Over the past few years TCP sequence number prediction attacks have become a
real threat against unprotected networks, taking advantage of the inherent
trust relationships present in many network installations. TCP sequence
number prediction attacks have most commonly been implemented by opening a
series of connections to the target host, and attempting to predict the
sequence number which will be used next. Many operating systems have
therefore attempted to solve this problem by implementing a method of
generating sequence numbers in unpredictable fashions. This method does
not solve the problem.
This advisory introduces an alternative method of obtaining the initial
sequence number from some common trusted services. The attack presented here
does not require the attacker to open multiple connections, or flood a port
on the trusted host to complete the attack. The only requirement is that
source routed packets can be injected into the target network with fake
source addresses.
This advisory assumes that the reader already has an understanding of how
TCP sequence number prediction attacks are implemented.
The impact of this advisory is greatly diminished due to the large number of
organizations which block source routed packets and packets with addresses
inside of their networks. Therefore we present the information as more of
a 'heads up' message for the technically inclined, and to re-iterate that
the randomization of TCP sequence numbers is not an effective solution
against this attack.
Technical Details
~~~~~~~~~~~~~~~~~
The problem occurs when particular network daemons accept connections
with source routing enabled, and proceed to disable any source routing
options on the connection. The connection is allowed to continue, however
the reverse route is no longer used. An example attack can launched against
the in.rshd daemon, which on most systems will retrieve the socket options
via getsockopt() and then turn off any dangerous options via setsockopt().
An example attack follows.
Host A is the trusted host
Host B is the target host
Host C is the attacker
Host C initiates a source routed connection to in.rshd on host B, pretending
to be host A.
Host C spoofing Host A <SYN> --> Host B in.rshd
Host B receives the initial SYN packet, creates a new PCB (protocol
control block) and associates the route with the PCB. Host B responds,
using the reverse route, sending back a SYN/ACK with the sequence number.
Host C spoofing Host A <-- <SYN/ACK> Host B in.rshd
Host C responds, still spoofing host A, acknowledging the sequence number.
Source routing options are not required on this packet.
Host C spoofing Host A <ACK> --> Host B in.rshd
We now have an established connection, the accept() call completes, and
control is now passed to the in.rshd daemon. The daemon now does IP
options checking and determines that we have initiated a source routed
connection. The daemon now turns off this option, and any packets sent
thereafter will be sent to the real host A, no longer using the reverse
route which we have specified. Normally this would be safe, however the
attacking host now knows what the next sequence number will be. Knowing
this sequence number, we can now send a spoofed packet without the source
routing options enabled, pretending to originate from Host A, and our
command will be executed.
In some conditions the flooding of a port on the real host A is required
if larger ammounts of data are sent, to prevent the real host A from
responding with an RST. This is not required in most cases when performing
this attack against in.rshd due to the small ammount of data transmitted.
It should be noted that the sequence number is obtained before accept()
has returned and that this cannot be prevented without turning off source
routing in the kernel.
As a side note, we're very lucky that TCP only associates a source route with
a PCB when the initial SYN is received. If it accepted and changed the ip
options at any point during a connection, more exotic attacks may be possible.
These could include hijacking connections across the internet without playing
a man in the middle attack and being able to bypass IP options checking
imposed by daemons using getsockopt(). Luckily *BSD based TCP/IP stacks will
not do this, however it would be interesting to examine other implementations.
Impact
~~~~~~
The impact of this attack is similar to the more complex TCP sequence
number prediction attack, yet it involves fewer steps, and does not require
us to 'guess' the sequence number. This allows an attacker to execute
arbitrary commands as root, depending on the configuration of the target
system. It is required that trust is present here, as an example, the use
of .rhosts or hosts.equiv files.
Solutions
~~~~~~~~~
The ideal solution to this problem is to have any services which rely on
IP based authentication drop the connection completely when initially
detecting that source routed options are present. Network administrators
and users can take precautions to prevent users outside of their network
from taking advantage of this problem. The solutions are hopefully already
either implemented or being implemented.
1. Block any source routed connections into your networks
2. Block any packets with internal based address from entering your network.
Network administrators should be aware that these attacks can easily be
launched from behind filtering routers and firewalls. Internet service
providers and corporations should ensure that internal users cannot launch
the described attacks. The precautions suggested above should be implemented
to protect internal networks.
Example code to correctly process source routed packets is presented here
as an example. Please let us know if there are any problems with it.
This code has been tested on BSD based operating systems.
u_char optbuf[BUFSIZ/3];
int optsize = sizeof(optbuf), ipproto, i;
struct protoent *ip;
if ((ip = getprotobyname("ip")) != NULL)
ipproto = ip->p_proto;
else
ipproto = IPPROTO_IP;
if (!getsockopt(0, ipproto, IP_OPTIONS, (char *)optbuf, &optsize) &&
optsize != 0) {
for (i = 0; i < optsize; ) {
u_char c = optbuf[i];
if (c == IPOPT_LSRR || c == IPOPT_SSRR)
exit(1);
if (c == IPOPT_EOL)
break;
i += (c == IPOPT_NOP) ? 1 : optbuf[i+1];
}
}
One critical concern is in the case where TCP wrappers are being used. If
a user is relying on TCP wrappers, the above fix should be incorporated into
fix_options.c. The problem being that TCP wrappers itself does not close
the connection, however removes the options via setsockopt(). In this case
when control is passed to in.rshd, it will never see any options present,
and the connection will remain open (even if in.rshd has the above patch
incorporated). An option to completely drop source routed connections will
hopefully be provided in the next release of TCP wrappers. The other option
is to undefine KILL_IP_OPTIONS, which appears to be undefined by default.
This passes through IP options and allows the called daemon to handle them
accordingly.
Disabling Source Routing
~~~~~~~~~~~~~~~~~~~~~~~~
We believe the following information to be accurate, however it is not
guaranteed.
--- Cisco
To have the router discard any datagram containing an IP source route option
issue the following command:
no ip source-route
This is a global configuration option.
--- NetBSD
Versions of NetBSD prior to 1.2 did not provide the capability for disabling
source routing. Other versions ship with source routing ENABLED by default.
We do not know of a way to prevent NetBSD from accepting source routed packets.
NetBSD systems, however, can be configured to prevent the forwarding of packets
when acting as a gateway.
To determine whether forwarding of source routed packets is enabled,
issue the following command:
# sysctl net.inet.ip.forwarding
# sysctl net.inet.ip.forwsrcrt
The response will be either 0 or 1, 0 meaning off, and 1 meaning it is on.
Forwarding of source routed packets can be turned off via:
# sysctl -w net.inet.ip.forwsrcrt=0
Forwarding of all packets in general can turned off via:
# sysctl -w net.inet.ip.forwarding=0
--- BSD/OS
BSDI has made a patch availible for rshd, rlogind, tcpd and nfsd. This
patch is availible at:
ftp://ftp.bsdi.com/bsdi/patches/patches-2.1
OR via their patches email server <patches@bsdi.com>
The patch number is
U210-037 (normal version)
D210-037 (domestic version for sites running kerberized version)
BSD/OS 2.1 has source routing disabled by default
Previous versions ship with source routing ENABLED by default. As far as
we know, BSD/OS cannot be configured to drop source routed packets destined
for itself, however can be configured to prevent the forwarding of such
packets when acting as a gateway.
To determine whether forwarding of source routed packets is enabled,
issue the following command:
# sysctl net.inet.ip.forwarding
# sysctl net.inet.ip.forwsrcrt
The response will be either 0 or 1, 0 meaning off, and 1 meaning it is on.
Forwarding of source routed packets can be turned off via:
# sysctl -w net.inet.ip.forwsrcrt=0
Forwarding of all packets in general can turned off via:
# sysctl -w net.inet.ip.forwarding=0
--- OpenBSD
Ships with source routing turned off by default. To determine whether source
routing is enabled, the following command can be issued:
# sysctl net.inet.ip.sourceroute
The response will be either 0 or 1, 0 meaning that source routing is off,
and 1 meaning it is on. If source routing has been turned on, turn off via:
# sysctl -w net.inet.ip.sourceroute=0
This will prevent OpenBSD from forwarding and accepting any source routed
packets.
--- FreeBSD
Ships with source routing turned off by default. To determine whether source
routing is enabled, the following command can be issued:
# sysctl net.inet.ip.sourceroute
The response will be either 0 or 1, 0 meaning that source routing is off,
and 1 meaning it is on. If source routing has been turned on, turn off via:
# sysctl -w net.inet.ip.sourceroute=0
--- Linux
Linux by default has source routing disabled in the kernel.
--- Solaris 2.x
Ships with source routing enabled by default. Solaris 2.5.1 is one of the
few commercial operating systems that does have unpredictable sequence
numbers, which does not help in this attack.
We know of no method to prevent Solaris from accepting source routed
connections, however, Solaris systems acting as gateways can be prevented
from forwarding any source routed packets via the following commands:
# ndd -set /dev/ip ip_forward_src_routed 0
You can prevent forwarding of all packets via:
# ndd -set /dev/ip ip_forwarding 0
These commands can be added to /etc/rc2.d/S69inet to take effect at bootup.
--- SunOS 4.x
We know of no method to prevent SunOS from accepting source routed
connections, however a patch is availible to prevent SunOS systems from
forwarding source routed packets.
This patch is availible at:
ftp://ftp.secnet.com/pub/patches/source-routing-patch.tar.gz
To configure SunOS to prevent forwarding of all packets, the following
command can be issued:
# echo "ip_forwarding/w 0" | adb -k -w /vmunix /dev/mem
# echo "ip_forwarding?w 0" | adb -k -w /vmunix /dev/mem
The first command turns off packet forwarding in /dev/mem, the second in
/vmunix.
--- HP-UX
HP-UX does not appear to have options for configuring an HP-UX system to
prevent accepting or forwarding of source routed packets. HP-UX has IP
forwarding turned on by default and should be turned off if acting as a
firewall. To determine whether IP forwarding is currently on, the following
command can be issued:
# adb /hp-ux
ipforwarding?X <- user input
ipforwarding:
ipforwarding: 1
#
A response of 1 indicates IP forwarding is ON, 0 indicates off. HP-UX can
be configured to prevent the forwarding of any packets via the following
commands:
# adb -w /hp-ux /dev/kmem
ipforwarding/W 0
ipforwarding?W 0
^D
#
--- AIX
AIX cannot be configured to discard source routed packets destined for itself,
however can be configured to prevent the forwarding of source routed packets.
IP forwarding and forwarding of source routed packets specifically can be
turned off under AIX via the following commands:
To turn off forwarding of all packets:
# /usr/sbin/no -o ipforwarding=0
To turn off forwarding of source routed packets:
# /usr/sbin/no -o nonlocsrcroute=0
Note that these commands should be added to /etc/rc.net
If shutting off source routing is not possible and you are still using
services which rely on IP address authentication, they should be disabled
immediately (in.rshd, in.rlogind). in.rlogind is safe if .rhosts and
/etc/hosts.equiv are not used.
Attributions
~~~~~~~~~~~~
Thanks to Niels Provos <provos@physnet.uni-hamburg.de> for providing
the information and details of this attack. You can view his web
site at http://www.physnet.uni-hamburg.de/provos
Thanks to Theo de Raadt, the maintainer of OpenBSD for forwarding this
information to us. More information on OpenBSD can be found at
http://www.openbsd.org
Thanks to Keith Bostic <bostic@bsdi.com> for discussion and a quick
solution for BSD/OS.
Thanks to Brad Powell <brad.powell@west.sun.com> for providing information
for Solaris 2.x and SunOS 4.x operating systems.
Thanks go to CERT and AUSCERT for recommendations in this advisory.
You can contact the author of this advisory at oliver@secnet.com
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.3ia
mQCNAzJATn0AAAEEAJeGbZyoCw14fCoAMeBRKiZ3L6JMbd9f4BtwdtYTwD42/Uz1
A/4UiRJzRLGhARpt1J06NVQEKXQDbejxGIGzAGTcyqUCKH6yNAncqoep3+PKIQJd
Kd23buvbk7yUgyVlqQHDDsW0zMKdlSO7rYByT6zsW0Rv5JmHJh/bLKAOe7p9AAUR
tCVPbGl2ZXIgRnJpZWRyaWNocyA8b2xpdmVyQHNlY25ldC5jb20+iQCVAwUQMkBO
fR/bLKAOe7p9AQEBOAQAkTXiBzf4a31cYYDFmiLWgXq0amQ2lsamdrQohIMEDXe8
45SoGwBzXHVh+gnXCQF2zLxaucKLG3SXPIg+nJWhFczX2Fo97HqdtFmx0Y5IyMgU
qRgK/j8KyJRdVliM1IkX8rf3Bn+ha3xn0yrWlTZMF9nL7iVPBsmgyMOuXwZ7ZB8=
=xq4f
-----END PGP PUBLIC KEY BLOCK-----
Copyright Notice
~~~~~~~~~~~~~~~~
The contents of this advisory are Copyright (C) 1997 Secure Networks Inc,
and may be distributed freely provided that no fee is charged for
distribution, and that proper credit is given.
You can find Secure Networks papers at ftp://ftp.secnet.com/pub/papers
and advisories at ftp://ftp.secnet.com/advisories
You can browse our web site at http://www.secnet.com
You can subscribe to our security advisory mailing list by sending mail to
majordomo@secnet.com with the line "subscribe sni-advisories"
Source:
CODE
http://www.extrememhz.com/dlcomp-p1.shtml
Since the introduction of double layer DVD writers, the interest has been quite overwhelming and is why we keep bringing you reviews of these highly popular drives. The anticipation has now turned into down right obsession and it has become a key component in any current or new system build, thanks to the declining prices and continued media hype. Manufacturers are quite aware of the fascination and is why they have each been releasing their own products which excel in at least one area of the testing methodology used in most reviews. This has led to some confusion as to which drive is best suited for the individuals needs. Today, we compare four 16x double layer drives and highlight both the strong and weak points in order to give you a better idea of which drive is best suited for you.
In this comparison guide, we will be looking at four of the top 16x drives to hit the market, the Pioneer DVR-108, NEC ND3500A, Lite-On SOHW-1633s and the new LG GSA-4160B. We will cover everything from design and features to performance and price. Let's begin with a quick look at each of these drives.
As far as the front bezel design goes, the LG-GSA4160B is by far the most attractive drive of the bunch. However, for those who are looking for a headphone jack, the Lite-On drive is the only DL writer offering a headphone jack, as well as volume control. The Pioneer and NEC drives, in my opinion, are the ugliest drives, with a very plain look that just wants to make you hide the drive period. Although we only obtained the 4160B in black, all these drives are offered with both white and black bezels. If you opt for the more expensive Pioneer "XL" model, it has the most impressive looks of any drive in the market. However, this will come at a very hefty price tag, considering they contain different firmware as well that offer a few extra features.
So, we have determined which is the sexiest-looking drive, but what about performance? I've done some extensive testing on each model to determine which is indeed the most impressive of the bunch. But before we show you performance results, let's briefly look at the features and what they have to offer.
Features
Each one of these drives has there disappointments when it comes to features. Let's compare each to see what they really offer.
DVD Writing
DVD+R DVD-R DVD+RW DVD-RW
LG GSA-4160B 16x 8x 4x 4x
Lite-On SOHW-1633s 16x 8x 4x 4x
NEC ND-3500A 16x 16x 4x 4x
Pioneer DVR-108 16x 16x 4x 4x
While all these drives are indeed 16x models, only two will write to both formats at this speed. The LG GSA-4160B and the Lite-On SOHW-1633s only support 8x DVD-R writing. So if you are one who only prefers this format, the NEC or Pioneer would be the best choice. All of these drives support writing to DVD re-writable media at 4x.
DVD+R9 Double Layer Writing
Write Speed
LG GSA-4160B 2.4x
Lite-On SOHW-1633s 2.4x
NEC ND-3500A 4x
Pioneer DVR-108 4x
The major disappointment with both the LG and the Lite-On 16x drives is the lack of 4x double layer writing support. Pioneer and NEC seem to be the only manufacturers to jump in and release second generation double layer drives supporting much faster 4x writing. In fact, the jump from 2.4x to 4x is quite substantial as we will show you a bit later in this comparison.
DVD-RAM Support
Supported Read Write
LG GSA-4160B YES 5x 5x
Lite-On SOHW-1633s NO NO NO
NEC ND-3500A NO NO NO
Pioneer DVR-108 YES 2x NO
Now this is where both the LG GSA-4120B and GSA-4160B shine above the rest. In fact, it is what has made these drives the most popular DVD writers on the market. Unlike the rest in the roundup, it is a triple format burner, offering full support for DVD-RAM media. The other drives do not support it, with the exception of the Pioneer DVR-108 which supports reading of DVD-RAM discs at 2x. I personally don't see the point in offering only read capabilities, but it's at least one extra feature added to distinguish it from the rest. Fast 5x support of the LG GSA-4160 will actually be tested a bit later in this article.
CDR Writing
CDR CDRW
LG GSA-4160B 40x 24x
Lite-On SOHW-1633s 48x 24x
NEC ND-3500A 48x 24x
Pioneer DVR-108 32x 24x
The fastest CDR writers of the bunch are the Lite-On SOHW-1633s and the NEC ND-3500A. With their support for 48x writing, they make a great all-in-one drive for many users. The only drive lacking in this lineup is the Pioneer DVR-108. Why they opted for only 32x writing is still quite puzzling and is actually why I have found that many are choosing the NEC over the Pioneer. The LG GSA-4160B should not be left out of consideration though. We will show you later that the difference in write times between 40x and 48x is not much to brag about.
Bitsetting Support
One feature I've found that is most important for many users is bitsetting support. Let's compare these drives and see what they offer.
DVD+R/RW Support DVD+R DL Support
LG GSA-4160B NO NO
Lite-On SOHW-1633s YES NO
NEC ND-3500A NO YES
Pioneer DVR-108 NO YES
The LG GSA-4160B does not offer bitsetting support out of the box. However, it is very likely that you will be able to obtain support through an excellent third-party tool called DVDInfo Pro. Right now, they only support the GSA-4120B, but I'm confident with the author that support for this drive will be likely. LG firmware is very hard to hack, however some select few have been able to do so. Using Lite-On's booktype utility, you can change the booktype of DVD+R/RW media, however, the firmware does not automatically change booktype of DVD+R DL discs to DVD-ROM like the NEC and Pioneer models do.
Additional Features
As far as other features go, all these drives have a 2MB buffer but offer some sort of buffer under-run protection, which all work exceptionally well. This is especially useful if you will be burning discs at 16x, which I personally don't recommend just yet. As our individual tests of these drives revealed, burning at this speed is quite unstable, with the exception of the Lite-On SOHW-1633s.
Zen and the Art of Fone Phreaking `97
bi: CbeRpHreAk and DTMF of 4matt producti0nz
b4 i get started, just remember i did not rite this phile
so you people can learn preform telecommunications fraud!
contrary to popular beleafs phreaking is still an art form.
phreaking is a form of intelectual advancement. is just like
hacking, if u think of it this way: when hacking you type
certain commands in phreaking, you play certain MHz tones.
blue boxing is just like gaining r00t access of a unix sys.
by gaining r00t access you be come the 'system operator'.
the blue box utelizes 'system operator' tones. see what i'm sayn?
just cuz phreaking is intelectual it dousnt mean it cant be fun.
_`'-.,_,.-'`_`'-.,_,.-> [ definitions ] <-.,_,.-'`_`'-.,_,.-'`_
Phreak ["free"k] Verb--1. The act of "Phreaking"
2. The act of making telephone calls without paying money
[the word phreak is a combination of phone, freak, and free]
Phreaker ["free"-k-er] Noun--1. One who engages in the act of
"Phreaking" 2.One who makes telephone calls without paying
money
_`'-.,_,.-'`_`'-.,_,.-> [fone systems in the world today] <-.,_,.-'`_`'-.,_,.-'`_
[1] Step by Step
[2] Crossbar
[3] ESS Electronic Switching System
Step by Step
~~~~~~~~~~
First switching system used in America, adopted in 1918 and until
1978 Bell had over 53% of all exchanges using Step by Step [SxS].
A long,and confusing train of switches is used for SxS switching.
[> Disadvantages <]
[A] The switch train may become jammed : Blocking call.
[B] No DTMF [Dual-Tone Multi-Frequency]["Touch-tone"].
[C] Much maintanance and much electricity.[0;36;40m
[D] Everything is hardwired
+> Identification<+
[A] No pulsing digits after dialing or DTMF.
[B] Phone Company sounds like many typewriters.
[C] No: Speed calling, Call forwarding, and other services.
[D] Pay-phone wants money first before dial-tone.
Crossbar
~~~~~~~
Crossbar has been Bell's primary switcher after 1960. Three
types of Crossbar switching exist: Number 1 Crossbar [1XB],
Number 4 Crossbar [4XB], and Number 5 Crossbar [5XB]. A
switching matrix is used for all the phones in an area.When
someone calls, the route is determined and is met up with the
othr fone.The matrix is set-up in horizontal and vertical paths.
There are no definite distinguishing features of Crossbar
switching.
ESS
~~~
ESS is the big brother of the Bell family. Its very name strikes
fear and apprehension into the hearts of most who have this
knowlege, for a good reason. ESS [electronic switching System]
knows the full story on every telephone hooked into it. While
it may be paranoid to say that all telecomunications loop holes
may come to a screeching hault under ESS, it is certainly
realistic to think that everyone must be a little more careful
under ESS. Heres why:
With ESS, every single digit dialed is recorded. This is useful
not only for nailing telecomunications frauders but settling
billing disputes. In the past, there has been no easy way for
the phone company to show you what numbers you have dialed locally.
If you protested long enough, and loud enough, they might have put
a pen register on your line to record everything and prove it to
you. Under ESS, the actual printout [which will be dragged out of
of a vault somewhere if needed] shows every last digit you dialed,
Every 800 call, every directory assistance, repair service, the
operator, every rendation of the 1812 overture, everything! Here
is a typical example of an ESS print out, which shows time of
connect, and a number called:
DATE TIME LENGTH UNITS NUMBER NOTE
---- ---- ------ ----- ------ ----
0403 1517 3 1 264-9021 none
0403 1523 5 3 576-1303 H,P,V,C,A
0403 1600 1 0 800-555-1212 none
0403 1612 10 2.25* 716-221-3184 none
0403 01629 1 0 000-000-0000 O
[TSPS]
Now your probally asking, "What are those letters under
"NOTE?" Well, those letters stand for cretain words or
phrases that the Telco/phone company serches for. For
instance: O may stand for Overthrow. From here on, every
time you dial that number, the ESS may tap the line! And
this IS Legal! It is legal because they may think you are
planning to "Overthrow" the Government or something!
You never know.
A thousand calls to "800" will show up on the Ess print out.
Every touch tone or pulse is kept track off along with every
foreign signal. A traffic engineer did an exhausting study of 800 calls
over the past few years and came to these conclusions:
1] Legit made calls to 800 numbers last up to an average
of three minutes or less. Of the illegal calls via 800
lines, more than 80% lasted 5 minutes or longer.
2] The average residential telephone subscriber dials five
calls per month to an 800 number. Persons making illegal
calls via 800 numbers average significantly higher number.
Under ESS, one simply does not place a 2600 MHz on the line,
unless of course, they want a Telco security representative
and a FBI/Police man at their door with in the hour!
Tracing calls, for reasons such as fraud or abusive calls, is done
from a computer terminal in a security department. Within Ess,
nothing is hidden or concealed in electromechanical frames, etc.
It is merely a software program designed for ease in operation by the
Telco. Call tracing has become very sophisticated and immediate.
There is no more "running in the frames" or looking for long periods
of time. ROM Chips in ESS computers work quickly. That's what ESS
is all about.
Minimizing telecommunications fraud is not the only reason for ESS,
but is a very important one. The first and foremost reason for the
ESS is to provide the Teleco with better control on billing and
equipment records, faster handling of calls [i.e. less equipment
tied up in the office at one time], and to help agencies such as
the F.B.I. keep better account of who was calling who from where.
When the F.B.I. finds out that someone who's calls they want to trace
is on an ESS exchange, they are thrilled because it is so much easier
for them to trace.
The United States won't be 100% ESS until sometime around 2010.
But, in real practice, phone offices in almost every city, are getting
some of the basic modifications brought about by ESS. "911" service
is an ESS function. So is ANI [ Automatic Number Identification] on
long distance calls. "Dial Tone First" payphones are also an ESS
function. None of these things were available prior to ESS. The
amount of pure fraud calling via bogess calling card numbers,
third party dialing, colored boxing, etc. on the ESS lines led to
the decision to rapidly install the ANI, for example, even if the
rest of the ESS was several years away in some cases.
Depending on how you you choose to look at the whole concept of ESS,
it can be either one of the most advantageous inventions of all time,
or one of the terrifying. The system is good for consumers in that
it can take a lot of activity and do lots of things that older
systems could never do. Features such as direct dialing overseas,
call forwarding, and call holding are steps forward without question.
But at the same time, what do all of the nasty implications mentioned
further back mean to the average person on the sidewalk? This system
is perfectly capable of monitoring anyone , not just telecommunication
frauders. What would happen if the nice, friendly government we have
somehow got overthrown and a mean nasty one took its place? With ESS,
they wouldn't have to do much work, just come up with some new software.
Imagine a phone system that could tell authorities how many calls you
placed to certain types of people: i.e. African Americans, Hispanics,
Communists, known Anacharists, laundromat service employees....ESS
could do it if so programmed.
_`'-.,_,.-'`_`'-.,_,.-> [ History of the Art of phreaking ] <-.,_,.-'`_`'-.,_,.-'`_
the age of blue boxing began, not with a bang, but with a whistle. In
1972,a man named John Draper, a slightly scraggly engineer at a national
semiconductor, found a small blue whistle in a box of "Captain Crunch"
Cereal. The whistle was deformed and had an odd extra hole. Draper found
that when the regular hole was covered the whistle created a perfect 2600hz
cycle. Draper, who now refers to himself as "Cap'n Crunch", toyed with the
whistle until he created his first basic PCI-Board construction of the Blue box.
After receiving a university file which contained information on all operator
tones, the Cap'n created the new version of the blue box which utilizes all
operator tones.
_`'-.,_,.-'`_`'-.,_,.-> [ Colored Boxing ] <-.,_,.-'`_`'-.,_,.-'`_
The bulk of phreaking was (and still is to some extent) committed
by a technological piece known as a colored box. Most colored boxes
function by using certain Megahurtz tones/ combinations of Megahurtz
tones . The next section gives a list and short description of all colored boxes.
What is a Red Box?
When a coin is inserted into a payphone, the payphone emits a set of
tones to ACTS (Automated Coin Toll System). Red boxes work by fooling
ACTS into believing you have actually put money into the phone. The
red box simply plays the ACTS tones into the telephone microphone.
ACTS hears those tones, and allows you to place your call. The actual
tones are:
Nickel Signal 1700+2200hz 0.060s on
Dime Signal 1700+2200hz 0.060s on, 0.060s off, twice repeating
Quarter Signal 1700+2200hz 33ms on, 33ms off, 5 times repeating
Canada uses a variant of ACTSD called N-ACTS. N-ACTS uses different
tones than ACTS. In Canada, the tones to use are:
Nickel Signal 2200hz 0.060s on
Dime Signal 2200hz 0.060s on, 0.060s off, twice repeating
Quarter Signal 2200hz 33ms on, 33ms off, 5 times repeating
How do I build a Red Box?
Red boxes are commonly manufactured from modified Radio Shack tone
dialers, Hallmark greeting cards, or made from scratch from readily
available electronic components.
To make a Red Box from a Radio Shack 43-141 or 43-146 tone dialer, open
the dialer and replace the crystal with a new one. The purpose of the
new crystal is to cause the * button on your tone dialer to create a
1700Mhz and 2200Mhz tone instead of the original 941Mhz and 1209Mhz
tones. The exact value of the replacement crystal should be 6.466806 to
create a perfect 1700Mhz tone and 6.513698 to create a perfect 2200mhz
tone. A crystal close to those values will create a tone that easily
falls within the loose tolerances of ACTS. The most popular choice is
the 6.5536Mhz crystal, because it is the easiest to procure. The old
crystal is the large shiny metal component labeled "3.579545Mhz." When
you are finished replacing the crystal, program the P1 button with five
*'s. That will simulate a quarter tone each time you press P1.
Where can I get a 6.5536Mhz crystal?
Your best bet is a local electronics store. Radio Shack sells them, but
they are overpriced and the store must order them in. This takes
approximately two weeks. In addition, many Radio Shack employees do not
know that this can be done.
Or, you could order the crystal mail order. This introduces Shipping
and Handling charges, which are usually much greater than the price of
the crystal. It's best to get several people together to share the S&H
cost. Or, buy five or six yourself and sell them later. Some of the
places you can order crystals are:
Digi-Key
701 Brooks Avenue South
P.O. Box 677
Thief River Falls, MN 56701-0677
(800)344-4539
Part Number:X415-ND /* Note: 6.500Mhz and only .197 x .433 x .149! *\
Part Number:X018-ND
JDR Microdevices:
2233 Branham Lane
San Jose, CA 95124
(800)538-5000
Part Number: 6.5536MHZ
Tandy Express Order Marketing
401 NE 38th Street
Fort Worth, TX 76106
(800)241-8742
Part Number: 10068625
Alltronics
2300 Zanker Road
San Jose CA 95131
(408)943-9774 Voice
(408)943-9776 Fax
(408)943-0622 BBS
Part Number: 92A057
Mouser
(800)346-6873
Part Number: 332-1066
Blue Saguaro
P.O. Box 37061
Tucson, AZ 85740
Part Number: 1458b
Unicorn Electronics
10000 Canoga Ave, Unit c-2
Chatsworth, CA 91311
Phone: 1-800-824-3432
Part Number: CR6.5
Which payphones will a Red Box work on?
Red Boxes will work on telco owned payphones, but not on COCOT's
COCOT is an acronym for Customer Owned Coin Operated Telephones.
COCOT's are the payphones that you see in front/inside of restraunts
that don't dial directly into the ESS, they first dial into the
operating phone system of the store/restraunt in which it is located.
Red boxes work by fooling ACTS (Automated Coin Toll System) into
believing you have put money into the pay phone. ACTS is the
telephone company software responsible for saying "Please deposit XX
cents" and listening for the coins being deposited.
COCOT's do not use ACTS. On a COCOT, the pay phone itself is
responsible for determining what coins have been inserted.
How do I make local calls with a Red Box?
Payphones do not use ACTS for local calls. To use your red box for
local calls, you have to fool ACTS into getting involved in the call.
One way to do this, in some areas, is by dialing 10288-xxx-xxxx. This
makes your call a long distance call, and brings ACTS into the
picture.
In other areas, you can call Directory Assistance and ask for the
number of the person you are trying to reach. The operator will give
you the number and then you will hear a message similar to "Your call
can be completed automatically for an additional 35 cents." When this
happens, you can then use ACTS tones.
What is a Blue Box?
Blue boxes use a 2600hz tone to size control of telephone switches
that use in-band signaling. The caller may then access special
switch functions, with the usual purpose of making free long distance
phone calls, using the tones provided by the Blue Box.
Do Blue Boxes still work?
This FAQ answer is excerpted from a message posted to Usenet by
Marauder of the Legion of Doom:
Somewhere along the line I have seen reference to something
similar to "Because of ESS Blue boxing is impossible". This is
incorrect. When I lived in Connecticut I was able to blue box
under Step by Step, #1AESS, and DMS-100. The reason is simple,
even though I was initiating my call to an 800 number from a
different exchange (Class 5 office, aka Central Office) in each
case, when the 800 call was routed to the toll network it would
route through the New Haven #5 Crossbar toll Tandem office. It
just so happens that the trunks between the class 5 (CO's) and
the class 4 (toll office, in this case New Haven #5 Xbar),
utilized in-band (MF) signalling, so regardless of what I
dialed, as long as it was an Inter-Lata call, my call would
route through this particular set of trunks, and I could Blue
box until I was blue in the face. The originating Central
Offices switch (SXS/ESS/Etc..) had little effect on my ability
to box at all. While the advent of ESS (and other electronic
switches) has made the blue boxers task a bit more difficult,
ESS is not the reason most of you are unable to blue box. The
main culprit is the "forward audio mute" feature of CCIS (out of
band signalling). Unfortunately for the boxer 99% of the Toll
Completion centers communicate using CCIS links, This spells
disaster for the blue boxer since most of you must dial out of
your local area to find trunks that utilize MF signalling, you
inevitably cross a portion of the network that is CCIS equipped,
you find an exchange that you blow 2600hz at, you are rewarded
with a nice "winkstart", and no matter what MF tones you send at
it, you meet with a re-order. This is because as soon as you
seized the trunk (your application of 2600hz), your Originating
Toll Office sees this as a loss of supervision at the
destination, and Mutes any further audio from being passed to
the destination (ie: your waiting trunk!). You meet with a
reorder because the waiting trunk never "hears" any of the MF
tones you are sending, and it times out. So for the clever
amongst you, you must somehow get yourself to the 1000's of
trunks out there that still utilize MF signalling but
bypass/disable the CCIS audio mute problem. (Hint: Take a close
look at WATS extenders).
What is a Black Box?
A Black Box is a resistor (and often capacitor in parallel) placed in
series across your phone line to cause the phone company equipment to be
unable to detect that you have answered your telephone. People who call
you will then not be billed for the telephone call. Black boxes do not
work under ESS.
What do all the colored boxes do?
Acrylic Steal Three-Way-Calling, Call Waiting and programmable
Call Forwarding on old 4-wire phone systems
Aqua Drain the voltage of the FBI lock-in-trace/trap-trace
Beige Lineman's hand set
Black Allows the calling party to not be billed for the call
placed
Blast Phone microphone amplifier
Blotto Supposedly shorts every phone out in the immediate area
Blue Emulate a true operator by seizing a trunk with a 2600hz
tone
Brown Create a party line from 2 phone lines
Bud Tap into your neighbors phone line
Chartreuse Use the electricity from your phone line
Cheese Connect two phones to create a diverter
Chrome Manipulate Traffic Signals by Remote Control
Clear A telephone pickup coil and a small amp used to make free
calls on Fortress Phones
Color Line activated telephone recorder
Copper Cause crosstalk interference on an extender
Crimson Hold button
Dark Re-route outgoing or incoming calls to another phone
Dayglo Connect to your neighbors phone line
Diverter Re-route outgoing or incoming calls to another phone
DLOC Create a party line from 2 phone lines
Gold Dialout router
Green Emulate the Coin Collect, Coin Return, and Ringback tones
Infinity Remotely activated phone tap
Jack Touch-Tone key pad
Light In-use light
Lunch AM transmitter
Magenta Connect a remote phone line to another remote phone line
Mauve Phone tap without cutting into a line
Neon External microphone
Noise Create line noise
Olive External ringer
Party Create a party line from 2 phone lines
Pearl Tone generator
Pink Create a party line from 2 phone lines
Purple Telephone hold button
Rainbow Kill a trace by putting 120v into the phone line (joke)
Razz Tap into your neighbors phone
Red Make free phone calls from pay phones by generating
quarter tones
Rock Add music to your phone line
Scarlet Cause a neighbors phone line to have poor reception
Silver Create the DTMF tones for A, B, C and D
Static Keep the voltage on a phone line high
Switch Add hold, indicator lights, conferencing, etc..
Tan Line activated telephone recorder
Tron Reverse the phase of power to your house, causing your
electric meter to run slower
TV Cable "See" sound waves on your TV
Urine Create a capacitative disturbance between the ring and
tip wires in another's telephone headset
Violet Keep a payphone from hanging up
White Portable DTMF keypad
Xero Portable silver box
Yellow Add an extension phone
What is an ANAC number?
An ANAC (Automatic Number Announcement Circuit) number is a telephone
number that plays back the number of the telephone that called it. ANAC
numbers are convenient if you want to know the telephone number of a pair
of wires.
What is the ANAC number for my area?
How to find your ANAC number:
Look up your NPA (Area Code) and try the number listed for it. If that
fails, try 1 plus the number listed for it. If that fails, try the common
numbers like 311, 958 and 200-222-2222. If you find the ANAC number for
your area, please let us know.
Note that many times the ANAC number will vary for different switches insame city. The geographic naming on the list is not intended to be an
accurate reference for coverage patterns, it is for convenience only.
Many companies operate 800 number services which will read back to you the
number from which you are calling. Many of these require navigating a
series of menus to get the phone number you are looking for.
(800)238-4959 A voice mail system
(800)328-2630 A phone sex line
(800)568-3197 Info Access Telephone Company's Automated Blocking Line
(800)571-8859 A phone sex line
(800)692-6447 (800)MY-ANI-IS
(800)455-3256 Unknown
An non-800 ANAC that works nationwide is 404-988-9664. The one catch with
this number is that it must be dialed with the AT&T Carrier Access Code
10732.
Another non-800 nationwide ANAC is Glen Robert of Full Disclosure
Magazine's number, 10555-1-708-356-9646.
Please use local ANAC numbers if you can, as abuse or overuse kills 800
ANAC numbers.
NPA ANAC number Geographic area
--- --------------- ---------------------------------------------
201 958 Hackensack/Jersey City/Newark/Paterson, NJ
202 811 District of Columbia
203 970 CT
205 300-222-2222 Birmingham, AL
205 300-555-5555 Many small towns in AL
205 300-648-1111 Dora, AL
205 300-765-4321 Bessemer, AL
205 300-798-1111 Forestdale, AL
205 300-833-3333 Birmingham
205 557-2311 Birmingham, AL
205 811 Pell City/Cropwell/Lincoln, AL
205 841-1111 Tarrant, AL
205 908-222-2222 Birmingham, AL
206 411 WA (Not US West)
207 958 ME
209 830-2121 Stockton, CA
209 211-9779 Stockton, CA
210 830 Brownsville/Laredo/San Antonio, TX
212 958 Manhattan, NY
213 114 Los Angeles, CA (GTE)
213 1223 Los Angeles, CA (Some 1AESS switches)
213 211-2345 Los Angeles, CA (English response)
213 211-2346 Los Angeles, CA (DTMF response)
213 760-2??? Los Angeles, CA (DMS switches)
213 61056 Los Angeles, CA
214 570 Dallas, TX
214 790 Dallas, TX (GTE)
214 970-222-2222 Dallas, TX
214 970-611-1111 Dallas, TX (Southwestern Bell)
215 410-xxxx Philadelphia, PA
215 511 Philadelphia, PA
215 958 Philadelphia, PA
216 200-XXXX Akron/Canton/Cleveland/Lorain/Youngstown, OH
216 331 Akron/Canton/Cleveland/Lorain/Youngstown, OH
216 959-9892 Akron/Canton/Cleveland/Lorain/Youngstown, OH
217 200-xxx-xxxx Champaign-Urbana/Springfield, IL
219 550 Gary/Hammond/Michigan City/Southbend, IN
219 559 Gary/Hammond/Michigan City/Southbend, IN
301 958-9968 Hagerstown/Rockville, MD
310 114 Long Beach, CA (On many GTE switches)
310 1223 Long Beach, CA (Some 1AESS switches)
310 211-2345 Long Beach, CA (English response)
310 211-2346 Long Beach, CA (DTMF response)
312 200 Chicago, IL
312 290 Chicago, IL
312 1-200-8825 Chicago, IL (Last four change rapidly)
312 1-200-555-1212 Chicago, IL
313 200-200-2002 Ann Arbor/Dearborn/Detroit, MI
313 200-222-2222 Ann Arbor/Dearborn/Detroit, MI
313 200-xxx-xxxx Ann Arbor/Dearborn/Detroit, MI
313 200200200200200 Ann Arbor/Dearborn/Detroit, MI
314 410-xxxx# Columbia/Jefferson City/St.Louis, MO
315 953 Syracuse/Utica, NY
315 958 Syracuse/Utica, NY
315 998 Syracuse/Utica, NY
317 310-222-2222 Indianapolis/Kokomo, IN
317 559-222-2222 Indianapolis/Kokomo, IN
317 743-1218 Indianapolis/Kokomo, IN
334 5572411 Montgomery, AL
334 5572311 Montgomery, AL
401 200-200-4444 RI
401 222-2222 RI
402 311 Lincoln, NE
404 311 Atlanta, GA
404 940-xxx-xxxx Atlanta, GA
404 990 Atlanta, GA
405 890-7777777 Enid/Oklahoma City, OK
405 897 Enid/Oklahoma City, OK
407 200-222-2222 Orlando/West Palm Beach, FL
408 300-xxx-xxxx San Jose, CA
408 760 San Jose, CA
408 940 San Jose, CA
409 951 Beaumont/Galveston, TX
409 970-xxxx Beaumont/Galveston, TX
410 200-6969 Annapolis/Baltimore, MD
410 200-555-1212 Annapolis/Baltimore, MD
410 811 Annapolis/Baltimore, MD
412 711-6633 Pittsburgh, PA
412 711-4411 Pittsburgh, PA
412 999-xxxx Pittsburgh, PA
413 958 Pittsfield/Springfield, MA
413 200-555-5555 Pittsfield/Springfield, MA
414 330-2234 Fond du Lac/Green Bay/Milwaukee/Racine, WI
415 200-555-1212 San Francisco, CA
415 211-2111 San Francisco, CA
415 2222 San Francisco, CA
415 640 San Francisco, CA
415 760-2878 San Francisco, CA
415 7600-2222 San Francisco, CA
419 311 Toledo, OH
502 2002222222 Frankfort/Louisville/Paducah/Shelbyville, KY
502 997-555-1212 Frankfort/Louisville/Paducah/Shelbyville, KY
503 611 Portland, OR
503 999 Portland, OR (GTE)
504 99882233 Baton Rouge/New Orleans, LA
504 201-269-1111 Baton Rouge/New Orleans, LA
504 998 Baton Rouge/New Orleans, LA
504 99851-0000000000 Baton Rouge/New Orleans, LA
508 958 Fall River/New Bedford/Worchester, MA
508 200-222-1234 Fall River/New Bedford/Worchester, MA
508 200-222-2222 Fall River/New Bedford/Worchester, MA
508 26011 Fall River/New Bedford/Worchester, MA
509 560 Spokane/Walla Walla/Yakima, WA
510 760-1111 Oakland, CA
512 830 Austin/Corpus Christi, TX
512 970-xxxx Austin/Corpus Christi, TX
515 5463 Des Moines, IA
515 811 Des Moines, IA
516 958 Hempstead/Long Island, NY
516 968 Hempstead/Long Island, NY
517 200-222-2222 Bay City/Jackson/Lansing, MI
517 200200200200200 Bay City/Jackson/Lansing, MI
518 511 Albany/Schenectady/Troy, NY
518 997 Albany/Schenectady/Troy, NY
518 998 Albany/Schenectady/Troy, NY
603 200-222-2222 NH
606 997-555-1212 Ashland/Winchester, KY
606 711 Ashland/Winchester, KY
607 993 Binghamton/Elmira, NY
609 958 Atlantic City/Camden/Trenton/Vineland, NJ
610 958 Allentown/Reading, PA
610 958-4100 Allentown/Reading, PA
612 511 Minneapolis/St.Paul, MN
614 200 Columbus/Steubenville, OH
614 571 Columbus/Steubenville, OH
615 200200200200200 Chatanooga/Knoxville/Nashville, TN
615 2002222222 Chatanooga/Knoxville/Nashville, TN
615 830 Nashville, TN
616 200-222-2222 Battle Creek/Grand Rapids/Kalamazoo, MI
617 200-222-1234 Boston, MA
617 200-222-2222 Boston, MA
617 200-444-4444 Boston, MA (Woburn, MA)
617 220-2622 Boston, MA
617 958 Boston, MA
618 200-xxx-xxxx Alton/Cairo/Mt.Vernon, IL
618 930 Alton/Cairo/Mt.Vernon, IL
619 211-2001 San Diego, CA
619 211-2121 San Diego, CA
703 811 Alexandria/Arlington/Roanoke, VA
704 311 Asheville/Charlotte, NC
707 211-2222 Eureka, CA
708 1-200-555-1212 Chicago/Elgin, IL
708 1-200-8825 Chicago/Elgin, IL (Last four change rapidly)
708 200-6153 Chicago/Elgin, IL
708 724-9951 Chicago/Elgin, IL
708 356-9646 Chicago/Elgin, IL
713 380 Houston, TX
713 970-xxxx Houston, TX
713 811 Humble, TX
714 114 Anaheim, CA (GTE)
714 211-2121 Anaheim, CA (PacBell)
714 211-2222 Anaheim, CA (Pacbell)
716 511 Buffalo/Niagara Falls/Rochester, NY (Rochester Tel)
716 990 Buffalo/Niagara Falls/Rochester, NY (Rochester Tel)
717 958 Harrisburg/Scranton/Wilkes-Barre, PA
718 958 Bronx/Brooklyn/Queens/Staten Island, NY
802 2-222-222-2222 Vermont
802 200-222-2222 Vermont
802 1-700-222-2222 Vermont
802 111-2222 Vermont
805 114 Bakersfield/Santa Barbara, CA
805 211-2345 Bakersfield/Santa Barbara, CA
805 211-2346 Bakersfield/Santa Barbara, CA (Returns DTMF)
805 830 Bakersfield/Santa Barbara, CA
806 970-xxxx Amarillo/Lubbock, TX
810 200200200200200 Flint/Pontiac/Southfield/Troy, MI
812 410-555-1212 Evansville, IN
813 311 Ft. Meyers/St. Petersburg/Tampa, FL
815 200-xxx-xxxx La Salle/Rockford, IL
815 290 La Salle/Rockford, IL
817 211 Ft. Worth/Waco, TX
817 970-611-1111 Ft. Worth/Waco, TX (Southwestern Bell)
818 1223 Pasadena, CA (Some 1AESS switches)
818 211-2345 Pasadena, CA (English response)
818 211-2346 Pasadena, CA (DTMF response)
903 970-611-1111 Tyler, TX
904 200-222-222 Jackonsville/Pensacola/Tallahasee, FL
906 1-200-222-2222 Marquette/Sault Ste. Marie, MI
907 811 AK (All)
908 958 New Brunswick, NJ
910 200 Fayetteville/Greensboro/Raleigh/Winston-Salem, NC
910 311 Fayetteville/Greensboro/Raleigh/Winston-Salem, NC
910 988 Fayetteville/Greensboro/Raleigh/Winston-Salem, NC
914 990-1111 Peekskill/Poughkeepsie/White Plains/Yonkers, NY
915 970-xxxx Abilene/El Paso, TX
916 211-2222 Sacramento, CA (Pac Bell)
916 461 Sacramento, CA (Roseville Telepohone)
919 200 Durham, NC
919 711 Durham, NC
Canada:
204 644-4444 Manitoba
306 115 Saskatchewan, Canada
403 311 Alberta, Yukon and N.W. Territory
403 908-222-2222 Alberta, Yukon and N.W. Territory
403 999 Alberta, Yukon and N.W. Territory
416 997-xxxx Toronto, Ontario
506 1-555-1313 New Brunswick
514 320-xxxx Montreal, Quebec
519 320-xxxx London, Ontario
604 1116 British Columbia, Canada
604 1211 British Columbia, Canada
604 211 British Columbia, Canada
613 320-2232 Ottawa, Ontario
705 320-4567 North Bay/Saulte Ste. Marie, Ontario
Australia:
+61 03-552-4111 Victoria 03 area
+612 19123 All major capital cities
+612 11544
United Kingdom:
175
Israel:
110
What is a ringback number?
A ringback number is a number that you call that will immediately ring the
telephone from which it was called.
In most instances you must call the ringback number, quickly hang up the
phone for just a short moment and then let up on the switch, you will then
go back off hook and hear a different tone. You may then hang up. You will
be called back seconds later.
What is the ringback number for my area?
An 'x' means insert those numbers from the phone number from which you are
calling. A '?' means that the number varies from switch to switch in the
area, or changes from time to time. Try all possible combinations.
If the ringback for your NPA is not listed, try common ones such as
951-xxx-xxxx, 954, 957 and 958. Also, try using the numbers listed for
other NPA's served by your telephone company.
Note: These geographic areas are for reference purposes only. Ringback
numbers may vary from switch to switch within the same city.
NPA Ringback number Approximate Geographic area
--- --------------- ---------------------------------------------
201 55?-xxxx Hackensack/Jersey City/Newark/Paterson, NJ
202 958-xxxx District of Columbia
203 99?-xxxx CT
206 571-xxxx WA
208 99xxx-xxxx ID
213 1-95x-xxxx Los Angeles, CA
215 811-xxxx Philadelphia, PA
216 551-xxxx Akron/Canton/Cleveland/Lorain/Youngstown, OH
219 571-xxx-xxxx Gary/Hammond/Michigan City/Southbend, IN
219 777-xxx-xxxx Gary/Hammond/Michigan City/Southbend, IN
301 579-xxxx Hagerstown/Rockville, MD
301 958-xxxx Hagerstown/Rockville, MD
303 99X-xxxx Grand Junction, CO
304 998-xxxx WV
305 999-xxxx Ft. Lauderdale/Key West/Miami, FL
312 511-xxxx Chicago, IL
312 511-xxx-xxxx Chicago, IL
312 57?-xxxx Chicago, IL
315 98x-xxxx Syracuse/Utica, NY
317 777-xxxx Indianapolis/Kokomo, IN
317 yyy-xxxx Indianapolis/Kokomo, IN (y=3rd digit of phone number)
319 79x-xxxx Davenport/Dubuque, Iowa
334 901-xxxx Montgomery, AL
401 98?-xxxx RI
404 450-xxxx Atlanta, GA
407 988-xxxx Orlando/West Palm Beach, FL
412 985-xxxx Pittsburgh, PA
414 977-xxxx Fond du Lac/Green Bay/Milwaukee/Racine, WI
414 978-xxxx Fond du Lac/Green Bay/Milwaukee/Racine, WI
415 350-xxxx San Francisco, CA
417 551-xxxx Joplin/Springfield, MO
501 221-xxx-xxxx AR
501 721-xxx-xxxx AR
502 988 Frankfort/Louisville/Paducah/Shelbyville, KY
503 541-XXXX OR
504 99x-xxxx Baton Rouge/New Orleans, LA
504 9988776655 Baton Rouge/New Orleans, LA
505 59?-xxxx New Mexico
512 95X-xxxx Austin, TX
513 951-xxxx Cincinnati/Dayton, OH
513 955-xxxx Cincinnati/Dayton, OH
513 99?-xxxx Cincinnati/Dayton, OH (X=0, 1, 2, 3, 4, 8 or 9)
516 660-xxx-xxxx Hempstead/Long Island, NY
601 777-xxxx MS
609 55?-xxxx Atlantic City/Camden/Trenton/Vineland, NJ
610 811-xxxx Allentown/Reading, PA
612 511 Minneapolis/St.Paul, MN
612 999-xxx-xxxx Minneapolis/St.Paul, MN
614 998-xxxx Columbus/Steubenville, OH
615 920-XXXX Chatanooga/Knoxville/Nashville, TN
615 930-xxxx Chatanooga/Knoxville/Nashville, TN
616 946-xxxx Battle Creek/Grand Rapids/Kalamazoo, MI
619 331-xxxx San Diego, CA
619 332-xxxx San Diego, CA
703 958-xxxx Alexandria/Arlington/Roanoke, VA
708 511-xxxx Chicago/Elgin, IL
714 330? Anaheim, CA (GTE)
714 33?-xxxx Anaheim, CA (PacBell)
716 981-xxxx Rochester, NY (Rochester Tel)
718 660-xxxx Bronx/Brooklyn/Queens/Staten Island, NY
719 99x-xxxx Colorado Springs/Leadville/Pueblo, CO
801 938-xxxx Utah
801 939-xxxx Utah
802 987-xxxx Vermont
804 260 Charlottesville/Newport News/Norfolk/Richmond, VA
805 114 Bakersfield/Santa Barbara, CA
805 980-xxxx Bakersfield/Santa Barbara, CA
810 951-xxx-xxxx Pontiac/Southfield/Troy, MI
813 711 Ft. Meyers/St. Petersburg/Tampa, FL
817 971 Ft. Worth/Waco, TX (Flashhook, then 2#)
906 951-xxx-xxxx Marquette/Sault Ste. Marie, MI
908 55?-xxxx New Brunswick, NJ
908 953 New Brunswick, NJ
913 951-xxxx Lawrence/Salina/Topeka, KS
914 660-xxxx-xxxx Peekskill/Poughkeepsie/White Plains/Yonkers, NY
Canada:
204 590-xxx-xxxx Manitoba
416 57x-xxxx Toronto, Ontario
416 99x-xxxx Toronto, Ontario
416 999-xxx-xxxx Toronto, Ontario
506 572+xxx-xxxx New Brunswick
514 320-xxx-xxxx Montreal, Quebec
519 999-xxx-xxxx London, Ontario
613 999-xxx-xxxx Ottawa, Ontario
705 999-xxx-xxxx North Bay/Saulte Ste. Marie, Ontario
Australia: +61 199
Brazil: 109 or 199
Holland: 99-xxxxxx
New Zealand: 137
Sweden: 0058
United Kingdom: 174 or 1744 or 175 or 0500-89-0011
(Italic indicates updated ringbacks, while bold indicates new ringbacks.)
What is a loop?
This FAQ answer is excerpted from: ToneLoc v0.99 User Manual by Minor
Threat & Mucho Maas
Loops are a pair of phone numbers, usually consecutive, like 836-9998 and
836-9999. They are used by the phone company for testing. What good do
loops do us? Well, they are cool in a few ways. Here is a simple use of. Each loop has two ends, a 'high' end, and a 'low' end. One end gives
a (usually) constant, loud tone when it is called. The other end is silent.
Loops don't usually ring either. When BOTH ends are called, the people that
called each end can talk through the loop. Some loops are voice filtered
and won't pass anything but a constant tone; these aren't much use to you.
Here's what you can use working loops for: billing phone calls! First, call
the end that gives the loud tone. Then if the operator or someone calls the
other end, the tone will go quiet. Act like the phone just rang and you
answered it ... say "Hello", "Allo", "Chow", "Yo", or what the fuck ever.
The operator thinks that she just called you, and that's it! Now the phone
bill will go to the loop, and your local RBOC will get the bill! Use this
technique in moderation, or the loop may go down. Loops are probably most
useful when you want to talk to someone to whom you don't want to give your
phone number.
What is a loop in my area?
Many of these loops are no longer functional. If you are local to any of
these loops, please try them out an e-mail me the results of your research.
NPA High Low
------- ------- ------
201 666-9929 666-9930
206 827-0018 827-0019
206 988-0020 988-0022
208 862-9996 862-9997
209 732-0044 732-0045
201 666-9929 666-9930
210 993-9929 993-9930
210 330-9929 330-9930
210 333-9929 333-9930
210 376-9929 376-9930
210 467-9929 467-9930
212 220-9977 220-9979
212 283-9977 283-9979
212 283-9977 283-9997
212 352-9900 352-9906
212 365-9977 365-9979
212 529-9900 529-9906
212 562-9977 562-9979
212 986-9977 986-9979
213 360-1118 360-1119
213 365-1118 365-1119
213 455-0002 455-xxxx
213 455-0002 455-xxxx
213 546-0002 546-xxxx
213 546-0002 546-xxxx
213 549-1118 549-1119
305 778-9952 778-9951
305 964-9951 964-9952
307 468-9999 468-9998
308 357-0004 357-0005
310 365-1118 365-1119
310 445-0002 445-????
310 455-0002 455-????
310 545-0002 545-????
310 546-0002 546-????
312 262-9902 262-9903
313 224-9996 224-9997
313 225-9996 225-9997
313 234-9996 234-9997
313 237-9996 237-9997
313 256-9996 256-9997
313 272-9996 272-9997
313 273-9996 273-9997
313 277-9996 277-9997
313 281-9996 281-9997
313 292-9996 292-9997
313 299-9996 299-9997
313 321-9996 321-9997
313 326-9996 326-9997
313 356-9996 356-9997
313 362-9996 362-9997
313 369-9996 369-9997
313 388-9996 388-9997
313 397-9996 397-9997
313 399-9996 399-9997
313 445-9996 445-9997
313 465-9996 465-9997
313 471-9996 471-9997
313 474-9996 474-9997
313 477-9996 477-9997
313 478-9996 478-9997
313 483-9996 483-9997
313 497-9996 497-9997
313 526-9996 526-9997
313 552-9996 552-9997
313 556-9996 556-9997
313 561-9996 561-9997
313 569-9996 569-9996
313 575-9996 575-9997
313 577-9996 577-9997
313 585-9996 585-9997
313 591-9996 591-9997
313 621-9996 621-9997
313 626-9996 626-9997
313 644-9996 644-9997
313 646-9996 646-9997
313 647-9996 647-9997
313 649-9996 649-9997
313 663-9996 663-9997
313 665-9996 665-9997
313 683-9996 683-9997
313 721-9996 721-9997
313 722-9996 722-9997
313 728-9996 728-9997
313 731-9996 731-9997
313 751-9996 751-9997
313 776-9996 776-9997
313 781-9996 781-9997
313 787-9996 787-9997
313 822-9996 822-9997
313 833-9996 833-9997
313 851-9996 851-9997
313 871-9996 871-9997
313 875-9996 875-9997
313 886-9996 886-9997
313 888-9996 888-9997
313 898-9996 898-9997
313 934-9996 934-9997
313 942-9996 942-9997
313 963-9996 963-9997
313 977-9996 977-9997
315 673-9995 673-9996
315 695-9995 695-9996
402 422-0001 422-0002
402 422-0003 422-0004
402 422-0005 422-0006
402 422-0007 422-0008
402 572-0003 572-0004
402 779-0004 779-0007
406 225-9902 225-9903
517 422-9996 422-9997
517 423-9996 423-9997
517 455-9996 455-9997
517 563-9996 563-9997
517 663-9996 663-9997
517 851-9996 851-9997
609 921-9929 921-9930
609 994-9929 994-9930
616 997-9996 997-9997
708 724-9951 724-????
713 224-1499 759-1799
713 324-1499 324-1799
713 342-1499 342-1799
713 351-1499 351-1799
713 354-1499 354-1799
713 356-1499 356-1799
713 442-1499 442-1799
713 447-1499 447-1799
713 455-1499 455-1799
713 458-1499 458-1799
713 462-1499 462-1799
713 466-1499 466-1799
713 468-1499 468-1799
713 469-1499 469-1799
713 471-1499 471-1799
713 481-1499 481-1799
713 482-1499 482-1799
713 484-1499 484-1799
713 487-1499 487-1799
713 489-1499 489-1799
713 492-1499 492-1799
713 493-1499 493-1799
713 524-1499 524-1799
713 526-1499 526-1799
713 555-1499 555-1799
713 661-1499 661-1799
713 664-1499 664-1799
713 665-1499 665-1799
713 666-1499 666-1799
713 667-1499 667-1799
713 682-1499 976-1799
713 771-1499 771-1799
713 780-1499 780-1799
713 781-1499 997-1799
713 960-1499 960-1799
713 977-1499 977-1799
713 988-1499 988-1799
805 528-0044 528-0045
805 544-0044 544-0045
805 773-0044 773-0045
808 235-9907 235-9908
808 239-9907 239-9908
808 245-9907 245-9908
808 247-9907 247-9908
808 261-9907 261-9908
808 322-9907 322-9908
808 328-9907 328-9908
808 329-9907 329-9908
808 332-9907 332-9908
808 335-9907 335-9908
808 572-9907 572-9908
808 623-9907 623-9908
808 624-9907 624-9908
808 668-9907 668-9908
808 742-9907 742-9908
808 879-9907 879-9908
808 882-9907 882-9908
808 885-9907 885-9908
808 959-9907 959-9908
808 961-9907 961-9908
810 362-9996 362-9997
813 385-9971 385-xxxx
908 254-9929 254-9930
908 558-9929 558-9930
908 560-9929 560-9930
908 776-9930 776-9930
What is a CNA number?
CNA stands for Customer Name and Address. The CNA number is a phone number
for telephone company personnel to call and get the name and address for a
phone number. If a telephone lineman finds a phone line he does not
recognize, he can use the ANI number to find it's phone number and then
call the CNA operator to see who owns it and where they live.
Normal CNA numbers are available only to telephone company personnel.
Private citizens may now legally get CNA information from private
companies. Two such companies are:
Unidirectory (900)933-3330
Telename (900)884-1212
Note that these are 900 numbers, and will cost you approximately one dollar
per minute.
If you are in 312 or 708, AmeriTech has a pay-for-play CNA service
available to the general public. The number is 796-9600. The cost is
$.35/call and can look up two numbers per call.
If you are in 415, Pacific Bell offers a public access CNA service at
(415)781-5271.
What is the telephone company CNA number for my area?
203 (203)771-8080 CT
312 (312)796-9600 Chicago, IL
506 (506)555-1313 New Brunswick
513 (513)397-9110 Cincinnati/Dayton, OH
516 (516)321-5700 Hempstead/Long Island, NY
518 (518)471-8111 Albany/Schenectady/Troy, NY
614 (614)464-0123 Columbus/Steubenville, OH
813 (813)270-8711 Ft. Meyers/St. Petersburg/Tampa, FL
(Italic indicates updated CNA's, while bold indicates new CNA's.)
What are some numbers that always ring busy?
216 xxx-9887 Akron/Canton/Cleveland/Lorain/Youngstown, OH
303 431-0000 Denver, CO
303 866-8660 Denver, CO
316 952-7265 Dodge City/Wichita, KS
501 377-99xx AR
719 472-3773 Colorado Springs/Leadville/Pueblo, CO
805 255-0699 Bakersfield/Santa Barbara, CA
818 885-0699 Pasadena, CA
906 632-9999 Marquette/Sault Ste. Marie, MI
906 635-9999 Marquette/Sault Ste. Marie, MI
914 576-9903 Peekskill/Poughkeepsie/White Plains/Yonkers, NY
What are some numbers that temporarily disconnect phone service?
314 511 Columbia/Jefferson City/St.Louis, MO (1 minute)
404 420 Atlanta, GA (5 minutes)
405 953 Enid/Oklahoma City, OK (1 minute)
407 511 Orlando/West Palm Beach, FL (1 minute)
512 200 Austin/Corpus Christi, TX (1 minute)
516 480 Hempstead/Long Island, NY (1 minute)
603 980 NH
614 xxx-9894 Columbus/Steubenville, OH
805 119 Bakersfield/Santa Barbara, CA (3 minutes)
919 211 or 511 Durham, NC (10 min - 1 hour)
What is a Proctor Test Set?
A Proctor Test Set is a tool used by telco personell to diagnose problems
with phone lines. You call the Proctor Test Set number and press buttons on
a touch tone phone to active the tests you select.
What is a Proctor Test Set in my area?
805 111 Bakersfield/Santa Barbara, CA
909 117 Tyler, TX
913 611-1111 Lawrence/Salina/Topeka, KS
What is scanning?
Scanning is dialing a large number of telephone numbers in the hope of
finding interesting carriers (computers) or tones.
Scanning can be done by hand, although dialing several thousand telephone
numbers by hand is extremely boring and takes a long time.
Much better is to use a scanning program, sometimes called a war dialer or
a demon dialer. Currently, the best war dialer available to PC-DOS users is
ToneLoc from Minor Threat and Mucho Maas. ToneLoc can be FTPed from
ftp.paranoia.com.
A war dialer will dial a range of numbers and log what it finds at each
number. You can then only dial up the numbers that the war dialer marked as
carriers or tones.
Is scanning illegal?
Excerpt from: 2600, Spring 1990, Page 27:
In some places, scanning has been made illegal. It would be hard,
though, for someone to file a complaint against you for scanning since
the whole purpose is to call every number once and only once. It's
not likely to be thought of as harassment by anyone who gets a single
phone call from a scanning computer. Some central offices have been
known to react strangely when people start scanning. Sometimes you're
unable to get a dialtone for hours after you start scanning. But
there is no uniform policy. The best thing to do is to first find out
if you've got some crazy law saying you can't do it. If, as is
likely, there is no such law, the only way to find out what happens is
to give it a try.
It should be noted that a law making scanning illegal was recently passed
in Colorado Springs, CO. It is now illegal to place a call in Colorado
Springs without the intent to communicate.
Where can I purchase a lineman's handset?
Contact East
335 Willow Street
North Andover, MA 01845-5995
(508)682-2000
Jensen Tools
7815 S. 46th Street
Phoenix, AZ 85044-5399
Time Motion Tools
12778 Brookprinter Place
Poway, CA 92064
(619)679-0303
What are the DTMF frequencies?
DTMF stands for Dual Tone Multi Frequency. These are the tones you get when
you press a key on your telephone touchpad. The tone of the button is the
sum of the column and row tones. The ABCD keys do not exist on standard
telephones.
1209 1336 1477 1633
697 1 2 3 A
770 4 5 6 B
852 7 8 9 C
941 * 0 # D
What are the frequencies of the telephone tones?
Type Hz On Off
---------------------------------------------------------------------
Dial Tone 350 & 440 --- ---
Busy Signal 480 & 620 0.5 0.5
Toll Congestion 480 & 620 0.2 0.3
Ringback (Normal) 440 & 480 2.0 4.0
Ringback (PBX) 440 & 480 1.5 4.5
Reorder (Local) 480 & 620 3.0 2.0
Invalid Number 200 & 400
Hang Up Warning 1400 & 2060 0.1 0.1
Hang Up 2450 & 2600 --- ---
What are all/most of the * codes?
Local Area Signalling Services (LASS) and Custom Calling Feature Control
Codes:
(These appear to be standard, but may be changed locally)
Service Tone Pulse/rotary Notes
--------------------------------------------------------------------------
Assistance/Police *12 n/a [1]
Cancel forwarding *30 n/a [C1]
Automatic Forwarding *31 n/a [C1]
Notify *32 n/a [C1] [2]
Intercom Ring 1 (..) *51 1151 [3]
Intercom Ring 2 (.._) *52 1152 [3]
Intercom Ring 3 (._.) *53 1153 [3]
Extension Hold *54 1154 [3]
Call Redial *55 n/a
Customer Originated Trace *57 1157
Selective Call Rejection *60 1160 (or Call Screen)
Selective Distinct Alert *61 1161
Selective Call Acceptance *62 1162
Selective Call Forwarding *63 1163
ICLID Activation *65 1165
Call Return (outgoing) *66 1166
Number Display Blocking *67 1167 [4]
Computer Access Restriction *68 1168
Call Return (incoming) *69 1169
Call Waiting disable *70 1170 [4]
No Answer Call Transfer *71 1171
Usage Sensitive 3 way call *71 1171
Call Forwarding: start *72 or 72# 1172
Call Forwarding: cancel *73 or 73# 1173
Speed Calling (8 numbers) *74 or 74# 1174
Speed Calling (30 numbers) *75 or 75# 1175
Anonymous Call Rejection *77 1177 [5] [M: *58]
Call Screen Disable *80 1160 (or Call Screen) [M: *50]
Selective Distinct Disable *81 1161 [M: *51]
Select. Acceptance Disable *82 1162
Select. Forwarding Disable *83 1163 [M: *53]
ICLID Disable *85 1165
Call Return (cancel out) *86 1186 [6] [M: *56]
Anon. Call Reject (cancel) *87 1187 [5] [M: *68]
Call Return (cancel in) *89 1189 [6] [M: *59]
Notes:
[C1] - Means code used for Cellular One service
[1] - for cellular in Pittsburgh, PA A/C 412 in some areas
[2] - indicates that you are not local and maybe how to reach you
[3] - found in Pac Bell territory; Intercom ring causes a distinctive
ring to be generated on the current line; Hold keeps a call
connected until another extension is picked up
[4] - applied once before each call
[5] - A.C.R. blocks calls from those who blocked Caller ID
(used in C&P territory, for instance)
[6] - cancels further return attempts
[M: *xx] - alternate code used for MLVP (multi-line variety package)
by Bellcore. It goes by different names in different RBOCs.
In Bellsouth it is called Prestige. It is an arrangement of
ESSEX like features for single or small multiple line groups.
The reason for different codes for some features in MLVP is that
call-pickup is *8 in MLVP so all *8x codes are reaasigned *5x
What frequencies do cordless phones operate on?
Here are the frequencies for the first generation 46/49mhz phones.
Channel Handset Transmit Base Transmit
------- ---------------- -------------
1 49.670mhz 46.610mhz
2 49.845 46.630
3 49.860 46.670
4 49.770 46.710
5 49.875 46.730
6 49.830 46.770
7 49.890 46.830
8 49.930 46.870
9 49.990 46.930
10 49.970 46.970
The new "900mhz" cordless phones have been allocated the frequencies
between 902-228MHz, with channel spacing between 30-100KHz.
Following are some examples of the frequencies used by phones currently on
the market.
Panasonic KX-T9000 (60 Channels)
base 902.100 - 903.870 Base frequencies (30Khz spacing)
handset 926.100 - 927.870 Handset frequencies
CH BASE HANDSET CH BASE HANDSET CH BASE HANDSET
-- ------- ------- -- ------- ------- -- ------- -------
01 902.100 926.100 11 902.400 926.400 21 902.700 926.700
02 902.130 926.130 12 902.430 926.430 22 902.730 926.730
03 902.160 926.160 13 902.460 926.460 23 902.760 926.760
04 902.190 926.190 14 902.490 926.490 24 902.790 926.790
05 902.220 926.220 15 902.520 926.520 25 902.820 926.820
06 902.250 926.250 16 902.550 926.550 26 902.850 926.850
07 902.280 926.280 17 902.580 926.580 27 902.880 926.880
08 902.310 926.310 18 902.610 926.610 28 902.910 926.910
09 902.340 926.340 19 902.640 926.640 29 902.940 926.940
10 902.370 926.370 20 902.670 926.670 30 902.970 926.970
31 903.000 927.000 41 903.300 927.300 51 903.600 927.600
32 903.030 927.030 42 903.330 927.330 52 903.630 927.630
33 903.060 927.060 43 903.360 927.360 53 903.660 927.660
34 903.090 927.090 44 903.390 927.390 54 903.690 927.690
35 903.120 927.120 45 903.420 927.420 55 903.720 927.720
36 903.150 927.150 46 903.450 927.450 56 903.750 927.750
37 903.180 927.180 47 903.480 927.480 57 903.780 927.780
38 903.210 927.210 48 903.510 927.510 58 903.810 927.810
39 903.240 927.240 49 903.540 927.540 59 903.840 927.840
40 903.270 927.270 50 903.570 927.570 60 903.870 927.870
V-TECH TROPEZ DX900 (20 CHANNELS)
905.6 - 907.5 TRANSPONDER (BASE) FREQUENCIES (100 KHZ SPACING)
925.5 - 927.4 HANDSET FREQUENCIES
CH BASE HANDSET CH BASE HANDSET CH BASE HANDSET
---- --------- -------------- ---- -------- --------------- ---- -------- ---------------
01 905.600 925.500 08 906.300 926.200 15 907.000 926.900
02 905.700 925.600 09 906.400 926.300 16 907.100 927.000
03 905.800 925.700 10 906.500 926.400 17 907.200 927.100
04 905.900 925.800 11 906.600 926.500 18 907.300 927.200
05 906.000 925.900 12 906.700 926.600 19 907.400 927.300
06 906.100 926.000 13 906.800 926.700 20 907.500 927.400
07 906.200 926.100 14 906.900 926.800
OTHER 900 MHZ CORDLESS PHONES
AT&T #9120 - - - - - 902.0 - 905.0 & 925.0 - 928.0 MHZ
OTRON CORP. #CP-1000 902.1 - 903.9 & 926.1 - 927.9 MHZ
SAMSUNG #SP-R912- - - 903.0 & 927.0 MHZ
What is Caller-ID?
This FAQ answer is stolen from Rockwell:
Calling Number Delivery (CND), better known as Caller ID, is a telephone
service intended for residential and small business customers. It allows
the called Customer Premises Equipment (CPE) to receive a calling party's
directory number and the date and time of the call during the first 4
second silent interval in the ringing cycle.
Parameters
The data signalling interface has the following characteristics:
Link Type: 2-wire, simplex
Transmission Scheme: Analog, phase-coherent FSK
Logical 1 (mark) 1200 +/- 12 Hz
Logical 0 (space) 2200 +/- 22 Hz
Transmission Rate: 1200 bps
Transmission Level: 13.5 +/- dBm into 900 ohm load
Protocol
The protocol uses 8-bit data words (bytes), each bounded by a start bit and
a stop bit. The CND message uses the Single Data Message format shown
below.
| Channel | Carrier | Message | Message | Data | Checksum |
| Seizure | Signal | Type | Length | Word(s) | Word |
| Signal | | Word | Word | | |
Channel Siezure Signal
The channel seizure is 30 continuous bytes of 55h (01010101) providing a
detectable alternating function to the CPE (i.e. the modem data pump).
Carrier Signal
The carrier signal consists of 130 +/- 25 mS of mark (1200 Hz) to condition
the receiver for data.
Message Type Word
The message type word indicates the service and capability associated with
the data message. The message type word for CND is 04h (00000100).
Message Length Word
The message length word specifies the total number of data words to follow.
Data Words
The data words are encoded in ASCII and represent the following
information:
* The first two words represent the month
* The next two words represent the day of the month
* The next two words represent the hour in local military time
* The next two words represent the minute after the hour
* The calling party's directory number is represented by the remaining
words in the data word field
If the calling party's directory number is not available to the terminating
central office, the data word field contains an ASCII "O". If the calling
party invokes the privacy capability, the data word field contains an ASCII
"P".
Checksum Word
The Checksum Word contains the twos complement of the modulo 256 sum of the
other words in the data message (i.e., message type, message length, and
data words). The receiving equipment may calculate the modulo 256 sum of
the received words and add this sum to the reveived checksum word. A result
of zero generally indicates that the message was correctly received.
Message retransmission is not supported.
Example CNS Single Data Message
An example of a received CND message, beginning with the message type word,
follows:
04 12 30 39 33 30 31 32 32 34 36 30 39 35 35 35 31 32 31 32 51
04h= Calling number delivery information code (message type word)
12h= 18 decimal; Number of data words (date,time, and directory
number words)
ASCII 30,39= 09; September
ASCII 33,30= 30; 30th day
ASCII 31,32= 12; 12:00 PM
ASCII 32,34= 24; 24 minutes (i.e., 12:24 PM)
ASCII 36,30,39,35,35,35,31,32,31,32= (609) 555-1212; calling
party's directory number
51h= Checksum Word
Data Access Arrangement (DAA) Requirements
To receive CND information, the modem monitors the phone line between the
first and second ring bursts without causing the DAA to go off hook in the
conventional sense, which would inhibit the transmission of CND by the
local central office. A simple modification to an existing DAA circuit
easily accomplishes the task.
Modem Requirements
Although the data signalling interface parameters match those of a Bell 202
modem, the receiving CPE need not be a Bell 202 modem. A V.23 1200 bps
modem receiver may be used to demodulate the Bell 202 signal. The ring
indicate bit (RI) may be used on a modem to indicate when to monitor the
phone line for CND information. After the RI bit sets, indicating the first
ring burst, the host waits for the RI bit to reset. The host then
configures the modem to monitor the phone line for CND information.
Signalling
According to Bellcore specifications, CND signalling starts as early as 300
mS after the first ring burst and ends at least 475 mS before the second
ring burst
Applications
Once CND information is received the user may process the information in a
number of ways.
1. The date, time, and calling party's directory number can be displayed.
2. Using a look-up table, the calling party's directory number can be
correlated with his or her name and the name displayed.
3. CND information can also be used in additional ways such as for:
1. Bulletin board applications
2. Black-listing applications
3. Keeping logs of system user calls, or
4. Implementing a telemarketing data base
References
For more information on Calling Number Delivery (CND), refer to Bellcore
publications TR-TSY-000030 and TR-TSY-000031.
To obtain Bellcore documents contact:
Bellcore Customer Service
60 New England Avenue, Room 1B252
Piscataway, NJ 08834-4196
(908) 699-5800
How do I block Caller-ID?
Always test as much as possible before relying on any method of blocking
Caller-ID. Some of these methods work in some areas, but not in others.
Dial *67 before you dial the number. (141 in the United Kingdom)
Dial your local TelCo and have them add Caller-ID block to your line.
Dial the 0 Operator and have him or her place the call for you.
Dial the call using a pre-paid phone card.
Dial through Security Consultants at (900)PREVENT for U.S. calls
($1.99/minute) or (900)STONEWALL for international calls ($3.99/minute).
Dial from a pay phone. :-)
What is a PBX?
A PBX is a Private Branch Exchange. A PBX is a small telephone switch owned
by a company or organization. Let's say your company has a thousand
employees. Without a PBX, you would need a thousand phone lines. However,
only 10% of your employees are talking on the phone at one time. What if
you had a computer that automatically found an outside line every time one
of your employees picked up the telephone. With this type of system, you
could get by with only paying for one hundred phone lines. This is a PBX.
What is a VMB?
A VMB is a Voice Mail Box. A VMB is a computer that acts as an answering
machine for hundreds or thousands of users. Each user will have their own
Voice Mail Box on the system. Each mail box will have a box number and a
pass code.
Without a passcode, you will usually be able to leave messages to users on
the VMB system. With a passcode, you can read messages and administer a
mailbox. Often, mailboxes will exist that were created by default or are no
longer used. These mailboxes may be taken over by guessing their passcode.
Often the passcode will be the mailbox number or a common number such as
1234.
What are the ABCD tones for?
The ABCD tones are simply additional DTFM tones that may be used in any way
the standard (0-9) tones are used. The ABCD tones are used in the U.S.
military telephone network (AutoVon), in some Automatic Call Distributor
(ACD) systems, for control messages in some PBX systems, and in some
amateur radio auto-patches.
In the AutoVon network, special telephones are equipped with ABCD keys. The
ABCD keys are defined as such:
A - Flash
B - Flash override priority
C - Priority communication
D - Priority override
Using a built-in maintenance mode of the Automatic Call Distributor (ACD)
systems once used by Directory Assistance operators, you could connect two
callers together.
The purpose of the Silver Box is to create the ABCD tones.
_`'-.,_,.-'`_`'-.,_,.-> [ DTMF's phucking with the operators ] <-.,_,.-'`_`'-.,_,.-'`_
Ever get an operator who gave you a hard time, cuz u kept calling
back talking, asking dumb questionz, or cussig at her and you didn't no
what to du? Well if the operator hears you use a little Bell jargon, she might
wise up. Here is a little diagram (excuse the artwork) of the structure of
operators
/-----------\ /------\ /------\
!Operator!-- > ! S.A. ! --->! BOS !
\-----------/ \------/ \------/
!
!
V
/-----------------\
! Group Chief !
\-----------------/
Now most of the operators are not bugged, so they can curse at you, if they
do ask INSTANTLY for the "S.A." or the Service Assistant. The operator does not
report to her (95% of them are hers) but they will solve most of your problems.
She MUST give you her name as she connects & all of these calls are bugged. If
the SA gives you a rough time get her BOS (Business Office Supervisor) on the
line. S/He will almost always back her girls up, but sometimes the SA will get
tarred and feathered. The operator reports to the Group Chief, and S/He will
solve 100% of your problems, but the chances of getting S/He on the line are
nill.
If a lineman (the guy who works out on the poles) or an installation man
gives you the works ask to speak to the Installation Foreman, that works
wonders.
Here is some other bell jargon, that might come in handy if you are having
trouble with the line. Or they can be used to lie your way out of
situations....
An Erling is a line busy for 1 hour, used mostly in traffic studies A
Permanent Signal is that terrible howling you get if you disconnect, but don't
hang up.
Everyone knows what a busy signal is, but some idiots think that is the
*Actual* ringing of the phone, when it just is a tone "beeps" when the phone is
ringing, wouldn't bet on this though, it can (and does) get out of sync.
When you get a busy signal that is 2 times as fast as the normal one, the
person you are trying to reach isn't really on the phone, (he might be), it is
actually the signal that a trunk line somewhere is busy and they haven't or
can't reroute your call. Sometimes you will get a Recording, or if you get
nothing at all (Left High & Dry in fone terms) all the recordings are being
used and the system is really overused, will probably go down in a little
while. This happened when the bomb went off @ the olimpix, the system just
couldn't handle the calls. By the way this is called the "reorder signal"
and the trunk line iz "blocked".
One more thing, if an overseas call isn't completed and doesn't generate
any money for AT&T, is is called an "Air & Water Call".
_`'-.,_,.-'`_`'-.,_,.-> [ who/what the hell is 4matt ] <-.,_,.-'`_`'-.,_,.-'`_
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=+
_A_HACKING_PHREAKING_AND_ANARCHY_KLUB_
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=+
/ /\ / /\ / \ / \ / / \ /___ ___//__ __/\
/ /_/__/ /_/ / \ / \ / / \ \ __/ / /__\\__/ / /__\/
/_____ __/ \ / /\ /\ \ / / / \ \ / / / / / /
\____ / / \_\ / / / | \_ / | \ \/ /__\ \ / / / / / /
/_/ / /_ / / \/__\/ \ \ _\ ______/_ / / /_/ /
\_\/ \ _\/ \/_/ ______\_\/ \_\/
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=+
_4_MODERN_ANARCHIST'S_TICKING-OFF_TELCO'S_
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=+
CURRENT MEMBERS:
(***) CbeRpHreAk ( Head of Phreaking )
(**) DTMF
(**) Lord Sommer ( Head of Hacking )
(***) DOS DestroeR
(*) V-A-P-O-R
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=+
(***) = the elite hybrids who started all the madness
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=+
our home on the world wide web: http://4matt.home.ml.org/
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=+
_`'-.,_,.-'`_`'-.,_,.-> [ Sources of this grate phile ] <-.,_,.-'`_`'-.,_,.-'`_
alt.2600/#hack-FAQ
The Phreakers Manual
DTMF's phucking with the operators
Marauder of the Legion of Doom
and
_`'-.,_,.-'`_`'-.,_,.-> [ the phreax @ 4matt producti0nz ] <-.,_,.-'`_`'-.,_,.-'`_
