f41th Issue 09


[ D4RKCYDE ]

yyyyyssssyyyy yyyyssssyyyy yyyy yyyy
|lS$$ yy $$$$ """" yy lS$$ S$$$ S$$$$$ $$$$$ S$$$ssssyyyy
:|lS$ ""yyyyy yyyyssss|lS$ lS$$ lS$$ yy$$$$$ lS$$ yy lS$$
:||lS$$ $$$$$ :|lS yy :|lS |lS$ |lS$ $$ yyyy |lS$ $$ |lS$
:::|l ,$$$$$ ::|l $$ ::|l :|lS :|lS $$ :|lS :|lS $$ :|lS
::::| $$$$$$ :::| $$ :::| ::|l ::|l $$ ::|l ::|l $$ ::|l
.:::: ....... .:::....:::: .::| ..:|....:::| .::| .. .::|

[ F41TH ISSUE NINE: AUGUST 1999 ]



-o[ D4RKCYDE ]o- L0RDZ 0F THE BAUD

-o[ hybrid ]o- http://darkcyde.phunc.com #darkcyde efnet.
-o[ zomba ]o- http://hybrid.dtmf.org/files/faith/faith(x).zip/txt.
-o[ downtime ]o-
-o[ digiphreq ]o- ' technology has turned reality into a paradox,
-o[ lowtek ]o- forms are not always as they seem. '
-o[ shadowx ]o-
-o[ jasun ]o- - fear factory. remanufacture (demanufacture)
-o[ microwire ]o-
-o[ bodie ]o-
-o[ shylock ]o- ' 0WNED ' - ?
-o[ force ]o-
-o[ sintax ]o-----------------------------------------------------------


" Hi, I'm Helen firth "
-hellfire


-o[ sh0utz ]o-

Shouts to all that went to DNScon, the organisers, john, savy, darkcyde,
psyclone, abattis, coldfire, b00ger, hellfire, cyborg, crashd, backardi.
Also shouts 9x, b4b0, substance, oclet, knight, phunc, ch1ckie, gr1p, epoc,
kryptus, simmeth, dgtlfokus, voltage, tip, phix, siezer, oeb, infidel, phace,
katkilla, aktiver, typeo, essgurl, port, euk, 5O5, #darkcyde.


-o[ contents ]o-

-o[ editorial ]o- -o[ hybrid ]o-
-o[ E911 news/update II ]o- -o[ digiphreq ]o-
-o[ D4RKCYDE at secondary DNScon, Blackpool'99 ]o- -o[ h,j,z,b,s ]o-
-o[ overview of meridian hacking ninja style ]o- -o[ hybrid ]o-
-o[ review of.. ANTISOCIAL magazine... ]o- -o[ hybrid ]o-
-o[ a short guide to the evolution of switching ]o- -o[ hybrid ]o-
-o[ f41th CNID advisory/bug ]o- -o[ f41thless ]o-
-o[ digiphreq's trip to a 5ESS CentralOffice ]o- -o[ digiphreq ]o-
-o[ BTs lite ADSL technology/proposed test area ]o- -o[ sonicborg ]o-
-o[ xDSL local loop access technology ]o- -o[ exphunged ]o-
-o[ introduction to the workings of a cellphone ]o- -o[ downtime ]o-
-o[ underground BellAtlantic secure vaults ]o- -o[ degauss ]o-
-o[ .gov radio frequency listing/info ]o- -o[ digiphreq ]o-
-o[ defeating CLI with simple but effective stealth ]o- -o[ hybrid ]o-
-o[ outness/general imph0 ]o- -o[ hybrid ]o-


ARTICLES: hybrid@dtmf.org zomba@phunc.com digiphreq@webcrunchers.com
MAILTO: hybrid@dtmf.org zomba@phunc.com digiphreq@webcrunchers.com


US/PHONE: 1-877-873-7454 (toll-free) comments/suggestions/questions/phonebone
US/FAX: 1-877-873-7454 (toll-free) comments/suggestions/questions/faxbone



-o[ editorial ]o-
-o[ D4RKCYDE ]o-
-o[ by hybrid <hybrid@dtmf.org> ]o-------------------------------------------


Welcome to f41th issue 9, this time edited/hosted by yours truly :> f41th
8 was like huge, well over 3OOk of text, so don't expect us to pull something
like that off in a while. When I started f41th, back at christmas 98, the
idea was mainly to give D4RKCYDE a kind of purpose, or something to focus on.
Now f41th has grown into a modest sized zine, with loads of 'modern' info.
We never even thought that we would manage to get f41th even past issue 4,
but it seems the zine is just getting better all the time; we've also noticed
a massive increase in the amount of people that read the zine, for example
when f41th 7 was released at one point it was being downloaded more than
15 times a minute for a steady period of over 24 hours. That may not sound
like much, but to us that's great. I'd like to say thanks to everyone who
takes the time to read f41th each time we release it.

This issue we have decided to take extra care with the content of the zine
because we have received various comments through the mail that f41th is
getting a little bit ascii packed and the irc logs etc take up too much space.
Personally I think the irc logs are hilarious, but that's my opinion, and after
all this is a public zine designed for public readers, so the customer is
always right, so to speak. So from now on, expect f41th to be more
interesting to read, and packed full with more technical/contemporary info
than ever before.

As I was saying before, we have noticed a colossal increase in the f41th issue
downloads from the servers that host f41th. When we release a new issue, it
is only uploaded to one server, so we can get an idea of who and how many
people are reading it. That is why we ask that people who wish to host f41th
on their own box/server contact us in advance before doing so. In
other words, please do not host f41th unless you have emailed us and asked us
first. We will then be able to send distributors of f41th the new issues
within 2 hours of it actually being released. I'd like to state that the [C]
at the end of each issue means something, just ask before you decide to
distro, thanks.

Again, it seems f41th is being read/monitored by certain organisations, for
what purpose is a mystery to us. Perhaps they want skooling or something. For
example, here are some of the shady looking hosts that downloaded f41th8.

scully.mugu.navy.mil - - [14/Jul/1999:12:30:34 -0500] "GET /faith8.txt
shiva-isp144.nctsw.navy.mil - - [21/Jul/1999:10:02:32 -0500] "GET /faith8.txt
puck.pnl.gov - - [08/Jul/1999:14:56:34 -0500] "GET /faith8.txt
firewall.camcnty.gov.uk - - [17/Jul/1999:08:14:33 -0500] "GET /faith8.txt
mailhost.dera.gov.uk - - [18/Jul/1999:16:10:05 -0500] "GET /faith8.txt
security.mi5.gov.uk - - [24/Jul/1999:15:04:01 -0500] "GET /faith8.txt

Looks like someone out there has DNS 0wning technique, lol, dera.gov.uk and
mi5.gov.uk.. Somehow I don't think they would be that obvious about their
intelligence gathering, if they are, it would be obvious that the UK .gov
have no stealth. ;> WTF are the navy doing reading f41th? - beats me, maybe
they get bored in the middle of the ocean and need something to read, heh.

There is just one thing I'd like to add to my editorial. Lately we've had so
many comments from people saying things like, 'you guys think you're leet',
and things like 'you won't get any respect from people if you flame them all
the time in f41th'. The fact is, we don't care what people think of f41th!
It's merely a product from D4RKCYDE, all we are doing is writing a zine
based on our knowledge as a h/p group. Also, we only flame people we think
deserve it, for example.. PhoneLOOSERS-uk/england, they rip other people's
stuff off, so we don't like them, big deal, take a look for yourselves, goto:
http://www.ple.8m.com.. heh, we even put a little advertising in there for
them, we're not all that bad, heh. Anywayz, enough from me. We hope you enjoy
this issue of f41th, take it easy.

hybrid <hybrid@dtmf.org>



-o[ News - Regarding Wireless E911 ]o-
-o[ D4RKCYDE ]o-
-o[ Digiphreq <digiphreq@webcrunchers.com> ]o--------------------------------



I was cruising around and came across this. I wrote an article a while back
regarding Wireless E911 so I figured I might update things. Anyway I found
this so I'll republish it here. I take no credit for writing this and so on
and so on.

Bell Labs Geolocation Technology Pinpoints Wireless 911 Calls Within 15 Feet.

WHIPPANY, NJ (June 30, 1999)-- Researchers at Lucent Technologies' (NYSE: LU)
Bell Labs have developed the most sensitive technology yet for pinpointing
the location of wireless 911 emergency calls. The approach is accurate within
15 feet when users are outdoors and 100 feet when they are indoors.

The Bell Labs geolocation technology offers marked improvements over
currently deployed systems for locating wireless 911 emergency calls.
Moreover, it provides network operators the double benefit of meeting a 2001
federal mandate while opening opportunities for new service revenues. For
example, pinpointing a customer's location could yield such services as
detailed driving directions and local traffic information, especially when
combined with improved data services expected two years from now.

"We intend to pursue standardization of this geolocation technology so that
it can be widely and inexpensively deployed," said John Freidenfelds,
director of wireless technology applications at Lucent's Wireless Networks
Group.

The Bell Labs technology works with all of today's global digital networks
and also will be compatible with next-generation (3G) broadband wireless
networks, which will provide a broad assortment of location-based services,
as well as high-speed, Internet-based multimedia services.

The driving force for the Bell Labs research has been a U.S. Federal
Communications Commission mandate stating that by October 2001, all wireless
911 calls must be pinpointed within 410 feet. Currently, wireless 911 calls
can be pinpointed within only a three- to six-square mile service area on
average.

The Bell Labs geolocation technology would provide more precise location
information to police, which is especially helpful when callers are
unfamiliar with their whereabouts, and also would allow 911 calls to be
routed more quickly to the appropriate rescue squad.

The Bell Labs approach involves both the wireless handset and network
infrastructure. Global positioning system (GPS) units are placed throughout a
wireless network. As the units keep track of GPS satellites orbiting the
Earth, they pass along key satellite information - including estimated time
of the signal's arrival - to nearby wireless handsets, which are equipped
with scaled-down GPS units. Then, based on time differences between when the
network's GPS units and the handsets receive signals from the satellites,
it's possible to precisely pinpoint the handset's location.

"With the information boost that the network gives the handset, our approach
is 100 times more sensitive than the handset approach for wireless
geolocation that involves putting an entire conventional GPS unit into each
handset," said Bell Labs researcher Giovanni Vannucci. Besides providing very
poor performance indoors, those handsets are costly, bulky and are a drain on
portable batteries.

Another common wireless geolocation technology is solely network-based, but
that approach requires expensive base-station equipment, is imprecise, and
does not perform well in hilly areas. The Bell Labs researchers also have
enhanced their geolocation approach by developing a method to estimate
handset location, which shortens the handset's initial search for a satellite
signal. A software program, based on the wireless signals that a handset
receives from several base station antennas, helps to estimate a handset's
location.

Other researchers working on the Bell Labs geolocation technology include Bob
Richton, T.C. Chiang, Richard Leung, Ren Da, and others in Whippany and
Naperville, Ill.

This information is based on a press release written by Sam Gronner and Steve
Eisenberg of Bell Labs Media Relations.




-o[ D4RKCYDE at DNScon Blackpool UK ]o-
-o[ D4RKCYDE ]o-
-o[ by hybrid zomba bodie jasun & sonicborg ]o-------------------------------------------


On Friday 13th August a few of us decided to take a trip to the computer
security/hacker convention D-N-S in Blackpool (www.dnscon.org). The con was
split into 2 sections: Various things such as 'hack the flag' and 'hacker
jeopardy' arranged by Manchester 26OO & AntiSocial Magazine. The second half
was a series of lectures related to computer security mostly from a defense
perspective.

We arrived in Blackpool on Friday night, and joined the other DNScon ppl in
a pub, then later proceeded to Blackpool pleasure beach (where hybrid got
lost) then later to a bar where we departed from the DNS crowd and went off
to do our own thing. We spent most of the night in some club where we got
sonicborg drunx0red on 3 pints of finest Blackpool watered down beer.

The next morning we went to the actual DNScon...

The con was littered with advertisement flyers for AntiSocial magazine, one of
which made us laugh.. " STILL PAYING FOR YOUR PHONE CALLS - read A-S mag "...
Like, they must be giving out free calling cards or something. HEH.

Hack the flag competition:

This was the fun part.. a 'network' set up by AntiSocial magazine where the
goal of the competition was to own the AntiSocial suse 6.1 box at the other
end of the network. To prove that you had done so, you had to take a keyfile
from the root directory of the target box. Participants of the game also had
to have a keyfile in the root directory of their own boxes which other
participants of the game had to try and claim as well.

We configured our laptop ready to connect to the AS mag network, but were
unable to connect to the 'network' because the AS team were unable to
network 3 or 4 486 boxes to an ethernet hub in the space of 6 hours. So...

Q. how can you root a box if you can't get a network connection to it?
A. wait until AS magazine attend a unix security lecture (to be skooled),
walk over to the target box (which was left un-attended, logged in as
ROOT for over 1 hour at a hacker convention).

O dear o dear o dear... AS mag have obviously never heard of physical access
security before, and decided to leave the target box in a root shell,
running multiple screens.. why? -beats us.. it's common sense, you don't leave
an un-attended box logged in as root slap bang in the middle of a hacker
convention@%^! (but they did)

So we walked into the room and decided to go take a look at the box we
were supposed to be 0wning (if AS mag ever managed to set the network up)..
so hybrid sat down in front of the target terminal..

" OMG!, SHIET!, <LOL>.. its fuckin logged in as root! "
-hybrid

About 10 minutes later (after all 5 of us managed to stop rolling round on
the floor in sheer hysterics at AS magazine's unix security teqn1q) a few
un-savoury things 'happened' to the AS mag box... we copied the keyfile/flag-
file to the /floppy drive, changed its access permissions and made multiple
copies of the file in hidden publicly accessible directories, added multiple
users with root shells, etc etc, then finally backdoored it (in case the really
knowledgeable AS mag team managed to get the 'network' up). They didn't even
notice that the box had a distinct lack of bash history.

As expected, AS mag blatantly denied that they were 0WNED, and re-installed
the entire OS and said "no-one touched it". Obviously ASmag were in fear of
our 0day walking over to an un-attended logged in root console teqniq. If the
ASmag team had actually managed to connect the box to the network we would have
played fair, but the fact is, ASmag couldn't network 2 gameboys together if
they tried.

Anyways, we did have fun, so thanks ASmag for providing us with the
entertainment, although we were expecting a little more of a challenge :>

Saturday evening:

We foolishly entered ourselves for the 'hacker jeopardy' competition.. first
up was bodie who managed to score a grand total of -700 points on starwars
questions, next up was hybrid and hellfire in 'team drunk' against a single
american dude 'team yank' -we got 0wned.

Q. it's a strange sounding Scottish ISP..
A. <hybrid> AOL.

Q. it's a black and white american h/p publication
the same size as 2600 mag..
A. <hybrid> blacklisted.. SHIET i mean what is bla..
A. <american dude> what is blacklisted 411..

Our excuse for l00zing: We were too busy admiring the hostess that was
keeping the scores. :P~

:)

The aftermath....

A room full of drunkx0red hax0rz (and computer security professionals).. We
had a picture taken of us all in our D4RKCYDE t-shirts (which we are sure
will appear on certain websites - pic taken by armageddon)..

Well that's our extremely short account of DNS Blackpool. Big shouts to John
the organiser, as well as Crashd from ASmag (the only ASmag member that spoke
to us) werd, shouts to BRITISH RAIL for providing us with the free transport,
shoutz to MCDONALDS for the free food... shoutz to the pub for the free beer.
shoutz to the chick that winked at hybrid at the station, shouts to the
dude we saw laying in his own vomit at a Blackpool kebab stand. Shouts to
the GBH dudez.. not so big shouts to.. the old woman who shouted at bodie for
doing a pipe on the train, the loud mouth slappers that wouldn't shut up
while we tried to conf on a train.. the dude that had his pint knocked over
by zomba (when he brought you another pint the content was slightly altered),
the rain, the wind, the ugly chicks, the cab drivers. WERD to EVERYONE that
attended the D-N-S Convention, Blackpool 1999. See you next year. :>

hybr1d z0mba j4sun bodie sonicborg

EYE 0F THE T1GER (private joke)

www.dnscon.org




-o[ hacking meridian mail - an overview ]o-
-o[ D4RKCYDE ]o-
-o[ by hybrid <hybrid@dtmf.org> ]o-----------------------------------



I think I have read about 6 guides to hacking meridian mail, and they get
worse all the time. Every meridian text I have read concentrates on the
features and architecture of the meridian mail system, however I am surprised
at the lack of information available that concentrates on the actual hacking
of meridian mail. This article will concentrate on various techniques that
can be used when hacking meridian mail.

For those of you who are unaware, meridian mail is a voice messaging system
designed by Nortel Technologies and has many advanced features. A lot of
people seem to think that hacking voicemail networks is lame; bullshit. I
would argue that meridian mail is the most advanced voice platform there is
when it comes to voicemail and voicemail networking. Meridian is way more
advanced than any other voicemail system out there, it puts Octel, Audix,
Aspen, Phonemail and other network leaders such as Infostar to shame.

Meridian is designed to be fairly secure, but like most networks it can be
very vulnerable if you know the weak points. The only voicemail system that
I believe offers a respectable level of security is the Audix voicemail
platform, but that's another article. Unlike the other meridian mail guides
out there, I'm not going to rant on and on about meridian mail features and
network architecture, I've written several files on that already, so I'm
going to get straight to the point; here is how you hack meridian mail (the
effective way).

Before you do anything, you need to be able to identify a meridian mail
system properly. There are many different ways to identify a meridian mail
system, most of the time people only pick up on the real obvious meridian
mail systems, where you get a login prompt after you have dialed the number,
(" meridian mail, mailbox?.. "). However, there are many different ways of
identifying a meridian mail system. The voice prompts on meridian mail are all
in a female voice, and can adopt a multitude of forms from different accents
to different languages, depending on where you are. The majority of the time
the voice prompts will be American-English in accent, and quite monotone in
nature. There are several different prompts you can come across when dialing
a meridian system. As I said before, the most obvious one would be.. 18OOxxx
xxxx.. " meridian mail, mailbox? ". Here is a table to show you different
types of meridian mail dialin examples.


[ " meridian mail, mailbox? " ]


Here you are confronted with the meridian user login prompt, your only option
here is to guess a box number and password. Here is where meridian mail can
be a real bitch, there is no way of telling if you have dialed a valid box on
the system, you could hit any number of digits and still get a password
prompt. Either way, you will usually have 3 login attempts before you will
hear something like: " login incorrect, please contact your system
administrator for assistance, goodbye. " Because there is no way of telling
what prefix the mailbox/extension numbers are in from this dialin prompt, you
are dialing blind, so your only hope with this type of dialin prompt is
simple guess work, or if you read this, an educated guess.

Most systems will have 4 digit boxes, which will usually have a default
passcode set to be the same as the box number. The login convention is like
this: you dial your mailbox number xxxx suffixed by [ # ] you then receive
the password prompt which will ask you to enter your password followed by the
# key. Like I said before, there is no way of telling if you have found a
valid box because you will be asked for a passcode whatever you enter. So,
for this type of login prompt we simply guess. The box ranges could be 3
to 5 digits long+ depending on the size of the voice network, 4 digit boxes
is the most common though. Just try random boxes like this.. 5463 [ # ] 5463
[ # ], 3788 [ # ] 3788 [ # ] etc etc, until you successfully login to a valid
box. (more on this later) note: if someone tries to incorrectly login to a
valid box too many times, the system will disable the box so even the
legitimate user can't access it, they would subsequently have to go to the
sysadmin in order to get the box reactivated.


[ " express messaging, to mailbox? " ]


Here is another common meridian prompt that you are likely to come across.
It is simply a meridian prompt for an external user to leave a message for
someone on that system, if they know the person's extension/mailbox number.
Here you can't really go wrong, because you are able to find out what prefix
the mailbox/extension numbers are likely to be in. You will get one of these
2 system messages after entering an extension/mailbox number + [ # ].

a) " There is no mailbox at, xxxx "
b) " mailbox xxxx, please leave a message at the tone. " (or the person's
recorded name - if they bothered to set one).

If you guessed an invalid mailbox number, just keep trying until you find a
valid mailbox and you should receive system recording [ b ]. When you have
successfully managed to find a valid box, note the prefix down as there is
bound to be a nice cluster of mailboxes in that area as well. You now have
the option to do a few things. Once you get system recording [ b ] you could
hit * and you will hear " there is no recorded message, to record a.... " or
if you waited for the tone prompt to record your message for that mailbox hit
[ # ] and you will get " recording stopped " (wherever you get lost with the
commands of meridian mail, simply hit [ * ] to hear a limited set of help on
message/mailbox commands).

Now, you could hit [ 81 ] and you will receive the standard meridian mail
login prompt as described above, but all you can do here is try to login as
the box number you successfully guessed, which should work most of the time,
but if it doesn't you need to find more boxes, which can be achieved by
dialing various extensions on the internal pbx system. I will discuss this in
a little while.


[ " the person at extension xxxx is not available to take your call, please
leave your message at the tone. " ]


Again, here you can hit * to get your list of options, such as [ 81 ] to
login, 0 xxxx[ # ] to dial an extension etc.


[ " mailbox xxxx, please leave your message at the tone " ]

Again, hit [ 81 ] to login, * to get message options.


[ " the person at extension xxxx is not a subscriber to this service, call
answering cannot be completed at this time, transferring to an attendant,
one moment please.. or: please try again later, goodbye. " ]


Here there is not a lot you can really do, unless you have dialed the number
after business hours and it transfers you to the attendant/operator who is
not likely to be there so a recorded greeting would be in place, where you
would be able to login, dial around the system as normal.


[ " please dial the number of the person you are calling. " (hit * and you
will hear: " you have reached an automated service which will connect you
to the phone number you enter.. " you also have an option to dial by
name. ]


Here is meridian's biggest vulnerability, you are able to dial extensions on
the system. Big deal I hear you say. The fact is, if you are going to hack a
meridian mail system effectively, you need to get to this prompt so you can
explore the entire system. You can get to this prompt through many ways as
discussed before, or by dialing 0 number # at a recording prompt, but this
prompt can usually be found by direct dial.

You are looking for a number of things here, such as modems on extensions
(meridian remote administration), valid extensions (valid mailboxes) and
meridian goodies such as the MICB built in meridian conference bridge.
Other things to look out for on meridian extensions are prompt maintenance
extensions, PA extensions (where you control the company's PA system) and
external lines. (more on external lines in a while).

Guessing valid extensions is fairly self explanatory, but sitting there for
ages getting " that number cannot be reached from this service " over and
over again can be a little off-putting, so we employ our own ways of guessing
an extension number. Here is a vulnerability that exists on most meridian mail
systems where you are able to get an extension prompt, I give a guy called
'public_nuisance' credit for this, as he was the person who originally found
this meridian vulnerability. This is what you do if you can't seem to guess a
valid extension.

First start at the higher numbers and work your way up, for example, hit 8
then [ # ] you will get either " beep, that number cannot be reached from
this service, please try again.. " or " pause.. your call cannot be completed
at this time, transferring to an attendant, one moment please.." If this is
the case, and you get " transferring to an attendant " quickly hit [ * ] a
couple of times and it will drop you back to the dial extension prompt. Now,
here is where the vulnerability lies, if you receive that system recording,
it means that the system is expecting more digits to be dialed after [ 8 ] or
whatever number you choose to start with. So next you try dialing 89[#] if
you get the same system recording it means it wants more digits so just hit
** again to get back to the dial extension prompt, or you may get " that
number cannot be reached... " which means you need to try 8 then something
else like 87[#] see where I'm going?.. Basically you are trying to step up
the digits and looking for the system announcement that says " transferring to
an attendant " where you will hit [ * ] a few times, and keep dialing adding
more digits to the sequence each time until eventually you find the prefix of
box/extension numbers.


1     2     3
      |
4 <-x-- 5 <---- 6
      |
7 <-x-- 8 ----> 9
      |
      0

8[ # ]        " your call cannot be completed at this time "        ( ** )
87[ # ]       " that number cannot be reached from this service "
89[ # ]       " your call cannot be completed at this time "        ( ** )
896[ # ]      " your call cannot be completed at this time "        ( ** )
8965[ # ]     " your call cannot be completed at this time "        ( ** )
89654[ # ]    " that number cannot be reached from this service "
89652[ # ]    --> [ ring ring ring ring ]


So, in the above diagram/working example, we see that the valid extension
number was [ 89652 ], this was found via the means of a process of
elimination with the help of the extension vulnerability. This way you do not
have to sit there for ages guessing valid extensions, you just step up and up
through the trunk selection. This method can also be used if the system is
configured for through-dialing but has a passcode protecting the outdial
service, in which case you can get the passcode by using the above
vulnerability because meridian outdialing passcode protection is based on
trunk selection on the pbx system.. way-to-go Nortel ;]

One of the reasons people hack meridian is because of its nice outdialing
feature. Usually once inside a box, you can sometimes get an outside line by
dialing 9 before the number. So for example, if inside a box, you dial 0,
1234 [ # ] that will put you through to extension 1234. But if system
outdialing is enabled you can simply dial like this, 0,9,number [ # ] and
this will select an external trunk and route your call to the outside. On a
poorly configured system (which most are) you may be able to dial externally
without even logging into a mailbox. For example, if you get to the dial an
extension prompt, you could simply prefix the number with a [ 9 ] and your
call would be processed as normal.

Word of warning though. Meridian logs all routing activity, so for example,
say you called your g/f via the means of meridian outdialing, the system
administration part (MAT - meridian administration tool) would log the
following; you dialed 0,9,npa-blahblah[ # ].. meridian will log the
extension (or originating location) from where the call attempt is coming
from, it will then log the number, the time of the call, length of the call,
and even how long it took you to dial the digits. (very handy for the 'law').

There are several ways around this though. For starters, don't even think
about calling a meridian direct from your home if you are going to use one
for outdialing, if you do, route your call. Or, if you managed to find the
remote administration dialin modem on one of the extensions, you can
configure your own trunks for through-dialing ie; with no originating point
or call tracking features enabled. Now, that's enough of the extensions and
call routing etc, now for the rest of the article.

If you dial a number and you get something like " press 1 for blah-blah, hit
2 for yack-yack " etc etc, don't just pass it off as some IVR system whatever,
because meridian can be configured to act as a dialin menu as well. In fact,
this is the most popular type of meridian dialin that you are likely to come
across. To identify the menu system as meridian, you can use the following:

If you hit an invalid key that is not in the menu options you may get:

[ " that command is not recognised " ]

Again, this is a dead giveaway that the system is likely to be meridian based.
If this is the case, it is likely that in the dialin menu, you may have an
option to dial an extension number, leave a message (express messaging), login
to meridian mail etc. If none of those options exist, call the number back
after business hours, and try out all of the options until you eventually get
routed to an un-attended extension where the extension owner's voicemail
greeting should come on, where you will be able to do what was discussed
before. If all else fails, simply hit [ 0 ] for the operator, if they are not
attending the switchboard, the general voicemail box for that company should
come on, and you can do your stuff.

Now, you know how to identify a meridian mail system, and have managed to
login to a box. Here's what to do next.. When you have logged into a box you
will hear something like " you have no new messages " or " you have x new
messages " or " your mailbox is full, to delete a message you no longer
require press 76 " or " your password has expired, to change your password
press 84 " etc etc. Now, you know the default password for the system, so
you need your own box. The mistake a lot of people make when hacking meridian
is they take over a box that they think is not being used because it has no
messages in it, the fact is, if a box has no messages in it, it's likely that
the legitimate owner checks their messages on a regular basis. What you are
looking for is a box that either asks you to change your password, or a box
with backdated new messages from like months ago.

To scan for more valid boxes, login to the one that you have access to, and
hit 75. You will then be asked to enter the mailbox of the recipient, where
you have the option to address the message to multiple boxes, ie: 5400#,
5401#,5402# etc etc. Keep addressing the message to sequential boxes, so you
are scanning the system internally. Eventually, when you have written down a
list of valid boxes, hit [ # ], then 76 to erase/cancel the message. You
will then be returned to the mailbox main menu, where you can hit 81 to
re-login to meridian mail, try 2 boxes from your list, if they don't have the
default passcode, log back into a box that you know the passcode to, then 81
again to go through the next 2 boxes on your list, this way you can avoid
being logged off from the system, and keep going until your fingers fall off.

Eventually you will find a box as described before that is not in use (either
loads of backdated messages, or passcode change prompt). You can then hit 84
to change your passcode, and then you can call the box 'yours'. I'm not going
to list all the functions/options available on meridian mail user boxes,
simply because all you need to do is hit [ * ] to have them read out to you
by the automated system help. All you need to know really is that [ 2 ] will
play any messages you have, 76 will erase it, 71 will reply, 79 will send,
75 to compose a message, etc. A few notes on meridian mail:

If outdialing is enabled, you may find that certain numbers are blocked, for
example ld numbers, numbers prefixed with a 1, or 01 for UK. This can be
overcome in most cases. If you can call the external operator [ 09,00# ], go
through the usual bullshit with him/her/it to get them to dial/place the
call for you. Or you can find a telco service provider that offers 8OO
numbers that bill back to the line you are calling from. Or if you are in the
UK, you can sometimes trick the outdial barring by prefixing your call with
things like 9,[141] or 9,[1470] etc.

You can sometimes set the operator assistance number for your voicemail box
to dial an external number, when inside the box hit 82 then follow the
prompts. The number you set would usually be prefixed with a 9, then suffixed
with a # to end the string of entered digits. So when someone calls your
extension/mailbox and they hit [ 0 ] at your personal greeting, they would
get routed to a number of your choice, instead of the internal operator. This
feature can be useful for simple diverters, but again, not very safe.

Meridian Integrated Conference Bridge (MICB) is a fully integrated, all-
digital audio conference bridge from Nortel (Northern Telecom) designed to
improve and simplify enterprise conferencing capabilities. MICB provides fast
and reliable access to an in-house conference bridge, eliminating the need to
frequently contact conference service bureaus or accommodate complex third-
party conference bridge equipment. Offering simple plug-and-play installation
within a Meridian 1 Intelligent Peripheral Equipment (IPE) shelf, software
keycode activated upgrades, and a variety of flexible features for increased
conference control, MICB is for organizations requiring frequent audio
collaboration to keep multiple dispersed parties connected with critical
communication. As an integrated solution, a single MICB card supports up to
32 ports and up to 10 simultaneous conference calls. There are four MICB card
capacity options available: 12, 16, 24 and 32 ports. If the conferencing
requirements increase, software keycodes activate additional ports on the
MICB card to support the larger port capacities. In addition, multiple MICB
cards can be supported within the Meridian 1 Communications System.

Excerpted from one of my previous meridian files, an extract from a Nortel
technical document explaining how meridian call-logging is implemented etc.

"Detect and Alarm Toll Fraud"

Day by day, your Meridian 1 operates, routing calls to and from your company.
Ever wonder what your traffic calling patterns look like on a realtime basis?
Using MAT Call Tracking, you can now visually monitor traffic patterns. How
long are station users on the phone? What percentage of calls are incoming,
outgoing, or via tandem tie lines? These are a few of the available features.
Better yet, you can set up your own meter to visually cue on the criteria
that you want to monitor. Have you ever been a victim of toll fraud? Want to
know who's making long international calls, as they happen? The integrated
alarm filter can detect these scenarios and alarm you when the event occurs.
With multiple alarming notification methods, the system is sure to reach you,
wherever you may be.

Features

Call Tracking is an on-line call monitor and alarm application for the
examination of call usage patterns leading to toll fraud detection. Graphs
are used to indicate trends and provide displays of unusual calls, enabling
you to adjust equipment and services to maximize resources. Multiple
filtering templates allow for your customization of [ toll fraud ]
criteria. The Call Tracking Module provides a number of alarm notification
options to alert you when the filter criteria have been met. Call Tracking
is designed to be used with Call Accounting but can also exist on a stand-
alone basis.
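
The "alarm filter" idea above, together with the outdial abuse described
earlier in this article (international calls placed through voicemail ports
after hours, one box working through a list of numbers), boils down to a
handful of rules run over call records. The Python below is an added example
written for this editorial pass, not Nortel's MAT Call Tracking code: the CSV
record layout, the "VM" naming for voicemail outdial ports, the 00
international prefix, the after-hours window and the thresholds are all
assumptions chosen for the sample, and the sample records are constructed.

```python
"""Toll-fraud alarm filter over call records (added example, not Nortel code)."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, time, timedelta

# Rule parameters: all assumptions chosen for this sample, tune them to the site.
INTERNATIONAL_PREFIXES = ("00",)      # UK international access code (US sites would use "011")
AFTER_HOURS_START = time(20, 0)       # 20:00 .. 07:00 counts as after hours
AFTER_HOURS_END = time(7, 0)
LONG_CALL_SECONDS = 20 * 60
BURST_COUNT = 3                       # N international calls from one origin ...
BURST_WINDOW = timedelta(hours=24)    # ... inside this window raises a burst alarm
VOICEMAIL_PORT_PREFIX = "VM"          # constructed naming for voicemail outdial ports


@dataclass(frozen=True)
class CallRecord:
    start: datetime
    origin: str       # extension or voicemail port that placed the call
    dialed: str       # digits after the trunk access code (the leading 9 stripped)
    duration_s: int


# Constructed sample records: "start,origin,dialed,duration_seconds".
SAMPLE_CDR = """\
1999-08-12 09:15:00,5401,01223556677,180
1999-08-12 11:02:10,5417,00112125551212,900
1999-08-12 23:41:05,VM01,0012125550100,1500
1999-08-13 00:12:44,VM01,0022155501010,2400
1999-08-13 00:58:30,VM01,0049155501010,1800
1999-08-13 10:20:00,5402,01614445555,60
"""


def parse_cdr(text: str) -> list[CallRecord]:
    """Parse the simple CSV layout above into CallRecord objects."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        start, origin, dialed, duration = (field.strip() for field in line.split(","))
        records.append(CallRecord(datetime.strptime(start, "%Y-%m-%d %H:%M:%S"),
                                  origin, dialed, int(duration)))
    return records


def is_international(dialed: str) -> bool:
    return dialed.startswith(INTERNATIONAL_PREFIXES)


def is_after_hours(t: time) -> bool:
    return t >= AFTER_HOURS_START or t < AFTER_HOURS_END


def toll_fraud_alarms(records) -> list[tuple[CallRecord, list[str]]]:
    """Return (record, reasons) for every international call that trips a filter rule."""
    recent = defaultdict(deque)   # origin -> start times of its recent international calls
    alarms = []
    for rec in sorted(records, key=lambda r: r.start):
        if not is_international(rec.dialed):
            continue
        reasons = []
        if is_after_hours(rec.start.time()):
            reasons.append("after-hours")
        if rec.origin.startswith(VOICEMAIL_PORT_PREFIX):
            reasons.append("voicemail-port")      # trunk-to-trunk call via the mail system
        if rec.duration_s >= LONG_CALL_SECONDS:
            reasons.append("long-duration")
        window = recent[rec.origin]
        window.append(rec.start)
        while rec.start - window[0] > BURST_WINDOW:   # drop calls older than the window
            window.popleft()
        if len(window) >= BURST_COUNT:
            reasons.append("burst")
        if reasons:
            alarms.append((rec, reasons))
    return alarms


if __name__ == "__main__":
    for rec, reasons in toll_fraud_alarms(parse_cdr(SAMPLE_CDR)):
        print(f"ALARM {rec.start} {rec.origin} -> {rec.dialed} "
              f"({rec.duration_s}s): {', '.join(reasons)}")
```

Run as-is, the three VM01 calls trip the filter (the third one also as a
burst) while the daytime international call from extension 5417 stays quiet;
the point of separate reasons is that a voicemail port placing any outside
call at all is worth an alarm even when the call is short.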

Welp, that's it for this brief overview of hacking meridian. Shouts to:
[ D4RKCYDE ] [ 9X ] [ B4B0 ] [ downtime ] [ zomba ] [ substance ] [ gr1p ]
------------------------
http://hybrid.dtmf.org hybrid@dtmf.org hybrid@ninex.com
http://phunc.com/~hybrid hybrid@b4b0.org hybrid@phunc.com

" 4-wire trunk circuits were converted to 2-wire local cabling,
using a device called a hybrid. Unfortunately, the hybrid is
by its very nature a leaky device. "



-o[ review of.. AntiSocial Magazine ]o-
-o[ D4RKCYDE ]o-
-o[ by hybrid <hybrid@dtmf.org> ]o---------------------------------------


URL: http://www.antisocial.cjb.net/
MAILTO: armageddon@hack-net.com
STAFF: armageddon, loki, crashd, phil, tefx.
ISSUES: 17 to date

(short review, as-16)

We never usually review other h/p ezines, but since AS mag decided to review
f41th, we thought we'd return the favour and review them...

First impressions:

To be honest, when I first loaded up a-s16, I was quite impressed with the
general layout and organisation of the zine as a whole. It's quite difficult
to get the articles you need for an ezine; editing, organising and presenting
a zine is the most time consuming part, I'm sure armageddon would agree with
me there. I've read most of the a-s zines, but decided to review number 16 as
it seemed to be quite weighty in K's.

A-s claim to cover most of the underground scene, right from tracking,
hardcore, to hacking and telephony. Because of this, A-s have attracted a
wide range of audiences, from white glove wearing whistle blowing hardcore
followers to hackers, it's not surprising that they have a respectable volume
of readers.

I was however slightly confused.. The zine's makers claim that a-s mag is in
the majority aimed at the UK h/p underground. I was unable to find many, if
any, h/p related articles in a-s magazine (with the exception of the news).
The amount of telephony information is minimal (if not void), but I was
impressed with the programming related articles, such as the ASM info. Here I
would argue that a-s magazine is not underground at all (hp). Don't get me
wrong, I'm not saying this for no reason.. Throughout the zine, there is a
distinct feeling that the editors are more interested in seeing how well
known they can get their mag, and are constantly bragging about their
supposed colossal readership. I'm sure many would agree, a h/p zine is not
underground if the editors are trying to get it hosted left right and center;
it wouldn't surprise me if I saw an advert on TV for it. There are also
sections in the zine that are designed to be used as advertising space for
other "groups".. Why would an underground h/p group want to 'advertise'?
According to a-s mag: "so they can become the biggest name in the scene" - is
this really underground? It's not surprising that the group advertisements
consisted of advertisements for fake ID and lame groups such as PLE.

Overall I was impressed with the contents of the zine. The articles are of a
technical nature, and easy to read. The thing that impressed me the most was
the obvious time and thought that armageddon has put into the zine.. The
editorials, coverage etc are all in depth and interesting to read. As an
honest opinion, lose the advertisements, lose the happy hardcore, lose the
PLE stuff and you've got a great zine. Respect is definitely due to the fact
that a-s mag as a team have managed to keep the zine going over such a long
period of time, I think the "fame" factor is getting to them just a little
bit though ;]

Another thing that was brought to my attention is the fact that some of my
group members are complaining that articles they wrote for f41th are strangely
appearing in a-s magazine (either truncated or as a whole). I managed to find
an article in a-s mag written by PLE (PhoneLoosersEngland). The article was
called "the PLE phonebook" or some shit like that, COMPILED by PLE members.
Is this a joke? -- EVERY SINGLE number in that listing has been taken from
previous D4RKCYDE scanlists and f41th scanlists. I personally noticed that all
the carriers listed in that "phonebook" were found by yours truly.. We are
NOT happy to say the least (bye bye PLE). And again, another scan, this time
by shadowx, written for f41th.. suddenly appears in a-s magazine.

I'm not going to go on about copyright at this point. I just want to make
something clear to PLE/AS: DO NOT RIP OFF F41TH. - that's all I wanted to say.

Closing up here, I feel AS mag is generally a good read, both entertaining
and informative. The .EXE t loader sucks a little, but it's different, that's
what counts. Generally well organised, with a nice layout - with the exception
of the annoying blinking graphics and the group ads which seemed a little on
the childish side. But who am I to judge?

hybrid <hybrid@b4b0.org>
<hybrid@ninex.com>
<http://hybrid.dtmf.org>

Shouts to crashd for having good taste in music in the members listing, manics
nirvana, BEASTEE BOYS werd. werd to armageddon. broken legs to PLE.

-----------------------------------------------------------------------------
note from shadowx:

big shout out to alex-uk, undernet's biggest fucking lamer.. i told you what
would happen if you go around changing passwords... look where it got you.
armageddon... how did hack the FAG go? (nice typeo's) -- alex-uk, see you
at catastrophe you hamster fucking lame undernet piece of shit.
-----------------------------------------------------------------------------



-o[ brief guide to the evolution of switching ]o-
-o[ D4RKCYDE ]o-
-o[ by hybrid <hybrid@dtmf.org> ]o-----------------------------


Switching Systems

Before the phone network went automated, phone switching was achieved by
operators that manually made the connections between subscriber lines on
huge panels of inter-connecting circuit boards. As telephony technology
progressed, so did the type of switching techniques; the manual switchboards
were replaced by electromechanical switches which took the place of the
manual switchboard operators.

These primitive electromechanical switching mechanisms used a series of
fingers that would rotate and then make contact with the circuit, therefore
connecting the subscriber line; these types of switches were called stepper
switches, in essence they were vertical ladders of rotary switches with
rotating contacts that would either step up or down. This switching
technology was invented in 1891, and has since passed its sell-by-date by far.

Next in the line of switch evolution was a new breed of electromechanical
switch, this time called the crossbar switch. Again, the crossbar switch was
an analog device which only supported mechanical switching functions. The
crossbar switches used multiple vertical and horizontal paths with some
electromechanical relay switches for the interconnecting of the vertical
paths to the horizontal paths. The crossbar switching interface was referred
to as the TXC switch (Telephone eXchange Crossbar). There were various
hybrids/variants of the TXE switching system such as the number 5 crossbar
switch (5XB) which were deployed throughout end-offices during the 193O's.

Now some more familiar ground to cover; the next breed of switch that came
to dominate the network were the electronic switches. Like the previous
switches they were also electromechanical, the difference being that these
switches were controlled by computers, and therefore adopted the form of
computer controlled electromechanical or electronic switching devices. These
switches were designed to handle/distribute analog signals, and used a new
method of call handling; unlike the previous switches where each digit
dialed would be processed one at a time, these new switches stored the
dialed number in a register and then executed the dialed connection. We
refer to this type of switch as a common control switch; it soon
became the first stepping stone towards ESS.

Now, we all know what ESS is right? (you damn well should d0). This breed of
switching technology was derived from the previous switch, with the exception
that they implement[ed] stored program control to trunk up calls. The first
ever switch to implement this new stored program control was the Number 1 --
Electronic Switching System, more commonly referred to as (1ESS). The 1ESS was
a computer controlled crossbar switch, which implemented computers to instruct
the electromechanical functions of the switch; such a system is referred to as
TXD (Telephone eXchange Digital). At the time this method of switching was
considered to be very advanced and ahead of its time; the concept was in fact
rather simple, but effective. The ESS switches had to use an identical or
'generic' program in each class of switch. The differences between offices
were determined by parameters used by the 'generic' program. Parameters are
the number and location of active lines and trunks, tone or rotary dialing,
etc.

During the 197Os when this type of switching architecture was at large, call
handling traffic increased, so the next breed of switch was implemented with an
upgraded CPU type, and morphed from 1ESS to 1AESS, but was still effectively
a computer controlled crossbar switch.

As the demand for phone services grew, the switching systems advanced into
a newer breed of switching; it was at this time that the famous 4/5ESS switches
were born and have since been used as the workhorses for the phone network.
The first computer controlled digital switch was the 4ESS system, which was
specifically designed for toll switching and routing. It implemented the
previous 1AESS CPU and was coupled together with a TMS (Time Multiplexed
Switch) capable of handling 5O,OOO[+] simultaneous loop connections. The
switch was designed to handle digital signals, but at the time the local
offices had to patch the older local loop equipment to it by ringing
subscriber lines with a 9O volt AC current; since the semiconductors had a
hard time dealing with this, the new breed of ESS was born -- 5ESS.

In the previous ESS systems, the analog signals were switched at local
offices, but the new 5ESS system converted the analog signals into a digital
form, and stored program switching was born. The AT&T 5ESS switches are based
on a TST (Time Space Time) digital switching concept that is capable of
handling over 1OO,OOO subscriber lines. The current switches are identified as
Telephone eXchange Electronic (TXE) because they employ electronic switching,
as opposed to electromechanical means such as Crossbar or step-by-step
switches.

Northern Telecom is another manufacturer of digital telephone switches
designated as DMS-1OO, DMS-2OO, and DMS-25O. Each is tailored to specific
switching functions on the phone network. Cellular switch vendors market PBXs
or CO switches reconfigured with software to support mobile subscribers.
Three of the major U.S. cellular switch equipment suppliers -- AT&T, Ericsson,
and Northern Telecom (of Motorola Nortel) -- are also leading suppliers of CO
switches.

Today the phone network is becoming increasingly advanced with new telephony
innovations developing all the time. At present the phone network is run via
advanced digital CO switches which support many functions such as CLASS
services (a basic example). We also see the mass implementation of Signaling
System 7 (SS7), Integrated Services Digital Network (ISDN), Custom Local Area
Signaling Services (CLASS -- the phone company delivering the number and/or
name of the calling party to the subscriber), Centrex, cellular
communications, and Advanced Intelligent Networks (AIN), all supported by CO
switch suppliers' products today.

http://hybrid.dtmf.org hybrid@dtmf.org hybrid@ninex.com
http://www.phunc.com/~hybrid hybrid@b4b0.org hybrid@phunc.com

" Hybrid echo, which is generated at the 2-4 wire conversion point, is
the only source of echo that is generated from the PSTN. "



-o[ f41th advisory CNID spoof ]o-
-o[ D4RKCYDE ]o-
-o[ f41th <darkcyde.phunc.com> ]o--------------------------------------------


It has been found that on certain Motorola phones that contain the M145447
chip there is a certain option that allows the chip to be powered down. When
the phone rings, the chip is then woken up and is then in ready state to
receive, process and deliver the CNID (CallingNumberID) signal, after which
the chip then shuts down again and is then powered up when the next call
occurs.

Should this option be disabled, the chip will be in a 'listen always' state
and it is theoretically possible to 'flood' a line making a vulnerable box
record successive erroneous numbers.

There is a device available called the 'presto chango' which works by
transmitting extra data in the form of an ADSI modem tone after the call has
been picked up. Phones that are fitted with the M145447 caller id chip are
vulnerable to this attack, and will only receive the data transmitted via
the extra ADSI modem transmission. It has been found that not only are the
motorola M145447 chips vulnerable to this spoof, but so are the CNID
boxes that come from the RBOC, USWest. So if for example the data '31337'
was transmitted in ascii via the ADSI modem tone transmission to a CNID box
equipped with such an M chip or USWest box, the receiving line would see the
numbers '31337' appear on their CNID box. Neat huh? - Thank USWest and
Motorola for this nice CLI vulnerability. :)
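
Added example, not from the advisory and not Motorola's or USWest's code: a
small Python model of a CNID receiver that shows why the power-down option
matters. It parses a Bellcore-style single data message (SDMF: type byte
0x04, a length byte, MMDDHHMM, the digits, then a two's-complement checksum so
the whole message sums to zero mod 256) and only accepts a message while the
decoder is awake between the first and second ring. In 'listen always' mode
the same post-answer data the advisory describes lands on the display. The
hook-state model, the CidReceiver API, build_sdmf and the sample frames are
constructed for this example; the FSK layer is left out.

```python
"""Model of a caller ID (CNID) receiver that gates decoding by hook state (added example)."""
from enum import Enum

SDMF_TYPE = 0x04   # Bellcore single data message format: date/time + calling number


class Hook(Enum):
    IDLE = "idle"                # on-hook, line quiet: decoder powered down
    RING_WINDOW = "ring-window"  # between first and second ring: legitimate CND delivery
    OFF_HOOK = "off-hook"        # call answered: anything on the line now comes from the far end


def sdmf_checksum(body: bytes) -> int:
    """Two's-complement checksum: all message bytes including the checksum sum to 0 mod 256."""
    return (-sum(body)) & 0xFF


def build_sdmf(date_time: str, number: str) -> bytes:
    """Constructed test vector: type, length, MMDDHHMM + digits, checksum (no FSK layer)."""
    payload = (date_time + number).encode("ascii")
    body = bytes([SDMF_TYPE, len(payload)]) + payload
    return body + bytes([sdmf_checksum(body)])


def parse_sdmf(frame: bytes) -> tuple[str, str]:
    """Return (date_time, number); raise ValueError on a frame the receiver must not trust."""
    if len(frame) < 3 or frame[0] != SDMF_TYPE:
        raise ValueError("not an SDMF message")
    if len(frame) != frame[1] + 3:
        raise ValueError("length mismatch")
    if sdmf_checksum(frame[:-1]) != frame[-1]:
        raise ValueError("bad checksum")
    payload = frame[2:-1].decode("ascii")
    if len(payload) < 8:
        raise ValueError("payload too short for date/time")
    return payload[:8], payload[8:]


class CidReceiver:
    """listen_always=False models the power-down option; True models the vulnerable state."""

    def __init__(self, listen_always: bool = False):
        self.listen_always = listen_always
        self.state = Hook.IDLE
        self.display: list[str] = []                 # numbers shown to the subscriber, in order
        self.rejected: list[tuple[str, bytes]] = []  # audit trail: (reason, raw frame)

    def ring(self):
        if self.state == Hook.IDLE:
            self.state = Hook.RING_WINDOW   # first ring wakes the decoder

    def answer(self):
        self.state = Hook.OFF_HOOK

    def hang_up(self):
        self.state = Hook.IDLE

    def receive(self, frame: bytes):
        """Feed one demodulated message to the receiver; return the number if it was accepted."""
        if self.state != Hook.RING_WINDOW and not self.listen_always:
            self.rejected.append(("decoder powered down", frame))
            return None
        try:
            _, number = parse_sdmf(frame)
        except ValueError as err:
            self.rejected.append((str(err), frame))
            return None
        self.display.append(number)
        return number


def simulate(listen_always: bool) -> list[str]:
    """One call on a receiver of the given configuration: real CND between the rings,
    then extra data after answer (the post-answer transmission the advisory describes)."""
    rx = CidReceiver(listen_always=listen_always)
    rx.ring()
    rx.receive(build_sdmf("08121530", "2125550100"))   # constructed legitimate CND
    rx.ring()
    rx.answer()
    rx.receive(build_sdmf("08121531", "31337"))        # constructed post-answer data
    rx.hang_up()
    return rx.display


if __name__ == "__main__":
    print("power-down option on :", simulate(listen_always=False))  # ['2125550100']
    print("listen-always (vuln.):", simulate(listen_always=True))   # ['2125550100', '31337']
```

The checksum catches line noise and truncation, not spoofing: a correctly
formed post-answer message passes it just fine, which is why the receiver's
hook-state gate, not the message format, is the control that matters here.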

For more info on CLI/CNID UK and US specifications etc, check out the phunc
telecommunications security research site at www.phunc.com/~hybrid [ temp ].
Also, a file I wrote for 9x which can either be found on www.ninex.com or on
my own website at http://hybrid.dtmf.org.




-o[ The Workings of a 5ESS Central Office ]o-
-o[ D4RKCYDE ]o-
-o[ digiphreq <digiphreq@webcrunchers.com> ]o--------------------------------



Ok several weeks ago I took this telecommunications class at a local
university. It wasn't really a class or anything, just something this dude
put together. Actually at this point it was probably like a month or two
ago. Anyways that's not important. During the seminars the professor gave he
discussed many aspects of 5ESS and where the industry is going and so on.
All fairly boring as hell... Most of which I slept through. So after 10
hours of boring-ass seminars I was finally given the opportunity to go through
a CO. Which was really rather cool. While I was there I took a lot of notes
and then saved them till now. I should have written this for faith8, but I
haven't been near my computer for the last 3 weeks and just couldn't.. This
article isn't the least bit technical really, it's just an account of what I
saw on my tour.

The CO is made of several different buildings. They aren't actually
buildings, but that's what they call them. There is the Outside Plant, Cable
Vault, Frame Room, Battery Room, and Fiber Distribution Center.

The Outside Plant isn't actually a plant they just call it that. Anyway,
it's the point between the Subscriber's Minimum Point of Entry (MPOE) and the
CO Main Distribution Frame (MDF).

Next there is the Cable Vault which resides underground. While the locations
of other parts of the CO can vary, the Cable Vault is always underground,
because of the basic nature of what the complex houses. The Cable Vault is
where all the cables from other COs and that CO's subscribers come together.
It's kind of a creepy little area. Anyway the cables enter through these
ducts in the walls and the ducts lead to manholes. After entering the Cable
Vault, the cables are racked and plugged with pressure plugs. These pressure
plugs are used to put several pounds of air pressure on each cable as it
leaves the CO to deter moisture from the cable's sheath. After the pressure
plugs the cables are spliced and run into compartments where each cable's
3600 pairs are put into 100 pair groups which are run through more ducts
to the frame room. Each of these pairs contains an average of 3600 twisted
pairs or 3600 telephone lines. A few other types of cable such as coaxial,
fiber optic, and interoffice are also run through the Cable Vault.

The Main Distribution Frame (MDF) is where the 100 pair groups are separated
into individual pairs and attached to connectors. This room by no surprise
is the same length as the Cable Vault which is directly below it. You would
also not believe how organized they have the cables in the MDF. I mean your
computer becomes a mess if you get more than 10 cables running behind it.
They've got thousands of cables and they are all organized.. Anyway, there
are two sides to the MDF, the vertical (Vertical Distribution Frame - VDF)
and horizontal (Horizontal Distribution Frame - HDF). The vertical side is
where the outside wiring is attached to connectors and is fed through the
protector fuses. From there the tip and ring of each pair is cross
connected to the horizontal side where the hardwired connectors to the
switching system are located. These hardwired multi-conductor cables run
from the connectors to the physical location of the switching equipment. To
keep them all straight technicians have access to COSMOS (the phone network
mainframe) from which they can print out information regarding cable and pair
and Office Equipment (OE). With this information they can work on the VDF and
on the HDF, connecting/disconnecting services as indicated. The VDF side is
marked by cable and pair. The HDF varies in format depending on what type of
switch they are using. Basically a Special Services line would be routed to
different switching equipment than a regular POTS line. That was just a
quick example of how the HDF can vary...

The Battery room is a room which houses the office battery. Inside there are
several racks which hold batteries which look like car batteries. They are
larger in size though. The batteries are all wet cell. Together they
provide power to the copper lines. Copper facilities idle at 48 volts DC
current. The current drops to 6 or 8 volts DC when dial tone is requested.
The current peaks at around 90 DC when a ring is sent. T1 lines peak at
around 140 total DC volts. Each copper wire has an output of between 14 and
16 milliamps from the frame. However the battery room creates an average of
1400 amps.

The Fiber Distribution Frame is a centralized optical termination frame for
facilitating the cross-connecting of optical fibers. Technicians can connect
Outside Plant (OSP) facilities to the CO equipment. It's what allows the
minimum handling of fragile optical fibers after installation. Each
individual FDF bay is placed adjacent to each other to form a continuous
Frame. An FDF is used to connect OSP facilities to CO equipment. Connections
are flexible and are made using jumper/patch cables, thus allowing
connections to be changed without disturbing the fibers or fiber splices. A
jumper can be temporary to get around any trouble or permanently placed if
need be. Basically the FDF allows access to the fibers.

After the tour of all this junk the tour dude then discussed some of the
other equipment which is found in the MDF. This was all prompted by
questions we asked. This particular CO had the following equipment in the
frame room. These aren't equipment per se, more just other things that are
found in the room... T1 or DS1, X.25, SONET, DS3, Cisco 200, MAARS, E9-1-1
(all three variants).

That's basically it for my notes that I took during the tour. So maybe you
now have some idea of how a CO operates. Then again maybe you don't... it's
not my problem.




-o[ BTs lite ADSL technology ]o-
-o[ D4RKCYDE ]o-
-o[ by sonicborg ]o----------------------------------------------



/*
I take sod all credit for this apart from taking the time out to copy it
up from print outs, to the computer disk you are reading this off right now.
*/


While the objective of the market trial is to assess customers reactions to a
wide variety of interactive multimedia services, significant technical
advances have been made since the technology trial of 1994.

The set-top-box (STB) is based on an Apple Macintosh computer - the LC475 -
running MAC O/S modified to support MPEG and a 2Mbit/s network interface. At
start-up it is downloaded with the applications and Oracle Media Objects
(OMO), the run time version of the authorware tool in which the services are
created.

The network platform is being delivered by Alcatel Network Systems and
comprises STM-16 SDH rings delivering content from the media server in
Colchester to six remote telephone exchanges based in Colchester and Ipswich.
Alcatel's ATM technology switches individual video and control channels at
the remote exchanges where they are delivered as a 2 Mbit/s stream over
either copper using Asymmetric Digital Subscriber Loop (ADSL), or fibre.

The ADSL technology, manufactured by westell international, delivers over an
ordinary telephone loop 2 Mbit/s in one direction, a 9.6 kbit/s bidirectional
control channel, and the ordinary analogue telephone service. Fibre customers
are connected using Alcatel's APON technology.

The Alcatel switching platform provides the concentration and distribution to
allow up to 1200 of the 2500 customers to be connected to the server at
any one time.

The server system consists of an nCUBE massively parallel computer controlled
by a Sequent UNIX computer, both running Oracle's Media Server software. The
significant advance in server technology since the earlier trial has been the
ability to scale the server to allow up to 1200 customers independent access
to 1000 hours of entertainment as well as the other applications. There is an
EDI gateway to the server supporting the banking application.

All the video content is compressed into the MPEG1 standard at 2Mbit/s and
carried in MPEG2 frames. The coding of all the short video sequences and
bitmaps is carried out by BT using real-time coding technology.

Business support services utilise Oracle's database software and applications,
and all the significant components of the system are integrated with BT's
normal billing, network management and customer services systems (CSS).

The invention is currently in use in BT's network. All PSTN and cashless
calls are priced using the pricing engine described in the patent
application, with 10 pricing engines dedicated to development for use with
feature-rich virtual networks for major business customers.

The pricing engine allows billing processing to be performed at a few
centrally located sites rather than distributing the processing across all of
the switches in the network. The flexibility of the pricing architecture has
allowed BT to view billing as a marketing tool rather than as a necessary
evil.

FILTERS FOR ADSL SYSTEMS
~~~~~~~~~~~~~~~~~~~~~~~~

This invention was a critical component in the success of BT's video-on-
demand market trials recently carried out in East Anglia.

ADSL is a transmission technique that allows broadband signals to be carried
over a standard copper pair such as those owned by BT, UK cable companies,
and European PTOs.

ADSL is likely to become a key technology as the access network migrates from
copper to optical fibre. The filters have a novel 'hybrid' structure enabling
the broadband signals to be separated from the telephony signals. It is
expected that significant patent protection will be obtained, giving BT a
competitive advantage when using ADSL to supply broadband services such as
video on demand and fast internet access.



TESTING NETWORKS USING REAL SPEECH SIGNALS
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

These two inventions both address the issue of how to measure a subjective
variable, such as the speech quality provided by a network, using an
objective measurement technique, which measures components of transmitted
speech in order to calculate the quality of the circuit. Because there is no
use of a pre-determined test signal, monitoring can take place on live
circuits without interrupting the calls being made. We expect to gain patent
protection for all the most important aspects of the inventions.

These inventions are already used by Cellnet, in a test system that measures
the quality of new systems and services, and in a non-intrusive measurement
system that assesses the quality of BTs global networks.

REAL TIME RESOURCE ALLOCATION (WORK MANAGER)

Work Manager is used across BT to organise the work of BTs field engineering
workforce. It is currently used daily by nearly 20,000 engineers, making it
the largest automatic work allocation system in the world.

The system allocates jobs to engineers as they become free, which is far more
efficient than the old system of booking out engineers to jobs in advance.
The skills and geographical location of the engineer are taken into account,
as is the priority of the job.




-o[ xDSL local loop access technology ]o-
-o[ D4RKCYDE ]o-
-o[ foundonthenet ]o-------------------------------------


xDSL Local Loop Access Technology
Delivering Broadband over Copper Wires

By Robyn Aber

Today's environment is ripe for the emergence of digital subscriber line
(xDSL) technologies. The use of more multimedia information on the Internet
and World Wide Web by business and residential users is a major growth
factor. Another is the availability of affordable networking equipment that
enables larger numbers of users to access corporate information from remote
sites.

The opening of the telecommunications industry in the United States and
throughout the world is sparking the entry into new service delivery by
incumbent local exchange carriers (ILECs), interexchange carriers (IECs),
Internet service providers (ISPs), competitive local exchange carriers
(CLECs), and satellite and cable companies. Mixed media networking, the need
for affordable broadband transmission rates, and a competitive telecom
service environment all contribute to making xDSL the right technology at the
right time. xDSL services promise to dramatically increase the speed of
copper wire-based transmission systems without requiring expensive upgrades to
the local loop infrastructure. New xDSL services are being readied to join
the bandwidth race.

This paper describes the different xDSL technologies in development today and
compares them to other current and emerging WAN service technologies. It also
reports on current and future worldwide xDSL deployments and gives some
market introduction projections. Finally, the paper describes 3Com's
strategic direction with respect to the emerging xDSL technology market.

Contents:

o What Are Digital Subscriber Line (xDSL) Services?
o Development History
o Different Types of xDSL and How They Work

o Asymmetric Digital Subscriber Line (ADSL)
o Rate-Adaptive Digital Subscriber Line (R-ADSL)
o ADSL Lite
o How ADSL Modems Work
o ISDN Digital Subscriber Line (IDSL)
o High Bit-Rate Digital Subscriber Line (HDSL)
o Single-Line Digital Subscriber Line (SDSL)
o Very High Bit-Rate Digital Subscriber Line (VDSL)

o xDSL Delivers Broadband over Copper
o Technology and Applications Comparison
o 56 Kbps Analog Modems
o DSL Modulation Schemes
o ISDN
o Cable Modems
o xDSL

o ADSL Development and Deployment Progress
o Getting Started with ADSL
o ADSL Suppliers
o Upgrading Digital Loop Carriers (DLCs)
o Network Design: What's Needed

o Conclusion
o Glossary of Related Terms


What Are Digital Subscriber Line (xDSL) Services?

xDSL services are dedicated, point-to-point, public network access
technologies that allow multiple forms of data, voice, and video to be
carried over twisted-pair copper wire on the local loop ("last mile") between
a network service provider's (NSP's) central office and the customer site, or
on local loops created either intra-building or intra-campus. xDSL is
expected to have a significant impact in the next three years by supporting
high-speed Internet/intranet access, online services, video-on-demand, TV
signal delivery, interactive entertainment, and voice transmission to
enterprise, small office, home office, and, ultimately, consumer markets. The
major advantage of high-speed xDSL services is that they can all be supported
on ordinary copper telephone lines already installed in most commercial and
residential buildings.

Development History

xDSL was designed initially to provide video-on-demand and interactive TV
applications over twisted-pair wires. Interest in copper-based digital
subscriber line services was spurred when fiber-based broadband loops proved
to be too costly for widespread deployment. Another boost came with the
passage of the Telecommunications Act of 1996, which allows local
phone companies, long-distance carriers, cable companies, radio/television
broadcasters, Internet/online service providers, and telecommunications
equipment manufacturers in the United States to compete in one another's
markets. The race to provide broadband bandwidth was on.

In xDSL, telecommunications companies see an opportunity to leverage customer
demand for faster data access that has resulted from the explosive growth of
the Internet and the advent of IP telephony. xDSL has the potential to
deliver high-speed data access and much more. xDSL technology is in the early
stages of commercial availability. The key players have agreed on standards
and continue to work out interoperability, provisioning, and operations
issues.

Different Types of xDSL and How They Work

The "x" in xDSL stands for the various kinds of digital subscriber line
technologies, including ADSL, R-ADSL, HDSL, SDSL, and VDSL. To fully grasp
the significance of these technologies and the applications for which each is
best suited, it is important to understand how they differ. Key points to
keep in mind are the trade-offs between signal distance and speed, and the
differences in symmetry of upstream and downstream traffic.

Asymmetric Digital Subscriber Line (ADSL)

ADSL technology is asymmetric. It allows more bandwidth downstream-from an
NSP's central office to the customer site-than upstream from the subscriber
to the central office. This asymmetry, combined with "always on" access
(which eliminates call setup), makes ADSL ideal for Internet/intranet
surfing, video-on-demand, and remote local area network (LAN) access. Users
of these applications typically download much more information than they
send. Downstream, ADSL supports speeds between 1.5 and 8 Mbps; upstream, the
rate is between 16 Kbps and 640 Kbps. ADSL can provide 1.54 Mbps downstream
at distances of up to 18,000 feet over one wire pair. Peak speeds of 6 to 8
Mbps are achievable at distances of 10,000 to 12,000 feet over standard
24-gauge wire; the longer the loop, the lower the rate it will sustain.

Rate-Adaptive Digital Subscriber Line (R-ADSL)

R-ADSL operates within the same transmission rates as ADSL, but adjusts
dynamically to varying lengths and qualities of twisted-pair local access
lines. With R-ADSL, it is possible to connect over different lines at varying
speeds. Connection speed can be selected when the line synchs up, during a
connection, or as the result of a signal from the central office.

ADSL Lite

ADSL Lite is a lower-speed version of ADSL that will eliminate the need for
the telco to install and maintain a premises-based POTS splitter. Elimination
of the POTS splitter is intended to simplify DSL installation and reduce the
costs of DSL for NSPs. ADSL Lite is also supposed to work over longer
distances than full-rate ADSL, making it more widely available to mass market
consumers. It will support both data and voice and provide an evolution path
to full-rate ADSL.

The effort to introduce ADSL Lite has been spearheaded by the Universal ADSL
Working Group, an industry group that worked to develop a worldwide G.Lite
standard within the International Telecommunications Union (ITU) Study Group
15. An ITU standard (G.992.2) was approved in October, 1998. Additional
standards work can be expected in ANSI T1E1.4, the ATM Forum, and the ADSL
Forum to address issues such as compatibility with home wiring and network
interfaces. 3Com is an active participant in these standards bodies working
on the development of ADSL Lite.

How ADSL Modems Work

To create multiple channels, ADSL modems divide the available bandwidth of a
telephone line using one of two methods: frequency division multiplexing
(FDM) or echo cancellation.

FDM assigns one band for upstream data and another band for downstream data.
The downstream path is then divided by time division multiplexing (TDM) into
one or more high-speed channels and one or more low-speed channels. The
upstream path is also multiplexed into corresponding low-speed channels.

Echo cancellation assigns the upstream band to overlap the downstream band
and separates the two by means of local echo cancellation, the same technique
used by V.32 and V.34 modems. Echo cancellation uses bandwidth more
efficiently, but increases complexity and cost. For both FDM and echo
cancellation, a filter called a POTS splitter front-ends an ADSL modem to
split off 4 kHz for voice service (referred to as plain old telephone
service, or POTS). This means that both POTS and ADSL can be transmitted on
the same wire, eliminating the need to have a separate POTS line for voice
communication.

ISDN Digital Subscriber Line (IDSL)

IDSL provides full duplex throughput at speeds up to 144 Kbps. Unlike ADSL,
IDSL is restricted to carrying data only. While IDSL uses the same 2B1Q
modulation code as ISDN to deliver service without special line conditioning,
it differs from ISDN in a number of ways. Unlike ISDN, IDSL is a non-switched
service, so it does not cause switch congestion at the service provider's CO.
ISDN also requires call setup, while IDSL does not (DSL is an "always on"
service).

High Bit-Rate Digital Subscriber Line (HDSL)

HDSL technology is symmetric, providing the same amount of bandwidth upstream
as downstream. HDSL is the most mature of the xDSL technologies, and has
already been implemented in telco feeder plants (lines that extend from
central offices to remote nodes) and also in campus environments. Due to its
speed-1.544 Mbps over two copper pairs and 2.048 Mbps over three pairs-telcos
commonly deploy HDSL as an alternative to repeatered T1/E1. (T1 lines, used
in North America, have a data rate of 1.544 Mbps; E1 lines, used in Europe,
have a data rate of 2.048 Mbps.) Although HDSL's 12,000 to 15,000-foot
operating distance is shorter than ADSL's, phone companies can install signal
repeaters to cost-effectively extend its useful range. HDSL's reliance on two
and three twisted-pair wires makes it ideal for connecting PBX systems,
digital local loops, IEC points of presence (POPs), Internet servers, and
campus-based networks. HDSL II is proposed as the next-generation HDSL
within ANSI and ETSI. It will offer the same performance as HDSL, but over a
single pair.

Single-Line Digital Subscriber Line (SDSL)

Like HDSL, SDSL supports symmetrical T1/E1 transmissions, but SDSL differs
from HDSL in two important ways: it uses a single copper-pair wire, and it
has a maximum operating range of 10,000 feet. Within its distance limitation,
SDSL is capable of accommodating applications that require identical down-
stream and upstream speeds, such as video conferencing or collaborative
computing. SDSL is a precursor to HDSL II.

Very High Bit-Rate Digital Subscriber Line (VDSL)

VDSL technology is the fastest xDSL technology, supporting a downstream rate
of 13 to 52 Mbps and an upstream rate of 1.5 to 2.3 Mbps over a single
copper-pair wire. VDSL can be viewed as a cost-effective alternative to fiber
to the home. However, the maximum operating distance for this asymmetric
technology is only 1,000 to 4,500 feet from the central office; this distance
can be extended by running fiber optic cable from the CO to an optical
network unit and copper from that point to the user location up to 4,500 feet
away. In addition to supporting the same applications as ADSL, VDSL's
additional bandwidth could potentially enable NSPs to deliver high-definition
television (HDTV), video-on-demand, and switched digital video, as well as
legacy LAN extension symmetrical services. VDSL is in the requirements and
standards definition stage.

xDSL Delivers Broadband over Copper

The best thing about xDSL technologies is their ability to transport large
amounts of information across existing copper telephone lines. This is
possible because xDSL modems leverage signal processing techniques that
insert and extract more digital data onto analog lines. The key is
modulation, a process in which one signal modifies the property of another.

In the case of digital subscriber lines, the modulating message signal from a
sending modem alters a high-frequency carrier signal so that a composite
wave, called a modulated wave, is formed (Figure 2). Because the carrier can
be varied in amplitude and phase, a large digital data payload can be carried
in the modulated wave over greater distances than unmodulated (baseband)
signaling would reach on the same copper pair. When the transmission reaches
its destination, the modulating message signal is recovered, or demodulated,
by the receiving modem.

Technology and Applications Comparison

There has been a lot of speculation in the industry about which remote access
technologies will succeed and which will fail. As new local access
technologies are rolled out, they do not displace others; actually, the
reverse is true. Technologies like analog dial-up, dedicated leased lines,
Frame Relay, and ISDN all coexist successfully in the market based on
differences in service availability and on their ability to generate
incremental revenue by serving different applications.

The fact that so many WAN services continue to coexist often leads to
confusion and complexity for enterprise network managers and planners. The
range of services will certainly continue into the next century. Factors that
will determine the success of one technology versus another include
availability, pricing, ease of installation and use, and relevance to users'
applications. Some of the key issues surrounding xDSL and competing
technologies are summarized in this section.

56 Kbps Analog Modems

56 Kbps analog modems (ITU V.90 standard) provide a range of midband
(28.8 to 56 Kbps) access to the Internet, intranets, and remote LANs.

In order to realize 56 Kbps throughput, there must be a 56 Kbps modem using
compatible modulation techniques at each end of the connection. Therefore,
NSPs and ISPs must have V.90 modems at their points of presence. If only the
user's end has a 56 Kbps modem, the connection falls back to the highest
speed both modems share (V.34, at most 33.6 Kbps). Even when 56 Kbps modems
are installed at both the carrier and user sites, these modems achieve top
speeds only if the connection has just a single analog/digital conversion,
and actual throughput is determined by line quality.

Another important fact to keep in mind is that this technology is asymmetric.
The 56 Kbps rate is only achieved downstream, from a digitally connected
server modem at the network to the user. The upstream connection is analog
(V.34) and operates in the 28.8 to 33.6 Kbps range.

DSL Modulation Schemes

There are many ways to alter the high-frequency carrier signal that results
in a modulated wave. For ADSL, the most talked-about xDSL technology, there
are two competing modulation schemes: carrierless amplitude phase (CAP)
modulation and discrete multitone (DMT) modulation. CAP and DMT use the same
fundamental modulation technique-quadrature amplitude modulation (QAM)-but
differ in the way they apply it.

QAM, a bandwidth conservation process routinely used in modems, enables two
digital carrier signals to occupy the same transmission bandwidth. With QAM,
two independent message signals modulate two carrier signals that have the
same frequency but are 90 degrees apart in phase (in quadrature); each message
sets the amplitude of its carrier, and the sum of the two is transmitted. QAM
modems also choose how many amplitude and phase states to use: fewer states on
a noisy pair (fewer bits per symbol, wider decision margins), more on a clean
one.
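To make the quadrature idea concrete, here is an added worked example, not
part of the 3Com paper, that builds a 16-QAM modulator and demodulator in pure
Python. The carrier frequency, sample rate and the Gray-coded level map are
assumptions chosen so that one symbol spans exactly one carrier cycle; real
ADSL modems use their own rates and constellation sizes. It shows two
independent bit streams riding on cosine and sine carriers of the same
frequency, recovered separately at the receiver, and how much room the
decision levels leave the slicer against noise.

```python
import math
import random

# Constructed carrier parameters (assumptions for this example, not from the paper).
CARRIER_HZ = 4000.0
SAMPLE_RATE_HZ = 64000.0
SAMPLES_PER_SYMBOL = 16          # exactly one carrier cycle per symbol at these rates

# 16-QAM: each 2-bit pair selects one of four amplitude levels, Gray coded so that
# neighbouring levels differ in a single bit (a small slicing error costs one bit).
LEVELS = {(0, 0): -3, (0, 1): -1, (1, 1): 1, (1, 0): 3}
BITS_FOR_LEVEL = {level: pair for pair, level in LEVELS.items()}


def bits_to_symbols(bits):
    """Group the bit stream into 4-bit symbols: the first pair sets the amplitude of
    the in-phase (cosine) carrier, the second pair that of the quadrature (sine) one."""
    if len(bits) % 4:
        raise ValueError("16-QAM consumes bits four at a time")
    return [(LEVELS[(bits[i], bits[i + 1])], LEVELS[(bits[i + 2], bits[i + 3])])
            for i in range(0, len(bits), 4)]


def modulate(symbols):
    """Two independent message signals modulate two carriers of identical frequency
    that are 90 degrees apart, so both occupy the same band."""
    wave = []
    for i_amp, q_amp in symbols:
        for n in range(SAMPLES_PER_SYMBOL):
            phase = 2 * math.pi * CARRIER_HZ * n / SAMPLE_RATE_HZ
            wave.append(i_amp * math.cos(phase) - q_amp * math.sin(phase))
    return wave


def nearest_level(x):
    """Slice a recovered amplitude to the closest constellation level."""
    return min((-3, -1, 1, 3), key=lambda level: abs(level - x))


def demodulate(wave):
    """Recover both amplitudes by correlating each symbol period with the cosine and
    sine references; the cross terms cancel over a whole carrier cycle."""
    symbols = []
    for start in range(0, len(wave), SAMPLES_PER_SYMBOL):
        i_acc = q_acc = 0.0
        for n in range(SAMPLES_PER_SYMBOL):
            phase = 2 * math.pi * CARRIER_HZ * n / SAMPLE_RATE_HZ
            sample = wave[start + n]
            i_acc += sample * math.cos(phase)
            q_acc -= sample * math.sin(phase)
        # sum of cos^2 (or sin^2) over one cycle is SAMPLES_PER_SYMBOL / 2
        scale = 2.0 / SAMPLES_PER_SYMBOL
        symbols.append((nearest_level(i_acc * scale), nearest_level(q_acc * scale)))
    return symbols


def symbols_to_bits(symbols):
    bits = []
    for i_amp, q_amp in symbols:
        bits.extend(BITS_FOR_LEVEL[i_amp])
        bits.extend(BITS_FOR_LEVEL[q_amp])
    return bits


def add_noise(wave, amplitude, seed=1):
    """Constructed, deterministic additive noise. Decision levels are 2 apart, and the
    correlator averages 16 samples, so per-sample noise below about 0.8 can never
    move a recovered amplitude across a decision boundary."""
    rng = random.Random(seed)
    return [s + rng.uniform(-amplitude, amplitude) for s in wave]


def roundtrip(bits, noise_amplitude=0.0):
    """Modulate, optionally add line noise, demodulate; returns the recovered bits."""
    wave = modulate(bits_to_symbols(bits))
    if noise_amplitude:
        wave = add_noise(wave, noise_amplitude)
    return symbols_to_bits(demodulate(wave))
```

Dropping to 4-QAM (two levels per carrier) would widen the decision margin
at the cost of half the bits per symbol, which is exactly the trade the
paragraph above describes for noisy pairs.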

Carrierless Amplitude Phase (CAP) Modulation

Generating a modulated wave that carries amplitude and phase state changes is
not easy. To overcome this challenge, the CAP version of QAM stores parts of
a modulated message signal in memory and then reassembles the parts in the
modulated wave. The carrier signal is suppressed before transmission because
it contains no information and is reassembled at the receiving modem (hence
the word "carrierless" in CAP). At start-up, CAP also tests the quality of
the access line and implements the most efficient version of QAM to ensure
satisfactory performance for individual signal transmissions. CAP is normally
FDM based.

CAP, a single carrier system, has several advantages: it is available today
at 1.544 Mbps (T1) speeds, and it is low on the cost curve due to its
simplicity. It has the disadvantage that it is not a bona fide American
National Standards Institute (ANSI) or European Telecom Standards Institute
(ETSI) standard.

Discrete Multi-Tone (DMT) Modulation

DMT offers a multicarrier alternative to CAP's single-carrier QAM. Because
high-frequency signals on copper lines suffer more attenuation, and so are
more easily swamped by noise, DMT divides the available spectrum into 256
subchannels, or tones, each carrying its own QAM signal. As with CAP, a test
occurs at startup to measure the carrying capacity of each subchannel.
Incoming data is then split into groups of bits and assigned to subchannels
according to how many bits each can carry. To rise above noise, more data
resides in the lower frequencies and less in the upper ones.

DMT's main advantage is the fact that it is the ANSI, ETSI, and ITU standard.
But DMT also has drawbacks: it will initially be more costly than CAP, and it
is very complex. A variant of DMT, discrete wavelet multi-tone (DWMT), goes a
step further in complexity and performance by creating even more isolation
between subchannels. When fully developed, DWMT could become the ADSL
protocol of choice for long-distance transmission in environments with high
interference. Other versions of DMT, including Synchronized DMT and "Zipper"
are being proposed for use with VDSL.
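The FDM split described under "How ADSL Modems Work" and the per-tone bit
loading described here can be shown in one place. The following added example
(not from the paper) computes how many bits each DMT tone carries from a
start-up SNR measurement and sums them into a line rate. The 4.3125 kHz tone
spacing, 4000 symbols per second and 15-bit cap are the ADSL DMT parameters;
the tone plan (POTS below 4 kHz, upstream tones 6 to 31, downstream tones 32
to 255), the 9.8 dB SNR gap, the 6 dB noise margin and the loop SNR curve are
constructed assumptions used only to reproduce the trend the paper states.

```python
import math

# ADSL DMT parameters (G.992.1 / ANSI T1.413): tone spacing, symbol rate, tone count
# and the per-tone bit cap. Known values, not taken from the paper.
TONE_SPACING_HZ = 4312.5
SYMBOLS_PER_SECOND = 4000
NUM_TONES = 256
MAX_BITS_PER_TONE = 15
MIN_BITS_PER_TONE = 2

# Constructed FDM tone plan (assumption): everything under the 4 kHz POTS splitter
# cut-off is left to voice, tones 6..31 carry upstream, tones 32..255 downstream.
POTS_CUTOFF_HZ = 4000.0
UPSTREAM_TONES = range(6, 32)
DOWNSTREAM_TONES = range(32, NUM_TONES)


def tone_frequency_hz(tone):
    """Centre frequency of DMT tone k."""
    return tone * TONE_SPACING_HZ


def bits_for_tone(snr_db, snr_gap_db=9.8, noise_margin_db=6.0):
    """Bit loading for one tone: floor(log2(1 + SNR/gap)) with a noise margin held back.
    The 9.8 dB gap (uncoded QAM at 1e-7 BER) and 6 dB margin are assumed values."""
    effective_db = snr_db - snr_gap_db - noise_margin_db
    bits = int(math.floor(math.log2(1.0 + 10.0 ** (effective_db / 10.0))))
    if bits < MIN_BITS_PER_TONE:
        return 0                      # tone too noisy: carries no data
    return min(bits, MAX_BITS_PER_TONE)


def load_tones(snr_of_tone, tones):
    """Return {tone: bits} for a tone plan, never using tones under the POTS cut-off."""
    return {k: bits_for_tone(snr_of_tone(k)) for k in tones
            if tone_frequency_hz(k) > POTS_CUTOFF_HZ}


def line_rate_bps(bit_table):
    """Aggregate payload rate: bits per DMT symbol times symbols per second."""
    return SYMBOLS_PER_SECOND * sum(bit_table.values())


def constructed_loop_snr(loop_feet):
    """Constructed, illustrative loop: SNR falls with frequency, faster on longer loops.
    Not a measured cable model; it only reproduces the trend the paper describes."""
    def snr_db(tone):
        f_khz = tone_frequency_hz(tone) / 1000.0
        return 55.0 - 0.004 * f_khz * (loop_feet / 1000.0)
    return snr_db


def rates_for_loop(loop_feet):
    """(downstream bps, upstream bps) for the constructed loop of the given length."""
    snr = constructed_loop_snr(loop_feet)
    down = line_rate_bps(load_tones(snr, DOWNSTREAM_TONES))
    up = line_rate_bps(load_tones(snr, UPSTREAM_TONES))
    return down, up


if __name__ == "__main__":
    for feet in (6000, 10000, 14000, 18000):
        down, up = rates_for_loop(feet)
        print(f"{feet:6d} ft  down {down / 1e6:5.2f} Mbps  up {up / 1e3:6.0f} Kbps")
```

Printing the bit table for a long loop shows the high tones loaded with zero
bits while the low tones still carry 9 or more, which is the "more data in the
lower frequencies" behaviour the text describes; the same table is what a
loop-qualification tool would inspect before promising a customer a rate.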

ISDN

ISDN is also considered a digital subscriber line service. ISDN and xDSL
technologies share some common technical characteristics: use of the existing
telephone company copper cabling infrastructure; digital quality-of-service
capabilities such as low noise, less interference, and clearer voice
transmission; and the relative security of digital communications, which need
more specialised equipment to tap than an analog line. Note that neither ISDN
nor xDSL encrypts traffic on the loop: the line code deters casual listening,
not an attacker with access to the wire pair or the central office equipment.

However, ISDN differs from xDSL technologies in that it is a switched service
in which both ends must support ISDN, whereas xDSL is a point-to-point access
service. ISDN also requires external power at the customer premises for
operation. To ensure continuous telephone service, customers need either a
backup power system or a redundant POTS line. In contrast, an xDSL line keeps
the line-powered POTS service: voice and data are split (multiplexed) on the
wire, with voice carried below 4 kHz and data above 4 kHz. If a power failure
occurs, xDSL data transmission is lost (the modem needs local power), but
lifeline POTS still operates.

Another key difference is that ISDN is widely available now and has momentum
in the marketplace. Telcos, competitive access providers, and ISPs are
investing the resources and building out the infrastructure to develop it
further. As ISDN modems and terminal adapters become easier for users to
configure, customer premises equipment (CPE) prices continue to drop, and
tariffs are reduced, ISDN is gaining broader appeal among telecommuters and
small office and retail users who require Internet and intranet access,
remote LAN access, credit authorization, or database connectivity.

Cable Modems

Designed to provide broadband Internet access, cable modems are primarily
targeted at consumers for residential use. Cable modems offer the potential
of broadband (up to 30 Mbps) information delivery downstream to users and
midband (128 Kbps) to broadband (up to 10 Mbps) connections back upstream to
the cable headend. Unlike xDSL and ISDN, cable modems are a shared-not
dedicated-access technology. The total available bandwidth is shared among
users in a neighborhood as if they were on a LAN. Given that design, not
everyone on the network will get the top speeds of 10 to 30 Mbps that are
quoted for downstream throughput. Actual rates will vary according to the
number of users on the system at any given time and the type of modem that is
being used. Security is also an issue on these shared access systems: traffic
on a segment can be received by other subscribers on the same segment, so the
cable system must encrypt it on the wire to keep one household's data from
its neighbors.

The multimedia cable network system (MCNS) standard for the delivery of data
over cable has been defined and is being adopted by major multiple system
operators (MSOs) and cable modem manufacturers. Its adoption adds more
stability to cable as a data transmission technology. However, the widespread
introduction of cable modems is still contingent upon the development and
implementation of complex, two-way transmission systems and operations
systems for management and billing. Today's systems are primarily telco
return, in which phone lines are used to provide upstream transmission.

Another hurdle that cable modems must overcome is negative perceptions about
the quality of service delivered by cable systems. Some users are approaching
the use of cable modems for data transfer with caution. For cable modem
access providers to be successful, they must be able to compete not only on
price, but also on reliability of service.

xDSL

For all intents and purposes, xDSL modems can be considered "next-generation"
modems, initially targeted for business users. xDSL technologies are being
positioned for a wide range of data dialtone, video dialtone, voice, and PBX
interconnect applications. For the near term, however, the trend continues to
be toward data applications, with voice-over-IP emerging as a new
application.

While xDSL technologies hold a lot of promise, there are a number of critical
issues to be resolved before they can achieve widespread commercial
deployment. Standards are now agreed upon. During 1996-1997, standards bodies
split along the partisan lines of DMT versus CAP modulation schemes. In
January 1998, ANSI re-ratified DMT as the standard of choice, and the ITU
adopted it in February 1998.

Other ongoing issues for xDSL technologies include interoperability, spectral
compatibility (e.g., interference between different services carried in the
same cable binder), near-end crosstalk associated with reverse ADSL
provisioning, and loop qualification. A nontechnical but critical factor will
be how successfully NSPs move from xDSL technology and market trials to
commercial rollout.

Sometime in the next three to five years, xDSL technology could potentially
be used to deliver Asynchronous Transfer Mode (ATM) to the home over the
existing copper infrastructure or via a hybrid fiber/copper network. Efforts
to define the standards for doing this are now under way in ANSI, ETSI, the
ADSL Forum, the ATM Forum, and the Full Service Access Network (FSAN)
Council. While joint development efforts are proceeding, considerably more
cooperative work is needed before these organizations can agree upon a set of
standards that will enable the delivery of low-cost, end-to-end ATM to the
desktop over xDSL.

ADSL Development and Deployment Progress

Of all the emerging xDSL technologies, ADSL is receiving the most attention
because there is a standard (DMT) for it, and its capabilities provide NSPs
with a competitive offering to cable modems. But there is increasing interest
in symmetrical xDSL offerings such as HDSL and SDSL.

As a local access service, ADSL's implementation has no critical drawbacks.
It can be deployed as an overlay network where there is subscriber demand,
eliminating the need for NSPs to risk building out their infrastructure
unnecessarily in the hope that the technology will catch on.

ADSL development and deployment is focused primarily in North America,
followed by northern Europe and the Pacific Rim. In North America, US West,
GTE, Ameritech, SBC, BellSouth, and Edmonton Tel (Canada) are the service
providers leading the current wave of ADSL/xDSL deployment. Covad,
Northpoint, and a handful of other CLECs are entering high-density
metropolitan areas-typically offering a portfolio of xDSL offerings at
different classes of service and price points, and competing with incumbent
local exchange carriers. Chicago-based InterAccess was the first ISP to offer
ADSL. Telia (Sweden), Telenor (Norway), British Telecom (UK), and Telefonica
(Spain) are leading xDSL proponents in Europe. In the Pacific Rim, Telstra
(Australia), Hong Kong Telecom, and Singtel (Singapore) are deploying xDSL
for data and video applications.

ADSL modems have been tested successfully by more than 40 telephone
companies, and close to 50,000 lines have been installed in various
technology trials and commercial deployments. Increasingly, alternative
service providers such as enterprises, multi-tenant building owners,
hospitality businesses (hotels and resorts), and office park developers are
offering or considering offering ADSL to their users as private network
operators.

Getting Started with ADSL

ADSL is not yet generally available. It is an emerging technology that is
predominantly in the early commercial deployment stage. NSPs still must put
in place the overlay networks to handle commercial service offerings, and
network equipment vendors must build production-level DMT systems. Users can
expect to see ADSL products and services introduced throughout 1998, followed
by more widespread deployment in 1999 and 2000.

ADSL Suppliers

xDSL suppliers generally fall into three categories:

* Component manufacturers
* Systems providers
* Service providers

Component manufacturers provide the chips, modems, and POTS splitters used at
both ends of a line to receive, send, and process digital data. Systems
providers offer end-to-end solutions that include modems, splitters, and
multiplexers as well as operations, administration, management, and technical
support capabilities. Service providers offer xDSL access services and may or
may not bundle products from component manufacturers or systems providers to
offer their subscribers turnkey solutions.

Prospective users of ADSL need to determine whether their local service
provider offers a turnkey solution, or whether they must work directly with
equipment manufacturers, value-added resellers, or systems integrators. It is
possible that ADSL modems will be available at retail outlets during 1999 in
a number of markets where service is deployed.

Upgrading Digital Loop Carriers (DLCs)

The DLC system is the carrier's local loop infrastructure that connects end
users located more than 18,000 feet, or 3.5 miles, from the central office.
DLC systems consist of physical pedestals containing line cards that
concentrate residential traffic onto digital circuits. To provide end users
with ADSL capability, NSPs will simply retrofit the line cards in the DLC
systems. This is a very cost-effective solution for NSPs, because they are
not required to update their infrastructure to provide ADSL services. It is
estimated that 30 percent of U. S. telephone customers are on DLC systems.
These systems tend to be concentrated in the suburbs, where more affluent
people reside; the initial residential target audience for ADSL service will
be this suburban population.

Potential users of ADSL will need the following:

* An ADSL modem (compatible with the one at the NSP's point of
presence)

* A POTS splitter to separate voice and data transmissions (unless
using ADSL Lite)

Since the ADSL modem essentially front-ends a LAN (or is capable of
doing so), branch office or small business users will need a router or hub;
home users will need a computer interface.

Providers of ADSL services will need modems and POTS splitters in their
digital subscriber line access multiplexer (DSLAM) to terminate and aggregate
incoming ADSL lines and redirect voice traffic to the public switched
telephone network (PSTN) and data to a high-speed digital line (DS3, OC-3, or
OC-12). The DSLAM is the major intelligence component in the ADSL system. It
consists of central site modems and a service access multiplexer (SAM) that
interfaces to the NSP's ATM or Frame Relay backbone. The ADSL service
provisioning model includes two types of DSLAM: the central office DSLAM is
built for high density and concentration, while the remote DSLAM sits in the
remote DLC system. Service providers will also need billing systems, testing
and diagnostic functionality, and network management capabilities.

Significant development work is still needed by NSPs and equipment
manufacturers alike to develop more affordable, scalable, interoperable, and
easily provisioned ADSL systems. But this is an exciting emerging technology
that will initially provide high-bandwidth local access for enterprise
networks and teleworkers.

Conclusion

xDSL technology-with its ability to support voice, content-rich data, and
video applications over the installed base of twisted-pair copper wires-is
inherently suited to meet user demands for broadband, multimedia
communications. The most promising of the xDSL technologies for integrated
Internet access, intranet access, remote LAN access, video-on-demand, and
lifeline POTS applications in the near term is ADSL or R-ADSL (a rate-
adaptive version of ADSL). During the past year, ADSL has concluded trials by
more than 40 network service providers throughout the world, primarily in
North America and northern Europe.

Service introduction began in 1997, but ADSL service is still being rolled
out in many areas. In the meantime, xDSL technologies and standards will
continue to evolve, as will user demand for these emerging services relative
to other local access service alternatives.

Glossary of Related Terms

[ ADSL ]
Asymmetric digital subscriber line. An xDSL technology in which modems
attached to twisted-pair copper wires transmit from 1.5 to 8 Mbps downstream
(to the subscriber) and from 16 to 640 Kbps upstream, depending on the line
distance.

[ amplitude ]
The maximum value of varying wave forms.

[ ANSI ]
American National Standards Institute. The principal standards development
body in the United States. It consists of voluntary members that represent
the U.S. in the International Standards Organization (ISO). Membership
includes manufacturers, common carriers, and other national standards
organizations, such as the Institute of Electrical and Electronics Engineers
(IEEE).

[ ATM ]
Asynchronous Transfer Mode. A switching technology that allows voice, data,
image, and video traffic to be combined into evenly sized cells for high-
speed transmission over one access circuit. Each 53 byte cell contains 48
bytes of payload and 5 bytes of control information.
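As an added example (not from the paper or its glossary), the following
Python code assembles and parses the 53-octet UNI cell this entry describes
and checks the header error control octet, so that a cell whose header was
corrupted on the loop is dropped rather than switched onto the wrong VPI/VCI.
The field layout and the HEC algorithm (CRC-8 with polynomial
x^8 + x^2 + x + 1, XORed with 0x55) are the standard ATM values; the sample
payload and circuit identifiers are constructed.

```python
HEC_POLY = 0x07      # x^8 + x^2 + x + 1 with the x^8 term implicit
HEC_COSET = 0x55     # fixed pattern XORed into the CRC by the ATM header standard


def atm_hec(header_first_four):
    """CRC-8 over the first four header octets, XORed with 0x55."""
    crc = 0
    for octet in header_first_four:
        crc ^= octet
        for _ in range(8):
            if crc & 0x80:
                crc = ((crc << 1) ^ HEC_POLY) & 0xFF
            else:
                crc = (crc << 1) & 0xFF
    return crc ^ HEC_COSET


def build_uni_cell(vpi, vci, payload, gfc=0, pt=0, clp=0):
    """Assemble a 53-octet UNI cell: GFC(4) VPI(8) VCI(16) PT(3) CLP(1) HEC(8) + 48 payload octets."""
    if len(payload) != 48:
        raise ValueError("ATM payload is exactly 48 octets")
    if not (0 <= gfc < 16 and 0 <= vpi < 256 and 0 <= vci < 65536
            and 0 <= pt < 8 and clp in (0, 1)):
        raise ValueError("header field out of range")
    header = bytes([
        (gfc << 4) | (vpi >> 4),
        ((vpi & 0x0F) << 4) | (vci >> 12),
        (vci >> 4) & 0xFF,
        ((vci & 0x0F) << 4) | (pt << 1) | clp,
    ])
    return header + bytes([atm_hec(header)]) + bytes(payload)


def parse_uni_cell(cell):
    """Split a cell into its fields, rejecting any cell whose HEC does not match the
    header (a damaged header would otherwise be routed on a wrong circuit)."""
    if len(cell) != 53:
        raise ValueError("ATM cell is exactly 53 octets")
    header, payload = cell[:4], cell[5:]
    if atm_hec(header) != cell[4]:
        raise ValueError("HEC mismatch: header corrupted")
    return {
        "gfc": header[0] >> 4,
        "vpi": ((header[0] & 0x0F) << 4) | (header[1] >> 4),
        "vci": ((header[1] & 0x0F) << 12) | (header[2] << 4) | (header[3] >> 4),
        "pt": (header[3] >> 1) & 0x07,
        "clp": header[3] & 0x01,
        "payload": payload,
    }


if __name__ == "__main__":
    # Constructed sample: VPI 1, VCI 32, payload 0x00..0x2F.
    cell = build_uni_cell(1, 32, bytes(range(48)), pt=1)
    print(cell[:5].hex(), parse_uni_cell(cell)["vci"])
```

The HEC detects corruption only (real line cards also use it to correct
single-bit errors and to find cell boundaries in the byte stream); since
anyone who can write to the wire can compute it, it is not an integrity check
against tampering, and nothing in the cell itself authenticates the sender.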

[ AWG ]
American Wire Gauge. A wire diameter specification; the lower the AWG number,
the larger the wire diameter.

[ backbone network ]
The major transmission path for network interconnection.

[ broadband ]
A communication channel with a bandwidth in excess of 1.54 Mbps.

[ CAP ]
Carrierless amplitude phase modulation. A version of quadrature amplitude
modulation (QAM) that stores parts of a modulated message signal in memory
and then reassembles the parts in the modulated wave. The carrier signal is
suppressed before transmission because it contains no information and is
reassembled at the receiving modem (hence the word "carrierless" in CAP).

[ CLEC ]
Competitive local exchange carrier. An alternative access provider that
competes with incumbent local carriers.

[ CO ]
Central office. A facility that contains the lowest node in the hierarchy of
switches that comprise the public telephone network.

[ core network ]
A combination of switching offices and transmission plant that connects
switching offices together. In the U.S. local exchange, core networks are
linked by several competing interexchange networks. In the rest of the world,
core networks extend to national boundaries.

[ CPE ]
Customer premises equipment.

[ dial up ]
A type of communications that is established by a switched circuit connection
using the public telephone network.

[ DLC ]
Digital loop carrier. The carrier's local loop infrastructure that connects
end users located more than 18,000 feet or 3.5 miles away from the central
office. DLC systems consist of physical pedestals containing line cards that
concentrate residential links onto digital circuits.

[ DMT ]
Discrete multi-tone modulation. A wave modulation scheme that discretely
divides the available frequencies into 256 sub-channels or tones to avoid
high-frequency signal loss caused by noise on copper lines.

[ DSL ]
Digital subscriber line. A local loop access technology that calls for modems
on either end of copper twisted-pair wire to deliver data, voice, and video
information over a dedicated digital network.

[ DSLAM ]
Digital subscriber line access multiplexer. Multiplexing equipment that
contains a high concentration of central office splitters, xDSL modems, and
other electronics to connect traffic to the wide area network (WAN).

[ DWMT ]
Discrete wavelet multitone. A variant of DMT modulation, DWMT goes a step
further in complexity and performance by creating even more isolation between
subchannels.

[ E1 ]
The European basic multiplex rate that carries 30 voice channels in a 256-bit
frame transmitted at 2.048 Mbps.

[ echo cancellation ]
A technique used by ADSL, V.32, and V.34 modems that isolates and filters
unwanted signal energy from echoes caused by the main transmitted signal.

[ ETSI ]
European Telecom Standards Institute. A consortium of manufacturers, service
carriers, and others responsible for setting technical standards in the
European telecommunications industry.

[ FDM ]
Frequency division multiplexing. A technique that divides the available
bandwidth of a channel into a number of separate channels.

[ frequency ]
The rate of signal oscillation in hertz (Hz).

[ FSAN ]
Full Service Access Network Council. A consortium of European service
providers (PTTs) responsible for defining access network requirements.

[ HDSL ]
High bit-rate digital subscriber line. An xDSL technology in which modems on
either end of two or more twisted-pair lines deliver symmetric T1 or E1
speeds. Currently, T1 requires two lines and E1 requires three.

[ HDTV ]
High-definition television. A system of transmitting digital television
signals at roughly 20 Mbps (ATSC), which increases the vertical resolution
from 480 lines to 720 or 1,080 lines per frame.

[ IDSL ]
ISDN digital subscriber line. An xDSL technology that provides full duplex
throughput at speeds up to 144 Kbps based on the 2B1Q ISDN modulation code.

[ IEC ]
Interexchange carrier. A long-distance service provider.

[ IEEE ]
Institute of Electrical and Electronics Engineers.

[ ILEC ]
Incumbent local exchange carrier.

[ ISDN ]
Integrated Services Digital Network. A digital subscriber line network with
circuit and packet switching capabilities for voice and data communications
at data rates of up to 1.544 or 2.048 Mbps.

[ ISO ]
International Standards Organization.

[ ISP ]
Internet service provider.

[ ITU ]
International Telecommunications Union. An international standards body,
formerly called the CCITT.

[ Kbps ]
Kilobits per second.

[ LAN ]
Local area network. A type of broadcast network, covering a limited area, in
which computers and other devices are attached to a common transmission
medium.

[ local loop ]
The line from a subscriber to the telephone company central office.

[ Mbps ]
Megabits per second.

[ MCNS ]
Multimedia cable network system. A standard for the delivery of data over
cable.

[ midband ]
A communication channel with a bandwidth range of 56 Kbps to 1 Mbps.

[ modem ]
Contraction for modulator/demodulator. A modem converts the serial digital
data from a transmitting device into a form suitable for transmission over
the analog telephone channel.

[ modulation ]
The process in which the characteristics of one wave or signal are varied in
accordance with another wave or signal. Modulation can alter frequency,
phase, or amplitude characteristics.

[ MSO ]
Multiple system operator. Cable service providers owning two or more cable
systems.

[ multiplex ]
Combining signals of multiple channels into one channel. This process
provides multiple users with access to a single conductor or medium by
transmitting in multiple distinct frequency bands (frequency division
multiplexing, or FDM) or by assigning the same channel to different users at
different times (time division multiplexing, or TDM).

[ multiplexer ]
Equipment that divides a data channel into two or more independent, fixed
data channels of lower speed.

[ narrowband ]
A communications channel with a bandwidth of less than 56 Kbps.

[ NSP ]
Network service provider.

[ phase modulation ]
A technique that changes the characteristics of a generated sine wave or
signal so that it will carry information.

[ POP ]
Point of presence. Physical access point to an IEC network.

[ POTS ]
Plain old telephone service.

[ POTS splitter ]
A passive filter that separates voice traffic from data traffic.

[ PSTN ]
Public switched telephone network. A telephone system through which users can
be connected by dialing specific telephone numbers.

[ QAM ]
Quadrature amplitude modulation. A bandwidth conservation process routinely
used in modems, QAM enables two digital carrier signals to occupy the same
transmission bandwidth.

[ R-ADSL ]
Rate-adaptive digital subscriber line. An emerging variation of CAP; it
divides the transmission spectrum into discrete sub-channels and adjusts each
signal transmission according to line quality.

[ SAM ]
Service access multiplexer. A component of the DSLAM.

[ SDMT ]
Synchronized DMT. A multicarrier modulation scheme that adds time division
duplexing on top of DMT systems and permits transmit and receive in discrete
time slots. Proposed for use with VDSL.

[ SDSL ]
Single-line digital subscriber line. SDSL is essentially HDSL over a single
twisted pair.

[ SMDS ]
Switched Multimegabit Data Service. A connectionless, high-speed, packet-
switched WAN technology offered by telephone companies.

[ SNMP ]
Simple Network Management Protocol.

[ T1 ]
A 1.544 Mbps line; the same as DS1.

[ TDM ]
Time division multiplexing. A digital transmission method that combines
signals from multiple sources on a common path. This common path is divided
into a number of time slots and each signal or channel is assigned its own
intermittent time slot, allowing the path to be shared by multiple channels.

[ telco ]
American jargon for telephone company.

[ twisted-pair ]
Telephone system cabling that consists of copper wires loosely twisted around
each other to help cancel out any induced noise in balanced circuits.

[ UAWG ]
Universal ADSL Working Group. An industry group that supports the development
of a worldwide G.Lite standard within the ITU Study Group 15.

[ VDSL ]
Very high bit-rate digital subscriber line. A technology in which modems
enable access and communications over twisted-pair lines at a data rate from
1.54 Mbps to 52 Mbps. VDSL has a maximum operating range from 1,000 feet to
4,500 feet on 24-gauge wire.

[ WAN ]
Wide area network. A geographically dispersed network.

[ xDSL ]
The "x" represents the various forms of digital subscriber line (DSL)
technologies: ADSL, R-ADSL, HDSL, SDSL, or VDSL.

[ Zipper ]
A DMT-based modulation scheme using frequency division multiplexing. It
requires synchronization of systems within the same bundle. Proposed for use
with VDSL.





-o[ The workings of a cellular phone ]o-
-o[ D4RKCYDE ]o-
-o[ by downtime <downtime@dangerous-minds.com> ]o-----------------------------



There are basically two types of cellular phones today: analog and digital.
The phone that most people have had experience with is the analog one,
although digital is growing in popularity very rapidly as well. First I want
to talk about the types of cellular phones there are, then I will get into
how it all works.

AMPS: Advanced Mobile Phone Service.

AMPS is your plain analog cellular phone service. Voice signals are sent
using an FM transmitter, much like the one used in your car radio. Signaling
for call setup is done with digital signaling, but call supervision functions
are done with various signaling tones.

TDMA: Time Division Multiple Access.

This is one of the digital standards. Your voice is digitized and the
results are sent in bursts that are timed so that they won't interfere with
any other station using that channel.

CDMA: Code Division Multiple Access.

CDMA is a form of spread spectrum transmission, where the digitized voice is
combined with a special code that allows several users to share the same
portion of the radio spectrum.

The main thing that is better about digital is the increase in capacity.
Other benefits include enhanced privacy from the addition of encryption, and
a reduction in cellular fraud.
_____________________________________________________________________________

The name Cellular comes from the way that the cellular system is set up. They
are not one big section like some would imagine, instead they are spread out
into little sections referred to as "cells". As a call is made and the caller
is traveling away from the cell, the call itself is handed off to the next
cell site that is nearest. The hand off is accomplished by sending a special
signal to the mobile unit, which then switches to the new cell.

The reason for multiple cells is for frequency re-use. The same channel can
be used in more than one cell, as long as the cells don't overlap in their
coverage area. This produces a much greater efficiency in channel use,
allowing more calls in the system.

It is the job of the Mobile Telephone Switching Office (MTSO) to make all the
connections. The MTSO is the bridge between the Public Switched Telephone
Network (PSTN) and the cell sites that ultimately make the wireless
connection to the subscriber's cellular phone. The MTSO also controls all of
the cell sites, and manages all of the mobiles via a control channel.

Once the call is set up, then the mobile moves off to the specific voice
channel designated for that call by the system.




-o[ Underground Bell Atlantic vaults ]o-
-o[ D4RKCYDE ]o-
-o[ by degauss <degauss@penguinpowered.com> ]o-------------------------------



I WILL NOT BE HELD LIABLE FOR ANY TROUBLE YOU MAY GET FROM THIS ARTICLE.
I AM HERE TO SHARE MY KNOWLEDGE WITH THE REST. DO NOT ATTEMPT TO DO ANYTHING
UNLESS YOU ARE WILLING TO TAKE RESPONSIBILITY FOR YOUR OWN ACTIONS.


This was found in the Bell Atlantic RBOC in the state of New Jersey, USA. It
probably doesn't apply to other RBOCs or telephone networks due to
differences in telephone networks. As I was driving around one day looking
for pinouts, I came across an ugly green thing protruding out of the ground.
Taking a closer look at it, I found Bell Atlantic symbols and a "storm door"
type of top with a door handle. It had the numbers 1-5 under the door handle
acting as some kind of lock. A couple of days later I came back with some
people and decided to try and break into it out of curiosity. The numbers
under the handle (1-5) had push buttons next to each number (pretty old
looking, no technology or state-of-the-art equipment here). I figured I was
going to have to spend a lot of time trying different numbers for a while
because I did not know the exact combination or how many numbers there were
in the combination. After sitting there for no more than a minute, a few
numbers worked and the door was able to be pushed up. Peering down I saw a
ladder going down into a big room. On my arrival, I found many LEDs flashing
and a lot of equipment with Lucent Technologies stickers on them. I found out
later this was all fiber optic equipment. Everything was attached to
computers and what looked like routers, so I opted to take the manuals and
documents.

One book was named "Controlled Environment Vault and Equipment Enclosure"
In this book i found many useful facts about the Vault.

-The dimensions of the "underground vault" are as follows: approx 10
ft. high 24 ft. long and 6 ft wide.

-There are many climate control systems including ventilation and
dehumidifying machines, air conditioning and heating.

-There is an *intrusion alarm* that is activated on opening of the
vault and is easily turned off by:

"The intrusion switch is located inside the hatch cover frame. It is
activated whenever the cover is opened. Authorized personnel can
deactivate the alarm by pulling the plunger switch out about 1/4
inch further. Yadda yadda yadda."

The Vaults are extremely easy to get into. I am not aware of the exact
combinations, or how many digits, but I know I opened 2 Vaults up in less
than a minute trying 3 digit combinations, turning the handle and pushing the
door up and trying again. Kind of like brute forcing in less time. It is
highly recommended to turn off the *intrusion alarm* if you attempt to get
into one of these things. Down there you will find fiber optic equipment
that will amaze you. I will not be held responsible for you getting in
trouble in any way for going down one of these things. Have fun and keep
information free for everyone.

-degauss

shouts to wing, sim, the hat and shadow for making the vault info happen and
shouts to the rest of the people in my area: nothingg, dgtlfokus, deadkurt,
voltage, and to my boy downtime far away.



-o[ Federal Government freq list ]o-
-o[ D4RKCYDE ]o-
-o[ by digiphreq <digiphreq@webcrunchers.com> ]o-----------------------------




Ok, I've been reading and writing for faith ezine for a long time now and
have noticed a couple of things, none of which are important right now other
than the one that details a complete lack of radio. So I figured what the
hell, I'll throw something together quick. So here is a list of Government
radio frequencies I have compiled. I've been compiling this list for the
past 3 or 4 years.

* = trunked

Dept of Agriculture
170.450 Otis Air Force Base, Falmouth, MA
171.525 Waltham, MA
413.900 Beltsville, MD Research Center Security

US Attorney
415.850 Nationwide
416.175 Nationwide

Washington DC Police
164.625 Washington Car to Car
164.800 Washington F1 Dispatch

CIA
163.810
165.010
165.110
165.385
165.875 Langley Security
407.800
407.600

USCG
162.125 LANT
164.1375 Police
166.225 Aircraft
171.3125 Falmouth, MA ANARC Net
171.3375 Utility Network
171.5875
172.300 Security- Boston
415.625 Link- Boston
419.125 Security- Boston

US Congress
169.5750 Cloak Room Page - Washington

Dept of Defense
167.7125 Military Intelligence
164.1375 Dept of Defense Police
165.1375

DEA
*418.625 416.050 input Ch1 Operations
*418.900 416.325 input Ch2 Operations Central MA
*418.750 415.600 input Ch3 Surveillance/ Strike Force Orderwire Patch System
418.675 Surveillance Ch4 Strikeforce
*418.825 415.600 input Ch5 Operations
*418.950 416.200 input Ch6 Operations
416.375 input Operations, Cape Cod
*418.975 417.025 input Ch7 Operations
418.975 Simplex Ch8 Operations
416.050 Long Island KLR757
418.700 Nationwide
418.725 Nationwide
418.750 Washington F3 Simplex
*418.750 415.600 NY
418.775 Nationwide
418.800 Nationwide
418.875 Nationwide
418.900 Bridgeport, CT
418.925 Nationwide
*419.00 input 417.400 NY Task Force KLR710

Dept of Energy
4.6045 Nuclear Transport
3.3350 Nuclear Transport
5.7510 Nuclear Transport
7.7000 Nuclear Transport
11.5550 Nuclear Transport
164.2250 Brookhaven National Lab. L.I. N.Y Fire Dept
164.3250 Brookhaven National Lab. L.I. N.Y KRF255
*164.750 167.850 input middleton, ma
*167.825 164.275 brookhaven nat. lab. KFW703
167.9750 brookhaven nat. lab. paging KCG827
411.3500 Germantown, MD KZQ924

US Engraving and Printing Office
172.2750 Washington
171.3875 Washington

General Services Administration
Federal Protection Service
413.875 Boston Pagers
414.8500 Washington F3
415.200 Washington F1 Security KGC253
415.2000 Washington Simplex F2
417.200 input 415.2 Boston
417.200 Boston Simplex
419.1750 Baltimore Security-Simplex

Printing Office
411.200 Washington Security

Federal Aviation Administration
162.2750 Washington DC HQ
165.5000 Dulles Airport Police/Fire Operations
165.6625 National Airport Police
165.7125 Dulles Police - Access Highway Net
166.1750 New York Link
*167.1755 165.6125 New England Network
169.2625 Dulles Police
169.3250 Dulles Police Mobile Lounges
*172.850 169.25 Safety Operations Cape Cod
172.950 169.35 Safety Operations Boston
408.8250 Washington DC HQ
410.9000 Washington DC HQ

FBI
9.2400
10.5000
162.6375
163.425
163.925
*163.725 163.3375 Black/ECC - F2 NY KEC270
163.775
*163.800 164.55
*163.850 167.4175 Blue/ECC2 KGB750
*163.8625 167.5375 Black/ECC CT Tactical
163.8875 New Haven F5 KEX600
*163.9125 167.150 Black/ECC F1
163.9125 Washington Simplex F3 KGB770
163.9125 167.5125 ECC1 Washington
163.925 F5
163.9375 New Jersey KEX620
163.950 New York F3 Black/ECC
163.9625 167.6625 Maryland
163.9625 MD Simplex F3
163.9875 197.725 AXO Station Alexandria KFQ240
164.1500 Exeter, RI Simulcast w/167.6000

Ok, I'm really sick of typing all this crap... I think I'll finish typing the
rest of it and publish that in faith 10. So watch for it.




-o[ Defeating the Caller ID system ]o-
-o[ D4RKCYDE ]o-
-o[ by hybr1d <hybrid@dtmf.org> ]o----------------------------------------



-----BEGIN PGP SIGNED MESSAGE-----

Defeating The Caller ID System
With Simple but Effective Stealth.
July 1999.

hybrid (hybrid@dtmf.org)
(http://hybrid.dtmf.org)

quick disclaimer: I do not encourage the use of any of the information
provided in this file. Neither I nor f41th can be held responsible for your
use of the information provided in this article; it has been provided for
informational purposes only.

(introduction)

Caller ID (CID), or CND (Calling Number Delivery), is an extension to the
widely used ANI (Automatic Number Identification) system. The telcos use ANI
as a means of obtaining billing information when you make a toll call;
however, despite what a lot of people think, ANI is not used as part of the
CID system. It was the first system used to let the receiving party know who
was calling, and was widely used before the advent of the SS7 telephony
protocol, but since the implementation of SS7, CID/CND has become popular
both on residential subscriber loops and on commercial lines. In this file I
am going to show how the CID/CND system works, specific to the different
*bell specifications, as well as the differences in other countries, such as
the UK. Before we go any further, you need to know the basics of the *bell
CID protocol:

CID information (data) is transmitted on the subscriber loop using a method
known as FSK (Frequency Shift Keyed) modem tones. This data is transmitted in
ASCII format and contains the information needed to display the CID message
at the terminating line. The actual data burst occurs between the first and
second ring of the line, and contains basic information about the originating
point of the call, such as the date, time, and of course the calling number.
On more up-to-date systems, or in a local area, the name of the caller will
be displayed next to their number as well. Further advances in CID include a
new system called CIDCW (CID on Call Waiting), where the call waiting tone is
heard and the CID of the second caller is exposed.

(definition)

As I said before, Caller ID is the identification of the originating
subscriber line. For example, say you had a line installed under your own
name; your details would be stored alongside your line information in your
telco's directory listings. So when you call someone with a CID unit that
displays the calling party's name, your name (or that of whoever pays the
bill for the line) would be displayed alongside the number. Obviously the
telco has no real way of knowing just _who_ is making the call, so the term
Caller ID is inappropriate; it should technically be referred to as Calling
Number Identification, because it is the name of the person associated with
the line rental, and not your docs, that is transmitted. The actual CID
information is transmitted to the terminating subscriber loop, as I said
before, between the first and second ring, using a Bell 202 type modem
specification. There are 2 tones transmitted: one carries the mark (logic 1)
and the other carries the space (logic 0). The transmitted message contains
a channel seizure string, then a mark string, followed by the actual caller
information. If the receiving line only has basic CID installed (where they
only receive the date, time and number of the caller), SDMF (Single Data
Message Format) is used in the CID data burst. If however the receiving
person has a more advanced version of CID where they can see the name of the
person calling, MDMF (Multiple Data Message Format) is used in the data
burst. If the MDMF method is used and you have withheld your CID, the
receiving line will only see a message saying the information was blocked by
the caller, or is unavailable. Later I will discuss ways of making your line
information completely unavailable to the called party.

In New Jersey in 1987, the first CID service was offered to subscribers of
NJBell, because NJBell were at that time implementing new high-speed networks
and wanted to rake in a little more money by offering this new service to
their customers. Before SS7, ANI was used as a means of obtaining the calling
number for billing purposes on certain lines. Before SS7, your ANI would go
no further than your central office, and would not be forwarded on
international calls. However, that was then and this is now: SS7 has been
implemented big time over the international/national PSTN (Public Switched
Telephone Network), and ANI can be a phreak's worst enemy. These days ANI
information can be transmitted internationally, and in some cases globally,
depending on the similarities of the signalling/switching systems concerned.
Numbers that are renowned for implementing full ANI capture are 800 and 900
services (fully SS7 based), as well as operator services, and of course 911.
ANI is _completely_ different from CID, so if you call a line that has an ANI
service installed, you will not be able to block your line information from
going through, as ANI works on a different protocol than CID; ie, the *
services used to withhold your CID won't work on an ANI system, because they
are designed _only_ for blocking of CID, _not_ ANI. Remember, they are
completely different things. There are a lot of rumours that I have heard
from people about ANI, such as its supposed ability to capture your line
information whichever method you use to call a number. The fact is, ANI is
dependent on SS7, which in turn is dependent on translation tables, and who
says you have to use the SS7 network to call someone ;> I'll go into this
further later in this file.

Now, back to CID. Because of the mass implementation of the SS7 protocol, CID
information is transmitted to the called party's central office. This is done
using SS7, and is called the CPNM (Calling Party Number Message). Now, here's
the bitch of SS7: when you call someone, your line information is sent to the
person's central office _regardless_ of the fact that you may have requested
that your line information be withheld. If you have withheld your CID, the
remote person's central office still gets your line information, but notes
that you requested that your info be withheld (UNLESS the person you are
calling has a deal with their local telco to expose any CID information held
at their central office, so that it is automatically transmitted to their CID
unit). That's where things begin to get nasty: at the end of the day, the
telcos are more concerned about the money they are receiving for providing
_full_ CID services to people, and couldn't care less if you requested that
your line information remain private.

(lets get technical) -- excerpted from the CallerID specifications
by Michael W. Slawson

Eventually standard CID (SDMF), where only the calling number and date etc
are displayed, will be completely phased out and replaced by the enhanced
CNAM (Calling Name Delivery), where the MDMF data burst transmission is used.

The CID information is sent serially at a rate of 1200 bits per second using
continuous-phase binary frequency shift keying for modulation. The two
frequencies used to represent the binary states are 1200 Hz for the Mark
(logic 1) and 2200 Hz for the Space (logic 0). The data is sent
asynchronously between the first and second ring at a signal level of -13.5
dBm. The level is measured at the central office across a 900 ohm test
termination.

Following a minimum of 500 ms after the end of the first ring, the sequence
of transmission begins with a Channel Seizure. The Channel Seizure is a
string of 300 continuous bits (250 ms) of alternating "0"s and "1"s. This
string starts with a "0" and ends with a "1". A Mark Signal of 180 mark bits
(150 ms) is sent immediately following the Channel Seizure Signal. The
purpose of the Channel Seizure Signal and the Mark Signal is to prepare the
data receiver in the Customer Premise Equipment (CPE) for the reception of
the actual CID transmission.

Once the Channel Seizure and Mark Signals have been sent the CID information
is then transmitted starting with the Least Significant Bit (LSB) of the most
significant character. This is true for both SDMF and MDMF. Each character
in the message consists of 8 bits. For displayable characters these bits
represent a code defined by the American Standard Code for Information
Interchange. When transmitted the character's 8 bits are preceded by a start
bit (space) and followed by a stop bit (mark) giving a total of 10 bits sent
for each character. The CID information is followed by a checksum for error
detection. Figure 1 shows a visual layout depicting the association of the
1st Ring, Channel Seizure Signal, Mark Signal, Caller ID information,
Checksum, and the 2nd Ring.

The checksum word is a twos complement of the modulo 256 sum of each bit in
the other words of the message. The Channel Seizure and Mark Signals are not
included in this checksum. When the message is received by the CPE it checks
for errors by taking the received checksum word and adding the modulo 256 sum
of all of the other words received in the message. The addition done by the
CPE does not include the Channel Seizure and Mark Signals, nor does it
include the received checksum word. The result of this addition should be
zero to indicate that no errors have been detected.

Figure 2 shows a CID message in SDMF. For ease in describing the process of
determining the checksum, the decimal values will be used for the
calculations.

Character            Decimal  ASCII  Actual
Description          Value    Value  Bits (LSB)
-------------------  -------  -----  ---------------
Message Type (SDMF)  4               0 0 0 0 0 1 0 0
Message Length (18)  18              0 0 0 1 0 0 1 0
Month (December)     49       1      0 0 1 1 0 0 0 1
                     50       2      0 0 1 1 0 0 1 0
Day (25)             50       2      0 0 1 1 0 0 1 0
                     53       5      0 0 1 1 0 1 0 1
Hour (3pm)           49       1      0 0 1 1 0 0 0 1
                     53       5      0 0 1 1 0 1 0 1
Minutes (30)         51       3      0 0 1 1 0 0 1 1
                     48       0      0 0 1 1 0 0 0 0
Number (6061234567)  54       6      0 0 1 1 0 1 1 0
                     48       0      0 0 1 1 0 0 0 0
                     54       6      0 0 1 1 0 1 1 0
                     49       1      0 0 1 1 0 0 0 1
                     50       2      0 0 1 1 0 0 1 0
                     51       3      0 0 1 1 0 0 1 1
                     52       4      0 0 1 1 0 1 0 0
                     53       5      0 0 1 1 0 1 0 1
                     54       6      0 0 1 1 0 1 1 0
                     55       7      0 0 1 1 0 1 1 1
Checksum             79              0 1 0 0 1 1 1 1


The first step is to add up the values of all of the fields (not including
the checksum). In this example the total would be 945. This total is then
divided by 256. The quotient is discarded and the remainder (177) is the
modulo 256 sum. The binary equivalent of 177 is 10110001. To get the twos
complement, start with the ones complement (01001110), which is obtained by
inverting each bit, and add 1. The twos complement of a binary 10110001 is
01001111 (decimal 79). This is the checksum that is sent at the end of the
CID information. When the CPE receives the CID message it also does a modulo
256 sum of the fields, however it does not do a twos complement. If the twos
complement of the modulo 256 sum (01001111) is added to just the modulo 256
sum (10110001) the result will be zero.

If the result is not zero then the message is discarded. It is important to
note that there is no error correction in this method. Even if the CPE were
to notify the central office of errors, the central office will not
retransmit the information. If an error is detected, the CPE receiving the
message should display an error message or nothing at all. Although Bellcore
SR-TSV-002476 recommends that the CPE display an error message if erroneous
data is received, most CPE manufacturers have elected to just ignore the
errored message.

The content of the CID message itself depends on whether it is in SDMF or
MDMF. A message in SDMF includes a Message Type word, a Message Length word,
and the actual Message words. A message in MDMF also includes a Message Type
word, a Message Length word, and the actual Message words, but additionally
includes Parameter Type and Parameter Length words. There are certain points
within these messages where up to 10 Mark bits may be inserted to allow for
equipment delays in the central office. These Stuffed Mark bits are generally
not necessary.

The Message Type word defines whether the message is in SDMF or MDMF. It will
be a binary 00000100 (decimal 4) for SDMF or a binary 10000000 (decimal 128)
for MDMF. The Message Length will include the number of characters in the
message. This length does not include the checksum at the end of the message.
For SDMF the minimum length will be 9 characters. The minimum length for MDMF
will depend on whether the customer has subscribed to CNAM service as well as
CND. In the case of CND only the minimum length will be 13 characters. If the
customer also has CNAM then the minimum will be 16 characters. In all three
of the minimums mentioned there will be no actual number or name delivered.
The field will be marked either "O" (Out of area) or "P" (Private).

Figure 3 shows an example of a minimum message layout for SDMF. The number
will not be delivered because it has been blocked by the calling party. The
CPE will receive the date, time, and a "P" to indicate that the caller's
identification has been blocked at the caller's request.

Character            Decimal  ASCII  Actual
Description          Value    Value  Bits (LSB)
-------------------  -------  -----  ---------------
Message Type (SDMF)  4               0 0 0 0 0 1 0 0
Message Length (9)   9               0 0 0 0 1 0 0 1
Month (December)     49       1      0 0 1 1 0 0 0 1
                     50       2      0 0 1 1 0 0 1 0
Day (25)             50       2      0 0 1 1 0 0 1 0
                     53       5      0 0 1 1 0 1 0 1
Hour (3pm)           49       1      0 0 1 1 0 0 0 1
                     53       5      0 0 1 1 0 1 0 1
Minutes (30)         51       3      0 0 1 1 0 0 1 1
                     48       0      0 0 1 1 0 0 0 0
Private              80       P      0 1 0 1 0 0 0 0
Checksum             16              0 0 0 1 0 0 0 0


Figure 4 shows a CID message in MDMF with both the number and the name
delivered.

Character                   Decimal  ASCII  Actual
Description                 Value    Value  Bits (LSB)
--------------------------  -------  -----  ---------------
Message Type (MDMF)         128             1 0 0 0 0 0 0 0
Message Length (33)         33              0 0 1 0 0 0 0 1
Parameter Type (Date/Time)  1               0 0 0 0 0 0 0 1
Parameter Length (8)        8               0 0 0 0 1 0 0 0
Month (November)            49       1      0 0 1 1 0 0 0 1
                            49       1      0 0 1 1 0 0 0 1
Day (28)                    50       2      0 0 1 1 0 0 1 0
                            56       8      0 0 1 1 1 0 0 0
Hour (3pm)                  49       1      0 0 1 1 0 0 0 1
                            53       5      0 0 1 1 0 1 0 1
Minutes (43)                52       4      0 0 1 1 0 1 0 0
                            51       3      0 0 1 1 0 0 1 1
Parameter Type (Number)     2               0 0 0 0 0 0 1 0
Parameter Length (10)       10              0 0 0 0 1 0 1 0
Number (6062241359)         54       6      0 0 1 1 0 1 1 0
                            48       0      0 0 1 1 0 0 0 0
                            54       6      0 0 1 1 0 1 1 0
                            50       2      0 0 1 1 0 0 1 0
                            50       2      0 0 1 1 0 0 1 0
                            52       4      0 0 1 1 0 1 0 0
                            49       1      0 0 1 1 0 0 0 1
                            51       3      0 0 1 1 0 0 1 1
                            53       5      0 0 1 1 0 1 0 1
                            57       9      0 0 1 1 1 0 0 1
Parameter Type (Name)       7               0 0 0 0 0 1 1 1
Parameter Length (9)        9               0 0 0 0 1 0 0 1
Name (Joe Smith)            74       J      0 1 0 0 1 0 1 0
                            111      o      0 1 1 0 1 1 1 1
                            101      e      0 1 1 0 0 1 0 1
                            32       space  0 0 1 0 0 0 0 0
                            83       S      0 1 0 1 0 0 1 1
                            109      m      0 1 1 0 1 1 0 1
                            105      i      0 1 1 0 1 0 0 1
                            116      t      0 1 1 1 0 1 0 0
                            104      h      0 1 1 0 1 0 0 0
Checksum                    88              0 1 0 1 1 0 0 0


In Figure 4, if the number and name had not been included then the parameter
types for those fields would be different. These alternate parameter types
are used to signify that the data contained in that parameter is the reason
for its absence. The parameter type for the number section would have been a
binary 00000100 (decimal 4) and the parameter type for the name section would
have been a binary 00001000 (decimal 8). When the parameter type signifies
that the data contained is the reason for that field's absence, the parameter
length is always a binary 00000001 (decimal 1). If the reason for absence is
that the calling party does not want their number/name displayed then the
parameter data would be a binary 01010000 (ASCII "P") for Private. If the
reason for absence is that the information is just not available then the
parameter data would be a binary 01001111 (ASCII "O") for Out of area. The
number/name may not be available if the calling party is not served by a
central office capable of relaying the information on through the network.
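Added example, not code from the article or the specification it excerpts: a builder and CPE-side checker for the SDMF and MDMF messages described above, including the twos-complement checksum, the absent number/name parameter types of Figure 4, and the start/stop bit framing behind the channel seizure and mark preamble. Field layouts and constants follow the text; the function names are my own.

```python
# Bellcore-style Caller ID message builder, CPE-side checker and line framer.
# Added example, not code from the article or the specification it excerpts;
# field layouts, parameter types and the checksum rule follow the text above.

SDMF = 0x04   # Single Data Message Format: date/time + number (or "P"/"O")
MDMF = 0x80   # Multiple Data Message Format: list of (type, length, data)

P_DATETIME = 1       # MDMF parameter types named in the text
P_NUMBER = 2
P_NUMBER_ABSENT = 4  # data is the reason: "P" private / "O" out of area
P_NAME = 7
P_NAME_ABSENT = 8


def checksum(words):
    """Twos complement of the modulo-256 sum of the message words
    (type, length and data; seizure and mark signals are not counted)."""
    return (-sum(words)) % 256


def _datetime(month, day, hour, minute):
    return f"{month:02d}{day:02d}{hour:02d}{minute:02d}"


def build_sdmf(month, day, hour, minute, number):
    """SDMF message; `number` is the digit string, or "P"/"O" when absent."""
    body = [ord(c) for c in _datetime(month, day, hour, minute) + number]
    words = [SDMF, len(body)] + body
    return words + [checksum(words)]


def build_mdmf(month, day, hour, minute, number=None, name=None,
               number_reason="O", name_reason="O", cnam=True):
    """MDMF message; an absent number/name becomes the 'reason' parameter
    type with a one-byte body.  cnam=False models a CND-only subscriber."""
    params = [(P_DATETIME, _datetime(month, day, hour, minute)),
              (P_NUMBER, number) if number else (P_NUMBER_ABSENT, number_reason)]
    if cnam:
        params.append((P_NAME, name) if name else (P_NAME_ABSENT, name_reason))
    body = []
    for ptype, data in params:
        body += [ptype, len(data)] + [ord(c) for c in data]
    words = [MDMF, len(body)] + body
    return words + [checksum(words)]


def parse(words):
    """CPE-side receive: every word including the checksum must sum to zero
    mod 256, else the message is discarded (the CO never retransmits)."""
    if len(words) < 3 or sum(words) % 256 != 0:
        raise ValueError("checksum failure: message discarded")
    mtype, length, body = words[0], words[1], words[2:-1]
    if length != len(body):
        raise ValueError("message length does not match body")
    text = bytes(body).decode("ascii")
    if mtype == SDMF:
        return {"format": "SDMF", "datetime": text[:8], "number": text[8:]}
    if mtype != MDMF:
        raise ValueError(f"unknown message type {mtype}")
    out, i = {"format": "MDMF"}, 0
    while i + 2 <= len(body):
        ptype, plen = body[i], body[i + 1]
        data = text[i + 2:i + 2 + plen]
        i += 2 + plen
        if ptype == P_DATETIME:
            out["datetime"] = data
        elif ptype == P_NUMBER:
            out["number"] = data
        elif ptype == P_NAME:
            out["name"] = data
        elif ptype == P_NUMBER_ABSENT:   # field absent: None plus the reason
            out["number"], out["number_reason"] = None, data
        elif ptype == P_NAME_ABSENT:
            out["name"], out["name_reason"] = None, data
    return out


def line_bits(words):
    """Serial stream sent after the first ring: channel seizure (300
    alternating bits, first 0, last 1), mark signal (180 ones), then each
    word as start bit 0, eight data bits LSB first, stop bit 1."""
    bits = [i % 2 for i in range(300)] + [1] * 180
    for w in words:
        bits += [0] + [(w >> k) & 1 for k in range(8)] + [1]
    return bits


def words_from_bits(bits):
    """Receiver side: idle through mark bits until a start bit, then read
    eight LSB-first data bits; this also skips any stuffed mark bits."""
    words, i = [], 300   # seizure is over, we are in the mark run
    while True:
        while i < len(bits) and bits[i] == 1:
            i += 1
        if i + 10 > len(bits):
            return words
        words.append(sum(bits[i + 1 + k] << k for k in range(8)))
        i += 10
```

build_sdmf(12, 25, 15, 30, "6061234567") reproduces Figure 2 (checksum 79), build_sdmf(12, 25, 15, 30, "P") Figure 3 (16), and build_mdmf(11, 28, 15, 43, "6062241359", "Joe Smith") Figure 4 (88).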

(lets talk d1rty)

The above specifications are relevant to the US CID system, and not to the
UK specification. Enough of the technical stuff for now though; it's time to
look at CID systems from an attack and defence point of view. First the real
basics: if you are in the US you can request that your CID is withheld by
using *67 as a prefix when dialing a number. As I said before though, this is
absolutely useless in completely withholding your CID, because we know that
CID information is passed on to the called party's central office regardless
of *67 via the SS7 network. If you are in the UK you would prefix your call
with 141, but again our nice System X digital exchanges are real bitches at
passing on our CID information to _other_ exchanges, so in essence your call
routing is logged as it passes through exchange boundaries on the PSTN. So
here I am going to discuss different techniques that can be used to
completely render your CID information useless as it is transmitted through
various exchanges and offices.

I'm going to begin with some basic concepts so you can understand the more
advanced techniques better. Now, let's consider this scenario for the
following techniques: you are in Texas (RBOC: SWBell) and you want to set up
a call to someone in Chicago (Ameritech). Obviously, you know that *67 won't
help you if the person you are calling has full CID (or has access to their
central office ;>), so you consider the following techniques and call-setup
examples.

[ example A: simple diverting ]

Here you use a host that will be traced back to in the event that the
person has full CID. In other words, it's real simple: you use a PBX
(preferably a long distance one located in another RBOC). This is very self
explanatory, but a lot of people get it wrong. Here's how the call setup
would look in a metaphorical diagram:


   ______               ______         ______
  |      |             |      |       |      |  (800)XXX-XXXX
  |  CO  |------------>|  CO  |------>| PBX  |  POTS:(123)456-7890
  |______|             |______|<------|______|
     |                                   |
     |                                   |
     |                                 __|___
  ( you )                             |      |
                                      |  CO  |---------------------> ( them )
                                      |______|


Now, what's happening here is you are calling the PBX at *671800XXXXXXX, you
then log in to the PBX and from there you dial the person you want to call.
When the person checks their CID unit, they will see the number of the PBX
you are calling from instead of your actual originating number. Now, this is
OK for very very very simple CID spoofing, but if the person you are calling
is resourceful, they could very easily have words with the host from which
you were calling (who would have your ANI; it's an 800 number). The CO of
the PBX would also have the time, date, and trunk setup information for when
you called the PBX etc, so this example is still not quite as effective as
you would imagine it to be.

Now, to make a long story short, we can enhance the above method by
implementing our _own_ CID blocking methods along the above routing example.
Look at the diagram in detail and you will realise that there are many
different alterations that can make the routing a lot safer, and _a lot_
more hassle for them to pin-point your OPC, or originating point.

First we take into account the call we make to the PBX. For starters, you can
op-divert to the 800 number (depending on where you live) so the 800 PBX
receives the operator-assisted call's ANI instead of yours. This can be done
very easily, and involves you calling your local operator and asking them to
call the number for you. The central office located near the PBX then has the
OPC of your operator, rather than yours.

Now, the PBX host is your safeguard when it comes to hiding your CID. For
those of you who don't know, all PBXs, or privately owned switching and
trunking mechanisms/systems, log incoming and outgoing trunk setups for
billing purposes etc. These days, most PBX exchanges have administration
modules that deal with call routing. The call setups are stored in the
databases of the PBXs and can be intercepted. Most of the time, a PBX will
have one if not several dial-in modems that connect to the PBX administration
modules for remote maintenance. It's simply a case of internally scanning the
extensions of the remote PBX for a carrier, and checking out each one until
you find what you are looking for. Once you have access, you could do _many_
things depending on how advanced the system is. For example, you could erase
any log of your connection to the PBX (as well as any future connections),
you can set up incoming and outgoing trunks on the PBX exchange that don't
even exist, and you can also select which trunk you wish to call your party
with, therefore selecting which number is displayed to the called party. I
won't go into too much detail here, you get the picture right?

So now we are using a host to call through that will not log anything that
could point towards you, with the exception of the timestamping at the
central offices along the routing path (again, that could be dealt with in a
similar fashion). You could also implement op-diverting from the PBX to the
dialled person, or triple the number of hosts you use to place the call,
using the above methods but via more PBXs and operators.

In my opinion though, the above method is nowhere near as secure as you need
it to be, so in the next examples we take advantage of LD carriers and global
PSTN networks that do not co-operate with each other, ie: calling party data
is not translatable or transmittable (electromechanical).

Now, to really throw someone off track in the event of a trace (realtime or
aftermath) we take advantage of one of the biggest flaws in the PSTN known
today: new digital exchange units such as digital ESS, System X etc cannot
effectively communicate with older, less widely deployed electromechanical
exchanges such as crossbar, or with the CCITT #5 in-band signalling still
used in less developed countries such as Indonesia, Libya etc. C5 has no
calling party number field at all, so whatever SS7 carried up to the gateway
is dropped on the far side. The world's telcos are also very lazy when it
comes to passing on originating calling party information from country to
country, simply because it is too much hassle for them; time and money come
into the picture once more. So LD call setups become a good counter-defence
when it comes to routing untraceable calls. Now, I can think of literally
100s of methods that could be implemented here, but I'm going to discuss the
structure of how this type of call would be set up, I'll leave the rest to
your imagination (if you have one).

[ example B: international routing ]

Now, consider the previous call setup example, and imagine how it would be
trunked if you placed a long distance barrier in between. Here we will
imagine we have 2 PBXs, one in the US and one in the UK. Again, you are in
Texas and want to set up a call to someone in Chicago without revealing your
identity. The basic call setup would appear like this:


______ ______ ______
| | | | | | (800)XXX-XXXX
| CO |------------->| CO |------->| PBX | POTS:(123)456-7890
|______| |______|<-------|______|
| | ___
| [ US PSTN ] | ESS routing .--->|co |
| __|___ ____|_ |___|------ ( them )
( you ) | | | |
| CO |------->| DMS | (international DMS
|______| |______| gateway router)
:
:
:
[ super LD ] .........................\........................
\
:
So here you have op diverted :
to the US PBX, then from the :
US PBX op diverted and called ______ ___:__
the PBX in the UK, already | |------->| |
the UK PBX has lost the US | CO |<-------| DMS | (international DMS
PBXs CID, and from the UK PBX |______| |______| gateway router)
you call the person in chicago, |:
which in turn is re-routed back |:
through the international PSTN |: [ UK PSTN ] systemx routing
effectivly deteriating your __|:__
origionating line. | |
| PBX | (UK PBX)
|______|


The problem with this kind of routing example is that you are costing the 2
PBX exchanges involved big bux, and it is generally not a very nice thing to
do, heh. Again, as in the previous example, you can implement the PBX
administration for extra security, and the above diagram could be used vice
versa whether your originating point was the UK or the US. It is however
inconvenient, both for you and for the poor owners of the PBXs who have to
fork out for your toll-fraud adventures. There are however other ways of
implementing the above techniques.

Now, probably the most favourable technique to use would be to box your way
out of a country that runs C5, and from there re-route a call back to the US,
and even implement a few PBXs along the way; therefore you would have [ 0 ]
CID worries. A more advanced technique involves the forwarding of subscriber
lines to a designated number (a C5 country direct, PBX etc). Now, if you are
in the US, you could be super lame and simply have another US line forwarded
to another number by posing to the forwarded line's CO as a field engineer
requesting the line be forwarded to xxx while you carry out field
'maintenance' on it, _or_ if you wanna stay away from the lameness, you
could do this:

Let's take Indonesia for example. You can remotely forward an Indonesian
residential line to anywhere you want (providing you can find an English
speaking exchange). Indonesia is just an example, but like the US method of
forwarding lines you have 2 options. You could a) pose as a local field
engineer, or b) if the country has a DMS[+] architecture you could forward
the lines by means of remote switch access. (That's another file, but you get
the general idea.) So, when it comes down to it, it's all about having the
ability to route calls, not spoof them.
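Both example A and example B come down to the same question: at which hop
does the calling number get passed on, replaced, or dropped, and who keeps a
record of it. What follows is an added example, not code from the article,
that models that hop by hop. The node names, the numbers and the record
formats are assumptions, and the international leg in example B is assumed
to be C5 so the model can show the number being dropped. A CO passes the CPN
and the presentation bit unchanged over SS7 (so *67 and 141 only change the
display), an 800 PBX or an operator position gets the caller's number as ANI
and then originates a fresh leg from its own number, and a C5 gateway sends
no calling number at all. trace_back walks the records from the called
party's CO back toward the origin, the way a trace would, and reports where
it stops: at the origin with *67 alone, at the PBX once its records are gone,
or at the far side of the C5 trunk.

```python
"""Where the calling number survives on a routed call: a model of the
hop-by-hop information flow described above. Constructed example; node
names, numbers and record formats are assumptions."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed numbers (assumptions, not from the article).
YOU = "+1 214 555 0100"       # your Texas POTS line
PBX_US = "+1 123 456 7890"    # outbound trunk number of the 800 PBX
PBX_UK = "+44 20 7946 0000"   # outbound trunk number of the UK PBX
OPERATOR = "+1 214 555 0000"  # your local operator position


@dataclass(frozen=True)
class Leg:
    """One call-setup leg: an SS7 IAM, or a CCITT No.5 trunk seizure."""
    src: str
    dst: str
    cpn: Optional[str]   # calling party number in the signalling; None = no such field (C5)
    restricted: bool     # presentation bit that *67 / 141 sets; the number itself stays


@dataclass
class Node:
    name: str
    kind: str                 # "co" | "pbx" | "operator" | "c5gw"
    number: str = ""          # number a pbx/operator originates its new leg from
    keeps_logs: bool = True   # False models a PBX whose call records were wiped
    log: List[Leg] = field(default_factory=list)   # inbound legs recorded here

    def forward(self, inbound: Leg, nxt: str) -> Leg:
        if self.keeps_logs:
            # A CO records the CPN whatever the presentation bit says; an 800
            # PBX and an operator position receive it as ANI despite *67.
            self.log.append(inbound)
        if self.kind == "co":        # SS7 tandem: CPN and bit pass through unchanged
            return Leg(self.name, nxt, inbound.cpn, inbound.restricted)
        if self.kind in ("pbx", "operator"):  # fresh leg from the host's own number
            return Leg(self.name, nxt, self.number, False)
        if self.kind == "c5gw":      # C5 in-band signalling has no calling-number field
            return Leg(self.name, nxt, None, False)
        raise ValueError(self.kind)


def place_call(caller: str, blocked: bool, path: List[Node]) -> Tuple[str, Optional[str]]:
    """Route a call along `path` (caller's CO first, called party's CO last).
    Returns (what the called party's CID box displays, what their CO holds)."""
    leg = Leg(caller, path[0].name, caller, blocked)
    for node, nxt in zip(path, [n.name for n in path[1:]] + ["called party"]):
        leg = node.forward(leg, nxt)
    if leg.cpn is None:
        shown = "UNAVAILABLE"
    elif leg.restricted:
        shown = "PRIVATE"
    else:
        shown = leg.cpn
    return shown, path[-1].log[-1].cpn


def trace_back(path: List[Node]) -> Tuple[List[str], str]:
    """Walk the records from the called party's CO toward the origin, one hop
    per node, the way a trace would. Returns the numbers recovered (consecutive
    repeats collapsed) and the reason the walk stopped."""
    found: List[str] = []
    for node in reversed(path):
        if not node.keeps_logs:
            return found, f"dead end at {node.name}: no records kept"
        cpn = node.log[-1].cpn
        if cpn is None:
            return found, f"dead end at {node.name}: inbound trunk carried no calling number"
        if not found or found[-1] != cpn:
            found.append(cpn)
    return found, "origin reached"


def scenario(blocked: bool, spec):
    """Build fresh nodes from (name, kind[, number[, keeps_logs]]) tuples and run one call."""
    path = [Node(*s) for s in spec]
    shown, co_view = place_call(YOU, blocked, path)
    found, why = trace_back(path)
    return shown, co_view, found, why


# *67 alone, Texas to Chicago over SS7.
PLAIN = [("SWB-CO", "co"), ("Ameritech-CO", "co")]
# Example A: *67 to an 800 PBX in another RBOC, then dial out from there.
VIA_PBX = [("SWB-CO", "co"), ("800-PBX", "pbx", PBX_US), ("PBX-CO", "co"), ("Ameritech-CO", "co")]
# Same route after the PBX's call records have been wiped.
VIA_PBX_WIPED = [("SWB-CO", "co"), ("800-PBX", "pbx", PBX_US, False), ("PBX-CO", "co"), ("Ameritech-CO", "co")]
# Example B: op-divert to the US PBX, out over a C5 international trunk
# (assumed) to a UK PBX, and back to Chicago.
INTL = [("SWB-CO", "co"), ("Operator", "operator", OPERATOR), ("800-PBX", "pbx", PBX_US),
        ("C5-gateway", "c5gw"), ("UK-CO", "co"), ("UK-PBX", "pbx", PBX_UK),
        ("UK-gateway", "co"), ("Ameritech-CO", "co")]

if __name__ == "__main__":
    for label, spec in [("*67 only", PLAIN), ("example A", VIA_PBX),
                        ("example A, PBX records wiped", VIA_PBX_WIPED), ("example B", INTL)]:
        shown, co_view, found, why = scenario(True, spec)
        print(f"{label}: CID box shows {shown}; their CO holds {co_view}; "
              f"trace recovers {found}; {why}")
```

Run it and the four lines say what the text says: *67 alone hides the number
from the box but not from the CO, the 800 PBX hands the trace your ANI unless
its records are gone, and once the call has crossed a C5 trunk the far side
has nothing but trunk and time records to correlate on.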

So, there you have it, a brief guide to CID blocking (the effective way). It's
your choice, *67 (blah) or *67,00-->1800XXXXXXX-->*67,00-->1800XXXXXX(CD)-->
KP2-44-141-0800-XXXXXXX-ST -->001-1800XXXXXXX-->*67,00-->555-555-5555 hello?
<click> <click> <churchunk> <brrr> <curchunk> <click> <click> :>

I hope you enjoyed this file as much as I did writing it, take it easy and
remember to check out my website.. :)

Shouts to 9x, substance, downtime, ch1ckie, oclet, jasun, zomba, psyclone,
bodie, digiphreq, w1repa1r, gr1p, t1p, jorge, b4b0, shadowx, osiris, essgurl,
lowtek, pbxphreak, katkilla, drphace, prez, euk, simmeth, dgtlfokus, voltage,
knight, siezer, oeb, lusta, infidel, devious, werd to #9x #darkcyde #phunc
#b4b0 #2600 #2600-uk & wErd to D4RKCYDE.


: . http://hybrid.dtmf.org
___ ___ _____.___.____________________ ____________
hybrid@b4b0.org / | \\__ | |\______ \______ \/_ \______ \
hybrid@ninex.com / ~ \/ | | | | _/| _/ | || | \
hybrid@dtmf.org \ Y /\____ | | | \| | \ | || hy_ \
\___|_ / / ______| |______ /|____|_ / |___/_______ /
+++ NO CARRIER \/ \/ : \/ \/ . \/


-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: cp850

iQEVAwUBN5dSy7TUyHciIYgJAQGcSgf/er3ngPoYsPon9rmU4VG0klcp9koc5aoA
hBBheVxeeVQOzrUl0kPv5sCUPdHoEKbabHqAyDcoJY9feoM5aZ4U0kryuTBm415z
M57ff31CH+T+8iUaW7ZlQkBfFuJfNr2B3pro6KvDGzU2S7nJhYSCugoCf3IExlLt
+FSXEAl+HC0PCpDcEYlQ+2kNwgOBMLLQ9w3On/vFcRJnD26E9Hk4j5IMv8iv+37F
sdQDDhqQ3ah2y1CN3KGAOrcsaYRhT1OyLjbw+JDwR1buCa38yqawBjpbAuM/PTfU
eoNCmwzFEucjcFKpQJisT1428MgeuK2cWmIj8flfuIr9fhIi/7wdNA==
=570J
-----END PGP SIGNATURE-----




-o[ outness ]o-
-o[ D4RKCYDE ]o-
-o[ write for f41th ]o-------------------------------------------------------

Eventually f41th magazine is going hard copy. We originally planned to do this
by the time we got to issue 1O, but things didn't go as planned. We are
looking for people to write for f41th magazine, so if you have something you
would like to publish in f41th, just email it to one of the following email
addresses.

[ hybrid@dtmf.org ]
[ hybrid@ninex.com ]
[ zomba@phunc.com ]
[ downtime@dangerous-minds.com ]
[ digiphreq@webcrunchers.com ]

Until we get our own bawx online, just use the above addresses to send
anything you want to publish in f41th, ie: letters, comments, articles etc.
If you are writing an article, it must meet the following:

[ all articles sent to f41th must be original ]
[ all articles must be at least 10K ]
[ all articles must be in pure .txt format, no .doc ]
[ all articles sent to f41th should not be released anywhere else ]

If you are writing us an email that you want to have published in f41th, put
[ f41th ] in the subject header in enclosed square brackets; all other mail
without that header will be considered reader to writer mail and will not
appear in f41th. Come to #darkcyde on EFNET and eydle with all the D4RKCYDE
dewdz/dewdesses/weirdos/convicts/exconvicts/fbi/junkees/entitys/things/etc.
If you are submitting to f41th, you can use the below pgp key if you desire.


Type Bits/KeyID Date User ID
pub 2048/4D077481 1999/07/30 f41th <http://darkcyde.phunc.com>



#darkcyde EFNET.
http://darkcyde.phunc.com.
[C] D4RKCYDE Communications.

E0F.







