-------[ Phrack Magazine --- Vol. 9 | Issue 55 --- 09.09.99 --- 03 of 19 ]


-------------------------[ P H R A C K  5 5  L I N E N O I S E ]


--------[ Various ]


0x01>------------------------------------------------------------------------

SecurPBX using SecurID
by pbxphreak <chris@lod.com>


.---------------.
| | 037592 |
| `--------'
|   SecureID    |
`---------------'


SecurID Token:
-------------

The SecurID token provides an easy, one step process to positively identify
network and system users and prevent unauthorized access. Used in conjunction
with Security Dynamics Server software, the SecurID token generates a new
unpredictable access code every 60 seconds. SecurID technology offers
crackproof security for a wide range of platforms in one easy-to-use package.

Highlights:
----------

- Easy, one-step process for positive user authentication
- Prevents unauthorized access to information resources
- Authenticates users at network, system, application or transaction level
- Generates unpredictable, one-time-only access codes that automatically
  change every 60 seconds
- No token reader required; can be used from any PC, laptop or workstation;
  ideal for remote access and Virtual Private Networks
- Works seamlessly with ACE/Agent for secure Web access
- Tamperproof


The Solution:
------------

For a sophisticated hacker or a determined insider, it doesn't take much to
compromise a user's password and gain access to confidential resources. And
when an unauthorized user enters a supposedly secure system all privilege
definition and audit trail functions become virtually meaningless... in
essence, the damage is done. Single-factor identification (a reusable
password) is not enough.

To identify and authenticate an authorized system user, two factors are
necessary. Factor one is something secret only the user knows: a memorized
personal identification number (PIN) or password. The second factor is
something unique the user possesses: the SecurID token.

Carried by authorized system users, SecurID tokens (available in three
models) generate unique, one-time, unpredictable access codes every 60
seconds. To gain access to a protected resource, a user simply enters his or
her secret PIN, followed by the current code displayed on the SecurID token.
Authentication is assured when the ACM recognizes the token's unique code in
combination with the user's unique PIN. Patented technology synchronizes each
token with a hardware or software ACM. The ACM may reside at a host, operating
system, network/client resource or communications device: virtually any
information resource that needs security.

This simple, one-step login results in crackproof computer security that is
easy to use and administer. The tokens require no card readers or
time-consuming challenge/response procedures. With SecurID tokens, reusable
passwords can no longer be compromised. Most importantly, access control
remains in the hands of management.


SECURID PINPAD:
--------------

An added level of security can be implemented with a SecurID PINPAD token.
The PINPAD token enables users accessing the network to login with an
encrypted combination of the PIN and SecurID token code. Using the keypad on
the face of the PINPAD token, a user enters his or her secret PIN directly
into the token, which generates an encrypted passcode. This additional level
of security is especially appropriate for users in application environments
who are concerned that a secret PIN might be compromised through electronic
eavesdropping.

SecurID tokens are ideal for any environment. The original SecurID token
conveniently fits into a wallet like a credit card. The SecurID key fob
offers a new dimension in convenience to those customers requiring high
levels of security in multiple environments, along with compact size and
durability. In addition to providing the same reliable performance in
generating random access codes as the original SecurID token, the SecurID key
fob comes in a small, lightweight format.

SecurPBX
--------

Ok. Plain and simple. SecurPBX is a product to protect PBX systems worldwide
and automated Help Desk functions.

SecurPBX provides remote access security for telephone lines, modem pools,
voicemail ports, internet access lines, and the maintenance port on PBX
systems. Used in conjunction with Security Dynamics SecurID, SecurPBX
protects valuable PBX resources from remote access by unauthorized callers
without compromising the conveniences of remote telephone and data access
to teleworking or traveling employees.

Callers dial specific numbers on the PBX for long distance services. As an
adjunct to the PBX and a client to the server, SecurPBX receives the
caller's request for resources. Functioning as a client, SecurPBX requires
remote callers to provide SecurID user authentication and an authorized
destination telephone number before being transferred to the desired resource.
SecurPBX transmits the credentials to the server for authentication
and simultaneously validates the telephone number by user specific
permissions and denials. SecurPBX integrates with the PBX to process the
call based on the validity of the caller via SecurID and the destination
number attempted.


   .----------.              |
   |  SERVER  |----         -x-   <-- Security
   `----------'              |
        |                    |
        |                   _-_
.--------------.             |
| | 037592 |              ,-----.
| `--------'     -----    | PBX | ----- .-----------.
|   SecureID   |          `-----'       | SecurePBX |
`--------------'                        |  Switch   |
                             |          `-----------'
                             |
                      --------------- Users

Each SecurID card is a visually readable credit card sized token or key which
is programmed with Security Dynamics' powerful algorithm. Each card
automatically generates an unpredictable, one time access code every 60
seconds. The token is convenient to carry and simple to use and is resistant
to being counterfeited or reverse engineered.

SecurPBX extends the secure working environment of an organization to remote
locations. SecurPBX applies user specific calling restrictions before any
call is completed to prevent unauthorized toll charges and misuse of PBX
resources. The time of day, volume of calls per user, destination telephone
numbers (restricted to NPA and NXX) and customizable classes of service add
a vital layer to access security without compromising the convenience of
having remote access to telephone resources. SecurPBX logs all successful
and unsuccessful attempts including the destination telephone number.
Caller ID/ANI if available also provides the origination telephone number,
pinpointing the location of the caller.
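
An added example (not part of the original article, and not Security Dynamics
or SecurPBX code) of the admission logic described above: PIN plus 60-second
token code, then the per-user NPA/NXX, time-of-day and call-volume
restrictions, with every attempt logged. The HMAC-based token_code(), the
Gateway and User names, and all sample numbers are assumptions made for the
illustration; SecurID's proprietary algorithm is not reproduced.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import datetime, time, timedelta, timezone

STEP = 60  # seconds a displayed code stays valid, as the article states


def token_code(seed: bytes, unix_time: int) -> str:
    """Stand-in generator (assumption): HMAC-SHA256 of the 60 s interval number,
    reduced to 6 digits. SecurID's own algorithm is not reproduced here."""
    interval = (unix_time // STEP).to_bytes(8, "big")
    digest = hmac.new(seed, interval, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


@dataclass
class User:
    pin: str                     # constructed sample; keep only a hash in practice
    seed: bytes                  # per-token secret shared with the server
    allowed: set                 # {(NPA, NXX)}; an NXX of None permits the whole NPA
    hours: tuple = (time(7, 0), time(19, 0))
    max_calls: int = 3           # volume-of-calls limit
    calls: int = 0
    last_interval: int = -1      # replay guard: each code is accepted once


@dataclass
class Gateway:
    users: dict
    audit: list = field(default_factory=list)

    def _passcode_ok(self, user: User, passcode: str, now: int) -> bool:
        if not (passcode.isascii() and passcode.isdigit()):
            return False
        pin, code = passcode[:len(user.pin)], passcode[len(user.pin):]
        if not hmac.compare_digest(pin, user.pin):
            return False
        for drift in (-1, 0, 1):             # tolerate one interval of clock drift
            interval = now // STEP + drift
            if interval <= user.last_interval:
                continue                     # used or older interval: reject replay
            if hmac.compare_digest(code, token_code(user.seed, interval * STEP)):
                user.last_interval = interval
                return True
        return False

    def _policy(self, user: User, dest: str, when: datetime) -> str:
        digits = "".join(c for c in dest if c.isdigit())
        if len(digits) == 11 and digits[0] == "1":
            digits = digits[1:]              # strip the long-distance prefix
        if len(digits) != 10:
            return "malformed destination"
        npa, nxx = digits[:3], digits[3:6]
        if (npa, nxx) not in user.allowed and (npa, None) not in user.allowed:
            return "destination not permitted"
        if not user.hours[0] <= when.time() < user.hours[1]:
            return "outside permitted hours"
        if user.calls >= user.max_calls:
            return "call volume exceeded"
        return "ok"

    def authorize(self, user_id, passcode, dest, when, ani=None):
        """Authenticate, apply the user's calling restrictions, log the attempt."""
        user = self.users.get(user_id)
        if user is None or not self._passcode_ok(user, passcode, int(when.timestamp())):
            reason = "authentication failed"
        else:
            reason = self._policy(user, dest, when)
        allowed = reason == "ok"
        if allowed:
            user.calls += 1
        # successful and unsuccessful attempts are both logged, with destination and ANI
        self.audit.append({"time": when.isoformat(), "user": user_id, "dest": dest,
                           "ani": ani, "allowed": allowed, "reason": reason})
        return allowed, reason


def demo():
    """Constructed scenario: one user, four attempts (the second replays a code)."""
    seed = b"constructed-demo-seed"
    gw = Gateway({"alice": User("4321", seed, {("212", None), ("415", "555")})})
    t0 = datetime(1999, 9, 9, 10, 0, tzinfo=timezone.utc)
    attempts = [(0, "212-555-0100"), (0, "212-555-0100"),
                (2, "1-900-555-0199"), (4, "415 555 0123")]
    results = []
    for minutes, dest in attempts:
        when = t0 + timedelta(minutes=minutes)
        passcode = "4321" + token_code(seed, int(when.timestamp()))
        results.append(gw.authorize("alice", passcode, dest, when, ani="2125550142"))
    return results, gw.audit


if __name__ == "__main__":
    for entry in demo()[1]:
        print(entry)
```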

Highlights of SecurPBX:
----------------------

- Compatible with all major PBX vendor types.
- Cost effective remote access security for PBX resources.
- Prevents unauthorized access to valuable voice and data resources.
- Secures remote long distance, and alternative method for replacing
  calling cards.
- Works in conjunction with each user's SecurID card.
- Centralized network authentication and security administration.
- Easy to use, voice prompting available in multiple languages.
- Audit trails and reporting assure true caller accountability.
- Caller ID/ANI option provides originating telephone number identifying
  hacker locations.

SecurPBX operates in Microsoft Windows NT environment. Callers and data users
achieve seamless access to PBX resources with validation data gathered as
efficiently as using a calling card and/or attempting a standard logon
procedure. In many cases, SecurPBX can be a calling card replacement and
may also be used with cellular phones to combat calling card fraud.
Fraudulent or suspect callers are denied access before toll charges and
resource damage occur.

Typically, securing a PBX from unauthorized remote access has required
disabling remote access to the PBX. Using dynamic, two factor authentication
through the server and validating destination numbers dialed, SecurPBX
systematically locks out unauthorized callers preventing toll, voicemail,
and data fraud. This provides a secure access point for
teleworking resources.

SecurPBX unique voice identification:
-------------------------------------

SecurPBX is a unique identification solution providing secure remote
access to all major PBX or Centrex telephone systems. Protected resources
included are:

- Long distance lines and trunks
- Voice mail access lines
- Call centers
- Interactive voice response systems and audio response units

Access is controlled through positive identification by their unique,
individual voice prints. SecurPBX uses SpeakEZ voice print speaker
verification service technology to efficiently allow access to authorized
callers while eliminating access to unauthorized callers. The SpeakEZ
voice print system is recognized as the best in the voice verification
industry today.

Significant investments in telephone resources simply cannot be protected
by traditional static passwords or PINs. When making a telephone call from
any telephone using your calling card number, the one condition verifiable
as certain by the PBX or phone company is that someone is making a call with
a known authorization code; however, it could be anyone. Casual calling by
unauthorized personnel, recognized as a major misuse of corporate telephone
resources, must be controlled if not eliminated. SecurPBX provides that
capability to your organization.

SecurPBX provides reliable, independent two factor user identification and
authentication. Factor one is something the user knows: a memorized personal
identification number or password. The second factor is something unique
the user possesses: his/her own voice print. Each caller is required to
merely speak his/her chosen password which is compared to a stored voice
print. The password can be in any language or dialect.

SecurPBX extends the unique user authentication provided by SpeakEZ voice
print to include user specific calling restrictions. Time of day, volume of
calls per user, destination telephone numbers which are restricted to NPA
and customizable classes of service add important layers of access security
without compromising the convenience of remote access to telephone resources.


Highlights:
----------

- Compatible with all major PBX vendor-types and Centrex
- Cost effective remote access security for PBX resources
- Prevents unauthorized access to valuable voice resources
- Secures remote long distance
- Non-intrusive security, callers are validated by their own voice prints
- Language independent passwords
- Centralized authentication and security administration
- Easy to use, voice prompting available in multiple languages
- Audit trails and reporting assure true caller accountability
- Multiple voice prints available per user

Remote Access Security Solution:
-------------------------------

Optionally, after authentication, SecurPBX administrators can manage user
permissions and denials from either the same SecurPBX workstation or from
another workstation connected via a LAN or remotely by modem in a Windows
friendly environment.

Long distance callers achieve seamless access to PBX outbound trunks with
validation criteria gathered as efficiently as a calling card and as easily
as talking to a telephone attendant. Fraudulent or suspect callers are denied
access before any damaging toll charges can occur.

SecurPBX logs all calls, successful and unsuccessful, including the date and
time, user ID, and destination telephone number. Depending on the PBX type,
Calling Line Identification ANI may be used as part of the validation process
and in those cases, will also be logged. Log information can be exported to an
external spreadsheet application or displayed in reports generated by the
SecurPBX Administrator.

SpeakEZ Voice Print:
-------------------

SpeakEZ Voice Print Speaker Verification is a highly effective method of
confirming a caller's identity. The service is based on the fact that each
person's voice is uniquely different, and, as a means of identification, is
highly reliable. Speaker Verification is an application of the SpeakEZ Voice
Print technology which compares a digitized sample of a person's voice with
a stored model "voice print" of that individual's voice for verification.

- Authenticates the caller as opposed to information (i.e. PIN) or a piece
  of equipment.
- Easy to use, language independent
- Safe: a voice print cannot be lost or stolen
- Cost-effective: does not require special hardware for the caller
- Virtually fraud-proof: a voice is difficult to forge

Applications of SecurPBX:
------------------------

- Secure Telecommuting (all valuable PBX resources)
- Call center user authentication
- Securing Interactive Voice Response (IVR) and Audio Response Units (ARUs)
- Help Yourself suite of products for help desk automation (ASAP(TM) -
  ACE/Server Administration Program - PIN reset, SecurNT - Windows NT
  password reset, E-Help Desk - Entrust/PKI(TM) profile recovery)

Technical Requirements:
----------------------

Telephony platforms : All major PBXs including Nortel, AT&T, Rolm and Mitel

Processor           : 100% IBM compatible PC, Pentium 133 minimum
Disk requirement    : Hard disk 1 gigabyte minimum, 32MB RAM for Switch
                      Interface, Client software, 8 MB for Administrator
                      software, actual storage based on size of user
                      population

Capacity            : An unlimited number of users may be administered and
                      issued SecurID Cards. 32 simultaneous voice channels
                      per Switch Interface

Configuration       : Multiples of 4, 12 and 24 line telephone interfaces

Management          : SecurPBX Administrator includes extensive
                      administrative menus in user-friendly Windows 3.1 and
                      95 environment, real time monitoring and management of
                      multiple PBX sites

Conclusion:
----------

SecurPBX is definitely the way to go to prevent your data and PBX systems
from getting hacked and abused.

0x02>------------------------------------------------------------------------
<++> P55/Linenoise/ckludge.c !2231f4cc
/* */
/* CKludge.C (Amiga) */
/* */
/* If you are a PC user you can port this C source easily. */
/* */
/* You might even want to use it to fix your fucking millenium bug... */
/* */
/* Ha! Ha! Ha! 2000 is nigh. */
/* */
/* Clock Kludge 1.0 by `The Warlock' */
/* */
/* This little patch will freeze your clock - useful if you wish to bypass */
/* time restrictions imposed by many programs... */
/* */
/* It works by patching the level 3 IRQ vector, vertical blank, to hold the */
/* complex interface adapter internal time of day clock registers to zero. */
/* ($bfe801 = TOD lo, $bfe901 = TOD mid, $bfea01 = TOD hi) */
/* */
/* Should work on all Amiga models. */
/* */
/* Handles relocated vector base correctly. */
/* */
/* Compiling info: lc2 -v (disable stack checking so no need to use le.lib) */
/* */

#include <stdio.h>
#include "exec/types.h"
#include "exec/memory.h"
#include "exec/interrupts.h"
#include "hardware/custom.h"
#include "hardware/intbits.h"

struct Interrupt *VertBIntr;
long count;

main()
{
    extern void VertBServer();

    /* allocate an Interrupt node structure */

    VertBIntr=(struct Interrupt *)
        AllocMem (sizeof(struct Interrupt),MEMF_PUBLIC);

    if (VertBIntr==0){
        printf("not enough memory for interrupt server");
        exit (100);
    }

    /* initialize the Interrupt node */

    VertBIntr->is_Node.ln_Type=NT_INTERRUPT;
    VertBIntr->is_Node.ln_Pri=-60;
    VertBIntr->is_Node.ln_Name="Clock Kludge";
    VertBIntr->is_Data=(APTR)&count;
    VertBIntr->is_Code=VertBServer;

    /* put the new interrupt server into action */

    AddIntServer (INTB_VERTB,VertBIntr);

    /* wait for user to type 'q' */

    printf ("Type q to quit...\n");
    while (getchar()!='q');

    /* remove interrupt server */

    RemIntServer (INTB_VERTB,VertBIntr);

    /* free memory */

    FreeMem (VertBIntr,sizeof(struct Interrupt));
}

/* the VertBServer might look like this */

        XDEF    _VertBServer

_VertBServer:

        clr.b   $bfe801         ; clear TOD lo
        clr.b   $bfe901         ; clear TOD mid
        clr.b   $bfea01         ; clear TOD high

        move.l  a1,a0           ; get address of count
        addq.l  #1,(a0)         ; increment value of count
        moveq   #0,d0           ; continue to process other vb-servers
        rts                     ; must be rts NOT rte

        end                     ; eof
<-->
0x03>------------------------------------------------------------------------
<++> P55/Linenoise/IPChange.asm !85660240
*--------------------------------------*
*
* IPChange.Asm (DevPac) by `The Warlock'
*
* Nowadays almost all ISPs allocate dynamic IP addresses, meaning your IP
* address will change for each connection you make.
*
* On a shitbox PC, a reset causes the CD signal on the serial port to go low,
* meaning that the connection is lost and you must initiate another.
*
* On an Amiga, a reset does not pull the CD signal low, meaning that
* reconnection is possible.
*
* When you reconnect, your ISP allocates another dynamic IP address, so in
* effect, you have changed your IP address without starting a new connection!
*
* Create a batch file called ipchange.bat as follows:
*
*       echo > s:reconnect
*       wait 5
*       cpu nofastrom > nil:
*       ipchange
*
* Make the following additions to your startup-sequence:
*
*       if exists s:reconnect
*           delete s:reconnect > nil:
*           execute <your internet startup script>
*       else
*       endif
*
* Now, whenever called, ipchange.bat will reset, and automatically load your
* internet software for quick reconnection.
*
*--------------------------------------*

        opt     c+,d-           case sensitive no debug

        section ,code           code section

*--------------------------------------*

START   bra.s   MAIN            call main

*--------------------------------------*

ID      dc.b    "$VER:IPChange V1.0 by `The Warlock!",0

*--------------------------------------*

        cnop    0,4             32 bit alignment

MAIN    move.l  4.w,a6          exec base a6
        jsr     -$84(a6)        call forbid()

        move.l  4.w,a6          exec base a6
        jsr     -$78(a6)        call disable()

        lea     RESET(pc),a5    supervisor code a5
        move.l  4.w,a6          exec base a6
        jsr     -$1e(a6)        call supervisor()

*--------------------------------------*

        cnop    0,4             32 bit alignment

RESET   lea     2,a0            kickstart rom jump vector
        reset                   kickstart rom remapped
        jmp     (a0)            kickstart rom restarted

*--------------------------------------*

        end                     eof

*--------------------------------------*
<-->
0x04>------------------------------------------------------------------------

THE BULGARIAN PHREAK SCENE
^^^^^^^^^^^^^^^^^^^^^^^^^^

by TOKATA (firestarter)...


What to say about the Bulgarian phreak scene - is there really one?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Hmm... it's bad news - in Bulgaria there aren't any phreak-wise people at
all... But almost every second fucked bastard, which has a computer, is
interested in hacking. Bastards, which don't know any programming language;
their hard drive is full of games, MP3s and porno JPG files; hang on the
Internet and download hacking programs. They use them (or ask someone to show
how to work with them) and imagine - they are superhackers. So Bulgaria is
full of motherfucking lamers.
We have an electronic underground magazine named "Phreedom Magazine", but
hacking is the main theme. No phreak articles, because there aren't any
phreak authors. So, read...


Bulgarian phone system - the best phone system in the world! :)))
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Hmm... how to begin... err... So, 98% of our local tandem exchanges are
SxS A-29 type (made by Siemens). A typical SxS exchange - no computerization,
strowger switches, sleeve. The impedance is 600ohms, the battery by off-hook
is 60V, by on-hook - 10V. The resistance range is within 0-1600Ohms, the
current - within 15-100mA, but usually is 40-60mA.
A mini Bulgarian crossbar system (KRS-200) is used in some small villages
(up to 200 subscribers). As transit national exchange is used "Crosspoint"
(made by Siemens too) aka ESK-1000. The Crosspoint's switch is an ESK-relay.
ESK stands for Edelmetall-Schnell-Kontakt auf Deutsch. Also "Crosspoint" is
used as local tandem in some of the big cities.
In Sofia (our capital) is located a transit international exchange MT-20
(by THOMSON - France). Also a year ago our Telco began to install real digital
switching systems there. But the tax for these is terrible and their
subscribers are companies, offices and some bastards with a lot of money...
and most of the capital's ISPs ;)
The cables are quite old, there is much background noise in the handset,
the modem connections are terrible - with a 14.4K modem the average speed is
1000bps, it drops you every 3 minutes. After rain there is no subscriber
with normal connection.
So the number detection here is too hard. By us ONLY the calling party can
drop the connection. So if you want to catch someone, you make a complaint to
the telco. They put on your Linefinder a device, named 'dog'. That 'dog'
affects the switch contacts, so you can hold the connection. After that,
you call the Telco from the neighbors and they catch the called party number
by the wires. But 'the dog' doesn't work on long distance conversations. Also
we have ANI equipment, named 'AMUR' or 'SKAT', specially designed for SxS
switches, but in the villages and very small towns, there isn't any ANI. So
with ANI the Telco can catch you, but they don't use it for normal cases, I
think, you know 'why' ;))) But if you make a call from a different area the
Telco can't catch you even with the help of ANI :) But nobody knows that :(
All the people think: "The Telco ALWAYS CAN DETECT your number! There is no
chance to mislead them". Blah, what idiots. Btw I try to test here the
forced ANIF, so I hope to get it in work. In my town (47 000 citizens) we
have ANI equipment, but all the Telco employees say - it's used only for
subscribers info. The billing information here is still collected with the
help of photographs. No operator comes on my line when I flash the switchhook.

Signaling
~~~~~~~~~~
I devoted 2 years to learning the signaling methods in Bulgaria, but:
1. There aren't good tech books about signaling. In some books it is
mentioned quite cursorily. 70% or more of what I know about signaling I have
learned from several Phrack articles.
2. Nobody from the local Telco in my town knows anything about this. I talked
with a few highly educated employees, but they knew less than me :(

Well, I have learned the following from the books (and from other places):
N4 and N5 are used on international circuits, otherwise R2 is used. Well, I
know that "Crosspoint" uses R2, but I'm not sure that the stupid A-29 (SxS
type) uses the R2 signaling system. Also, I have read in a tech book, that
(!) R2 is an in-band signaling system. But we all know, that this is not true,
because the blow-off frequency for R2 is 3825Hz.
The major multiplexing is FDM with 4KHz channels. So if you whistle a 3825Hz
tone in the microphone, when speaking on LD, the other end will hear that.
So we try to blue box with programs. If that succeeds, we will announce that :)
But I think - there are line and rejector filters at the end of our trunks
and the signal must be clear (a straight sinusoid). A telco employee said
to me, he heard about a 2100Hz signal, but he wasn't sure :( Can anyone help?

Our beloved Telco
~~~~~~~~~~~~~~~~~
So by us, the BTC (Bulgarian Telecommunication Company) was always
monopolistic. Also they try now to occupy and take under full control all ISPs
in Bulgaria. The local calls are not free and our taxes are the highest in
Europe. Our average salary is 100$ and we pay 0.04$ for each tax unit. There
are also permanent taxes and other things and for comparison if you have 200
units you'll pay 10$. That's 12% of the average salary in the country!!! Also
if you dial from Canada to Bulgaria that'll cost you 0.8$ per minute, BUT IF
YOU CALL Canada from Bulgaria (btw we can't dial North America directly
without operator assistance) that'll cost you 2.3$ per minute he-he-he :)
So this year our Telco is going to go private. There were 3 candidates to
buy 51% of the Telco's shares - Deutsche Telekom/Turkey firm, Telefonica and
the Holland/Greece telcos. The price was 500 000 000$. But Telefonica and DT
gave up at the last moment. Maybe you guess why? Nobody wants to throw his
money at a Telco that uses 98% SxS switches, where a big part of the people
(70%) are poor and don't make many calls (under 100 units), in a country where
you don't know what will happen tomorrow etc...
So, as I've read about Argentina's telco, I can say: the situation is
almost the same. But by us there is ONLY ONE company which controls
everything - all the phones, pagers, a big part of the GSM network, all public
phones, runs the only X.25 datapac network - BULPAC, they are also an ISP...
Total monopoly!

The Laws
~~~~~~~~
Ha-ha-ha? What laws? Against phreaking? There is no way :) Also nobody
in Bulgaria understands what {the fuck} the term 'phreaking' means. And not
just the ordinary people. If you are in the IRC channel #bulgaria and ask:
"Hey, what does the phreaking mean?", I'm sure that nobody will know.
Up to now, I haven't heard about anyone getting busted for phreaking. Our
telco (and all of their employees) think - the system is unbreakable! But they
also have a law about devices that are illegally hooked to the phone line. The
first time you'll be warned 'bout that, and the second time you'll be
disconnected. But you pay the tax for a new phone (100$) and congratulations -
you already have a phone :)
So, our legislation doesn't contain anything about hacking, cracking,
phreaking and all kinds of electronic fraud. In Bulgaria there is no term such
as 'illegal software' or 'illegal access to someone's computer'.

The PayphoneZ
|
||
~~~~~~~~~~~~~
|
||
There is no good word to say about our shitty motherfucking Telco, even for
|
||
payphones. You think - you can do red boxing in Bulgaria. Forget it! Our
|
||
Payphones a COCOT and are used only for local calls! There are huge, metal
|
||
boxes :) full mechanical, no fine electronics! You can see inside a capacitor
|
||
like a hand bomb! The Payphones worked with coins, but there was so many idi-
|
||
ots, who took out there coins from the payphones with a thread (string). So
|
||
our beloved Telco become a mad about this and they replace the coins with a
|
||
special made by them phone-coins with borders, which made them impossible to
|
||
take out ;). As I have said, the payphones are COCOT - you take the handset,
|
||
hear a dialtone, dial a number (pulse, with a dialing disk!!!), the called
|
||
person answers... and then the polarity is reversed. A relay inside the phone
|
||
notice that and after 3 seconds cuts off the mouthpiece... and the earpiece.
|
||
Then the hole for the money gets opened and the coin falls inside. There are
|
||
no such terms such a coin return.
|
||
There is a trick to make free calls (local) on these phones. If you press
|
||
the hook, when the polarity is reversed, there is no current on the line in
|
||
that moment, and because there is no current in that moment, the relay
|
||
wouldn't
|
||
be noticed for the answer, and it wouldn't cut the mouth- earpiece.
|
||
Another trick is to unlock the phone and fill your pockets with coins :)
|
||
The lock picking on these is quite easy...
|
||
There were also payphones for international and LD calls operating with
money, but 10 years ago a big inflation began and these phones died.
Now you would have to put in a lot of coins (2-5kg) to make a 3 min
international call.
So 5-6 years ago our telco installed two types of card-phones: BetCom and
Bulfon. BetCom is a British-Bulgarian company (GPT&BTC) and their card phones
are magnetic strip style. The security of these cards was too weak, so a few
people began to make free phone calls. After 3 years of losing a lot of money
from these frauds, BetCom installed new phones and changed the cards to
electronic ones, but there are still many old phones :) You just copy the
magnetic strip of the card and here it is...

The Bulfon phones are much more intelligent. They are the same as those in
Argentina and Germany. The test signal is 16KHz, with a nice LCD display, and
they have buttons for several languages, for replacing exhausted cards, for
signal amplification and other options. I forgot to say that both cardphones
use pulse dialing. They usually don't have a number to dial the cardphone,
but for a short time the phones in the capital have already had a number...
and MF dialing.

There was a very popular trick on Bulfon cardphones with 2 cards - a full one
and an empty one (but at least with 1 unit). You quickly push and pull the
full card into the slot and the display begins to flash. After that you do
this again and put in the empty card. The phone remembers the units from the
first card and you talk for free. A large number of people became familiar
with this and they began to use it with and without need. And since our telco
is mad about every lost penny, this feature bombed out. Also I have heard
that a few people recharge cards and make unlimited ones (a PIC emulator),
but since I'm not a cardphreaker, I don't know much about it. But I know that
the Bulfon exchange is very sophisticated and it's very hard to fool it. For
example, you can't dial more than 400 units with the same card from one
cardphone. And one more funny feature - every night, a built-in modem in the
cardphone establishes a connection with the Bulfon exchange and transfers
info. Info such as how many units were used, the cards' serial numbers and
much more (such as frauds).
If you, for example, steal a few cards from the post office, the exchange
sends to all the phones that cards with a number 444 xxx xxx ... are invalid.
Ahh... I forgot, the public phone cables don't go through PVC or metal pipes.
But... on Bulfon (and I think on BetCom too) phones you can't just cut
the wire and hook up with a handset, because as you know the line device
can't find the phone - when you pick up the handset on Bulfon, the exchange
sends a 16KHz test signal and the phone must answer with the same signal. The
CPU of these is a 68HC11 (Motorola).
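The exchange-side checks described above (the 400-unit limit per card per
cardphone, the nightly upload of units and serial numbers, and the list of
invalid serials pushed to the phones), sketched as detection logic. This is an
added example, not part of the original article; the record layout, the
face-value table and every serial below are constructed assumptions.

```python
from collections import defaultdict

PER_PHONE_CAP = 400  # units one card may spend on one cardphone (article's figure)

# Constructed nightly upload, one row per call: (phone_id, card_serial, units).
NIGHTLY_RECORDS = [
    ("PH-001", "100000001", 120),
    ("PH-001", "100000001", 300),  # same card, same phone: 420 units in total
    ("PH-002", "200000001", 50),
    ("PH-003", "200000001", 40),
    ("PH-002", "300000002", 30),
    ("PH-004", "200000003", 90),
    ("PH-005", "200000003", 80),   # 170 units spent from a 100-unit card
]
# Assumed issuing records: units loaded on each card when it was sold.
CARD_FACE_VALUE = {"100000001": 500, "200000001": 100,
                   "300000002": 50, "200000003": 100}
STOLEN_PREFIXES = ["3000000"]      # constructed "reported stolen" serial range


def reconcile(records, face_value, stolen_prefixes, cap=PER_PHONE_CAP):
    """Return {card_serial: [reasons]} for cards the exchange should invalidate."""
    per_phone = defaultdict(int)   # (phone, serial) -> units
    per_card = defaultdict(int)    # serial -> units across all phones
    for phone, serial, units in records:
        per_phone[(phone, serial)] += units
        per_card[serial] += units

    findings = defaultdict(set)
    for (_phone, serial), units in per_phone.items():
        if units > cap:
            findings[serial].add("over_phone_cap")
    for serial, units in per_card.items():
        if serial not in face_value:
            findings[serial].add("unknown_serial")
        elif units > face_value[serial]:
            # Only visible centrally: each phone alone sees a plausible amount.
            findings[serial].add("exceeds_face_value")
        if any(serial.startswith(p) for p in stolen_prefixes):
            findings[serial].add("reported_stolen")
    return {serial: sorted(reasons) for serial, reasons in findings.items()}


def blacklist(findings):
    """Serials to push to every cardphone as invalid."""
    return sorted(findings)
```

The third check is the one a per-phone limit cannot replace: a card spending
more than it was sold with stays under 400 units on each phone and only shows
up when the uploads are summed per serial.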

btw we have had a GSM network since 1995. Also we have a pager network.

Phreaking methods
~~~~~~~~~~~~~~~~~
As I have said, there aren't phreak wise people in Bulgaria (but almost
everyone is interested in hacking). A lot of falsely accused 'phreaks' do
pitting - hooking up with a handset to a pair of wires or the outside
connection box.
Phreak methods used by me are:

- forced 3way calling = some type of abuse of the structure of the connector.
  So, in my town the NPA is X-YY-ZZ. So let's imagine that someone called
  4-33-28. I begin to dial 4-33 and when I hit the right pause after the 3rd
  it puts me into their conversation.

- free calling from local payphones = already talked about that.

- free calling on local and short haul calls - by dialing a chain of prefixes
  (such as in UK). I dial the prefix (NPA) of the town X, and after that
  dial the prefix for another place and then the number. But not every
  exchange allows you to do that. Your exchange waits for a signal from
  exchange X that the called party has answered, but X waits for that too...
  But the connection is terrible... and after 3 minutes without taxing on the
  trunk your Telco cuts the connection ;(

Also I think that black and blue boxing is still possible, but I didn't test
it entirely.

There are also "hidden" long distance numbers and prefixes, which are very
useful in some cases (I also found 3-4 of them), but nobody tries to find
them :(
There aren't free numbers in Bulgaria, except those for police, fire alarm,
hospital and the telco number for failure complaints, but they are ONLY FOR
LOCAL DIALING! I also discovered a method to call these as trunk-calls, BUT...
but our phone system is made so that if on a trunk-call there isn't a tax
signal coming after 3 minutes, the call is terminated.
Some people with knowledge of electronics also make "free calls" through
their neighbors' lines, but BTC is familiar with those methods and it always
checks the line (plus those of the neighbors) when a subscriber makes a
complaint about a big bill.
In Bulgaria there are NO PBX-es, Voice Mail Systems, WATS numbers, Call
forwarding, Call waiting, DTMF requesting, Speed dialing and others.
About PBX - some of our factories have PBX-es, but I am still learning how to
use/abuse them.

In almost every town with more than 10 000 subscribers we have a conference
phone, which can be dialed only locally (errrr... not quite true ;)) for 1
tax unit per 3/5/10/30 minutes. But the stupid people don't know that and
in many towns (such as mine) this phone is *forever* free.

I also have heard about people who emulate the GSM SIM card to make free
calls.


PHREAK'EM ALL!!!


0x05>------------------------------------------------------------------------

----[ PDM

Phrack Doughnut Movie (PDM) last issue was `Dark City`.

PDM54 recipients:

I forget. I think Adam Shostack was definitely one. It's been a while
though.

PDM55 Challenge:

"Beware my wrath."

0x06>------------------------------------------------------------------------

----[ Super Elite People That REad Phrack (SEPTREP)

New additions:


Why they are SEP:

----[ Current List

W. Richard Stevens
Ron Rivest

-----------------------------------------------------------------------------

----[ EOF