 METRO
201-494-3250 SPRINT
201-499-8410 MCI
201-530-7072 SPRINT
201-531-7900 METRO
201-589-6343 ITT
201-592-7550 SPRINT
201-642-0061 MCI
201-643-2227 METRO
201-666-7844 SPRINT
201-672-0633 SPRINT
201-825-8852 METRO
201-828-8660 METRO
201-862-1990 SPRINT
202-565-4110 ITT
202-737-2051 METRO
202-950-0777 SPRINT
202-955-0020 SPRINT
203-222-1148 METRO
203-222-1585 SPRINT
203-223-3478 SPRINT
203-322-0606 SPRINT
203-323-1468 METRO
203-324-1172 ITT
203-333-2722 ITT
203-443-1134 MCI
203-444-6646 MCI
203-522-0003 METRO
203-525-0155 SPRINT
203-525-0455 SPRINT
203-527-7389 ITT
203-579-1525 SPRINT
203-748-0770 METRO
203-755-8193 SPRINT
203-787-0170 ITT
203-787-9964 SPRINT
203-794-1085 ITT
203-797-8076 SPRINT
203-866-8411 ITT
205-320-2000 SPRINT
205-431-6600 SPRINT
205-832-9800 SPRINT
206-382-0910 METRO
206-950-0777 SPRINT
207-761-0700 SPRINT
208-342-2671 SPRINT
209-334-5900 SPRINT
209-445-9001 SPRINT
209-445-9300 ITT
209-575-1730 SPRINT
209-583-6010 SPRINT
209-625-2762 SPRINT
209-943-2111 SPRINT
212-248-0151 ITT
212-732-7430 METRO
212-950-0220 METRO
212-950-0777 SPRINT
213-202-6117 MCI
213-202-6117 METRO
213-329-8600 SPRINT
213-404-4100 METRO
213-456-0010 SPRINT
213-618-0231 METRO
213-624-8884 METRO
213-628-9902 SPRINT
213-629-1026 METRO
213-637-8883 SPRINT
213-640-3111 SPRINT
213-690-5301 SPRINT
213-855-7600 SPRINT
214-595-4282 METRO
214-597-3306 SPRINT
214-651-1400 MCI
214-654-0609 ITT
214-742-4500 METRO
214-744-2019 MCI
214-747-9422 MCI
214-748-3400 MCI
214-950-0777 SPRINT
215-351-0100 METRO
215-376-4864 ITT
215-433-2166 ITT
215-563-3256 ITT
215-665-8700 MCI
215-770-8940 METRO
215-950-0777 SPRINT
216-255-2072 SPRINT
216-261-9103 MCI
216-277-0009 SPRINT
216-374-1001 METRO
216-375-9040 ITT
216-375-9240 SPRINT
216-394-7700 SPRINT
216-455-4147 SPRINT
216-575-1900 SPRINT
216-621-0490 ITT
216-621-7505 MCI
216-621-7507 MCI
216-621-7518 MCI
216-746-3128 SPRINT
216-861-5163 METRO
217-398-4350 SPRINT
217-429-8110 SPRINT
217-788-5900 SPRINT
219-237-1010 MCI
219-237-1020 MCI
219-237-1030 MCI
219-237-1040 MCI
219-237-1060 MCI
219-237-1070 MCI
219-237-1080 MCI
219-237-1090 MCI
219-237-1099 MCI
219-237-1700 ITT
219-237-1776 SPRINT
219-237-4805 METRO
219-420-0011 METRO
219-436-4500 SPRINT
219-882-8901 METRO
219-886-8700 SPRINT
301-263-7660 SPRINT
301-659-5500 SPRINT
301-659-7700 METRO
301-950-0777 SPRINT
302-429-9439 METRO
302-654-2809 ITT
302-950-0777 SPRINT
303-224-9700 SPRINT
303-351-8230 SPRINT
303-544-0184 SPRINT
303-623-5356 METRO
303-623-5646 SPRINT
303-630-8700 SPRINT
303-651-6040 SPRINT
303-861-4411 ITT
303-920-3900 SPRINT
304-344-4002 SPRINT
304-525-8408 SPRINT
305-326-3300 METRO
305-425-7791 ITT
305-462-3100 SPRINT
305-462-3530 MCI
305-462-3530 METRO
305-545-8895 ITT
305-756-2400 SPRINT
305-764-4522 ITT
305-950-0777 SPRINT
307-266-1512 SPRINT
307-634-0358 SPRINT
309-637-0650 SPRINT
312-356-4480 METRO
312-364-6020 ITT
312-396-2550 METRO
312-450-5875 METRO
312-480-8901 METRO
312-496-2431 METRO
312-578-3900 METRO
312-679-8120 METRO
312-844-6981 METRO
312-853-4700 METRO
312-888-5580 METRO
312-891-8083 METRO
312-922-1013 ITT
312-950-0777 SPRINT
312-981-8870 METRO
312-986-0566 METRO
313-237-0600 MCI
313-257-2700 SPRINT
313-332-2312 MCI
313-332-8711 MCI
313-471-1213 SPRINT
313-479-4540
313-643-9060 SPRINT
313-662-2041 ITT
313-752-5959 SPRINT
313-775-8755 SPRINT
313-961-7090 SPRINT
313-963-4847 METRO
313-964-2843 ITT
313-977-0200 MCI
313-978-8100 MCI
313-981-3579 MCI
313-996-0006 MCI
313-996-0056 MCI
313-996-0096 MCI
313-996-8800 SPRINT
313-996-8900 METRO
314-342-1130 METRO
314-342-8900 SPRINT
314-656-0800 ITT
314-925-0980 SPRINT
315-422-6341 SPRINT
315-471-2900 ITT
315-474-3911 METRO
316-262-4002 MCI
316-262-8290 MCI
316-267-1088 ITT
316-267-6910 MCI
316-269-1190 SPRINT
317-286-4342 SPRINT
317-455-2220 SPRINT
317-635-0119 SPRINT
317-635-6284 METRO
317-637-5223 ITT
317-644-3274 SPRINT
317-950-0777 SPRINT
318-269-4900 SPRINT
318-425-0300 SPRINT
318-494-7500 SPRINT
319-324-9568 SPRINT
319-362-1177 SPRINT
401-272-0356 METRO
401-273-8263 ITT
401-274-0130 SPRINT
402-422-0281 MCI
402-422-0282 MCI
402-422-0710 MCI
402-422-0711 MCI
402-422-0906 Mci
402-422-1120 METRO
402-474-7040 SPRINT
402-592-6000 SPRINT
404-223-1000 METRO
404-223-1520 MCI
404-327-2770 SPRINT
404-525-0062 SPRINT
404-525-0714 ITT
404-950-0777 SPRINT
405-232-9011 METRO
405-236-8901 SPRINT
405-525-7731 ITT
408-280-1301 ITT
408-425-1950 SPRINT
408-458-1700 MCI
408-754-2000 SPRINT
408-947-7606 METRO
408-995-6701 SPRINT
409-832-7171 SPRINT
409-833-9331 METRO
412-261-4930 ITT
412-261-5720 METRO
412-950-0777 SPRINT
413-950-0777 SPRINT
414-276-1804 SPRINT
414-277-1805 METRO
414-435-1000 SPRINT
414-632-8383 SPRINT
414-633-3636 METRO
414-652-6334 SPRINT
414-933-5680 ITT
414-950-0777 SPRINT
415-348-7700 SPRINT
415-449-1014 SPRINT
415-477-0200 SPRINT
415-495-2816 ITT
415-499-0250 SPRINT
415-499-8086 METRO
415-540-4700 MCI
415-541-9555 SPRINT
415-577-0200 SPRINT
415-579-6001 METRO
415-676-1062 METRO
415-724-0604 SPRINT
415-724-3170 METRO
415-778-4700 SPRINT
415-791-5151 MCI
415-791-5559 MCI
415-794-4800 METRO
415-794-7920 SPRINT
415-832-5016 SPRINT
415-833-9200 METRO
415-836-6900 METRO
415-852-0900 METRO
415-856-1626 SPRINT
415-858-2750 ITT
415-944-5000 SPRINT
415-956-0162 METRO
417-831-1442 SPRINT
419-243-1046 METRO
419-243-4227 SPRINT
419-522-0857 SPRINT
501-374-1001 SPRINT
502-259-0680 SPRINT
502-561-0900 METRO
502-581-0376 MCI
502-589-0680 SPRINT
502-589-9360 ITT
503-295-8300 SPRINT
503-341-6310 SPRINT
503-371-5400 SPRINT
503-758-2220 SPRINT
504-346-5900 SPRINT
504-566-4321 MCI
504-566-8300 ITT
504-566-8500 METRO
504-566-8900 MCI
504-950-0777 SPRINT
505-765-0000 MCI
505-848-0000 SPRINT
507-288-0270 SPRINT
509-456-5120 SPRINT
512-224-9110 SPRINT
512-224-9600 METRO
512-474-4397 ITT
512-474-6057 METRO
512-474-7773 SPRINT
512-576-1154 MCI
512-578-8183 MCI
512-722-3676 SPRINT
512-887-8090 SPRINT
513-228-1576 METRO
513-228-6506 ITT
513-228-8015 SPRINT
513-241-1747 METRO
513-241-5690 SPRINT
513-322-0794 SPRINT
513-423-8304 SPRINT
513-651-1823 ITT
515-233-5904
515-233-5910
515-243-3480 SPRINT
515-284-5040 ITT
516-933-9700 METRO
516-950-0220 METRO
516-950-0777 SPRINT
517-484-0333 SPRINT
518-436-6200 METRO
518-455-7011
518-462-2068 ITT
518-462-8200 SPRINT
601-960-0000 SPRINT
602-254-2930 METRO
602-257-8200 ITT
602-271-9445 SPRINT
602-323-0502 METRO
602-622-2372 MCI
602-629-9000 MCI
602-629-9015 MCI
602-778-6800 SPRINT
602-792-2635 SPRINT
602-884-7710 MCI
602-929-9020 MCI
603-668-9259 SPRINT
603-881-9955 SPRINT
605-335-8053 SPRINT
606-223-8015 SPRINT
606-231-8961 METRO
607-773-0422 SPRINT
608-251-9596 METRO
608-256-6782 SPRINT
608-258-8900 ITT
609-261-6550 MCI
609-261-8930 MCI
609-338-0100 METRO
609-338-0340 ITT
609-348-3880 SPRINT
609-452-0100 SPRINT
609-541-5028 SPRINT
609-641-0004 METRO
609-645-0533 MCI
609-728-1067 MCI
609-728-2067 MCI
609-728-7423 MCI
609-890-0525 SPRINT
609-987-8000 MCI
609-989-1631 ITT
609-989-1900 METRO
612-370-9000 METRO
612-375-0690 ITT
614-224-0024 ITT
614-224-0577 METRO
614-224-3735 SPRINT
615-248-1900 MCI
615-248-6000 SPRINT
615-327-2511 ITT
615-521-7600 ITT
615-525-1342 SPRINT
615-697-7000 ITT
615-757-9600 SPRINT
616-242-9580 METRO
616-388-4800 SPRINT
616-458-2472 ITT
616-459-1800 SPRINT
617-357-5562 ITT
617-458-4138 MCI
617-863-1333 MCI
617-950-0777 SPRINT
617-950-1020 METRO
618-235-8870 METRO
618-398-8710 MCI
618-398-8766 MCI
618-463-1850 SPRINT
619-233-0327 METRO
619-237-1009 SPRINT
619-340-4800 SPRINT
619-340-9300 MCI
619-340-9436 MCI
619-346-2133 MCI
619-484-4442 SPRINT
619-489-0414 SPRINT
619-723-7411 SPRINT
619-753-0438 SPRINT
701-232-2838 SPRINT
702-322-1512 SPRINT
702-323-6822 MCI
702-323-7191 ITT
702-329-1025 METRO
702-387-7000 SPRINT
703-344-8850 SPRINT
703-950-0777 SPRINT
704-375-4311 ITT
704-376-8085 SPRINT
704-861-9114 SPRINT
707-446-7032 SPRINT
707-576-7950 SPRINT
707-584-4931 METRO
707-778-1901 SPRINT
707-944-1350 SPRINT
712-258-0930 SPRINT
713-224-9417 METRO
713-225-1444 SPRINT
713-237-1822 MCI
713-862-5067 ITT
713-993-6533 MCI
714-493-0806 SPRINT
714-527-7055 METRO
714-541-1915 MCI
714-550-7466 MCI
714-591-9351 METRO
714-594-9311 METRO
714-778-4011 SPRINT
714-824-7430 SPRINT
714-877-6641 METRO
714-972-9515 METRO
714-973-2900 SPRINT
714-973-4707 MCI
714-973-8032 ITT
714-986-1762 SPRINT
716-262-5000 SPRINT
716-325-1180 ITT
716-845-5150 ITT
716-852-9200 METRO
716-950-0777 SPRINT
716-950-1020 METRO
717-233-9031 SPRINT
717-234-0718 ITT
717-238-4731 METRO
717-247-9135 ITT
717-291-4524 SPRINT
717-299-4796 ITT
717-346-0131 SPRINT
717-348-4300 METRO
717-822-7161 SPRINT
717-825-2761 ITT
717-846-6304 METRO
717-848-5700 SPRINT
718-950-0220 METRO
718-950-0777 SPRINT
800-221-1950 ITT
800-322-1415 MCI
800-327-9488 ITT
800-538-0007
801-226-1128 SPRINT
801-363-2294 SPRINT
801-546-7000 SPRINT
802-863-8800 SPRINT
803-232-1356 SPRINT
803-233-1351 ITT
803-254-6039 SPRINT
803-256-3060 ITT
803-573-7639 ITT
803-577-6728 ITT
803-585-6211 SPRINT
803-723-0242 SPRINT
804-225-1920 METRO
804-355-1433 ITT
804-380-9038 ITT
804-623-9004 METRO
804-627-3596 ITT
804-950-0777 SPRINT
805-257-3028 SPRINT
805-395-0123 ITT
805-395-1301 SPRINT
805-496-0010 SPRINT
805-656-4800 SPRINT
805-968-0700 METRO
806-376-4836 SPRINT
806-379-8271 METRO
806-762-0004 METRO
806-763-0116 SPRINT
808-244-6000 SPRINT
808-525-5000 SPRINT
808-528-5000 SPRINT
808-969-6000 SPRINT
812-232-1616 SPRINT
812-332-8130 SPRINT
812-464-2003 SPRINT
813-221-3111 SPRINT
813-223-5380 ITT
813-371-1550 SPRINT
813-797-1986 SPRINT
814-453-7811 SPRINT
814-942-8103 SPRINT
815-950-0777 SPRINT
815-966-2401 METRO
815-966-3429 SPRINT
816-364-1291 SPRINT
816-471-1999 METRO
816-474-1850 SPRINT
816-474-4850 SPRINT
817-322-1422 METRO
817-338-1321 MCI
817-338-1428 MCI
817-338-1639 METRO
817-338-1659 MCI
817-338-1961 MCI
817-338-4749 ITT
817-565-0102 SPRINT
817-565-9202 METRO
817-756-7960 SPRINT
817-757-2002 METRO
817-877-1140 MCI
817-950-0777 SPRINT
818-350-1028 METRO
818-575-1411 SPRINT
818-954-8699 METRO
818-965-1391 SPRINT
818-989-0921 SPRINT
818-992-1999 SPRINT
818-992-8282 METRO
818-995-1002 MCI
818-995-1156 MCI
818-995-1166 MCI
818-995-1184 MCI
818-995-1185 MCI
818-995-4418 MCI
901-529-1800 SPRINT
904-354-3020 SPRINT
904-358-8522 ITT
904-434-9282 SPRINT
912-435-2166 SPRINT
912-741-0000 SPRINT
913-271-1300 ITT
913-354-4191 SPRINT
913-621-3186 METRO
914-684-0268 METRO
914-950-0777 SPRINT
915-448-1361 SPRINT
915-532-0025 METRO
915-561-5481 METRO
915-562-5801 SPRINT
915-657-7511 SPRINT
915-658-2943 METRO
915-672-1733 SPRINT
915-676-0078 METRO
915-950-0777 SPRINT
916-443-6921 METRO
916-448-4179 MCI
916-448-6606 ITT
916-577-9400 SPRINT
916-758-6841 SPRINT
916-961-1044 SPRINT
918-584-6030 SPRINT
918-585-5001 ITT
918-587-6770 METRO
919-286-0006 SPRINT
919-373-8633 SPRINT
919-378-9489 ITT
919-721-0704 SPRINT
919-725-3532 ITT
919-832-9396 SPRINT
919-832-9438 ITT
919-889-2366 SPRINT
919-929-7912 SPRINT
950-950-0220 METRO
950-950-0223 TDX
950-950-0488 ITT
950-950-0777 SPRINT
950-950-1003 RCI
950-950-1007 TMC
950-950-1022 MCI
950-950-1033 US SPRINT
950-950-1044 ALLNET
950-950-1088 SKYLINE
950-950-1220 METRO
The Compuserve Network
The following is the current list of Compuserve Dialups for the
nation. The obvious use is as destination numbers. Most
experienced phreaks use file between 10 and 20 numbers in length.
Networks are constantly taking nodes down and putting others up.
Consequently a small file is easier to check. Destination numbers
are usually verified every couple of months
Bayonne NJ CS 201 624-6565
Elizabeth NJ CS 201 624-6565
Greenbrook NJ CS 201 968-9000
Hackensack NJ CS 201 489-0111
Hackettstown NJ CS 201 852-8070
Hackettstown NJ CS 201 852-8502
Jersey City NJ CS 201 624-6565
Montclair NJ CS 201 783-5400
Newark NJ CS 201 624-6565
Parsippany NJ CS 201 898-1935
Ridgewood NJ CS 201 444-3913
Tom's River NJ CS 201 244-7722
Union NJ CS 201 624-6565
Union City NJ CS 201 624-6565
Wayne NJ CS 201 633-5030
Woodbridge NJ CS 201 906-0960
Bridgeport CT CS 203 926-0001
Danbury CT CS 203 797-1815
Fairfield CT CS 203 926-0001
Greenwich CT CS 203 967-4589
Hartford CT CS 203 728-0633
Milford CT CS 203 926-0001
New Haven CT CS 203 467-3489
New London CT CS 203 444-2509
North Haven CT CS 203 467-3489
Norwalk CT CS 203 967-4589
Stamford CT CS 203 967-4589
Waterbury CT CS 203 574-0500
Westport CT CS 203 222-1748
Westport CT CS 203 226-2704
Bessemer AL CS 205 879-2250
Bessemer AL CS 205 879-2280
Birmingham AL CS 205 879-2250
Birmingham AL CS 205 879-2280
Huntsville AL CS 205 536-4405
Mobile AL CS 205 478-0688
Montgomery AL CS 205 262-0010
Olympia WA CS 206 786-6666
Seattle WA CS 206 241-7023
Seattle WA CS 206 241-9111
Tacoma WA CS 206 922-1790
Portland ME CS 207 879-0005
Boise ID CS 208 384-5660
Boise ID CS 208 384-5666
Pocatello ID CS 208 232-9452
Fresno CA CS 209 252-1892
Stockton CA CS 209 465-7251
New York NY CS 212 422-8820
New York NY CS 212 758-2090
New York NY CS 212 758-4114
Beverly Hills CA CS 213 739-0371
Beverly Hills CA CS 213 739-8906
Culver City CA CS 213 216-0010
Culver City CA CS 213 390-9617
Inglewood CA CS 213 739-0371
Inglewood CA CS 213 739-8906
Long Beach CA CS 213 591-8392
Los Angeles CA CS 213 739-0371
Los Angeles CA CS 213 739-8906
San Fernando CA CS 213 739-0371
San Fernando CA CS 213 739-8906
Torrance CA CS 213 542-4311
West L.A. CA CS 213 739-0371
West L.A. CA CS 213 739-8906
Dallas TX CS 214 761-0599
Dallas TX CS 214 761-9040
Allentown PA CS 215 776-6960
King of Prussia PA CS 215 279-5811
Philadelphia PA CS 215 977-9758
Reading PA CS 215 375-4850
Upper Darby PA CS 215 977-9758
Akron OH CS 216 867-1237
Akron OH CS 216 867-1243
Canton OH CS 216 455-2126
Canton OH CS 216 455-2516
Cleveland OH CS 216 771-0723
Cleveland OH CS 216 771-6860
Euclid OH CS 216 771-0723
Euclid OH CS 216 771-6860
North Canton OH CS 216 867-1237
North Canton OH CS 216 867-1243
Parma OH CS 216 771-0723
Parma OH CS 216 771-6860
Youngstown OH CS 216 743-4992
Springfield IL CS 217 522-5101
Elkhart IN CS 219 293-1593
Ft. Wayne IN CS 219 447-0510
Gary IN CS 219 769-0081
Osceola IN CS 219 674-6951
Annapolis MD CS 301 266-7530
Baltimore MD CS 301 254-7113
Dundalk MD CS 301 254-7113
Dundalk MD CS 301 254-7311
Hyattsville MD CS 301 559-0200
Hyattsville MD CS 301 559-8000
Newark DE CS 302 652-8732
Wilmington DE CS 302 652-8732
Aspen CO CS 303 925-5892
Aurora CO CS 303 629-5563
Boulder CO CS 303 629-5563
Colorado Sprngs CO CS 303 596-0910
Denver CO CS 303 629-0668
Denver CO CS 303 629-5563
Dillon CO CS 303 668-0991
Fort Collins CO CS 303 493-8601
Glenwood Spring CO CS 303 945-0424
Grand Junction CO CS 303 241-1885
Grand Junction CO CS 303 241-1889
Lakewood CO CS 303 629-5563
Vail CO CS 303 476-8700
Charleston WV CS 304 768-9700
Huntington WV CS 304 736-2331
Parkersburg WV CS 304 485-4225
Wheeling WV CS 304 233-9470
Boynton Beach FL CS 305 684-9051
Deerfield Beach FL CS 305 428-6104
Ft. Lauderdale FL CS 305 771-8074
Ft. Lauderdale FL CS 305 772-3240
Longwood FL CS 305 273-8780
Longwood FL CS 305 273-8805
Miami FL CS 305 266-0231
Orlando FL CS 305 273-8780
Orlando FL CS 305 273-8805
Vero Beach FL CS 305 778-0550
W. Palm Beach FL CS 305 684-9051
Casper WY CS 307 234-6914
Peoria IL CS 309 685-2543
Arlington Hts. IL CS 312 332-7382
Arlington Hts. IL CS 312 443-1250
Aurora IL CS 312 859-1557
Chicago IL CS 312 443-1250
Cicero IL CS 312 332-7382
Cicero IL CS 312 443-1250
Lombard IL CS 312 953-9680
Oak Park IL CS 312 332-7382
Oak Park IL CS 312 443-1250
Skokie IL CS 312 332-7382
Skokie IL CS 312 443-1250
St. Charles IL CS 312 859-1557
Ann Arbor MI CS 313 663-3934
Detroit MI CS 313 255-9207
Flint MI CS 313 238-6202
Troy MI CS 313 362-2540
E. St. Louis IL CS 314 241-3101
E. St. Louis IL CS 314 241-3102
Florissant MO CS 314 241-3101
Florissant MO CS 314 241-3102
St. Louis MO CS 314 241-3101
St. Louis MO CS 314 241-3102
Syracuse NY CS 315 458-6016
Wichita KS CS 316 689-8585
Wichita KS CS 316 689-8765
Indianapolis IN CS 317 638-2517
Indianapolis IN CS 317 638-2762
Lafayette IN CS 317 742-6578
Muncie IN CS 317 284-3812
Richmond IN CS 317 935-0061
Lafayette LA CS 318 233-1150
Monroe LA CS 318 387-0879
Shreveport LA CS 318 424-5380
Cedar Rapids IA CS 319 365-9363
Davenport IA CS 319 323-7388
Providence RI CS 401 941-6900
Lincoln NE CS 402 474-1006
Omaha NE CS 402 895-5288
Edmonton AB CS 403 466-4501
Atlanta GA CS 404 237-3003
Atlanta GA CS 404 237-8113
Augusta GA CS 404 733-0346
Martinez GA CS 404 733-0346
Bethany OK CS 405 946-4799
Bethany OK CS 405 946-4860
Norman OK CS 405 946-4799
Norman OK CS 405 946-4860
Oklahoma City OK CS 405 946-4799
Oklahoma City OK CS 405 946-4860
Billings MT CS 406 245-0863
Cupertino CA CS 408 988-8762
Los Altos CA CS 408 988-8762
Monterey CA CS 408 375-9931
Mt. View CA CS 408 988-8762
San Jose CA CS 408 988-8762
Santa Clara CA CS 408 988-8762
Sunnyvale CA CS 408 988-8762
Butler PA CS 412 285-8187
Penn Hills PA CS 412 391-7732
Penn Hills PA CS 412 391-8818
Pittsburgh PA CS 412 391-7732
Pittsburgh PA CS 412 391-8818
Amherst MA CS 413 256-8591
Chicopee MA CS 413 734-7362
Holyoke MA CS 413 734-7362
Springfield MA CS 413 734-7362
Brookfield WI CS 414 258-5616
Milwaukee WI CS 414 258-5616
Alameda CA CS 415 531-3700
Berkeley CA CS 415 531-3700
Castro Valley CA CS 415 581-2631
Concord CA CS 415 682-2633
Hayward CA CS 415 581-2631
Livermore CA CS 415 443-9202
Oakland CA CS 415 531-3700
Pacheco CA CS 415 682-2633
Palo Alto CA CS 415 591-5591
Palo Alto CA CS 415 591-5846
Pleasant Hills CA CS 415 682-2633
San Carlos CA CS 415 591-5591
San Carlos CA CS 415 591-5846
San Francisco CA CS 415 956-4191
San Francisco CA CS 415 956-4281
San Mateo CA CS 415 591-5591
San Mateo CA CS 415 591-5846
Walnut Creek CA CS 415 682-2633
Toronto ON CS 416 865-1451
Toledo OH CS 419 244-0073
Little Rock AR CS 501 224-9311
Louisville KY CS 502 581-9526
Portland OR CS 503 232-1072
Portland OR CS 503 232-4026
Baton Rouge LA CS 504 273-0184
New Orleans LA CS 504 734-8150
Albuquerque NM CS 505 265-1263
Los Alamos NM CS 505 662-4122
Spokane WA CS 509 326-0515
Austin TX CS 512 444-7234
Corpus Christi TX CS 512 887-2983
San Antonio TX CS 512 435-3883
Cincinnati OH CS 513 771-1630
Dayton OH CS 513 461-1064
Montreal PQ CS 514 842-3684
Des Moines IA CS 515 270-1581
Des Moines IA CS 515 270-9410
Hicksville NY CS 516 681-7240
Hicksville NY CS 516 681-7347
Lake Grove NY CS 516 981-0880
Williston Park NY CS 516 294-1482
East Lansing MI CS 517 321-2388
Lansing MI CS 517 321-2388
Saginaw MI CS 517 893-1161
Albany NY CS 518 439-7491
Schenectady NY CS 518 439-7491
Troy NY CS 518 439-7491
Jackson MS CS 601 948-6411
Mesa AZ CS 602 256-2951
Phoenix AZ CS 602 256-2951
Phoenix AZ CS 602 267-0623
Scottsdale AZ CS 602 256-2951
Tempe AZ CS 602 256-2951
Tucson AZ CS 602 748-2004
Tucson AZ CS 602 748-2009
Yuma AZ CS 602 782-7191
Nashua NH CS 603 883-5551
Vancouver BC CS 604 738-5157
Rapid City SD CS 605 341-3733
Lexington KY CS 606 259-3446
Madison WI CS 608 256-6525
Atlantic City NJ CS 609 645-1258
Camden NJ CS 609 665-7555
Cherry Hill NJ CS 609 665-7555
Pennsaukin NJ CS 609 665-7555
Princeton NJ CS 609 683-4770
Princeton NJ CS 609 683-4776
Minneapolis MN CS 612 342-2207
St. Paul MN CS 612 342-2207
Athens OH CS 614 594-8364
Columbus OH CS 614 457-2105
Columbus OH CS 614 876-2116
Granville OH CS 614 587-0932
Chattanooga TN CS 615 877-5804
Gatlinburg TN CS 615 436-2001
Knoxville TN CS 615 584-9902
Nashville TN CS 615 366-1947
Oak Ridge TN CS 615 483-2292
Grand Rapids MI CS 616 459-9891
Kalamazoo MI CS 616 344-2298
Kalamazoo MI CS 616 344-5312
Arlington MA CS 617 542-1796
Arlington MA CS 617 542-3792
Boston MA CS 617 542-1796
Boston MA CS 617 542-3792
Brockton MA CS 617 588-3222
Brookline MA CS 617 542-1796
Brookline MA CS 617 542-3792
Burlington MA CS 617 667-4266
Cambridge MA CS 617 542-1796
Cambridge MA CS 617 542-3792
Concord MA CS 617 371-0354
Framingham MA CS 617 875-3814
Georgetown MA CS 617 352-7596
Hudson MA CS 617 568-8019
Lawrence MA CS 617 975-0451
Maynard MA CS 617 897-4746
Medfield MA CS 617 359-7603
Medford MA CS 617 542-1796
Medford MA CS 617 542-3792
Medway MA CS 617 533-2722
Mendon MA CS 617 478-0653
Newton MA CS 617 542-1796
Newton MA CS 617 542-3792
Quincy MA CS 617 542-1796
Quincy MA CS 617 542-3792
Waltham MA CS 617 542-1796
Waltham MA CS 617 542-3792
Westboro MA CS 617 366-2617
Worcester MA CS 617 792-2512
Cathedral City CA CS 619 325-4584
Palm Springs CA CS 619 325-4584
Rancho Bernardo CA CS 619 471-0960
San Diego CA CS 619 283-6021
San Diego CA CS 619 283-6091
San Diego CA CS 619 569-0697
Solana Beach CA CS 619 481-3527
Las Vegas NV CS 702 878-0056
Reno NV CS 702 786-5308
Reno NV CS 702 786-5356
Alexandria VA CS 703 352-7500
Alexandria VA CS 703 841-9834
Arlington VA CS 703 841-9834
Bethesda MD CS 703 352-7500
Bethesda MD CS 703 841-9834
Fairfax VA CS 703 352-7500
Manassas VA CS 703 368-5707
Roanoke VA CS 703 563-8421
Washington DC CS 703 352-7500
Washington DC CS 703 841-9834
Charlotte NC CS 704 333-6654
Charlotte NC CS 704 333-7155
Houston TX CS 713 225-2330
Houston TX CS 713 225-2550
Anaheim CA CS 714 520-9724
Anaheim CA CS 714 520-9733
Irvine CA CS 714 851-0145
Newport Beach CA CS 714 851-0145
Pomona CA CS 714 623-2651
Riverside CA CS 714 359-7801
San Bernadino CA CS 714 881-1583
San Bernadino CA CS 714 881-1871
Buffalo NY CS 716 874-3751
Rochester NY CS 716 458-3460
Rochester NY CS 716 458-3465
Tonawanda NY CS 716 694-6263
Harrisburg PA CS 717 657-9633
York PA CS 717 845-7631
Provo UT CS 801 377-1120
Salt Lake City UT CS 801 521-2890
Salt Lake City UT CS 801 521-2915
Burlington VT CS 802 862-1575
Charleston SC CS 803 763-0090
Columbia SC CS 803 783-5484
Greenville SC CS 803 255-4686
Myrtle Beach SC CS 803 238-8625
Chesapeake VA CS 804 461-6128
Chesapeake VA CS 804 461-6167
Hampton VA CS 804 722-0016
Midlothian VA CS 804 358-8274
Norfolk VA CS 804 461-6128
Norfolk VA CS 804 461-6167
Portsmouth VA CS 804 461-6128
Portsmouth VA CS 804 461-6167
Richmond VA CS 804 358-8274
Virginia Beach VA CS 804 461-6128
Virginia Beach VA CS 804 461-6167
Bakersfield CA CS 805 323-7691
Santa Barbara CA CS 805 682-2331
Thousand Oaks CA CS 805 499-0371
Thousand Oaks CA CS 805 499-0566
Ventura CA CS 805 643-0177
Amarillo TX CS 806 379-8411
Lubbock TX CS 806 763-5081
Kailua HI CS 808 263-6670
Evansville IN CS 812 479-0165
Ft. Myers FL CS 813 939-7060
Sarasota FL CS 813 355-9331
St. Petersburg FL CS 813 525-0378
Tampa FL CS 813 237-8189
Erie PA CS 814 453-7538
Somerset PA CS 814 443-6402
Rockford IL CS 815 968-3412
Independence MO CS 816 474-3770
Kansas City KS CS 816 474-3770
Kansas City MO CS 816 474-3770
Mission KS CS 816 474-3770
Shawnee KS CS 816 474-3770
Shawnee Mission KS CS 816 474-3770
Ft. Worth TX CS 817 870-2461
Ft. Worth TX CS 817 870-2468
Canoga Park CA CS 818 902-0932
Canoga Park CA CS 818 902-0934
Hollywood CA CS 818 982-1813
N. Hollywood CA CS 818 982-1813
Sherman Oaks CA CS 818 902-0932
Sherman Oaks CA CS 818 902-0934
Sierra Madre CA CS 818 303-2563
Sierra Madre CA CS 818 303-2681
Van Nuys CA CS 818 902-0932
Van Nuys CA CS 818 902-0934
Memphis TN CS 901 452-1710
Memphis TN CS 901 452-8530
Daytona Beach FL CS 904 257-5019
Jacksonville FL CS 904 396-7105
Panama City FL CS 904 871-4775
Pensacola FL CS 904 434-3911
Tallahassee FL CS 904 222-4144
Tallahassee FL CS 904 224-6021
Albany GA CS 912 435-9420
Poughkeepsie NY CS 914 473-2617
White Plains NY CS 914 428-9270
White Plains NY CS 914 949-4510
El Paso TX CS 915 565-4661
El Paso TX CS 915 565-4670
Midland TX CS 915 697-8211
Sacramento CA CS 916 971-4681
Tulsa OK CS 918 749-8801
Tulsa OK CS 918 749-8850
Burlington NC CS 919 584-2971
Davidson NC CS 919 725-1550
Durham NC CS 919 682-6239
Greensboro NC CS 919 373-1635
Raleigh NC CS 919 878-8570
Resch. Triangle NC CS 919 682-6239
Winston-Salem NC CS 919 725-1550
National Phone Areas
NPAS
201 202 203 204 205 206 207 208 209 212 213 214 215 216 217 218
219 301 302 303 304 305 306 307 308 313 314 315 316 318 319 401
402 404 405 406 408 409 412 413 414 415 416 417 419 501 502 503
504 505 506 507 509 512 513 514 515 516 517 518 519 601 602 603
604 605 606 607 608 609 612 613 614 615 616 617 618 619 701 702
703 704 705 706 707 709 712 713 714 715 716 717 801 802 803 804
805 806 807 808 812 813 814 815 816 817 818 819 901 902 904 905
906 907 912 913 914 915 916 918 919
This is a listing of the current area codes in use by At&t. The
obvious phreaking related use is as prefix qualifiers relative to
the 14 digit code format.
International Calling Codes
International Calls are made by dialing 011 + the Country Code +
the City Code + the local number. Calls made to Canada are the
same as made within the U.S. 1 + Area Code + Number.
m and s after the Country Code indicates service by Sprint and
Mci. At&t is assumed
Algeria 213m
American Samoa 684
Andorra 33
Argentina 54ms Buenos Aires 1
Cordoba 51
La Plata 21
Rosario 41
Aruba 297
Ascension Island 247
Australia 61ms Adelaide 8
Brisbane 7
Melbourne 3
Sydney 2
Austria Graz 316
Linz Donau 732
Vienna 222
Bahrain 973
Bangladesh 880 Barisal 431
Chittacong 31
Dhaka 2
Khulna 41
Belgium 32m Antwerp 3
Brussels 2
Ghent 91
Liege 41
Belize 501 Corozal Town 04
Punta Gorda 07
Benin 229
Bolivia 591 Cochabamba 42
La Paz 2
Santa Cruz 33
Brazil 55m Belo Horizonte 31
Rio De Janeiro 21
Sao Paulo 11
Brunei 673 Brunei City 2
Kuala Belait 3
Tutong 4
Bulgaria 379 Plovdiv 32
Rousse 82
Sofia 2
Varna 52
Cameroon 237
Chile 56s Concepcion 41
Santiago 2
Valparaiso 32
China (Red) 86 Fuzhou 591
Jinan 531
Nanchang 791
Nanjing 25
Peking 1
Shanghai 21
Columbia 57 Barranquilla 5
Bogota 1
Greece 30m Athens 1
Crete 81
Larissa 41
Piraeus 1
Guadeloupe 590
Guam 671s
Guantanamo Bay,Cuba 53
Guatemala 502 Antigua 9
Guatemala City 2
Quezaltenango 9
Guyana 502 Bartica 5
Georgetown 2
New Amsterdam 3
Haiti 509 Cap Hatien 3
Cayes 5
Gonaive 2
Port Au Prince 1
Honduras 504
Hong Kong 852ms Hong Kong 5
Kowloon 3
New Territories 0
Hungary 36 Budapest 1
Derbrecen 52
Gyor 96
Miskolc 46
Iceland 354 Akureyir 6
Keflavic 2
Reykjavik 1
India 91 bombay 22
Calcutta 33
Madras 44
New Delhi 11
Indonesia 62 Jakarta 22
Medan 61
Semarang 24
Iran 98 Isfahan 31
Mashad 51
Tabriz 41
Teheran 21
Ireland 353 Cork 21
Dublin 1
Galway 91
Limerick 61
Israel 972 Haifa 4
Jerusalem 2
Ramat Gan 3
Tel Aviv 3
Italy 39 Florence 55
Genoa 10
Milan 2
Naples 81
Rome 6
Ivory Coast 225
Japan 81s Kyoto 75
Osaka 6
Sapporo 11
Tokyo 3
Yokohama 45
Jordan 962m Amman 6
Irbib 2
Jerash 4
Karak 3
Ma'am 3
Kenya 254ms Kisumu 35
Mombasa 11
Nairobi 2
Nakuru 37
Korea Rep of 82 Incheion 32
Pusan 51
Seoul 2
Taegu 53
Kuwait 965m Ahmadi 398
Kuwait City 24
Rigga 394
Lesotho 266 Leibe 3
Mafeteng 6
Maseru 1
Roma 21
Liberia 231
Libya Who gives a damn about libya?
Liechtenstein 41 All Cities 75
Luxembourg 352
Macao 853s
Malawi 265ms Domasi 531
Makwasa 474
Zomba 50
Malasia 60 Ipoh 5
Johor Bahru 7
Kajang 3
Kuala Lumpur 3
Mexico 52 Acapulco 748
Cancun 988
Celaya 461
Cordoba 271
Culiacan 671
Guadaljara 36
Hermosillo 621
Jalapa 281
Leon 471
Merida 992
Mexico City 5
Monterrey 83
Tampico 121
Toluca 721
Torreon 171
Veracruz 293
Monaco 33 All 93
Morocco 212 Agadir 8
Beni-Mellal 48
Casablanca 34
Namibia 264 Grootfontein 673
Keetmanshoop 631
Mariental 661
Netherlands 31 Amsterdam 20
Rotterdam 10
The Haque 70
New Caldonia 687
New Zealand 64ms Auckland 9
Christchurch 3
Dunedin 24
Hamilton 71
Nicaragua 505 Chinandega 341
Diriamba 42
Leon 311
Managua 2
Nigeria 234 Lagos 1
Norway 47 Bergen 5
Oslo 2
Stavanger 4
Trondheim 7
Oman 968ms
Pakistan 92 Islambad 51
Karachi 21
Lahore 42
Panama 507
Papua New Guinea 675ms
Paraguay 595 Asuncion 21
Concepcion 31
Peru 51 Arequipa 54
Callao 14
Lima 14
Trujillo 44
Philippines 63 Cebu 32
Davao 35
Lloilo 33
Manila 2
Poland 48 Crakow 12
Gdansk 58
Warsaw 22
Portugal 351 Coimbra 39
Lisbon 1
Porto 2
Setubal 65
Qatar 974ms
Romania 40 Bucharest 0
Cluj-Napoca 51
Constanta 16
Saipan 670 Susupe 234
Rota 532
Tinian 433
San Marino 39 All 541
Saudi Arabia 966m Hofuf 3
Jeddah 2
Mecca 2
Riyady 1
Senegal 221m
Singapore 65
South Africa 27m Cape Town 21
Durban 31
Johannesburg 11
Spain 34 Barcelona 3
Madrid 1
Seville 54
Valencia 6
Sri Lanka 94m Colombo 1
Kandy 8
Kotte 1
St Pierre/Miguelon 508
Suriname 597
Swaziland 268
Sweden 46m Goteborg 31
Malmo 40
Stockholm 8
Vasteras 21
Switzerland 41 Basel 61
Berne 31
Geneva 22
Zurich 1
Taiwan 886ms Kaosiung 7
Tainan 6
Taipei 2
Tanzania 255ms Dar Es Salaam 51
Dodoma 61
Mwanza 68
Tanga 53
Thailand 66ms Bangkok 2
Burirum 44
Chanthaburi 39
Togo 228
Tunisia 216ms Bizerte 2
Kairouan 7
Msel Bourguiba 2
Tunis 1
Turkey 90 Adana 711
Ankara 41
Istanbul 1
Iamir 51
Uganda 256 Entebee 42
Jinja 43
Kampala 41
Kyambobo 41
United Arab Emirate 971ms Abu Dhabi 2
Al Ain 3
Dubai 4
Sharjah 6
United Kingdom 44ms Belfast 232
Birmingham 21
Glasgow 41
London 1
Uruguay 598 Canelones 332
Mercedes 532
Montevideo 2
Vatican City 39
Venezuela 58 Barquisimeto 51
Caracas 2
Maracaibo 61
Valencia 41
Yemen 967 Amran 2
Sana 2
Taiz 4
Yarim 4
Yugoslavia 38 Belgrade 11
Sarajevo 71
Zagreb 41
Zaire 243 Kinshasal 12
Lubumbashi 2
Zambia 260 Chingola 2
Kitwe 2
Luanshya 2
Lusaka 1
Ndola 26
Zimbabwe 263 Bulawayo 9
Harare 0
Mutare 20
------------------------------------------------
Caribbean 1s 809+Number
Updates
Since my first writing of this piece the telco's have instituted
a number of anti-phreak techniques. All can be by passed! Some
are clever, some aren't and some have been very expensive to
implement.
In the summer of 1986 Mci began turning to their own database for
help. They instituted a port monitoring program that kept an eye
on the number of times a port was called and whether or not a
good code had been received. The typical hacking scenario had
been node, code and destination number...over and over again.
This permitted Mci to count certain items. Hacking activity was
detected if the code was wrong and the same destination number
had been used more than a few times. I also reported a good
chance contacts with the node were being recorded and compared to
an average figure for the time of day. If Mci wasn't doing this,
they should have.
In either case, the hacker's solution was operative within a few
days. Multinode and multidestination hacking was instituted. In
not hacking at the same node constantly one flag of the Mci
system was avoided. By using a file of Compuserve dialups the
second flag was rendered useless.
Multinode hacking now being norm had a drawback. Theoretically,
there should be no difference in the return rates for or against ÜjÜ
a company. This proved inaccurate. Multinode hacking reduces the
percentage of hits on a given node. A mathematical analysis will
show the theory to be true, yet the practice is another matter. I
believe the fault lays in how the random number generator picks
its next number. While the hacking attempts were concentrated on
one node, as with the first generation phreaking program, the RND
function of the personal computer hit certain numbers which were
agreeable to the particular company more often. For instance Mci
codes have a wide range of prefixes, never the less, in my
travels around phreak and hack bbs's I've noted the numbers 5 and
8 appear more often. With a company using prefix qualifiers this
will undoubtedly be the cause of low return rations.
Mci's latest security measure set them back a few bucks. Once a
code has been hacked they actively monitor its use. Originally,
if you made 15 calls in a 20 minute period the code was suspended
until you called their 800 number and verified you actually made
the call. The figure has since been reduced to around 7 or 8
calls per 20 minutes. This rules our long distance wardialing,
but then most phreaks scan their local prefixes. The fact of the
matter is Mci now has the ability to monitor in real time what is
happening on the system. Even so they're still hampered by the
necessity of sorting the bugs from their regular customers.
Most phreaks don't care to bother with the 14 digit format. It
really isn't hard once you realize you're only whacking 8 digits
(See Chapter Mci)
Allnet is another company who has turned to their data bases for
help. They're looking for the quick disconnect you find with a
hacking program. Once the program has detected the carrier it
auto disconnects and continues hacking away. The obvious solution
is to stay connected. 25,000 for next loops will eat up about 3
minutes and will render the feature useless.
Skyline instituted the carrier blast soon after Mci's takeover in
1986. The only modem that's impervious to it is the Apple Cat.
However, it isn't unbeatable. It takes from 24 to 32 seconds for
a long distance call to connect. Skyline shoots the blast about
10 seconds into the dialing sequence thereby grabbing the modem
and telling the program it has found a code. The result is you
can't tell the forest from the trees. Good codes are mixed in
with tons of bad ones.
The solution is to record the connect times and shoot the code
and the time to a file. A quick look at the file will sort out
the bogus connects from the goodies.
Itt has gone to their data bases also. While it is impossible to
know for sure, I believe they've established a user profile. When
a customer starts making calls to area codes he hasn't called in
the past, they get nervous and kill the code in 3 days. I figure
it takes two days for them to find it and one to contact the
customer. Any hack who adheres to the IC's three day rule won't
be bothered by this since they wouldn't have been on the code
longer anyway.
As with any scenario involving the analysis of the telco data
bases, they can and are being beaten by 15 and 16 year old
phreaks daily. Other companies are bound to institute variations
of the protection schemes, all are doomed to failure because they
do not address the real problem. Short of going off line, there
is only one way to stop phreaking, and that boys and girls can be
bought from me. Have no fear, telco's don't pay. They steal or
legislate but they never pay.....unless it's to a phreak.
A word on Metro. I haven't been in close contact with many
hackers lately and I'm a bit out of touch. However, I've heard of
no one getting any codes from Metrophone in the recent future.
The company has either bellied up (unlikely) or they've changed
their format. Sooner or later the news will surface in the
grapevine.