Date: Sun, 25 Sep 1994 15:48:03 -0400 From: armitage@dhp.com To: dtangent@fc.net %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% % T H E E M P I R E T I M E S % % ------------------------------- % % The True Hacker Magazine % % % % July 10, 1992 Issue II % %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% Editor in Chief: Albatross Co-Editor: {Spot is Open} Email: bbs.albatros@goonsquad.spies.com Staff: {Spot is Open} wdem416@worldlink.com Dist. Center: The Empire Corporation =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= # Phile Description Size Author or Group - ------------------------------------------------ ---- --------------- 1 Introduction 1k Albatross 2 The Grim Reaper and his CBI Story 10k The Grim Reaper 3 Why the Secret Service Will Bust You 11k C.P.S.R Instead of the F.B.I. 4 Use The Freedom of Information Act For You 38k F.O.I.A. 5 Carding in the 90's 4k Mustang 6 Specs on Caller ID 6k TELECOM 7 Foiling The Cracker 37k S.E.I. 8 Phreak Knowledge {What All Should Know} 8k Rebel Lion 9 The Beginner's Guide To Hacking On Datapac 73k The Lost Avenger 10 SummerCon '92 (The Conference) 7k Albatross 11 The News .... On the MOD Bust 10k {Various News} =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= -=- The Empire Times -=- Volume 1, Issue 2, File 1 of 11 Introduction As Time goes on and on, it seems that The Empire Times are reaching a bigger and better field of people, I have noticed myself that the level of knowledge has jump 10 fold since the first issue and that was small. Well after you finsh this baby I think The world will be in for the time of there life.... The Times Needs writes like mad, so talk to me and I see what I can do to give ya a helping hand. I need Freelance writers and dedicated staff members.... "Don't let anybody stand in your way, Fight till the end, Never give in and never let them win, Allways fight Back" =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= -=- The Empire Times -=- Volume 1, Issue 2, File 2 of 11 The Grim Reaper & His CBI Story by The Grim Reaper Well, I am sure you have all heard that I had a small legal problem today, and I know how stuff gets blown out of proportion, so I thought I'd explain the story myself. Here goes... I have carded a few items in the past 3 days, and I have NEVER done this before. The Grim Reaper got CBI accounts and placed orders, and I picked them up. Well, one of the places Grim ordered from was Paradise Computers, they knew it was a bogus order, but told us the package was shipped. Then they called the FEDS. Anyhow, the Feds must have been watching the pickup spot, then following me around till I met up with Grim to deliver his share of the stuff. As soon as we went to make the exchange, the Secret Service, FBI, state police, and local police were running at us with bulletproof vests and automatic guns. They handcuffed us, separated us, and took each of us back to our homes for them to search. So I haven't talked to Grim Reaper since I saw him lying next to me on the ground being arrested. But here's my story. About 20 agents came to my apartment and grabbed all computer equipment without a receipt. So we still have 1 modem, and this computer system. Anyhow, they grabbed\ every piece of paper they could find. Unfortunately, I am a very organized person, and had "the who's who in the pirate world" written down for my use. So if you ever gave me your real name, number, or address, it is now in the hands of the Secret Service and FBI. This list was quite large, as it took 2 years to compile. These boys did their homework. They knew Enterprize was USA HQ and they knew my handle, and they knew I supplied the group with software. They weren't going for just anyone here guys, they knew they needed to bust a group leader. Well, they did. Got me on carding, pirating, and a ton of other legal terms having to do with both of these. I was charged with 6 different counts, each holding a 5-30 year prison sentence. It doesn't look good for me at all. I'll post a file as soon as I get arraigned and let you guys know what is going on. But I will say this now, and I MEAN it. I love the groups, the software, and the competition. But regardless of what happens to me, I am done forever. No more NotSoHumble Babe, no more USA. I hate to do this to everyone, but I really don't have a choice. And regardless of who I am that got busted, be strong and support what you believe in your hearts: piracy. Don't let them win. You guys can all go on without me. Just promise me you won't give up and throw in the towel. If anyone wants to contact me, you can leave e-mail on Enterprize for me, or call voice AT YOUR OWN RISK. They told me they were tapping the phone lines. Just got to say a few goodbyes... Genesis: man, this stuff is in your blood, don't allow my mistakes to mess up something you've loved your whole life. You Gotta Ski! Silencer: well, you warned me and I didn't listen. I needed to listen to the kid with a knowledgable mind. Sorry, the second time I left a group and left you hanging... Cool Hand: Joe, you are a really nice person to talk to, and you've got a wife and kids. Remember that man, is this stuff worth it? Line Noise: Neil, I guess you are one of the happier ones to hear of my bust. No THG, no USA. You will rule the world man, but be more careful than I was. The PieMan: Well, you can quit threatening to turn my board in if you ever get caught. My board was officially busted. Fab.Furlough: Deep down inside, you are a backstabber. But I still love you man... And to all I didn't say anything to, doesn't mean I don't care. I hope USA will continue to live and prosper. And I will do anything I can(legally) to help USA prosper. Goodbye... The NotSoHumble Babe Of course, that was the version she wanted to play to the general public. The NotSoHumble Babe and The Grim Reaper were not just doing this for the first time, it had been a routine thing for quite a while. (For at least 4 months, when TGR carded his 486/33). I guess it would be helpful to take a few steps back, and get a look at the whole picture as I know it (From reliable sources, and from personal experiance with these two people). The NotSoHumble Babe was always known for her good contacts in the software field, that is the reason for USA's quick appearence. People probably wondered how she did it? I am sure she had many ways, but the one tactic she used which gained her the interest of the FBI was telling the software Co's she was a distributor. All of them believed this expept for one. When this one checked her Employer Identification Number, and found it didn't check out with her, they knew something was up. They then had her lines monitored, and because of this found out they had more then a business fraud on their hands, they found out they had a veteran Credit Card abuser, and the leader of a major pirate group. This then in turn caused a lot more investigation to take place, and in turn the interest of the Secret Service. Since they were being monitored, the SS knew all their plans. When TGR had ordered his next shipment of carded goods, the SS notified the company of what was going on, and set the trap. Now, after several months of investigation on The Grim Reaper (Mike Arnolds) and The NotSoHumble Babe, the case was about to come to a close, they had everything they needed to convict these two people in court, and whoever else they wanted. As Amy said in her text above, she and Mike were on the way to meet each other to split the goods they had carded. When Amy went to FedEx to pick up her shit, and go meet Mike, they were surrounded, and arrested. This took place on 1-29-92 at approximately 2:27pm. Mike and Amy were taken back to their houses, where all of their equipment was looked over. As she said, anything without a receipt was confiscated. Then, came the big talks from the Feds - Interrogation. This day totally changed Mike's and Amy's life drastically. Things would not be the same. And because of this, they were both pretty moved. Because of this insecure feeling, and because they are both unable to take this shit themselves, and not implicate other people, they decided to cooperate 100% with the authorities. Anything they didn't have on paper, anything the Feds found unclear, Mike and Amy are/were right there to make a clear picture for them. Amy failed to say this, I see. I know first hand, The Grim Reaper and The NotSoHumble Babe are going to drag as many as they can with them. A loser thing to do, but that's what they are going to do. Looks like it's time for us all to either call it quits for a while, or be very fucking careful. TGR and TNSHB are both history. They fucked up. And now they will pay for their mistakes. But we don't need to be party to their bullshit. Delete their accounts from your board, blacklist them, lock out newusers, change the system pw, and even go as far as deleting all USA affiliates if you feel it is necessary. What about USA? What about Genesis and BBS-A-Holic? Well, Genesis was one of her partners in crime. Thomas always made it a habit to get something out of each of her shipments, so to do this, he had to contribute somehow, nothing is free. He helped card about 25% of the shit they got, so I am sure he is a nervous mother fucker right now. The Feds are monitoring his local FedEx anyway, so if he goes there to pick up his last package, his ass is in jail too. He also was a very avid user of the 950-0511 extender, as the Feds are aware of, and they might pop him for this, who knows? The board? USA? I have heard, but not from Genesis, that USA is now officially dead. BBS-A-Holic is down, and no idea when it will come back up. But when it does again come online, I will not be a member on that system. Thomas is considering turning himself in, if he does this, he said he too will cooperate with the Feds, which means if you were his friend yesterday, and helped him card shit, or anything, then you might share his cell tomorrow. What do you know about The Grim Reaper, The Void, and Vision-x? - The Grim Reaper is getting popped for the second time, therefore, I think his ass will be in jail a few years, once he is sentenced. The Void? I am not sure, but I assume since he had carded all of his computer equipment, that it was all confiscated, along with all of his backups. Mike being in jail, or not, will never again run a board. As for Vision-x, who knows. Warlord has not made a public statement yet, so noone knows yet. He does live in 313 as did the other two, so if I were him I would be scared shitless, especially since he was supposed to receive a carded 386/25 from USA. Felony Net and Toxic Net are all history. Perhaps Warlord will bring them back, though, but I don't foresee this any time soon. The Grim Reaper and The NotSoHumble Babe were charged with Credit Card Fraud, ammounting 18,200$, and software piracy adding up to 72,000$. Once you add Genesis' (Thomas') part in, the credit card fraud will probably amount to 21,000$, but, that's just my guess, based on all this shit he told me about that he assisted in, and some he did on his own. When TNSHB says to call her board and leave her your questions, or number to call you back at, it is just a simple way to drag you in. Dont fall for it. Lives and freedom are too precious to ruin for a bitch like her. Just for the hell of it, here are their telephone numbers, if you want to verify all this shit, just call and ask them. (I advise you do this from a payphone a LONG way from your house, and dont identify yourself) The Grim Reaper (Mike) 313-981-1903/313-981-1296 The NotSoHumble Babe (Amy) 313-442-2523 Genesis (Thomas) 213-328-7507 Hope this has all been helpful. If you want more history on these people, send a public message on OoofNet in care of [>ANONYMOUS<], and I will give the desired history out. [> ANONYMOUS <] =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= -=- The Empire Times -=- Volume 1, Issue 2, File 3 of 11 Why The Secret Service Will Bust You Instead of The F.B.I. Here is a letter from the Director of the Secret Service to US Rep. Don Edwards, D-California, in response to questions raised by Edwards' Subcommittee. This copy comes from Computer Professionals for Social Responsibility in Washington, DC. DEPARTMENT OF TREASURY UNITED STATES SECRET SERVICE WASHINGTON, DC 20223 The Honorable Don Edwards Chairman Subcommittee on Civil and Constitutional Rights Committee on the Judiciary House of Representatives Washington, D.C. 20515 Dear Mr. Chairman: Thank you for your letter of April 3, 1990, concerning your committee's interest in computer fraud. We welcome the opportunity to discuss this issue with your committee and I hope the following responses adequately answer your questions. Question 1: Please describe the Secret Service's process for investigating computer related crimes under Title 18, United States Code, Section 1030 and any other related statutes. Response: The process by which the Secret Service investigates computer related crimes is similar to the methods we use to investigate other types of criminal investigations. Most of the investigative techniques are the same; surveillances, record checks, witness and suspect interviews, etc. the primary difference is we had to develop resources to assist in the collection and review of computer evidence. To provide our agents with this expertise, the secret service developed a computer fraud investigation course which, as of this date, has trained approximately 150 agents in the proper methods for conducting a computer fraud investigation. Additionally, we established a computer Diagnostics center, staffed with computer professional, to review evidence on computer systems. Referrals of computer related criminal investigations occur in much the same manner as any other case. A victim sustains a loss and reports the crime, or, a computer related crime is discovered during the course of another investigation. In the investigations we do select, it is not our intention to attempt to supplant local or state law enforcement. We provide enforcement in those cases that are interstate or international in nature and for one reason or another are beyond the capability of state and local law enforcement agencies. When computer related crimes are referred by the various affected industries to the local field offices, the Special Agent in Charge (SAIC) determines which cases will be investigated based on a variety of criteria. Each SAIC must consider the economic impact of each case, the prosecutive guidelines of the United States Attorney, and the investigative resources available in the office to investigate the case . In response to the other portion of your question, the other primary statute we use to investigate computer related crimes is Title 18, United States Code, Section 1029 ( Access Device Fraud). This service has primary jurisdiction in those cases which are initiated outside a bank and do not involve organized crime, terrorism, or foreign counterintelligence (traditional responsibilities of the FBI). The term "access device" encompasses credit cards, debit cards, automatic teller machines (ATM) cards, personal identification numbers (PIN's) used to activate ATM machines, credit or debit card account numbers, long distance telephone access codes, computer passwords and logon sequences, and among other things the computer chips in cellular car phones which assign billing. Additionally, this Service has primary jurisdiction in cases involving electronic fund transfers by consumer (individuals) under Title 15, U. S. code, section 169n (Electronic Fund Transfer Act). This could involve any scheme designed to defraud EFT systems used by the public, such as pay by phone systems, home banking, direct deposit, automatic payments, and violations concerning automatic teller machines. If the violations can be construed to be a violation of the banking laws by bank employee, the FBI would have primary jurisdiction. There are many other statutes which have been used to prosecute computer criminals but it is within the purview of the U.S. Attorney to determine which statute will be used to prosecute an individual. Question 2: Has the Secret Service ever monitored any computer bulletin boards or networks? Please describe the procedures for initiating such monitoring, and list those computer bulletin boards or networks monitored by the Secret Service since January 1988. Response: Yes, we have occasionally monitored computer bulletin boards. The monitoring occurred after we received complaints concerning criminal activity on a particular computer bulletin board. The computer bulletin boards were monitored as part of an official investigation and in accordance with the directives of the Electronic Communications Privacy Act of 1986 (Title 18 USC 2510) The procedures used to monitor computer bulletin boards during an official investigation have involved either the use of an informant (under the direct supervision of the investigating agent) or an agent operating in an undercover capacity. In either case, the informant or agent had received authorization from the computer bulletin board's owner/operator to access the system. We do not keep records of the bulletin boards which we have monitored but can provide information concerning a particular board if we are given the name of the board. Question 3: Has the Secret Service or someone acting its direction ever opened an account on a computer bulletin board or network? Please describe the procedures for opening such an account and list those bulletin boards or networks on which such accounts have been opened since January 1988. Response: Yes, the U.S. Secret Service has on many occasions, during the course of a criminal investigation, opened accounts on computer bulletin boards or networks. The procedure for opening an account involves asking the system administrator/operator for permission to access to the system. Generally, the system administrator/operator will grant everyone immediate access to the computer bulletin board but only for lower level of the system. The common "pirate" computer bulletin boards associated with most of computer crimes have many different level in their systems. The first level is generally available to the public and does not contain any information relation to criminal activity. Only after a person has demonstrated unique computer skills, been referred by a known "hacker," or provided stolen long-distance telephone access codes or stolen credit card account information, will the system administrator/operator permit a person to access the higher levels of the bulletin board system which contains the information on the criminal activity. As previously reported in our answer for Question 2, we do not keep records of the computer bulletin boards on which we have established accounts. Question 4: Has the Secret Service os0someone acting under its direction ever created a computer bulletin board or network that was offered to the public? Please describe any such bulletin board or networks. Response: No, the U. S. Secret Service has not created a computer bulletin board nor a network which was offered to members of the public. We have created an undercover bulletin board which was offered to a select number of individuals who had demonstrated an interest in conducting criminal activities. This was done with the guidance of the U.S. Attorney's office and was consistent with the Electronic Communications Privacy Act. Question 5: Has the Secret Service ever collected, reviewed or "downloaded" transmissions or information from any computer network or bulletin board? What procedures does the Secret Service have for obtaining information from computer bulletin boards or networks? Please list the occasions where information has been obtained since January 1988, including the identity of the bulletin boards or networks, the type of information obtained, and how that information was obtained (was it downloaded, for example). Response: Yes, during the course of several investigations, the U. S. Secret Service has "down loaded" information from computer bulletin boards. A review of information gained in this manner (in an undercover capacity after being granted access to the system by it's system administrator) is performed in order to determine whether or not that bulletin board is being used to traffic in unauthorized access codes or to gather other information of a criminal intelligence nature. At all times, our methods are in keeping with the procedures as outlined in the Electronic Communications Privacy Act (ECPA). If a commercial network was suspected of containing information concerning a criminal activity, we would obtain the proper court order to obtain this information in keeping with the ECPA. The U. S. Secret Service does not maintain a record of the bulletin boards we have accessed. Question 6: Does the Secret Service employ, or is it considering employing, any system or program that could automatically review the contents of a computer file, scan the file for key items, phrases or data elements, and flag them or recommend further investigative action? If so, what is the status of any such system. Please describe this system and research being conducted to develop it. Response: The Secret Service has pioneered the concept of a Computer Diagnostic Center (CDC) to facilitate the review and evaluation of electronically stored information. To streamline the tedious task of reviewing thousands of files per investigation, we have gathered both hardware and software tools to assist our search of files for specific information or characteristics. Almost all of these products are commercially developed products and are available to the public. It is conceivable that an artificial intelligence process may someday be developed and have application to this law enforcement function but we are unaware if such a system is being developed. The process of evaluating the information and making recommendations for further investigative action is currently a manual one at our CDC. We process thousands of computer disks annually as well as review evidence contained in other types of storage devices (tapes, hard drives, etc.). We are constantly seeking ways to enhance our investigative mission. The development of high tech resources like the CDC saved investigative manhours and assist in the detection of criminal activity. Again, thank you for your interest. Should you have any further questions, we will be happy to address them. Sincerely, /s/ John R. Simpson, Director cc: Honorable Charles E. Schumer =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= -=- The Empire Times -=- Volume 1, Issue 2, File 4 of 11 Use The Freedom of Information Act For You >>> Freedom of Information Kit <<< The following files are for individuals or organizations who wish to make an FOIA application to a federal agency. This kit is also available in printed form. If you wish to obtain the printed version, please send a check or money order made payable to FOIA,Inc. for $3.00 to: FOIA,Inc., P.O. Box 02 2397, Brooklyn, NY 11202-0050. USING THE FREEDOM OF INFORMATION ACT The Freedom of Information Act entitles you to request any record maintained by a federal Executive branch agency. The agency must release the requested material unless it falls into one of nine exempt categories, such as "national security," "privacy," "confidential source" and the like, in which case the agency may but is not compelled to refuse to disclose the records. This kit contains all the materials needed to make FOIA requests for records on an individual, an organization or on a particular subject matter or event. 1988 EDITION Fund for Open Information and Accountability, Inc. P.O. BOX 02 2397, Brooklyn, NY 11202-0050 (212) 477-3188 INSTRUCTIONS HOW TO MAKE A COMPLETE REQUEST Step 1: Select and make copies of the sample letter. Fill in the blanks in the body of the letter. Read the directions printed to the right margin of the letter in conjunction with the following instructions: For individual files: Insert the person's full name in the first blank space and any variations in spelling, nicknames, stage names, marriage names, titles and the like in the second space. Unlike other requests, the signatures of an individual requesting her/his own file must be notarized. For organizational files: In the first blank space insert the full and formal name of the organization whose files you are requesting. In the second blank space insert any other names, acronyms or shortened forms by which the organization is or has ever been known or referred to by itself or others. If some of the organization's work is conducted by sub-groups such as clubs, committees, special programs or through coalitions known by other names, these should be listed. There is no need to notarize signature for organizational requests. For subject matter or event files: In the first blank space state the formal title of the subject matter or event including relevant dates and locations. In the second blank space provide the names of individuals or group sponsors or participants and/or any other information that would assist the agency in locating the material you are requesting. Step 2: The completed sample letter may be removed, photocopied and mailed as is or retyped on your own stationary. Be sure to keep a copy of each letter. Step 3: Addressing the letters: Consult list of agency addresses on page 7 and 8 of this kit. FBI: A complete request requires a minimum of two letters. Send one letter to FBI Headquarters and separate letters to each FBI field office nearest the location of the individual, the organization or the subject matter/event. Consider the location of residences, schools, work, and other activities. INS: Send a request letter to each district office nearest the location of the individual, the organization or the subject matter/event. Address each letter to the FOIA/PA office of the appropriate agency. Be sure to mark clearly on the envelope: Attention FOIA Request FEES In 1987 a new fee structure went into effect. Each agency has new fee regulations for search and review time and for duplication of released documents. Commercial requesters must pay for search and review time and for duplication costs. News Media representatives and Educational and Scientific Institutions whose purpose is scholarly or scientific research pay for duplication only. Public Interest groups who can qualify as press, educational, or scientific institutions will be charged duplication costs only. All other non-commercial requesters are entitled to up to 100 pages of free copying and up to 2 hours of free search time. Requesters will have to pay fees for work that extends beyond those limits unless they qualify for a fee waiver or reduction (see below). No fee may be charged if the cost of collection exceeds the fee. Advanced payment may not be demanded unless a requester has previously failed to pay on time or the fee exceeds $250. FEE WAIVER You will notice that the sample letter includes a request for a fee waiver with instructions for the agency to refer to an attached sheet. Fees for all non-commercial requesters, beyond the 2 hours/100 page/automatic waiver described above, may be waived or reduced if the disclosure of the information is: "in the public interest because it is likely to contribute significantly to public understanding of the operations or activities of the government and is not primarily in the commericial interest of the requester." You should always request a waiver or fees if you believe the information you are seeking will benefit the public. Read the fee waiver worksheet for non-commercial users included in this kit on page 5 for help in composing a request for a fee waiver. If your request for a waiver is denied, you should appeal that denial, citing the ways in which your request meets the standards set in the attached fact sheet. HOW TO MAKE SURE YOU GET EVERYTHING YOU ARE ENTITLED TO. . . AND WHAT TO DO IF YOU DON'T After each agency has searched and processed your request, you will receive a letter that announces the outcome, encloses the released documents, if any, and explains where to direct an appeal if any material has been withheld. There are four possible outcomes: 1. Request granted in full: This occurs very infrequently. If the response you get indicates that the agency has released all records pertinent to your request, with no exclusions or withholdings, you will receive the requested documents with an agency cover letter, or if bulky, the documents may be mailed under separate cover. Next step: Check documents for completeness (see instructions below) and make an administrative appeal if you find a discrepancy between your own analysis and that of the agency (see instructions below). 2. Request granted in part and denied in part: This response indicates that the agency is releasing some material but has withheld some documents entirely or excized some passages from the documents released. The released documents may be enclosed or, if bulky, mailed under separate cover. Next step: Check documents for completeness (see instructions below) and make an administrative appeal of denials or incompleteness (see instructions below). 3. Request denied in full: This response and the denied part response indicate that the agency is asserting that material in its files pertaining to your request falls under one of the nine FOIA exemptions. These are categories of information that the agency may, at its discretion, refuse to release. Next step: Make an administrative appeal (see instructions below). Since FOIA exemptions are not mandatory, even a complete denial of your request can and should be appealed. 4. No records: This response will state that a search of the agency's files indicates that it has no records corresponding to those you requested. Next step: Check your original request to be sure you have not overlooked anything. If you receive documents from other agencies, review them for indications that there is material in the files of the agency claiming it has none. For example, look for correspondence, or references to correspondence, to or from that agency. If you determine that there are reasonable grounds, file an administrative appeal (see instructions below). HOW TO CHECK DOCUMENTS FOR COMPLETENESS Step 1: Before reading the documents, turn them over and number the back of each page sequentially. The packet may contain documents from the agency's headquarters as well as several field office files. Separate the documents into their respective office packets. Each of these offices will have assigned the investigation a separate file number. Try to find the numbering system. Usually the lower righthand corner of the first page carries a hand-written file and document number. For instance, an FBI document might be marked "100-7142-22." This would indicate that it is the 22nd document in the 7142nd file in the 100 classification. As you inspect the documents, make a list of these file numbers and which office they represent. In this way you will be able to determine which office created and which office received the document you have in your hand. Often there is a block stamp affixed with the name of the office from whose files this copy was retrieved. The "To/From" heading on a document may also give you corresponding file numbers and will help you puzzle out the origin of the document. When you have finally identified each document's file and serial number and separated the documents into their proper office batches, make a list of all the serial numbers in each batch to see if there are any missing numbers. If there are missing serial numbers and some documents have been withheld, try to determine if the missing numbers might reasonably correspond to the withheld documents. If they don't, the release may be incomplete and an administrative appeal should be made. Step 2: Read all the documents released to you. Keep a list of all documents referred to in the text, including letters, memos, teletypes, reports, etc. Each of these "referred to" documents should turn up in the packet released to you. If any are not in the packet, it is possible that they are among the documents withheld and a direct inquiry should be made. In an administrative appeal, ask that each of these "referred to" documents be produced or that the agency state plainly that they are among those withheld. List each "referred to" document separately. The totals of unproduced vs. witheld must be within reason; that is, if the total number of unproduced documents you find referred to in the text of the documents produced exceeds the total number of documents withheld, the agency cannot claim that all the "referred to" documents are accounted for by the withheld category. You will soon get the hang of making logical conclusions from discrepancies in totals and missing document numbers. Another thing to look for when reading the released documents is the names of persons or agencies to whom the document has been disseminated. The lower left-hand corner is a common location for the typed list of agencies or offices to whom the document has been directed. In addition, there may be additional distribution recorded by hand, there or elsewhere, on the cover page. There are published glossaries for some agencies that will help in deciphering these notations when they are not clear. Contact FOIA, Inc. if you need assistance in deciphering the text. Finally, any other file numbers that appear on the document should be noted, particularly if the subject of the file is of interest and is one you have not requested. You may want to make an additional request for some of these files. HOW TO MAKE AN ADMINISTRATIVE APPEAL Under the FOIA, a dissatisfied requester has the right of administrative appeal. The name and address of the proper appeal office will be given to you by each agency in its final response letter. This kit contains a sample appeal letter with suggestions for adapting it to various circumstances. However, you need not make such an elaborate appeal; in fact, you need not offer any reasons at all but rather simply write a letter to the appeals unit stating that "This letter constitutes an appeal of the agency's decision." Of course, if you have identified some real discrepancies, you should set them forth fully (for example see Step 2 under "How to Check Documents for Completeness"), but even if you have not found any, you may simply ask that the release be reviewed. If you are still dissatisfied after the administrative appeal process, the FOIA gives you the right to bring a lawsuit in federal district court. MONITORING THE PROGRESS OF YOUR REQUEST You should receive a letter from each agency within 10 days stating that your request has been received and is being processed. You may be asked to be patient since requests are being handled on a first come first served basis. The best strategy is to be "reasonably" patient, but there is no reason to sit complacently and wait for an interminable period of time. A good strategy is to telephone the FOIA office in each agency after about a month if you have received nothing of substance. Ask for a progress report. Note the name of the person you speak to and what they say. Continue to call every 4 to 6 weeks. Good record keeping helps avoid time-consuming and frustrating confusion. A looseleaf notebook with a section devoted to each request simplifies this task. At the beginning of the request process, sometimes it is difficult to foresee what course of action you will want to take in the future. Keep copies of all correspondence to and from each agency. They can be inserted between the notes on phone calls so that all relevant material will be at hand for future use, including phone consultations, correspondence, newspaper articles, preparation for media appearances, congressional testimony or litigation. [NOTE: All the text in braces [] is for your information. Do NOT include in request] [NOTE: Start by photocopying several copies of this letter or retype if you prefer] SAMPLE REQUEST LETTER FOR ALL AGENCIES Date: To: FOIA/PA Unit [Check box for appropriate agency] __ FBI Headquarters __ FBI Field Office __ Other Agency This is a noncommerical request under the Freedom of Information and Privacy Acts. I have attached a sheet setting out my application for a fee waiver of any fees in excess of those which are provided free because of my category. My category for fee and fee waiver purposes is: (check one) __ request for personal file; no search fee and 100 free pages. __ journalist, academic or scientist; no search fee and 100 free pages. __ other non-commerical requester (group or person); 2 hours free search and 100 free pages. I request a complete and thorough search of all filing systems and locations for all records maintained by your agency pertaining to and/or captioned: ____________________________________________________________ ____________________________________________________________ ____________________________________________________________ including, without limitation, files and documents captioned, or whose captions include: [describe records desired and/or insert full and formal name] ____________________________________________________________ ____________________________________________________________ ____________________________________________________________ This request specifically includes where appropriate "main" files and "see references," including but not limited to numbered and lettered sub files and control files. I also request a search of the Electronic Surveillance (ELSUR) Index, or any similar technique for locating records of electronic surveillance and the COINTELPRO Index. I request that all records be produced with the administrative pages. I wish to be sent copies of "see reference" cards, abstracts, search slips, including search slips used to process this request, file covers, multiple copies of the same documents if they appear in a file, tapes of any electronic surveillance, photographs, and logs of physical surveillance (FISUR). Please place missing documents on "special locate." I wish to make it clear that I want all records in your office "identifiable with my request," even though reports on those records have been sent to Headquarters and even though there may be duplication between the two sets of files. I do not want just "interim" documents. I want all documents as they appear in the "main" files and "see references" of all units of your agency. If documents are denied in whole or in part, please specify which exemption(s) is(are) claimed for each passage or whole document denied. Give the number of pages in each document and the total number of pages pertaining to this request and the dates of documents withheld. I request that excized material be "blacked out" rather than "whited out" or cut out and that the remaining non-exempt portions of documents be released as provided under the Freedom of Information Act. Please send a memo (with a copy or copies to me) to the appropriate unit(s) in your office to assure that no records related to this request are destroyed. Please advise of any destruction of records and include the date of and authority for such destruction. As I expect to appeal any denials, please specify the office and address to which an appeal should be directed. I can be reached at the phone listed below. Please call rather than write if there are any questions or if you need additional information >from me. I expect a response to this request within ten (10) working days, as provided for in the Freedom of Information Act. [Have signature notorized ONLY if requesting your own files] Sincerely, (Signed)_______________________________________________ Name (print or type):_______________________________ Address:___________________________________________________ ___________________________________________________________ Telephone:________________________ Social Security number (optional): _______________________ (for personal files) Date of Birth:____________________ Place of birth:___________________ (for organization files) Date of founding:_____________________________________ Place of founding:____________________________________ Address of organization:______________________________ ___________________________________________________________ ___________________________________________________________ [MARK CLEARLY ON ENVELOPE: FOI/PA REQUEST] FEE WAIVERS Fee Waiver Worksheet for Non-Commercial Requesters All non-commercial requesters are entitled to apply for a fee waiver for charges in excess of those which are provided free because of requester's category. Following amendments to the FOIA in October 1986, the Justice Department issued a memo outlining six criteria to be used by agencies in determining whether or not to grant fee waivers. Many Congresspeople dispute the memo's legality, pointing out its invitation to subjective judgements, and its proclivity to intimidate requesters. Nevertheless, until the six criteria are eliminated, either by Congress or court decisions, requesters will have to address them in order to qualify for a fee waiver. To apply for a fee waiver, attach a separate sheet of paper to your request letter explaining in narrative form how your request satisfies each of the following six criteria. (1) Explain how the records you are requesting are likely to shed light on the operations or activities of the government. (2) Describe how the records you are requesting will contribute to the understanding of government operations or activities. If the information being requested is not already in the public domain bring this fact to the agency's attention. (3)a. Explain to the agency how the public will ultimately benefit from the information you are requesting. Legislative history and recent case law indicate that the "public" is not limited to U.S. public nor must it be the "public at-large." For example, Representatives English and Kindness jointly stated during recent Congressional debate, "Public understanding is enhanced when information is disclosed to the subset of the public most interested, concerned or affected by a particular action or matter." Furthermore, District Court Judge Harold Greene in a 1987 opinion involving a request by a Canadian newspaper said, "There is no requirement in the [FOIA] statute that news media seeking fee waivers [must] serve the American public exclusively, or even tangentially . . . an FBI official does not have the authority to amend the law of the United States by restricting it beyond its plain terms."* In other words, the public you seek to educate does not have to reside in the United States, nor is the size of that public relevant to your entitlement to a fee waiver. (3)b. Explain to the agency your qualifications (educational, work experience, etc.) for understanding the requested information and outline your ability and intention to disseminate the information once it has been obtained. You might want to cite any of the following activities in order to demonstrate your ability and intention to disseminate information to the public: writing newspaper or scholarly articles, writing books, granting interviews, public speaking engagements, preparing Congressional testimony, producing pamphlets, videos, film, radio programs, etc. (4) The Justice Department memo stipulates that the contribution to public understanding must be "significant." What constitutes a "significant" contribution is clearly susceptible to subjective interpretation. However, we suggest that you make reference to current news stories, efforts to correct the historical record or expose government or corporate fraud or threats to public health and safety. Broadly speaking, any information that would enable the public to hold the government accountable for any of its operations or activities can be persuasively argued to be a "significant" contribution to public understanding. (5) and (6) Explain to the agency (if it is the case) that any commercial interest that will be furthered by the requested records is not the primary interest when compared to the public interest that will be served. For example, if the information is requested pursuant to the publication of a book, you should explain (if it is the case) that this book is not destined to become a bestseller because of topic, publisher, or anticipated audience, etc. News media representatives, scholars or scientists, should make requests for documents and fee waivers on the appropriate institutional letterhead. Similarly, requests for organizational files should be made on the appropriate letterhead. You have a right to file an administrative appeal if you receive an adverse decision regarding either your fee category or fee waiver request. The letter containing the adverse decision will tell you to whom you should direct the appeal. ------ * Joint statement by Reps. English and Kindness, Congressional Record, H-9464, October 8, 1986; Judge Greene's opinion in Southam News v. INS. (Civ. No. 85-2721, D.D.C., November 9, 1987). SAMPLE ADMINISTRATIVE APPEAL LETTER Date: To: FOIA/PA Appeals Office RE: Request number [Add this if the agency has given your request a number] This is an appeal pursuant to subsection (a)(6) of the Freedom of Information Act as amended (5 U.S.C. 552). On [date] I received a letter from [name of official] of your agency denying my request for [describe briefly the information your are after]. This reply indicated that an appeal letter could be sent to you. I am enclosing a copy of my exchange of correspondence with your agency so that you can see exactly what files I have requested and the insubstantial grounds on which my request has been denied. [Insert following paragraph if the agency has withheld all or nearly all the material which has been requested] You will note that your agency has withheld the entire (or nearly entire) document that I requested. Since the FOIA provides that "any reasonably segregable portion of a record shall be provided to any person requesting such record after deletion of the portions which are exempt," I believe that your agency has not complied with the FOIA. I believe that there must be (additional) segregable portions which do not fall within the FOIA exemptions and which must be released. [Insert following paragraph if the agency has used the (b)(1) exemption for national security purposes to withhold information] Your agency has used the (b)(1) exemption to withhold information. [I question whether files relating to events that took place over twenty years ago could realistically harm the national security.] [Because I am familiar with my own activities during the period in question, and know that none of these activities in any way posed a significant threat to the national security, I question the designation of my files or portions of my file as classified and exempt from disclosure because of national security considerations.] [Sample optional arguments to be used if the exemption which is claimed does not seem to make sense; you should cite as many specific instances as you care to of items withheld from the documents that you have received. We provide two examples which you might want to adapt to your own case.] "On the memo dated______the second paragraph withheld under the (b)(1) exemption appears to be describing a conversation at an open meeting. If this is the case, it is impossible that the substance of this conversation could be properly classified." Or, "The memo dated____ refers to a meeting which I attended, but a substantial portion is deleted because of the (b)(6) and (b)(7)(c) exemptions for unwarranted invasions of personal privacy. Since I already know who attended this meeting, no privacy interest is served by the withholding." I trust that upon examination of my request, you will conclude that the records I have requested are not properly covered by exemption(s)____ [insert the exemption(s) which the agency's denial letter claimed applied to your request] of the amended FOIA, and that you will overrule the decision to withhold the information. [Insert following paragraph if an itemized inventory was not supplied by the agency] If you choose to continue to withhold some or all of the material which was denied in my initial request to your agency, I ask that you give me an index of such material, together with the justification for the denial of each item which is still withheld. As provided in the Freedom of Information Act, I will expect to receive a reply to this adminstrative appeal letter within twenty (20) working days. If you deny this appeal and do not adequately explain why the material withheld is properly exempt, I intend to initiate a lawsuit to compel its disclosure. [You can say that you intend to sue if that is your present inclination even though you may ultimately decide not to file suit.] Sincerely, name: address: signature: [MARK CLEARLY ON ENVELOPE: ATTENTION: FREEDOM OF INFORMATION APPEALS] FUND FOR OPEN INFORMATION AND ACCOUNTABILITY, INC. P.O. BOX O2 2397, BROOKLYN, NY 11202-0050 FOIA/PA ADDRESSES FOR SELECTED FEDERAL AGENCIES Administrative Office of the U.S. Courts Washington, D.C. 20544 (202) 633-6117 Bureau of Prisons 320 1st St., NW Washington, D.C. 20534 (202) 724-3198 Central Intelligence Agency Information and Privacy Coordinator Washington, D.C. 20505 Civil Service Commission Appropriate Bureau: ___ Bureau of Personnel Investigation, ___ Bureau of Personnel ___ Information Systems Civil Service Commission 1900 E Street, N.W. Washington, D.C. 20415 (202) 632-4431 Commission on Civil Rights General Counsel, U.S. Commission on Civil Rights 1121 Vermont Ave., N.W., Rm. 600 Washington, D.C. 20405 (202) 376-8177 Consumer Producet Safety Commission 1111 18th St., N.W. Washington, D.C. 20207 (301) 492-6580 Defense Intelligence Agency The Pentagon Washington, D.C. 20301-6111 (202) 697-8844 Department of Defense/Department of the Air Force Freedom of Information Manager Headquarters, USAF/DADF Washington, D.C. 20330-5025 (202) 545-6700 Department of Defense/Department of the Army General Counsel Secretary of the Army The Pentagon, Rm. 2E727 Washington, D.C. 20310 (202) 545-6700 Department of Defense/ Marine Corps Commandant of the Marine Corps Department of the Navy Headquarters, Marine Corps Washington, D.C. 20380-0001 (202) 694-2500 Department of Defense/ Dept. of the Navy Chief of Naval Operations OP 09 B30 Pentagon, Rm. 5E521 Washington, D.C. 20350-2000 (202) 545-6700 Department of Energy 1000 Independence Ave., S.W. Washington, D.C. 20585 (202) 252-5000 Department of Justice/ General Administration __ Civil Rights Division, __ Antitrust Division, __ Drug Enforcement Administration __ Immigration and Naturalization Service FOIA/ Privacy Act Unit Department of Justice Constitution Ave. & 10th St., N.W. Washington, D.C. 20530 (202)633-2000 Department of Labor 200 Constitution Ave., N.W. Washington, D.C. 20210 (202) 523-8165 Department of State Director, Freedom of Information Bureau for Public Administration Department of State, Rm 239 2201 C St., N.W. Washington, D.C. 20520 (202) 647-3411 Department of the Treasury Internal Revenue Service 1111 Constitution Ave., N.W. Washington, D.C. 20224 (202) 566-5000 (Consult phone book for regional offices) Environmental Protection Agency Freedom of Information Office A101 Room 1132 West Tower 401 M St., S.W. Washington, D.C. 20460 (202) 382-4048 Equal Employment Opportunities Comm. Office of Legal Services 2401 E St., N.W., Rm. 214 Washington, D.C. 20507 Attn. Richard Roscio, Assc. Legal Counsel (202) 634-6922 Federal Communications Commission 1919 M St., N.W. Washington, D.C. 20554 (202) 254-7674 Food and Drug Administration 5600 Fishers Lane Rockville, MD 20857 (301) 443-1544 Health and Human Services 200 Independence Ave., S.W. Washington, D.C. 20201 Housing and Urban Development 451 Seventh St., S.W. Washington, D.C. 20410 (202) 755-6420 National Aeronautics & Space Administration 400 Maryland Ave, S.W. Washington, D.C. 20546 (202) 453-1000 National Archives and Records Service Pennsylvania Ave. at 8th St., N.W. Washington, D.C. 20408 (202) 523-3130 National Labor Relations Board 1717 Pennsylvania Ave., N.W. Washington, D.C. 20570 (202) 632-4950 National Security Agency Ft. George G. Meade, MD 20755-6000 (301) 688-6311 National Security Council Old Executive Bldg. 17th & Pennsylvania Ave., N.W. Washington, D.C. 20506 Attn. Brenda Reger (202) 395-3103 Nuclear Regulatory Commission Director, Office of Administration Washington, D.C. 20555 (202) 492-7715 Secret Service U.S. Secret Service 1800 G St., N.W. Washington, D.C. 20223 Attn. FOIA/ Privacy Office (202) 634-5798 Securities and Exchange Commission 450 5th St., N.W. Washington, D.C. 20549 (202) 272-2650 U.S. Customs Service 1301 Constitution Ave., N.W. Washington, D.C. 20229 (202) 566-8195 U.S. Agency for International Development 320 21st. St., N.W. Washington, D.C. 20532 (202) 632-1850 U.S. Office of Personnel Management 1900 E St., N.W. Washington, D.C. 20415 (202) 632-5491 U.S. Postal Service Records Office 475 L'Enfant Plaza, S.W. Washington, D.C. 20260-5010 (202) 245-5568 Veterans Administration 810 Vermont Ave., N.W. Washington, D.C. 20420 (202) 389-2741 [2/88] Federal Bureau of Investigation Offices where files are held Albany, NY 12207 Memphis, TN 38103 502 U.S. Post Office and Courthouse 67 N. Main St 518-465-7551 901-525-7373 Albuquerque, NM 87102 Miami, FL 33137 301 Grand Ave. NE 3801 Biscayne Blvd 505-247-1555 305-573-3333 Alexandria, VA 22314 Milwaukee, WI 53202 300 N. Lee St 517 E. Wisconsin Ave 703-683-2680 414-276-4684 Anchorage, AK 99513 Minneapolis, MN 55401 701 C St 392 Federal Bldg 907-276-4441 612-339-7861 Atlanta, GA 30302 Mobile, AL 36602 275 Peachtree St. NE 113 St. Joseph St 404-521-3900 205-438-3674 Baltimore, MD 21207 Newark, NJ 07102 7142 Ambassador Rd Gateway 1, Market St 301-265-8080 201-622-5613 Birmingham, AL 35203 New Haven, CT 06510 Room 1400, 2121 Bldg 150 Court St 205-252-7705 203-777-6311 Boston, MA 02203 New Orleans, LA 70112 John F. Kennedy Federal Office Bldg 1250 Poydras St., Suite 2200 617-742-5533 504-522-4670 Buffalo, NY 14202 New York, NY 10278 111 W. Huron St 26 Federal Plaza 716-856-7800 212-553-2700 Butte, MT 59702 Norfolk, VA 23510 U.S. Courthouse and Federal Bldg 200 Granby Mall 406-792-2304 804-623-3111 Charlotte, NC 28210 Oklahoma City, OK 73118 6010 Kenley Lane 50 Penn Pl 704-529-1030 405-842-7471 Chicago, IL 60604 Omaha, NE 68102 219 S. Dearborn St 215 N. 17th St 312-431-1333 402-348-1210 Cincinnati, OH 45205 Philadelphia, PA 50 Main St 600 Arch St 513-421-4310 215-629-0800 Cleveland, OH 44199 Phoenix, AZ 85012 1240 E. 9th St 201 E. Indianola 216-522-1400 602-279-5511 Columbia, SC 29201 Pittsburgh, PA 1529 Hampton St 1000 Liberty Ave 803-254-3011 412-471-2000 Dallas, TX 75202 Portland, OR 97201 1801 N. Lamar 1500 SW 1st Ave 214-741-1851 503-224-4181 Denver, CO 80202 Quantico, VA 22135 Federal Office Bldg FBI Academy 303-629-7171 703-640-6131 Detroit, MI 48226 Richmond, VA 23220 477 Michigan Ave 200 W. Grace St 313-965-2323 804-644-2631 El Paso, TX 79901 Sacramento, CA 95825 202 U.S. Courthouse Bldg 2800 Cottage Way 915-533-7451 916-481-9110 Honolulu, HI 96850 St. Louis, MO 63103 300 Ala Moana Blvd 1520 Market St 808-521-1411 314-241-5357 Houston, TX 77002 Salt Lake City, UT 84138 515 Rusk Ave 125 S. State St 713-224-1511 801-355-8584 Indianapolis, IN 46204 San Antonio, TX 78206 575 N. Pennsylvania St 615 E. Houston 317-639-3301 512-225-6741 Jackson, MS 39264 San Diego, CA 92188 100 W. Capitol St 880 Front St 601-948-5000 619-231-1122 Jackonsville, FL 32211 San Francisco, CA 94102 7820 Arlington Expressway 450 Golden Gate Ave 904-721-1211 415-552-2155 Kansas City, MO 64106 San Juan, PE 00918 300 U.S. Courthouse Bldg Hato Rey, PR 816-221-6100 809-754-6000 Knoxville, TN 37919 Savannah, GA 31405 1111 Northshore Dr 5401 Paulsen St 615-588-8571 912-354-9911 Las Vegas, NV 89101 Seattle, WA 98174 Las Vegas Blvd. S 915 2nd Ave 702-385-1281 206-622-0460 Little Rock, AR 72201 Springfield, IL 62702 215 U.S. Post Office Bldg 535 W. Jefferson St 501-372-7211 217-522-9675 Los Angeles, CA 90024 Tampa, FL 33602 11000 Wilshire Blvd 500 Zack St 213-477-6565 813-228-7661 Louisville, KY 40202 Washington, DC 20401 600 Federal Pl 1900 Half St. SW =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= -=- The Empire Times -=- Volume 1, Issue 2, File 5 of 10 The Empire Times Presents Carding in The 90's By Mustang False ------ Carders are out to phuck people over, By charging vast amounts of money to there credit Cards. True ---- Carders are really trying to fuck up the government, by making charges that people refuse to pay and the government has to pick up the tab. Now we all know the dangers of carding, but this file is dedicated to showing you the ways to get by these problems. If any problem is not written in this file or there is something that is wrong E-mail me on Empire or other fine boards. Traces-Even though it's a long shot that the store has a trace, never ever call from home. Use a payphone or public phone. Always know exactly what you want, So you cann make your order fast and easy. Try and use a deep voice when calling a store that way they belive it is a adult. Always use a drop point and never your own home. Know you already have the card number and name. Now pick up the pay phone and call a store. Store Clerk- Hects, Can I help you? Carder- Yes can you please conect me with the BLAH BLAH department. Store Clerk- Please hold. Department Clerk- BLAH BLAH department can I help you? Carder- Yes I would like to order by credit card one BLAH BLAH. Department Clerk- Ok... I will need your credit card number. Carder- American Express, Number xxxxxxxxxxxxxxxx. Departmen Clerk- Ok... Now what's your name. Carder- My name is JOHN DOE. Department Clerk- What's your experation date? Carder- Me experation date is BLAH BLAH. Department Clerk- Please hold while I cheack to see if the info is valid. Department Clerk- Everything checks out. Carder- (Sigh) Can I have that deliverd to my home? Department Clerk- Yes, What's your address? Carder- My addrress is BLAH BLAH. Department Clerk- Thank You it's should arrive in a few weeks. Carder- Thanks alot. CLICK Its as easy as that. Next you have to pick up the stuff you orderd at your drop site. Now if you read the above you know that sending a dilevery to your own home is fucking stupid. So what you do is go out into your naborhood and find a nice little house for sale. Then when you order somthing give the address. Now when the UPS man comes here is a good story to tell him. UPS Man- Dose BLAH BLAH live here. Carder- She used to but moved out last week, she told me to pick up any mail that came to the house and foward it to here. UPS Man- Ok can you please sign here. Carder- Sure, Thank You. Now you have the delivery. (Note, Never put your real name down on the sign in sheet. Now find a good place to hide the goods for about a Two days just so now one get suspiciuos then take it home and have a ball. Geting Credit Card Numbers. There are many ways of doing this. I will just name a few. Trashing- Going through trash looking for numbers. Looking around ATM- machines for those little cards that have thecard number on them. Using Programs- That spit out card numbers. And then my favorte is a system written by Saturday Knight, This file can be found on any Elite BBs, it's called AMEX.zip. Well that's alll I have to say about carding for this issue. And remember Don't card just for fun becase that's how you get busted. I would like to thank The following: ----------------------------------- Dameon- For helping me get started. Cultish Person- For showing how not to be a good user. Alby - For all his help. =-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= -=- The Empire Times -=- Volume 1, Issue 2, File 6 of 11 Specs On Caller ID This is a copy of the data sheet picked up at the Rockwell booth at the COMDEX show. INTRODUCTION Calling Number Delivery (CND), better known as Caller ID, is a telephone service intended for residential and small business customers. It allows the called Customer Premises Equipment (CPE) to receive a calling party's directory number and the date and time of the call during the first 4 second silent interval in the ringing cycle. The customer must contact a Bellcore Client Company to initiate CND service. According to Pacific Bell representatives, the following states and district currently support CND service: Delaware, District of Columbia, Florida, Georgia, Idaho, Kentucky, Louisiana, Maine, Maryland, Nebraska, Nevada, New Jersey, Oklahoma, Tennessee, Vermont, Virginia, and West Virginia. The following states are scheduled to support CND service by April, 1992: Alaska, Arizona, California, Colorado, Illinois, Indiana, Iowa, Massachusetts, Mississippi, New Hampshire, New York, North Carolina, North Dakota, Ohio, Oregon, Rhode Island, and South Carolina. PARAMETERS The data signalling interface has the following characteristics: Link Type: 2-wire, simplex Transmission Scheme: Analog, phase-coherent FSK Logical 1 (mark) 1200 +/- 12 Hz Logical 0 (space) 2200 +/- 22 Hz Transmission Rate: 1200 bps Transmission Level: 13.5 +/- dBm into 900 ohm load (I have copied this data as presented. I believe the transmission level is meant to be -13.5 dBm.) PROTOCOL The protocol uses 8-bit data words (bytes), each bounded by a start bit and a stop bit. The CND message uses the Single Data Message format shown below. Channel Carrier Message Message Data Checksum Seizure Signal Type Length Word(s) Word Signal Word Word CHANNEL SEIZURE SIGNAL The channel seizure is 30 continuous bytes of 55h (01010101) providing a detectable alternating function to the CPE (i.e. the modem data pump). CARRIER SIGNAL The carrier signal consists of 130 +/- 25 mS of mark (1200 Hz) to condition the receiver for data. MESSAGE TYPE WORD The message type word indicates the service and capability associated with the data message. The message type word for CND is 04h (00000100). MESSAGE LENGTH WORD The message length word specifies the total number of data words to follow. DATA WORDS The data words are encoded in ASCII and represent the following information: o The first two words represent the month o The next two words represent the day of the month o The next two words represent the hour in local military time o The next two words represent the minute after the hour o The calling party's directory number is represented by the remaining words in the data word field If the calling party's directory number is not available to the terminating central office, the data word field contains an ASCII "O". If the calling party invokes the privacy capability, the data word field contains an ASCII "P". CHECKSUM WORD The Checksum Word contains the twos complement of the modulo 256 sum of the other words in the data message (i.e., message type, message length, and data words). The receiving equipment may calculate the modulo 256 sum of the received words and add this sum to the reveived checksum word. A result of zero generally indicates that the message was correctly received. Message retransmission is not supported. EXAMPLE CND SINGLE DATA MESSAGE An example of a received CND message, beginning with the message type word, follows: 04 12 30 39 33 30 31 32 32 34 36 30 39 35 35 35 31 32 31 32 51 04h= Calling number delivery information code (message type word) 12h= 18 decimal; Number of data words (date,time, and directory number words) ASCII 30,39= 09; September ASCII 33,30= 30; 30th day ASCII 31,32= 12; 12:00 PM ASCII 32,34= 24; 24 minutes (i.e., 12:24 PM) ASCII 36,30,39,35,35,35,31,32,31,32= (609) 555-1212; calling party's directory number 51h= Checksum Word DATA ACCESS ARRANGEMENT (DAA) REQUIREMENTS To receive CND information, the modem monitors the phone line between the first and second ring bursts without causing the DAA to go off hook in the conventional sense, which would inhibit the transmission of CND by the local central office. A simple modification to an existing DAA circuit easily accomplishes the task. (I will mail the Rockwell data sheet, which includes the suggested schematic diagram.) MODEM REQUIREMENTS Although the data signalling interface parameters match those of a Bell 202 modem, the receiving CPE need not be a Bell 202 modem. A V.23 1200 bps modem receiver may be used to demodulate the Bell 202 signal. The ring indicate bit (RI) may be used on a modem to indicate when to monitor the phone line for CND information. After the RI bit sets, indicating the first ring burst, the host waits for the RI bit to reset. The host then configures the modem to monitor the phone line for CND information. (I'm skipping some Rockwell-specific information here.) According to Bellcore specifications, CND signalling starts as early as 300 mS after the first ring burst and ends at least 475 mS before the second ring burst APPLICATIONS Modem manufacturers will soon be implementing new modem features based on CND information as this service becomes widely available. Once CND information is received the user may process the information in a number of ways. 1. The date, time, and calling party's directory number can be displayed. 2. Using a look-up table, the calling party's directory number can be correlated with his or her name and the name displayed. 3. CND information can also be used in additional ways such as for: a. Bulletin board applications b. Black-listing applications c. Keeping logs of system user calls, or d. Implementing a telemarketing data base REFERENCES For more information on Calling Number Delivery (CND), refer to Bellcore publications TR-TSY-000030 and TR-TSY-000031. To obtain Bellcore documents contact: Bellcore Customer Service 60 New England Avenue, Room 1B252 Piscataway, NJ 08834-4196 (908) 699-5800 =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= -=- The Empire Times -=- Volume 1, Issue 2, File 7 of 11 ``Foiling the Cracker'' A Survey of, and Improvements to, Password Security This work was sponsored in part by the U.S. Department of Defense. Daniel V. Klein Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15217 dvk@sei.cmu.edu +1 412 268 7791 With the rapid burgeoning of national and international networks, the question of system security has become one of growing importance. High speed inter-machine communication and even higher speed computational processors have made the threats of system ``crackers,'' data theft, data corruption very real. This paper outlines some of the problems of current password security by demonstrating the ease by which individual accounts may be broken. Various techniques used by crackers are outlined, and finally one solution to this point of system vulnerability, a proactive password checker, is proposed. Introduction The security of accounts and passwords has always been a concern for the developers and users of Unix. When Unix was younger, the password encryption algorithm was a simulation of the M-209 cipher machine used by the U.S. Army during World War II. Robert T. Morris Ken Thompson Password Security: A Case History Communications of the ACM 22 11 594-597 November 1979 Morris1979 This was a fair encryption mechanism in that it was difficult to invert under the proper circumstances, but suffered in that it was too fast an algorithm. On a PDP-11/70, each encryption took approximately 1.25ms, so that it was possible to check roughly 800 passwords/second. Armed with a dictionary of 250,000 words, a cracker could compare their encryptions with those all stored in the password file in a little more than five minutes. Clearly, this was a security hole worth filling. In later (post-1976) versions of Unix, the DES algorithm Proposed Federal Information Processing Data Encryption Standard Federal Register (40FR12134) March 17, 1975 DES1975 was used to encrypt passwords. The user's password is used as the DES key, and the algorithm is used to encrypt a constant. The algorithm is iterated 25 times, with the result being an 11 character string plus a 2-character ``salt.'' This method is similarly difficult to decrypt (further complicated through the introduction of one of 4096 possible salt values) and had the added advantage of being slow. On a \(*mVAX-II (a machine substant- ially faster than a PDP-11/70), a single encryption takes on the order of 280ms, so that a determined cracker can only check approximately 3.6 encryptions a second. Checking this same dictionary of 250,000 words would now take over 19 hours of CPU time. Although this is still not very much time to break a single account, there is no guarantee that this account will use one of these words as a password. Checking the passwords on a system with 50 accounts would take on average 40 CPU days (since the random selection of salt values practically guarantees that each user's password will be encrypted with a different salt), with no guarantee of success. If this new, slow algorithm was combined with the user education needed to prevent the selection of obvious passwords, the problem seemed solved. Regrettably, two recent developments and the recurrence of an old one have brought the problem of password security back to the fore. CPU speeds have gotten increasingly faster since 1976, so much so that processors that are 25-40 times faster than the PDP-11/70 (e.g., the DECstation 3100 used in this research) are readily available as desktop workstations. With inter-networking, many sites have hundreds of the individual workstations connected together, and enterprising crackers are discovering that the ``divide and conquer'' algorithm can be extended to multiple processors, especially at night when those processors are not otherwise being used. Literally thousands of times the computational power of 10 years ago can be used to break passwords. New implementations of the DES encryption algorithm have been developed, so that the time it takes to encrypt a password and compare the encryption against the value stored in the password file has dropped below the 1ms mark. Matt Bishop An Application of a Fast Data Encryption Standard Implementation Computing Systems 1 3 221-254 Summer 1988 Bishop1988 David C. Feldmeier Philip R. Karn UNIX Password Security \- Ten Years Later CRYPTO Proceedings Summer 1989 Feldmeier1989 On a single workstation, the dictionary of 250,000 words can once again be cracked in under five minutes. By dividing the work across multiple workstations, the time required to encrypt these words against all 4096 salt values could be no more than an hour or so. With a recently described hardware implementation of the DES algorithm, the time for each encryption can be reduced to approximately 6 ms. Philip Leong Chris Tham UNIX Password Encryption Considered Insecure USENIX Winter Conference Proceedings January 1991 Leong1991 This means that this same dictionary can be be cracked in only 1.5 seconds. Users are rarely, if ever, educated as to what are wise choices for passwords. If a password is in a dictionary, it is extremely vulnerable to being cracked, and users are simply not coached as to ``safe'' choices for passwords. Of those users who are so educated, many think that simply because their password is not in /usr/dict/words, it is safe from detection. Many users also say that because they do not have any private files on-line, they are not concerned with the security of their account, little realizing that by providing an entry point to the system they allow damage to be wrought on their entire system by a malicious cracker. Because the entirety of the password file is readable by all users, the encrypted passwords are vulnerable to cracking, both on-site and off-site. Many sites have responded to this threat with a reactive solution \- they scan their own password files and advise those users whose passwords they are able to crack. The problem with this solution is that while the local site is testing its security, the password file is still vulnerable from the outside. The other problems, of course, are that the testing is very time consuming and only reports on those passwords it is able to crack. It does nothing to address user passwords which fall outside of the specific test cases (e.g., it is possible for a user to use as a password the letters ``qwerty'' \- if this combination is not in the in-house test dictionary, it will not be detected, but there is nothing to stop an outside cracker from having a more sophisticated dictionary!). Clearly, one solution to this is to either make /etc/passwd unreadable, or to make the encrypted password portion of the file unreadable. Splitting the file into two pieces \- a readable /etc/passwd with all but the encrypted password present, and a ``shadow password'' file that is only readable by root is the solution proposed by Sun Microsystems (and others) that appears to be gaining popularity. It seems, however, that this solution will not reach the majority of non-Sun systems for quite a while, nor even, in fact, many Sun systems, due to many sites' reluctance to install new releases of software. The problem of lack of password security is not just endemic to Unix. A recent Vax/VMS worm had great success by simply trying the username as the password. Even though the VMS user authorization file is inaccessible to ordinary users, the cracker simply tried a number of ``obvious'' password choices \- and easily gained access. What I propose, therefore, is a publicly available \fIproactive\fR password checker, which will enable users to change their passwords, and to check a priori whether the new password is ``safe.'' The criteria for safety should be tunable on a per-site basis, depending on the degree of security desired. For example, it should be possible to specify a minimum length password, a restriction that only lower case letters are not allowed, that a password that looks like a license plate be illegal, and so on. Because this proactive checker will deal with the pre-encrypted passwords, it will be able to perform more sophisticated pattern matching on the password, and will be able to test the safety without having to go through the effort of cracking the encrypted version. Because the checking will be done automatically, the process of education can be transferred to the machine, which will instruct the user \fIwhy\fR a particular choice of password is bad. Password Vulnerability It has long been known that all a cracker need do to acquire access to a Unix machine is to follow two simple steps, namely: Acquire a copy of that site's /etc/passwd file, either through an unprotected uucp link, well known holes in sendmail, or via ftp or tftp. Apply the standard (or a sped-up) version of the password encryption algorithm to a collection of words, typically /usr/dict/words plus some permutations on account and user names, and compare the encrypted results to those found in the purloined /etc/passwd file. If a match is found (and often at least one will be found), the cracker has access to the targeted machine. Certainly, this mode of attack has been known for some time, Eugene H. Spafford The Internet Worm Program: An Analysis Purdue Technical Report CSD-TR-823 Purdue University November 29, 1988 Spafford1988 and the defenses against this attack have also long been known. What is lacking from the literature is an accounting of just how vulnerable sites are to this mode of attack. In short, many people know that there is a problem, but few people believe it applies to them. ``There is a fine line between helping administrators protect their systems and providing a cookbook for bad guys.'' F. Grampp R. Morris Unix Operating System Security AT&T Bell Labs Technical Journal 63 8 1649-1672 October 1984 Grampp1984 The problem here, therefore, is how to divulge useful information on the vulnerability of systems, without providing too much information, since almost certainly this information could be used by a cracker to break into some as-yet unviolated system. Most of the work that I did was of a general nature \- I did not focus on a particular user or a particular system, and I did not use any personal information that might be at the disposal of a dedicated ``bad guy.'' Thus any results which I have been able to garner indicate only general trends in password usage, and cannot be used to great advantage when breaking into a particular system. This generality notwithstanding, I am sure that any self-respecting cracker would already have these techniques at their disposal, and so I am not bringing to light any great secret. Rather, I hope to provide a basis for protection for systems that can guard against future attempts at system invasion. The Survey and Initial Results In October and again in December of 1989, I asked a number of friends and acquaintances around the United States and Great Britain to participate in a survey. Essentially what I asked them to do was to mail me a copy of their /etc/passwd file, and I would try to crack their passwords (and as a side benefit, I would send them a report of the vulnerability of their system, although at no time would I reveal individual passwords nor even of their sites participation in this study). Not surprisingly, due to the sensitive nature of this type of disclosure, I only received a small fraction of the replies I hoped to get, but was nonetheless able to acquire a database of nearly 15,000 account entries. This, I hoped, would provide a representative cross section of the passwords used by users in the community. Each of the account entries was tested by a number of intrusion strategies, which will be covered in greater detail in the following section. The possible passwords that were tried were based on the user's name or account number, taken from numerous dictionaries (including some containing foreign words, phrases, patterns of keys on the keyboard, and enumerations), and from permutations and combinations of words in those dictionaries. All in all, after nearly 12 CPU months of rather exhaustive testing, approximately 25% of the passwords had been guessed. So that you do not develop a false sense of security too early, I add that 21% (nearly 3,000 passwords) were guessed in the first week, and that in the first 15 minutes of testing, 368 passwords (or 2.7%) had been cracked using what experience has shown would be the most fruitful line of attack (i.e., using the user or account names as passwords). These statistics are frightening, and well they should be. On an average system with 50 accounts in the /etc/passwd file, one could expect the first account to be cracked in under 2 minutes, with 5\-15 accounts being cracked by the end of the first day. Even though the \fBroot\fR account may not be cracked, all it takes is one account being compromised for a cracker to establish a toehold in a system. Once that is done, any of a number of other well-known security loopholes (many of which have been published on the network) can be used to access or destroy any information on the machine. It should be noted that the results of this testing do not give us any indication as to what the \fIuncracked\fR passwords are. Rather, it only tells us what was essentially already known \- that users are likely to use words that are familiar to them as their passwords. Bruce L. Riddle Murray S. Miron Judith A. Semo Passwords in Use in a University Timesharing Environment Computers & Security 8 7 569-579 November 1989 Riddle1989 What new information it did provide, however, was the \fIdegree\fR of vulnerability of the systems in question, as well as providing a basis for developing a proactive password changer \- a system which pre-checks a password before it is entered into the system, to determine whether that password will be vulnerable to this type of attack. Passwords which can be derived from a dictionary are clearly a bad idea, Ana Marie De Alvare E. Eugene Schultz, Jr. A Framework for Password Selection USENIX UNIX Security Workshop Proceedings August 1988 Alvare1988 and users should be prevented from using them. Of course, as part of this censoring process, users should also be told why their proposed password is not good, and what a good class of password would be. As to those passwords which remain unbroken, I can only conclude that these are much more secure and ``safe'' than those to be found in my dictionaries. One such class of passwords is word pairs, where a password consists of two short words, separated by a punctuation character. Even if only words of 3 to 5 lower case characters are considered, /usr/dict/words provides 3000 words for pairing. When a single intermediary punctuation character is introduced, the sample size of 90,000,000 possible passwords is rather daunting. On a DECstation 3100, testing each of these passwords against that of a single user would require over 25 CPU hours \- and even then, no guarantee exists that this is the type of password the user chose. Introducing one or two upper case characters into the password raises the search set size to such magnitude as to make cracking untenable. Another ``safe'' password is one constructed from the initial letters of an easily remembered, but not too common phrase. For example, the phrase ``Unix is a trademark of Bell Laboratories'' could give rise to the password ``UiatoBL.'' This essentially creates a password which is a random string of upper and lower case letters. Exhaustively searching this list at 1000 tests per second with only 6 character passwords would take nearly 230 CPU days. Increasing the phrase size to 7 character passwords makes the testing time over 32 CPU years \- a Herculean task that even the most dedicated cracker with huge computational resources would shy away from. Thus, although I don't know what passwords were chosen by those users I was unable to crack, I can say with some surety that it is doubtful that anyone else could crack them in a reasonable amount of time, either. Method of Attack A number of techniques were used on the accounts in order to determine if the passwords used for them were able to be compromised. To speed up testing, all passwords with the same salt value were grouped together. This way, one encryption per password per salt value could be performed, with multiple string comparisons to test for matches. Rather than considering 15,000 accounts, the problem was reduced to 4,000 salt values. The password tests were as follows: Try using the user's name, initials, account name, and other relevant personal information as a possible password. All in all, up to 130 different passwords were tried based on this information. For an account name klone with a user named ``Daniel V. Klein,'' some of the passwords that would be tried were: klone, klone0, klone1, klone123, dvk, dvkdvk, dklein, DKlein, leinad, nielk, dvklein, danielk, DvkkvD, DANIEL-KLEIN, (klone), KleinD, etc. Try using words from various dictionaries. These included lists of men's and women's names (some 16,000 in all); places (including permutations so that ``spain,'' ``spanish,'' and ``spaniard'' would all be considered); names of famous people; cartoons and cartoon characters; titles, characters, and locations from films and science fiction stories; mythical creatures (garnered from Bulfinch's mythology and dictionaries of mythical beasts); sports (including team names, nicknames, and specialized terms); numbers (both as numerals \- ``2001,'' and written out \- ``twelve''); strings of letters and numbers ( ``a,'' ``aa,'' ``aaa,'' ``aaaa,'' etc.); Chinese syllables (from the Pinyin Romanization of Chinese, a international standard system of writing Chinese on an English keyboard); the King James Bible; biological terms; common and vulgar phrases (such as ``fuckyou,'' ``ibmsux,'' and ``deadhead''); keyboard patterns (such as ``qwerty,'' ``asdf,'' and ``zxcvbn''); abbreviations (such as ``roygbiv'' \- the colors in the rainbow, and ``ooottafagvah'' \- a mnemonic for remembering the 12 cranial nerves); machine names (acquired from /etc/hosts); characters, plays, and locations from Shakespeare; common Yiddish words; the names of asteroids; and a collection of words >from various technical papers I had previously published. All told, more than 60,000 separate words were considered per user (with any inter- and intra-dictionary duplicates being discarded). Try various permutations on the words from step 2. This included making the first letter upper case or a control character, making the entire word upper case, reversing the word (with and without the aforementioned capitalization), changing the letter `o' to the digit `0' (so that the word ``scholar'' would also be checked as ``sch0lar''), changing the letter `l' to the digit `1' (so that ``scholar'' would also be checked as ``scho1ar,'' and also as ``sch01ar''), and performing similar manipulations to change the letter `z' into the digit `2', and the letter `s' into the digit `5'. Another test was to make the word into a plural (irrespective of whether the word was actually a noun), with enough intelligence built in so that ``dress'' became ``dresses,'' ``house'' became ``houses,'' and ``daisy'' became ``daisies.'' We did not consider pluralization rules exhaustively, though, so that ``datum'' forgivably became ``datums'' (not ``data''), while ``sphynx'' became ``sphynxs'' (and not ``sphynges''). Similarly, the suffixes ``-ed,'' ``-er,'' and ``-ing'' were added to transform words like ``phase'' into ``phased,'' ``phaser,'' and ``phasing.'' These 14 to 17 additional tests per word added another 1,000,000 words to the list of possible passwords that were tested for each user. Try various capitalization permutations on the words from step 2 that were not considered in step 3. This included all single letter capitalization permutations (so that ``michael'' would also be checked as ``mIchael,'' ``miChael,'' ``micHael,'' ``michAel,'' etc.), double letter capitalization permutations (``MIchael,'' ``MiChael,'' ``MicHael,'' ... , ``mIChael,'' ``mIcHael,'' etc.), triple letter permutations, and so on. The single letter permutations added roughly another 400,000 words to be checked per user, while the double letter permutations added another 1,500,000 words. Three letter permutations would have added at least another 3,000,000 words \fIper user\fR had there been enough time to complete the tests. Tests of 4, 5, and 6 letter permutations were deemed to be impracticable without much more computational horsepower to carry them out. Try foreign language words on foreign users. The specific test that was performed was to try Chinese language passwords on users with Chinese names. The Pinyin Romanization of Chinese syllables was used, combining syllables together into one, two, and three syllable words. Because no tests were done to determine whether the words actually made sense, an exhaustive search was initiated. Since there are 398 Chinese syllables in the Pinyin system, there are 158,404 two syllable words, and slightly more than 16,000,000 three syllable words. The astute reader will notice that 398\s-2\u3\d\s+2 is in fact 63,044,972. Since Unix passwords are truncated after 8 characters, however, the number of unique polysyllabic Chinese passwords is only around 16,000,000. Even this reduced set was too large to complete under the imposed time constraints. A similar mode of attack could as easily be used with English, using rules for building pronounceable nonsense words. Try word pairs. The magnitude of an exhaustive test of this nature is staggering. To simplify this test, only words of 3 or 4 characters in length >from /usr/dict/words were used. Even so, the number of word pairs is \fBO\fR(10\s-3\u7\d\s+3) (multiplied by 4096 possible salt values), and as of this writing, the test is only 10% complete. For this study, I had access to four DECstation 3100's, each of which was capable of checking approximately 750 passwords per second. Even with this total peak processing horsepower of 3,000 tests per second (some machines were only intermittently available), testing the \fBO\fR(10\s-3\u10\d\s+3) password/salt pairs for the first four tests required on the order of 12 CPU months of computations. The remaining two tests are still ongoing after an additional 18 CPU months of computation. Although for research purposes this is well within acceptable ranges, it is a bit out of line for any but the most dedicated and resource-rich cracker. Summary of Results The problem with using passwords that are derived directly from obvious words is that when a user thinks ``Hah, no one will guess this permutation,'' they are almost invariably wrong. Who would ever suspect that I would find their passwords when they chose ``fylgjas'' (guardian creatures from Norse mythology), or the Chinese word for ``hen-pecked husband''? No matter what words or permutations thereon are chosen for a password, if they exist in some dictionary, they are susceptible to directed cracking. The following table give an overview of the types of passwords which were found through this research. A note on the table is in order. The number of matches given from a particular dictionary is the total number of matches, irrespective of the permutations that a user may have applied to it. Thus, if the word ``wombat'' were a particularly popular password from the biology dictionary, the following table will not indicate whether it was entered as ``wombat,'' ``Wombat,'' ``TABMOW,'' ``w0mbat,'' or any of the other 71 possible differences that this research checked. In this way, detailed information can be divulged without providing much knowledge to potential ``bad guys.'' Additionally, in order to reduce the total search time that was needed for this research, the checking program eliminated both inter- and intra-dictionary duplicate words. The dictionaries are listed in the order tested, and the total size of the dictionary is given in addition to the number of words that were eliminated due to duplication. For example, the word ``georgia'' is both a female name and a place, and is only considered once. A password which is identified as being found in the common names dictionary might very well appear in other dictionaries. Additionally, although ``duplicate,'' ``duplicated,'' ``duplicating'' and ``duplicative'' are all distinct words, only the first eight characters of a password are used in Unix, so all but the first word are discarded as redundant. box, tab(:), center; cp+2fB s s s s s s cfB cfB cfB cfB cfB cfB cfB cfB cfB cfB cfB cfB cfB cfB l n n n n n n . Passwords cracked from a sample set of 13,797 accounts Type of:Size of:Duplicates:Search:# of:Pct.:Cost/Benefit Password:Dictionary:Eliminated:Size:Matches:of Total:Ratio\s-2\u*\d\s+2 User/account name:130\s-3\u\(dg\d\s+3:\-:130:368:2.7%:2.830 Character sequences:866:0:866:22:0.2%:0.025 Numbers:450:23:427:9:0.1%:0.021 Chinese:398:6:392:56:0.4%\s-3\u\(dd\d\s+3:0.143 Place names:665:37:628:82:0.6%:0.131 Common names:2268:29:2239:548:4.0%:0.245 Female names:4955:675:4280:161:1.2%:0.038 Male names:3901:1035:2866:140:1.0%:0.049 Uncommon names:5559:604:4955:130:0.9%:0.026 Myths & legends:1357:111:1246:66:0.5%:0.053 Shakespearean:650:177:473:11:0.1%:0.023 Sports terms:247:9:238:32:0.2%:0.134 Science fiction:772:81:691:59:0.4%:0.085 Movies and actors:118:19:99:12:0.1%:0.121 Cartoons:133:41:92:9:0.1%:0.098 Famous people:509:219:290:55:0.4%:0.190 Phrases and patterns:998:65:933:253:1.8%:0.271 Surnames:160:127:33:9:0.1%:0.273 Biology:59:1:58:1:0.0%:0.017 \fI/usr/dict/words\fR:24474:4791:19683:1027:7.4%:0.052 Machine names:12983:3965:9018:132:1.0%:0.015 Mnemonics:14:0:14:2:0.0%:0.143 King James bible:13062:5537:7525:83:0.6%:0.011 Miscellaneous words:8146:4934:3212:54:0.4%:0.017 Yiddish words:69:13:56:0:0.0%:0.000 Asteroids:3459:1052:2407:19:0.1%:0.007 Total:86280:23553:62727:3340:24.2%:0.053 In all cases, the cost/benefit ratio is the number of matches divided by the search size. The more words that needed to be tested for a match, the lower the cost/benefit ratio. The dictionary used for user/account name checks naturally changed for each user. Up to 130 different permutations were tried for each. While monosyllablic Chinese passwords were tried for all users (with 12 matches), polysyllabic Chinese passwords were tried only for users with Chinese names. The percentage of matches for this subset of users is 8% \- a greater hit ratio than any other method. Because the dictionary size is over 16\(mu10\s-2\u6\d\s+2, though, the cost/benefit ratio is infinitesimal. The results are quite disheartening. The total size of the dictionary was only 62,727 words (not counting various permutations). This is much smaller than the 250,000 word dictionary postulated at the beginning of this paper, yet armed even with this small dictionary, nearly 25% of the passwords were cracked! tab(:), center, box; cp+2fB s s cfB cfB cfB l n n. Length of Cracked Passwords Length:Count:Percentage 1 character:4:0.1% 2 characters:5:0.2% 3 characters:66:2.0% 4 characters:188:5.7% 5 characters:317:9.5% 6 characters:1160:34.7% 7 characters:813:24.4% 8 characters:780:23.4% The results of the word-pair tests are not included in either of the two tables. However, at the time of this writing, the test was approximately 10% completed, having found an additional 0.4% of the passwords in the sample set. It is probably reasonable to guess that a total of 4% of the passwords would be cracked by using word pairs. Action, Reaction, and Proaction What then, are we to do with the results presented in this paper? Clearly, something needs to be done to safeguard the security of our systems from attack. It was with intention of enhancing security that this study was undertaken. By knowing what kind of passwords users use, we are able to prevent them from using those that are easily guessable (and thus thwart the cracker). One approach to eliminating easy-to-guess passwords is to periodically run a password checker \- a program which scans \fI/etc/passwd\fR and tries to break the passwords in it. T. Raleigh R. Underwood CRACK: A Distributed Password Advisor USENIX UNIX Security Workshop Proceedings August 1988 Raleigh1988 This approach has two major drawbacks. The first is that the checking is very time consuming. Even a system with only 100 accounts can take over a month to diligently check. A halfhearted check is almost as bad as no check at all, since users will find it easy to circumvent the easy checks and still have vulnerable passwords. The second drawback is that it is very resource consuming. The machine which is being used for password checking is not likely to be very useful for much else, since a fast password checker is also extremely CPU intensive. Another popular approach to eradicating easy-to-guess passwords is to force users to change their passwords with some frequency. In theory, while this does not actually eliminate any easy-to-guess passwords, it prevents the cracker from dissecting /etc/passwd ``at leisure,'' since once an account is broken, it is likely that that account will have had it's password changed. This is of course, only theory. The biggest disadvantage is that there is usually nothing to prevent a user from changing their password from ``Daniel'' to ``Victor'' to ``Klein'' and back again (to use myself as an example) each time the system demands a new password. Experience has shown that even when this type of password cycling is precluded, users are easily able to circumvent simple tests by using easily remembered (and easily guessed) passwords such as ``dvkJanuary,'' ``dvkFebruary,'' etc. Dr. Brian K Reid 1989 DEC Western Research Laboratory Personal communication. Reid1989 A good password is one that is easily remembered, yet difficult to guess. When confronted with a choice between remembering a password or creating one that is hard to guess, users will almost always opt for the easy way out, and throw security to the wind. Which brings us to the third popular option, namely that of assigned passwords. These are often words from a dictionary, pronounceable nonsense words, or random strings of characters. The problems here are numerous and manifest. Words from a dictionary are easily guessed, as we have seen. Pronounceable nonsense words (such as ``trobacar'' or ``myclepate'') are often difficult to remember, and random strings of characters (such as ``h3rT+aQz'') are even harder to commit to memory. Because these passwords have no personal mnemonic association to the users, they will often write them down to aid in their recollection. This immediately discards any security that might exist, because now the password is visibly associated with the system in question. It is akin to leaving the key under the door mat, or writing the combination to a safe behind the picture that hides it. A fourth method is the use of ``smart cards.'' These credit card sized devices contain some form of encryption firmware which will ``respond'' to an electronic ``challenge'' issued by the system onto which the user is attempting to gain acccess. Without the smart card, the user (or cracker) is unable to respond to the challenge, and is denied access to the system. The problems with smart cards have nothing to do with security, for in fact they are very good warders for your system. The drawbacks are that they can be expensive and must be carried at all times that access to the system is desired. They are also a bit of overkill for research or educational systems, or systems with a high degree of user turnover. Clearly, then, since all of these systems have drawbacks in some environments, an additional way must be found to aid in password security. A Proactive Password Checker The best solution to the problem of having easily guessed passwords on a system is to prevent them from getting on the system in the first place. If a program such as a password checker reacts by detecting guessable passwords already in place, then although the security hole is found, the hole existed for as long as it took the program to detect it (and for the user to again change the password). If, however, the program which changes user's passwords (i.e., /bin/passwd) checks for the safety and guessability before that password is associated with the user's account, then the security hole is never put in place. In an ideal world, the proactive password changer would require eight character passwords which are not in any dictionary, with at least one control character or punctuation character, and mixed upper and lower case letters. Such a degree of security (and of accompanying inconvenience to the users) might be too much for some sites, though. Therefore, the proactive checker should be tuneable on a per-site basis. This tuning could be accomplished either through recompilation of the passwd program, or more preferably, through a site configuration file. As distributed, the behavior of the proactive checker should be that of attaining maximum password security \- with the system administrator being able to turn off certain checks. It would be desireable to be able to test for and reject all password permutations that were detected in this research (and others), including: tab(:); c lw(2.3i) c lw(2.3i). \(bu:T{ Passwords based on the user's account name T}:\(bu:T{ Passwords based on the user's initials or given name T} \(bu:T{ Passwords which exactly match a word in a dictionary (not just /usr/dict/words) T}:\(bu:T{ Passwords which match a word in the dictionary with some or all letters capitalized T} \(bu:T{ Passwords which match a reversed word in the dictionary T}:\(bu:T{ Passwords which match a reversed word in the dictionary with some or all letters capitalized T} \(bu:T{ Passwords which match a word in a dictionary with an arbitrary letter turned into a control character T}:\(bu:T{ Passwords which match a dictionary word with the numbers `0', `1', `2', and `5' substituted for the letters `o', 'l', 'z', and 's' T} \(bu:T{ Passwords which are simple conjugations of a dictionary word (i.e., plurals, adding ``ing'' or ``ed'' to the end of the word, etc.) T}:\(bu:T{ Passwords which are patterns from the keyboard (i.e., ``aaaaaa'' or ``qwerty'') T} \(bu:T{ Passwords which are shorter than a specific length (i.e., nothing shorter than six characters) T}:\(bu:T{ Passwords which consist solely of numeric characters (i.e., Social Security numbers, telephone numbers, house addresses or office numbers) T} \(bu:T{ Passwords which do not contain mixed upper and lower case, or mixed letters and numbers, or mixed letters and punctuation T}:\(bu:T{ Passwords which look like a state-issued license plate number T} The configuration file which specifies the level of checking need not be readable by users. In fact, making this file unreadable by users (and by potential crackers) enhances system security by hiding a valuable guide to what passwords are acceptable (and conversely, which kind of passwords simply cannot be found). Of course, to make this proactive checker more effective, it woule be necessary to provide the dictionaries that were used in this research (perhaps augmented on a per-site basis). Even more importantly, in addition to rejecting passwords which could be easily guessed, the proactive password changer would also have to tell the user why a particular password was unacceptable, and give the user suggestions as to what an acceptable password looks like. Conclusion (and Sermon) It has often been said that ``good fences make good neighbors.'' On a Unix system, many users also say that ``I don't care who reads my files, so I don't need a good password.'' Regrettably, leaving an account vulnerable to attack is not the same thing as leaving files unprotected. In the latter case, all that is at risk is the data contained in the unprotected files, while in the former, the whole system is at risk. Leaving the front door to your house open, or even putting a flimsy lock on it, is an invitation to the unfortunately ubiquitous people with poor morals. The same holds true for an account that is vulnerable to attack by password cracking techniques. While it may not be actually true that good fences make good neighbors, a good fence at least helps keep out the bad neighbors. Good passwords are equivalent to those good fences, and a proactive checker is one way to ensure that those fences are in place before a breakin problem occurs. -- ============ -- =========== -- =========== -- =========== -- =========== -- "The only thing that separates us from the animals is superstition and mindless rituals". Daniel Klein CMU-SEI +1 412/268-7791 dvk@sei.cmu.edu -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- -=- The Empire Times -=- Volume 1, Issue 2, File 8 of 11 Phreak Knowledge Written, Edited, and Remixed By Rebel Lion You are about to witness the power of phreak knowledge. Maybe you're a lamer. Maybe you don't know what a lamer is. Maybe you just want to know a little bit about phreaking. I'm gonna teach you how. I. Definitions Dialup: A telephone number used to access a long distance service such as MCI. Once accessed, a call may be made through a Calling Card. An extender for an LD company. Calling Card: An account with a LD service such as Sprint or MCI. The card itself is plastic and has the subscriber's account number printed on the front, resembling a credit card. Never actually steal one, for it will be cancelled. Just copy down the number and use it for LD or whatever. INWATS: Inward Wide-Area Tellicommunications Service. WATS is an 800 number. Inwards means a WATS that recieves calls, (a normal 1-800 number). PBX: Private Branch Exchange. An extender owned by a private company that allows employees to make calls from outside the company, to be charged to the company. Naturally, a phreak uses this oppurtunity to hack out the code himself and use the PBX for his own needs. Loop: A loop involves two phone numbers. One is the tone side, which is called by one person. The other is the silent side which is called by the second person. The two people can then talk to each other. Used by Ma Bell for some stupid testing thing. Used by Joe Phreaker to talk to people without giving out his home phone number [voice validation, maybe even conference shit]. Ma Bell: A generic term for the phone company, the place you're ripping off. Bridge: A bridge is one big line where many people can call up and be added to an on-going group talk. Used by phreaks for a big conference. AT&T Alliance Teleconference: A new conference system by AT&T that allows up to 50 people in a conference and can easily be accesed by any payphone with an AT&T calling card. It's made for business pigs, so it's a very un-suspicious user-phreindly system. It's run on a voice system, so its much easier than with an operator. ANI: Automatic Number Identification. It is used by companies to identify the number of the caller. Used by phreaks when beige boxing or using a diverter to tell the number they're calling through. Diverter: Basically calling up a company or small business and accesing their outward line. If you're gonna waste your time with this, make sure you use an ANI number to tell you actually have a diverter, and aren't just hearing your own dial tone [its happened]. Local: A non-LD call. Blue Boxing: The original phreaking. Using a 2600hz tone to seize a trunk (using a tone that operators use to connect phone calls). You can also move yourself all around the phone company when you blue box, because Ma Bell thinks you're an operator. This still works under ESS, but if you try it an FCC man will be at your door within an hour. See ESS. Beige Boxing: Using a lineman's handset, or similar homemade device, to access other people's lines through a bridge head. Red Boxing: Using a device ["box"] to produce quarter tones at a phortress phone. Free calls. Black Boxing: Using a device ["box"] to recieve a collect call without paying. Does not work under ESS. ESS: Electronic Switching System. New brand of switching system used by Ma Bell. It is a computer program written to monitor, detect, and prosocute phreakers to the fullest. ESS detects foreign tones on the line, and alerts another computer in the system exactly where the call was originated. As you can see, this is a dangerous weapon against phreakers. Other switching systems: The original switching system was step by step which used pulse and actually moved a relay for every digit you dialed. Next was crossbar, which had DTMF [touch-tones], but didn't have advanced features that ESS has, such as last call re-dial, trace call, other * fucntions, and 911 for emergancy. VMB: Voice Mail Box. An advanced answering machine where the user pays a VMB company to store messages for them, which are then retrieved by the user with a code. Phreaks can hack out a VMB's access code, and then change the box to their own. Conference Call: A telephone call where more than two parties [people] talk at one time. Area Code/NPA: First set of 3 digits in a telephone number. NPA-Nxx-xxxx. Prefix: Second set of 3 digits in a telephone number. NPA-Prefix-xxxx. Exchange: Last 4 digits of a telephone number. NPA-Nxx-exchange. CN/A: Customer Name and Address. This is an office that an emplyee of Ma Bell calls up to recieve the name and address of someone from their phone number. Used by phreaks to see who their ripping off. Phortress Phone: A standard pay phone. Phreaking: The illegal use of the phone system by an individual or group. Phreak: An abuser of the phone system for his own benefit. Scanning: Either by hand or by using a program, dialing random or sequential numbers in an exchange, prefix, or NPA, looking for carriers, PBX's, or other Ma Bell test functions. Extender: A number used by a LD company that can be dialed free from phortress phones [950-xxxx]. Provides instant long distance access for calling card holders. II. Abbreviations NPA: Number Planning Area [area code] (703) Nxx: Prefix (765) xxxx: Exchange (6567) VMB: Voice Mail Box ESS: Electronic Switching System CN/A: Customer name and Address PBX: Private Branch Exchange 99xx: A prefix scan (from 7659900 to 7659999) LD: Long Distance PIN: Personal Identification Number WATS: Wide Area Telecommunications Service XDC: X digit code, where x the number of digits in the code ACN: Any standard 10-digit telephone number CO: Central Office SxS: Step by Step, the first switching system III. Conclusion Phreak Knowledge is very usefull to everyone in the present. Hopefully, phreaking will not die, and any new technology Ma Bell comes up with, Phreaks will fight back at. Unfortunatley, ESS has disproven this theory. This new, electronic switching system, has shown the end to much of our heritage. Blue Boxing, Black Boxing, and in some places even Red Boxing, have all been destroyed. We must ban together and fight against these evils, or we all will perish. -==============================Thanks=================================- Nat X, for teaching me the art of PBX'ing and to go through two of em when using Alliance. Chuck U Farley, for teaching me to always be cautious. -==============================Call===================================- Death Row (703) 892-0015 -=====================================================================- "All Is Fair In Love And Phreak." -=====================================================================- ___________________________ | | | Phreaking Will Never Die | |___________________________| | | | Rebel Lion 06/20/92 | |___________________________| -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- -=- The Empire Times -=- Volume 1, Issue 2, File 9 of 11 The Beginner's Guide To Hacking On Datapac 1992 Update Written By The Lost Avenger Welcome to once again to the first return issue of the UPi newsletter. This file was originally released for Spectrum Issue #1, and then re-released in the very first UPi Newsletter (Volume 1, Issue 1) and from there I have now decided that the public's positive reaction to this file was still so tremendous that it made me decide to re-release the file again and also re-write and update it to the 1992 specifications for Datapac. Hope you enjoy reading this file as I did writing it. After reading through my large collection of g-files. I have found that there hasn't been a good text file for beginner about hacking the Datapac network. This guide will give a general incite on how to identity different types of operating systems when you are hacking about Datapac, and on generally basic information about Datapac. I hope this will give you more knowledge about the Datapac network to help get you started. Hope you learn a lot about Datapac and enjoy reading it at the same time. I have released this file in UPi Issue Number 1 but I have updated it and re-releasing it. These are the ten rules of hacking that I go by when I hack around on systems. These rules are important in order maintain from being caught or discovered illegally hacking on a system. I. Do not intentionally damage *any* system. II. Do not alter any system files other than ones needed to ensure your escape from detection and your future access (Trojan Horses, Altering Logs, and the like are all necessary to your survival for as long as possible.) III. Do not leave your (or anyone else's) real name, real handle, or real phone number on any system that you access illegally. They *can* and will track you down from your handle! IV. Be careful who you share information with. Feds are getting trickier. Generally, if you don't know their voice phone number, name, and occupation or haven't spoken with them voice on non-info trading conversations, be wary. V. Do not leave your real phone number to anyone you don't know. This includes logging on boards, no matter how k-rad they seem. If you don't know the sysop, leave a note telling some trustworthy people that will validate you. VI. Do not hack government computers. Yes, there are government systems that are safe to hack, but they are few and far between. And the government has infinitely more time and resources to track you down than a company who has to make a profit and justify expenses. VII. Don't use codes unless there is *NO* way around it (you don't have a local Telenet or Tymnet outdial and can't connect to anything 800...) You use codes long enough, you will get caught. Period. VIII. Don't be afraid to be paranoid. Remember, you *are* breaking the law. It doesn't hurt to store everything encrypted on your hard disk, or keep your notes buried in the backyard or in the trunk of your car. You may feel a little funny, but you'll feel a lot funnier when you when you meet Bruno, your transvestite cellmate who axed his family to death. IX. Watch what you post on boards. Most of the really great hackers in the country post *nothing* about the system they're currently working except in the broadest sense (I'm working on a UNIX, or a COSMOS, or something generic. Not "I'm hacking into General Electric's Voice Mail System" or something inane and revealing like that.) X. Don't be afraid to ask questions. That's what more experienced hackers are for. Don't expect *everything* you ask to be answered, though. There are some things (LMOS, for instance) that a beginning hacker shouldn't mess with. You'll either get caught, or screw it up for others, or both. I think in my own opinion the best way to find systems is by scanning them out. Getting them off a board or off a friend is not very safe as they may already have been hacked to death. Now you are probably wondering how you scan for systems, well this is what you do. First you select a four digit number representing the area you want to scan, for example 4910 or something like that. What you do from there is when you connect to the Datapac network (See Part V for more details on how to connect to Datapac) you type ".." and press enter. You should get some kind message such as "DATAPAC: XXXX XXXX" (with XXXX XXXX the Datapac node number you are on). Once you get that message you will enter a four digit number (the prefix) that you have selected, but don't press enter yet. After that type in another four digit number (the suffix) your have selected and press enter. Datapac will give respond to that by giving you a Network Message which is discussed later (see Part VII for the Datapac Network Messages). These messages will tell you if the system you are trying to reach is out of service, up, busy, and so on. If you have successfully connected to a system and want to disconnect from if and go back into Datapac type in the following string "-P Clear ". To continue scanning for more systems just keep on adding one to the last digit of the number in the suffix that you entered before and press enter. To keep on scanning just continue this until whatever suits your needs, for example you may start scanning at 4910 0000 and could stop scanning at 4910 1000. Ok now in this section I will discuss on how to connect to the Datapac network. Ok what you do to connect to Datapac is first make sure you computer is on. Then you load your terminal program, next call your local Datapac node. Once connected type to Datapac type in "..". Datapac will respond to this with the following message: DATAPAC: XXXX XXXX The XXXX XXXX is the Datapac node number you are on. If you have a Network User Identifier (NUI) then you can enter it in the following way, if you don't have one then skip this part: NUI you will then see the next message: PASSWORD: XXXXXX If Datapac did not send that message then that means that NUI that you entered is not a valid one. If you did get this message then enter the password assigned and press enter. Datapac will respond with either one of the following messages: DATAPAC: network user identifier active. which means that the password entered is correct or DATAPAC: network user identifier error which means that the password entered is not correct. Take note that if you have the valid NUI and it is on and you want to turn it off then type in the following command: NUI Off >from there Datapac will send: DATAPAC: network user identifier not active which means that you are no longer using the NUI, which also means that won't be able to connect to NUA's that don't accept collect calls. Once you enter in all that information.. you can know enter in a NUA. To enter in a NUA just type in 1+DNIC+NUA (example 1208057040540 for QSD). If you connect to the NUA properly then you will get this message: DATAPAC: Call connected to: XXXX XXXX The XXXX XXXX is the NUA that you have requested to connected to, otherwise it will display a different message which is discussed later on in this document. When a Datapac call is established through the network, a call connected message is received at the originating DTE. All or some of the following messages may be identified depending on the type of call, options used for the call, and the type of destination. Example: [HUNTED] [BACKED UP] [BACKED UP & HUNTED] [i LCN] [P/N PACKETSIZE: (128 OR 256)] [NUI (6 to 8 CHAR)CHARGING] [CUG:(CUG#)] [REVERSE CHARGE] MESSAGE EXPLANATION Call connected to: XXXXXXXX A virtual circuit has been established between an originating DTE and a remote (receiving) DTE. Hunted The remote logical channel is part of a hunt group. Backed Up The call attempt to the remote DTE has failed. The network has re-directed the call to another predetermined DTE that has been optioned as backup. i The call has been placed to an international address. P Priority service. Packet size: 128. N Normal service. Packet size: 128 or 256. DNA Data Network Address of the originating DTE. LCN Logical Channel Number of the recipient DTE. NUI The call will be billed to the 6 to 8 character Network User Identifier. CUG The recipient DTE is part of a closed user group. Reverse Charge The recipient DTE has accepted the charge associated with the established call. There are thirty-three messages which may appear when you are accessing the Datapac network. All of these network-generated messages which are sent to a terminal, are written as "Datapac: text". The "text" will be one of the following messages: ADDRESS This is a Datapac herald message for an SVC terminal. The "address" displayed is your Datapac network address. This message indicates that you are connected to the Datapac network. Proceed with the call request command. {P,R} TERMINAL ADDRESS -- (DESTINATION ADDRESS LOGICAL CHANNEL) This is a Datapac herald message for a PVC terminal. It indicates that you are connected to the network (address and destination address) CLOSED USER GROUP ERROR INVALID ADDRESS, MORE THAN 12 DATA CHARACTERS, or COMMA REQUIRED BEFORE DATA CHARACTERS These messages indicate an error in the call request command--correct and re-enter the command. CALLED BY [P][R] or [N][I] ADDRESS (XXX) This message indicates that a host or terminal has called you. Proceed with sign-on. (Note: P or N denotes grade of service. R specifies the charging option, if applicable. I specifies that it is an international call. (XXX) specifies the logical channel number if it is a national call, and specifies the gateway id if it is an international call. CALL CONNECTED This message indicates that the SVC connection between your terminal and the destination has been established successfully. RE-ENTER This message indicates that a transmission error has occurred in the current input line. Re-enter the line. If the problem persists, report the trouble to Telecom Canada. INPUT DATA LOST This message indicates that a transmission error has occurred. Since part of your input line has already been transmitted to the destination, enter a "line delete" character for your application and a carriage return (CR). When the destination replies, re-enter the line. PARITY ERROR This message indicates that a parity error has occurred in the current input line from a terminal which is operating in echo mode. The character which is in error is not echoed. Re-enter the character and continue normal input. If the problem persists, report the trouble to Telecom Canada. INPUT ERROR This message indicates that there is a network problem, due to overruns. If the problem occurs often, contact Telecom Canada. PVC DISCONNECTED - TEMPORARY NETWORK PROBLEM This message indicates that a network problem is preventing the requested call from continuing. Wait for the Datapac herald message, then continue. If the condition persists, contact Telecom Canada. PVC DISCONNECTED - DESTINATION NOT RESPONDING This message indicates that either the access line to the destination, or the destination itself is down. Try again later. If the condition persists, contact the destination. PVC DISCONNECTED - REMOTE REQUEST This message indicates that the destination has asked that the connection be discontinued. INVALID COMMAND This message indicates that there is a syntax error in the command. Correct it and re-enter the command. COMMAND NOT ALLOWED This message indicates that the command which was entered, although syntactically correct, cannot be implemented either due to the NIM state, or because it violates and/or conflicts with the service options selected --e.g., a call request command, when an SVC is already established. CALL CLEARED -- DESTINATION BUSY This message indicates that the destination computer cannot accept another call. Try again later. CALL CLEARED -- INCOMPATIBLE CALL OPTIONS This message indicates that the call request command includes facilities which are not available at the destination or are incompatible with it. Verify and try the call again. If the problem persists, contact the destination. CALL CLEARED -- TEMPORARY NETWORK PROBLEM This message indicates that a network problem has occurred--try again later. If the problem persists, report it to Telecom Canada. CALL CLEARED -- DESTINATION NOT RESPONDING This message indicates that the destination is either not acknowledging your request to connect or it is inoperable. Try again later. If the problem persists, contact the destination. CALL CLEARED -- ACCESS BARRED This message indicates that the network has blocked your call because of a Closer User Group violation. Verify the call establishment procedures with the destination. CALL CLEARED -- ADDRESS NOT IN SERVICE This message indicates that the network address in the call request command identifies a non-existent destination-- i.e., the address is not yet (or is no longer) assigned. Verify the address and re-enter the call request command. If the condition persists, contact the destination. CALL CLEARED -- COLLECT CALL REFUSED This message indicates that the destination is not willing to accept the charges for the connection (e.g., it does not accept calls from Datapac public dial ports). Verify the call establishment procedures and try the call again. If the condition persists, contact the destination. (See Part VII and Part VIII for more information. CALL CLEARED -- LOCAL PROCEDURE ERROR This message indicates that a network protocol error has occurred. Try the call again. If the condition persists, report the trouble to Telecom Canada. CALL CLEARED -- REMOTE PROCEDURE ERROR This message indicates that a destination protocol error has occurred. Try the call again. If the condition persists, contact the destination. CALL CLEARED -- LOCAL DIRECTIVE This message indicates that a virtual circuit has been cleared in response to a clear command from a terminal user. CALL CLEARED -- REMOTE DIRECTIVE This message indicates that a virtual circuit has been cleared in response to a clear request packet from the destination. CALL CLEARED -- REMOTE REQUEST This message indicates that a virtual circuit has been cleared in response to an invitation from the destination to clear the call. RESET -- TEMPORARY NETWORK PROBLEM This message indicates that a network problem has occurred on the PVC connection. Wait for the Datapac herald message, then continue. If the condition persists, report the trouble to Telecom Canada. RESET -- DESTINATION NOT RESPONDING This message indicates that the destination end of the PVC connection is not responding-- i.e., either the access line to the destination, or the destination itself, is down. Try again later. If the condition persists, contact the destination. RESET -- LOCAL PROCEDURE ERROR This message indicates that the PVC has been reset because of a network protocol error. Wait for the Datapac herald message, then continue. If the condition persists, report the trouble to Telecom Canada. RESET -- REMOTE PROCEDURE ERROR This message indicates that the PVC has been reset because of the destination protocol error. Wait for the Datapac herald message, then continue. If the condition persists, contact the destination. If the host computer is connected via the ITHI option, this message indicates that data has been disregarded due to the host not reacting to flow control conditions sent by the PAD. RESET -- LOCAL DESTINATION This message is the network's response to a reset command from the terminal user. Continue. RESET -- BY DESTINATION This message indicates that the destination has reset the virtual circuit. Data may have been lost. Continue. If the condition persists; report it to the destination. RESET -- TEMPORARY NETWORK PROBLEM These messages indicate that the network has reset the switched virtual circuit. Data may have been lost. Continue. If the problem persists, report it to Telecom Canada. RESET -- LOCAL PROCEDURE ERROR These messages indicate that the network has reset the switched virtual circuit. Data may have been lost. Continue. If the problem persists, report it to Telecom Canada. Well let me just get back and discuss something that I was talking about before but didn't go into any great detail about. The Network User Identifier (NUI) is a credit card-like system associated with the Datapac Network - similar to a calling card used to bill long distance calls. A NUI is a 6-8 character alphanumeric code which is entered during call set-up to indicate an account to which Datapac calls may be billed. Associated with each NUI is a password which is used as a security check when establishing a connection to the Datapac network. The password is confidential, known only to the user. The purpose of a NUI is to allow a Datapac user to make use of the Datapac network for data communications without the requirement of a dedicated Datapac connection or the need for the destination to accept reverse charge calls. Once the NUI/password pair has been correctly validated, the call is set up to the requested destination and call usage billed to the NUI/Datapac account number. At call set-up time, the user specifies the NUI and password to the network. The password is used by the network to authenticate the use of the NUI. After the NUI/password pair has been correctly validated (process whereby NUI/password is checked by NUI application), the user will be able to bill all subsequent session usage to the specified NUI. There are many useful applications for NUI. NUI, when provided to authorized users, can eliminate the need for host to accept reverse charge calls. NUI is required by users of public dial who are placing calls to a host application with the reverse charge blocking option. NUI permits subscribers of dedicated and private dial Datapac services to "Third Party" usage charges to a NUI account. For example, some users may decide that they do not want usage charged to the dedicated access line which they are using (i.e., if using someone else's line/terminal). By entering the NUI, all usage for subsequent calls during the same session would be billed to the account associated with the specified NUI. NUI permits sender paid calls to domestic Datapac network addresses and to foreign networks. Users can make international calls to overseas networks and charge the call usage to their NUI when using public dial ports. Offshore networks accessed via Teleglobe do not accept collect calls. Users also have the capability of placing sender paid calls to Domestic Datapac addresses, Telenet, Tymnet, Autonet, ACUNET and DASNET in the United Sates. NUI is required to complete calls using Datapac indial/outdial ports (i.e., devices at destination not connected to Datapac). NUI can be used to achieve benefits of departmental accounting. The Datapac bill is itemized to indicate the charges related to each NUI. This will assist in determining which department has generated usage and the associated charges. There are two main components to Datapac billing which is access and usage Both are billed on a monthly basis. These are the monthly recurring charges for dedicated access to the Datapac network. Included in this component are; Service charges - The one time service charge associated with a request for new service or a change to an existing one. Monthly charges - The recurring charge for basic dedicated access to the Datapac network. Other monthly - The additional recurring charges for any optional charges features or enhancements (additional VCs, PVCs, CUGs, etc.) to a dedicated access. These are the charges for the variable amounts of customer data sent to and >from the network. Included in this component are; Hold charges - Per minute. This applies only to Public Dial Port and International calls. Call set-ups (Call Requests) - Per attempt. Does not apply to Permanent Virtual Circuit (PVCs) arrangements. Resets - Per occurrence when generated by the customer. PAD usage - Per segment*. Applies to all services except Datapac 3000. Network usage - Per segment*. Rateant the grade (1,2,3) of the cities involved (DPSAs) and the distance between them. Surcharges - An incremental 5% to 25% surcharge applies to network usage when a premium throughput class is ordered. - A 25% surcharge applies to network usage with customer requested Priority calls. NUI - although this is a recurring monthly charge, it is grouped with usage for billing. Billing of data packets in Datapac is done in segments and commonly referred to as KILOSEGMENTS (1000 segments). In most cases, one segment is equal to one packet containing from one to 256 characters. There are some exceptions; Priority packets - Are a maximum 128 characters and are billed as one segment, surcharge applies. 512 character packets - Are billed as two segments. Packets to/from U.S. networks - Are a maximum 128 characters and are billed as one segment. Packets to/from Overseas networks - The international standard packet size is a maximum 64 characters and is billed as one segment by Datapac. Some overseas networks have 128 character packets but these are billed as two segments. Network User Identifier (NUI) Charges Monthly Service Rate Charge General NUI $2.40 $75.00 Corporate NUI $50.00 $125.00 Sub-NUI $2.40 No charge General Access Rates Monthly Service Rate Charge Closed User Group (CUG) $1.35 $75.00 - no charge for CUG options Reverse Charge Call Feature $1.35 $22.00 Direct Call Feature $4.20 $75.00 Hunt Group $55.00 $22.00 Call Redirection $157.00 $22.00 - additional charge for diversity where available Usage Rates Datapac usage includes the following billable components: Hold Time (1,2) $0.04/min. Public Dial and International ONLY Call Set-up $0.01 each Public Dial/SVCs ONLY Reset $0.01 each Customer initiated ONLY PAD usage (1,2) Datapac 3101 $0.50/kilosegment Datapac 3201 $0.85/kilosegment Datapac 3303 $0.70/kilosegment Network Usage (1) see following table based on distance and grade (1) A 25% discount applies to these components for calls initiated and completed between 7 PM and 7 AM and on weekends and certain holidays. Applies to ** PUBLIC DIAL ONLY**. (2) PAD and Hold Time charges are applied at both the calling and called end, where applicable. M I L E A G E DPSA (city) 1-100 101-400 401-1000 1000+ ----------- ----- ------- -------- ------ 1 to 1 $0.40 $0.65 $1.06 $1.80 1 to 2 $1.01 $1.70 $2.33 $3.50 1 to 3 $1.70 $3.50 $4.13 $4.77 2 to 2 $1.75 $3.34 $4.24 $5.57 2 to 3 $2.44 $4.24 $5.30 $6.41 3 to 3 $3.13 $5.30 $6.36 $7.00 * NOTE : Larger cities are grade 1 Datapac Serving Areas smaller cities are grade 3 DPSA's The Datapac Summary Usage Statement is monthly statement is free of charge. It is a summary of all calls that have been billed to the addresses or NUIs that are part of an account for that billing period Because this is a summary, it is not possible to accurately reconcile the details of any totals on this statement. This is due to the standard accounting practices of rounding rules, minimum charging and taxing procedures that have been applied. If your organization needs this capability, it must be done from a Detailed Usage Statement. There are other options that can be considered to meet these needs such as; reverse charging, NUI, separate accounts or division codes (where available). Please discuss this with the Sales Representative of your local telephone company. In addition to the customers account number, dates of the billing period involved, tax totals and grand total, the following information is supplied; Billed Address (or NUI and city); Other Address (or City Code if Public Dial call), # of calls, # of resets, billable units (kilosegments), indication of surcharges (if applicable), duration of calls, hold charges (if applicable), and usage charges; A sub total of all above information for each billed address and Service type of each address This information is sorted in descending numerical/ alphabetical order. This same information is given for the U.S. and Overseas Summary Usage Statements and is grouped by Packet Switching Network name. A new format for the Datapac Summary Usage Statement will begin introduction in mid to late 1991. Improved methods of grouping, sorting and reporting usage have been introduced as well as some additional details. Some major highlights; Title page to display previous 12 months billing history, page break by service type, sub-totals by service type, final page with sub-totals of domestic, overseas and International usage with taxes and a grand total. The information you need from a summary statement will be easier to find and handle. The Datapac Detailed Usage Statement which is chargeable option. It is a monthly statement that details each and every call that has been billed to the addresses or NUIs that are part of an account for that billing period. In addition to the customers account number, the dates of the billing period involved, tax totals and the grand total, the following information is supplied for each call; Billed Address or NUI and city, service type, logical channel (virtual circuit #), throughput class; Other Address and city (only City if Public Dial call), service type, logical channel (virtual circuit #), throughput class; Date, local start time and local stop time; Number of resets (if any); Clear Cause Code; Billable Units (segments) received transmitted; Call Set-up Class; Hold charges (if applicable); Usage charges and Taxing province This same information is given for the U.S. and overseas calls and grouped by Packet Switching Network name. The calls on this statement are grouped by billed address and other address then sorted in descending numerical order. The calls between the Billed and Other Address are sorted in descending chronological order. Each call record on this statement can represent either a portion of or a complete call. Under normal circumstances, an accounting record for a call is generated when a call is cleared, or every 12 hours. If required, accounting records can be generated on a call still in session (for variety of network maintenance reasons). Therefore, a complete accounting record for a particular call may appear on more than one line. Such instances are identified by the Class and Clear Codes. If call total is required, it must be calculated manually. Well up to now I have discussed how to connect to Datapac, what a NUI is and how much it cost for a NUI, summary usage statement, detailed usage statements and usage statement codes. Let me changes topics for a minute and describe the different type of Datapac services available. Datapac 3000 is synchronous, application independent service that allows data terminals (DTE's) and data communicating equipment (DCE) to exchange data in a packet-mode over a public or private packet switching network. The DTE/DCE interface connection, disconnection and transmission rules are defined in a packet switching protocol called X.25 recommendation which is developed and governed by the international telephone and telegraph consultativ committee (CCITT). X.25 protocol is a bit oriented framing structure based on the high level data link control (HDLC). The CCITT recommendations for X.25 are divided into three levels, namely: The Physical Interface (Level 1) - Specifies the use of four-wire, point-to-point synchronous circuit between the DTE and the network (DCE). This circuit includes two modems or datasets (one connected to the DTE and the other connected to the network). Characteristics are: 4-wire point-to-point or dial via a V.22 bis modem; Full duplex via RS232 convention. The Frame Level Logical Interface (Level 2) - Defines the frame level link procedures used to synchronize transmission, initiate the "handshaking" necessary to establish the 'R-U-There'/Yes-I-Am sequence, flow control mechanism and perform error checking of data exchange across the DTE/DCE interface (link). the DTE is usually located at the customer premises and is called host while the DCE is located in the network. the procedures used to control the link are defined as commands and responses. Characteristics are: HDLC; Link access procedure balanced (LAPB) X.25(80) or X.25(84). The Packet Level Logical Interface (Level 3) - Defines the packet formats and control procedures required to establish a logical path (call request), exchange information (data packets) and for removing the logical path (clear request) between the DTE and DCR. Characteristics are: Logical Channels (LCN`s); Packet Size; Window Size; And Throughput Class. The customer's terminal (Host) is connected to a local modem which in turn, is connected to a second modem (Remote) in the central office via by 4 wires which in turn, is connected to a line processing module in the Datapac network. This configuration is called the DTE/DCE link and can be assigned speeds of 1200 bps through 19200 bps. This DTE/DCE link is assigned a unique Datapac network address (DNA) and other link parameters such as line speed, modem type, flow control and security by Telecom Canada. When the electrical signals are in the correct state as specified in level 1, the Datapac line processing module continuously transmits a CCITT command called SBMM (Set Asynchronous Balanced Node) to the customer's terminal (Host) every three seconds. If the host is ready, it responds to the SABM with a CCITT response UA (Unnumbered Acknowledgement). When this occurs, the link is initialized (level 2 ready), the host and Datapac module exchange restarts or restart/restart confirmation commands. When this occurs, the DTE/DCE link generates a transition to the next X.25 level, level 3. The DTE then signals the address it wishes to communicate with in a CCITT defined call request format (8 digits ), 10 digits if using 9th and 10th digit subaddressing on a Logical Channel (LCN) Datapac then routes the call request to the appropriate destination (national or international) and awaits a CCITT defined call accept packet. If this occurs, the accept packet is transmitted back to the originating host and both hosts may now exchange CCITT defined data packets. This is called a Switched Virtual Call (SVC); permanent virtual calls (PVC's) are also offered. At the end of the session, either host can terminate the SVC by transmitting a CCITT defined clear request packet. Up to 255 SVC's may be supported simultaneously. Dial access service is also offered at 2400 bps with a maximum of eight LCN's over the public telephone network Datapac 3000 provides customers with a cost effective service derived from packet switching technology and X.25 protocol. Some benefits are: Simultaneous communication with many (up to 255) different locations, national and international, error free transmission, system expansion flexibility, cost containment through reduced host port connections, 24 hours 7 days-a-week service, lower communication costs, call parameter selection to suit particular applications. Datapac 3101 is a network access service which enables teletypewriter compatible devices, such as time-sharing terminals, to access the Datapac network. Low speed, asynchronous devices are supported through an Interactive Terminal Interface (ITI) in a Packet Assembler/Disassembler (PAD), which allows the devices to access the network over dial-up (DDD) or dedicated access lines. ITI, the end-to-end protocol for Datapac 3101 conforms to the CCITT recommendations X.3, X.28 and X.29 and supports access to the Datapac network for asynchronous, start-stop character mode terminals. X.3 specifies the operation of the pad. It contains the specifications for the twelve international parameters and their operation. Additional domestic parameters are also in place to meet Canadian market requirements. X.28 specifies the command language between the terminal and the PAD. It also specifies the conditions which define the command mode and the data transfer mode. X.29 specifies the procedures to be followed by an X.25 DTE to access and modify the parameters in the pad as well as the data transfer procedure. The user needs no special hardware or software to interface a terminal to the Datapac network. A knowledge of the ITI procedures is the only requirement at the terminal end. The Datapac 3101 service provides for terminal to host (user's computer) and terminal to terminal communication. The host access should conform with the X.25 protocol, using the Datapac 3000 access service, and also support the higher level protocol conventions of ITI. host access may also be provided via the Datapac 3101 service for some applications. The Datapac 3101 service also provides block mode and tape support. The Datapac 3201 Network access service which enables various terminals that are buffered, pollable and operate asynchronously to communicate with host computers through the Datapac network. The Datapac 3201 service is typically used by the general merchandise and specialty sectors of the retail industry in Canada. It provides a cost effective communication solution whenever there is a requirement for sending small amounts of information to a host computer and obtaining a short response. The primary applications are on-line compilation of sales data to help in inventory control, and on-line credit verification to detect fraudulent credit cards. Other emerging applications involve trust companies, credit unions, banks and service stations. Datapac 3201 provides support at the customers' terminal end (for example a retail store) by means of a Packet Assembler/Disassembler (PAD) which is located in a Telecom Canada member company central office. The PAD polls the various devices for information in an on-line real time environment. Devices may communicate to the pad via two options: Shared multipoint multidrop access at 1200 bps, or Dedicated access at 1200, 2400 bps. Communication between the PAD and the terminal conforms to the ANSI (American National Standards Institute) X3.28-1976 ISO (International Standards Organization) poll/select asynchronous protocol. Telecom Canada undertakes to test terminals which support this protocol, prior to connecting them to the Datapac 3201 network. Communication between the customers host computer location and the Datapac network is accomplished by the use of a X.25 (Datapac 3000) interface which supports the Datapac 3201 host to PAD "Point-Of-Sale (POS) end to end protocol" specification. - Data Collection: Average 1.7 to 2.3 seconds in the peak periods. - Inquiry-Response (Credit Check): Average 2.7 to 4.2 seconds in the peak periods. A typical retail Datapac 3201 application uses short input and output messages. (For example an average of 50 characters). One kilopacket (1,000 packets or 256,000 bytes) is equal to approximately 1,000 sales transactions or 500 credit authorizations. Average transaction volume would be less than 5000 packets per day. Other optional Datapac network features include Closed User Group (CUG): Allows devices within one group to communicate only with accredited devices of the same group, resulting in a high degree of data security. Additional options are available to limit call attempts between closed user groups or within a closed user group, reverse charge call: Allows a user to charge a call to the destination address, reverse charge call: Reverse charged calls destined to a Datapac 3201 blocking: address will be blocked by the network. Datapac 3303 (BSC) provides polled BSC communications protocol support for IBM 3270 information display systems or their emulators. Datapac 3303 (BSC) supports all the typical on-line inquiry response and data entry applications normally accessed with these 3270 terminal clusters. Datapac 3303 (BSC) is a PAD based service. The 3270 controllers connect to the network via PAD's (Packet Assemblers/Disassemblers). PAD's perform the host functions of communicating with the 3270 controllers in the binary synchronous communications polling protocol, and in doing so, eliminate cross-network polling. Datapac 3303 (BSC) connections are dedicated facilities (one per controller) at speeds of 2400, 4800, or 9600 bps. A virtual circuit is maintained for each terminal across the network and out to the host at the other end via a Datapac 3000 line. Most Datapac 3303 (BSC) connections dialogue with hosts that are running Telecom Canada's Datapac access software (DAS) in their IBM 3720, 3705, 3725 or Amdahl look-alikes front ends. DAS supports X.25 connecting. To the network via Datapac 3000. It also supports the end-to-end protocol transporting the 3270 data across the network. Aside from lower communications costs, the main reasons for using Datapac 3303 (BSC) are: Ease of network reconfiguration, and dynamic multiple terminal functionally. New on-line systems are economically feasible and equipment changes can be easily accommodated without disrupting service or affecting the network. Terminals are now much more versatile than ever before. The capability exists to dynamically access multiple hosts and/or applications from the same destination (either manually, or via a user friendly mnemonic addressing scheme). This means terminals behind the same controller can access different destinations at the same time, saving equipment and communications facilities costs. In conjunction with DAS (Datapac Access Software) in the host's front end, that 3270 terminal can also act as an ASCII asynchronous device and access such systems as Envoy/100 and iNet. In addition, each terminal now has the ability to appear as either a BSC device to a non-SNA host or an SDLC device to an SNA host in a matter of a few keystrokes. There are currently 2 services under Datapac 3303 (SDLC). They are Datapac 3303/SDLC and Datapac 3303/SDLC Plus. Both services allow IBM (and their emulators) devices to access the Datapac network for the purpose of transmitting data using the SDLC link level protocol. Some common features of the Datapac 3303 (SDLC) are terminal pad based: The service provides the X.25 framing and de-framing for SDLC data stream as well as the packetization and de-packetization, QLLC end-to-end protocol: the service conforms to IBM's QLLC specifications thus making it compatible with most host X.25 PAD software/hardware implementations, physical unit type 2 accessibility: services such as the IBM 3270, 3177, 52xx, 36xx, 37xx, 47xx, ATM's, etc. 2.4, 4.8, 9.6 kbps access speeds, Point to point and multipoint on-net and off-net access, terminal or host initiated calling, normal or priority packet size option and Closed User Group (CUG) options. Datapac 3303/SDLC offers 1 VC per PU (controller), switched and permanent virtual circuit support, and the following applications: virtual private line emulation, centralized host processing simple call set up, international (via Telenet/US) access, and token ring gateway support using the IBM 3174 Datapac 3303/SDLC Plus offers 1 VC per LU (end user terminal), local command mode allows call set up and clearing from users terminal, automatic direct call, mnemonic DMA dialing methods of call set up, switched virtual circuit support, and the following applications: disaster recovery, alternate host access using switching capability from user terminal and Datapac options (packet size, charging, CUG's) at user terminal level. Datapac 3304 offers batch terminal support. It supports RJE (or Remote Job Entry) batch work stations or communications terminals operating under binary synchronous communications (BSC) protocols. Datapac 3304 allows users operating under IBM's Multileaving Interface (MLI) protocol to access the Datapac network. It also supports compatible computers and terminals using this protocol. Datapac 3304 supports the bulk data transfer applications from these remote job entry (RJE) work stations whin as 'transparent' s'pad-to-pad operation'. Devices are connected to the Da dedicated lines aor 9600 bps. As users groimplement new technology, the termin upgraded to X.25. A typical user profile would include a host with a spooling or queueing subsystem such as HASP II, JES 2, JES 3, ASP and RSCS, batch terminals such as the IBM 3777 M2 and Data 100 and to have low to medium volumes to transmit. Datapac 3305 also supports a variety of BSC RJE batch work stations such as IBM 2770, IBM 2780, IBM 3740, IBM 3770 and IBM 3780. It provides network access support for those customers using equipment operating under IBM's point-to-point contention mode protocol and those compatible computers and terminals using the same protocol. Datapac 3305 supports the bulk data transfer (batch transmissions) applications that occur between terminals, hosts, and a variety of other devices such as communicating word processors. Datapac 3305 provides savings for those customers running low to medium volume applications. Datapac 3305 is a PAD based service. The RJE (Remote Job-Entry) work stations access the network via PAD's while the host computer may also use the Datapac 3305 PAD or connect via an X.25 link on Datapac 3000. Datapac 3305 supports three modes of access: Dedicated lines at 2400 or 4800 bps, private dial at 2400 bps and public dial at 2400 bps It should be noted that the destination must be dedicated in order to receive a call. Datapac access software (DAS) provides a Datapac (X.25) compatibility for IBM host computer environments. Datapac access software (DAS) resides in customer-provided IBM hardware; the communications controller or front end processor such as the IBM 3725 or IBM 3705, and co-exists with its compatible IBM software such as NCP (Network Control Program), EP (Emulation Program) or PEP (Partitioned Emulation Program). Datapac access software (DAS) compatibility also extends to IBM look-alike hardware manufacturers such as Amdahl. DAS-installed host computer environments have access to their Datapac-bound devices, such as those connected via Datapac 3101, Datapac 3303 (DSI/DSP), Datapac 3303 (QLLC)*, and Datapac 3305, as well as those devices which are connected via conventional communications facilities, such as private line or dial-up. DAS can also provide SNA conversion for non-SNA devices, such as conversion >from 3270 BSC-3 (Datapac 3303 DSI/DSP) to physical unit type 2 (SNA 3270 SDLC representation), and ASCII/asynchronous (Datapac 3101) to physical unit type 1 (SNA ASCII SDLC representation). These SNA conversion features allow the customer to convert his host environment to SNA without modifying or replacing his existing terminal/device population. DAS also provides an extended conversion feature for 3270 devices that modifies the incoming data (3270) to an ASCII/asynchronous datastream and re-routes the traffic into the Datapac network. Thus providing external ASCII database access to the 3270 device population. Other DAS features include multiple host support, transparent path, host to network callout, extended console routines, code conversion, etc. Datapac International provides outgoing and incoming access to 6 U.S. based Networks and to over 100 packet-switched networks around the world. To successfully complete such calls, Datapac has implemented the International CCITT X.75 procedures and X.121 International numbering plan. Thus, the Datapac user originating an international call must use the following format: (1) (DNIC) (FOREIGN ADDRESS) : : : One defines the Datapac International.: : : Prefix. : : : : Packet networks are identified by a ........: : four digit number called a DNIC : (data network identification code) : : The foreign national address is .......................: expressed as an eight to ten digit address. Calls to international networks, other than those to the U.S., must be pre- paid; that is, placed from dedicated or private dial access, m The packet size for an international call must be 128 characters. On both the Summary and Detailed Usage Statements, Service Type (ST) codes are used to identify the type of Datapac service involved with a particular address. Service Service Type Description Code 00 U.S. and overseas 01 3000 Dedicated 02 3101 De Private Dial (300-1200 bps) 04* " Pub05 06 " Out -Dial 07 3201 Shared 08 3303 BSC (DSP) 09 3304 MLI 112 " " Private12 " " P14 3101 Dedicat1 16* " Public Dial (2.4Kbps) 18 3000 Public Dial 19 3303 SDLC (Terminal) 20 3201 Dedicated 21 3303 SDLC (Multihost) 25 3303 SNA/SDLC - Private and Dedicated 26 3001 Enhanced Datapac 3000 Dial trial for off-net in-dial 27 3002 Enhanced Datapac 3000 Dial trial for off-net out-dial On the Detailed Usage Statement, a code is used to indicate the class of the call set-up associated with the associated accounting record of a call. The following codes are used; C Regular call set-up - A call set-up charge applies; CP Priority Call set-up - A call set-up charge applies; N No call set-up - A call set-up charge DOES NOT apply and NP Priority no call set-up - A call set-up charge DOES NOT apply. On the Detailed Usage Statement, a code is used to describe the reason a particular call cleared. At the present time a 3 number code is being used. This will be replaced by a 2 character alpha-numeric code in mid-1991. A call set-up charge applies to those clear codes denoted by an * Clear Code Description 000 00 Trunk network congested 001 01 DSR is invalid 002 02 DSR cannot be reached 003 03 TM not responding 004 04 Address not in tree 005 05 Service down 006 06 Address served not in tree 007 07 Addressed service not ready 010 0A CPM busy 013 0D CPM busy 015 0F Out of norm state - reset 160 A0 Trunk network congested 161 A1 DSR invalid 162 A2 DSR unreachable 163 A3 Time out 164 A4 Address not in tree 165 A5 Service down 166 A6 Network address not found 167 * A7 Addressed service not ready 173 AD CPM busy 174 AE Reset address error 175 AF Reset state error 176 * B0 Local user clear (see note) 177 * B1 Remote user clear 178 B2 Close request from above 179 * B3 Local procedure error 180 * B4 Remote procedure error 181 B5 Message not wanted 182 B6 Packet not wanted 183 B7 CPM shot 184 B8 Call collision 185 B9 Network congestion 186 BA Common block fail 187 BB Local block fail 189 BD Invalid call 190 BE Incoming call prohibited 193 * C1 Local clear before remote accepted 194 C2 X.75 call to clear 195 C3 X.75 reset to clear 196 C4 NUI barred 198 C6 RPOA required 199 C7 RPOA invalid 208 D0 Packet network address error 209 D1 Service not up 210 D2 Service to go down 212 D3 No links up 212 D4 Links restarting 213 * D5 Link out of service 214 D6 No more calls 215 D7 Invalid logical channel number 216 * D8 No free logical channels at called address 217 D9 Nonexistent CUP 218 DA Failure to set up CUP 219 DB Application processor busy 220 DC No application processor 221 DD Maximum number of facilities exceeded 222 * DE Collect call refused 223 DF CUG violation 224 E0 Illegal facility 225 E1 LRC fail 226 E2 Service coming up 227 E3 Service not up Clear code 176 (B0) can also indicate a record was generated by the network for accounting purposes. This is most often associated with PVCs or long calls with a greater than 12 hour duration. The class for this type of record would be N or NP. In addition to the fixed monthly rates for Datapac access lines and options, the following charges apply: Internetwork Usage Rates and Holding Time Charges $/HOUR FOR $/HOUR FOR $/KS $/KS US ORIGINATED CDN. ORIGINATED NETWORK DNIC DP3000 DP3101 CALLS CALLS ACCUNET 3134 $ 2.65 $ 3.90 $ 2.00 DED. = $2.00 PUB. DIAL = $3.80 AUTONET 3126 $ 3.75 $ 5.10 $ 5.10 DED. = $0.60 PUB. DIAL = $2.40 BT TYMNET 3106 $ 2.75 $ 5.00 $ 5.60 DED. = $0.60 PUB. DIAL = $2.40 FEDEX 3138 $ 2.75 $ 5.10 $ 6.30 DED. = $0.60 3150 PUB. DIAL = $2.40 NET EXPRESS 3139 $ 2.50 N/A $ 0.60 DED. = $0.60 WESTERN 3101 $ 2.50 $ 5.00 $ 1.85 DED. = $0.60 UNION 3124 PUB.DIAL = $2.40 SPRINTNET 3120 $ 2.75 $ 5.10 $ 6.30 DED. = $0.60 PUB. DIAL = $2.40 (NOTE: DATAPAC 3303 (SDLC) IS ALSO SUPPORTED THROUGH SPRINTNET DP 3303 $/KS = $5.90 $/HR = NIL ) Notes: (1) Packet Assembler/Disassembler (PAD) charges are included each band. (2) Each individual call is rounded up to the next higher minute (3) Usage charges are calculated on a per Kilo-segment basis. A KS is 1000 segments; each segment is up to 128 characters. In addition to the fixed monthly rates for U.S. access lines, the following charges apply: Internetwork Usage Rates and Holding Time Charges NETWORK DNIC $/KS $/KS $/HOUR FOR $/HOUR FOR DP3000 DP3101 US ORIGINATED CDN. ORIGINATED CALLS CALLS ACCUNET 3134 $ 2.25 $ 3.25 $ 1.80 DED. $1.80 PUB. DIAL = $3.25 AUTONET 3126 $ 0.12 $ 0.15 $ 4.50 DED. = $0.60 (kchar) (kchar) PUB. DIAL = $2.40 BT TYMNET 3106 $ 0.07 $ 0.12 $ 4.98 DED. = $0.48 (kchar) (kchar) PUB. DIAL = $1.92 FEDEX 3138 $ 1.50 ( 0-1000 ks) $ 6.00 Not applicable $ 1.40 (1001-2999 ks) $ 1.30 (3000- + ks) NET EXPRESS 3139 $2.00 N/A $ 0.30 DED. = $0.48 WESTERN UNION 3101 (Not available...) SPRINTNET 3120 $ 2.35 $ 5.10 DED. = $0.60 DED. = $0.60 DIAL = $5.10 PUB. DIAL = $2.40 (NOTE: SDLC SERVICE IS ALSO SUPPORTED THROUGH SPRINTNET) DP 3303 $/KS = $4.80 $/HR = NIL) Notes: All above rates are in U.S. Currency (1) These charges represent both Datapac and selected U.S. Network holding time charges. (2) BT Tymnet cannot currently make sent-paid calls, but will be able to do so shortly. The Datapac outdial service is available in eighteen major centers (DPSA's) are being served by outdial. They are: Vancouver, Calgary, Edmonton, Regina, Saskatoon, Winnipeg, Toronto, Clarkson, London, Windsor, Kitchener, Hamilton, Ottawa, Montreal, Quebec, Halifax, Saint John (NB) and St John's (Nfld) and is only available at 300 and 1200 BPS. The outdial port uses profile 6, except that the user of the is allowed to escape to command mode by using outdial port "Control P". The destination terminal must be set at even parity in order to receive the outdial call. Once connected, Datapac 3000 users can set and read the remote ITI parameters by sending level 1 packets (X.29). Establish a call to Datapac via a dedicated or dial-in access. Note: If using a dial-in access, a network user identifier (NUI) must be activated before establishing the call. Enter the address of the outdial port. Datapac will respond with the following: DATAPAC: call connected ENTER DESTINATION TELEPHONE NUMBER/ENTRER LE NUMERO DE TELEPHONE DU DESTINAIRE Enter the 7-digit telephone number (Local) of the destination terminal. Datapac will respond with the following: DIALING/COMPOSITION DU NUMERO (XXX-XXXX) Printing the destination telephone number as it is dialed. Datapac will then indicate: RINGING/SONNERIE as the modem detects ringback tone. When the destination modem answers the call, Datapac will send the following message to the originating end: CALL CONNECTED/COMMUNICATION ETABLIE then proceed with your call. To clear a call upon completion, enter the clear command: (Control P) Clear Datapac will respond with the following: DATAPAC: call cleared - remote Note: If you have used a NUI to place the ca the network with the command: NUI Off Datapac will respond with the following: DATAPAC: network user identifier not active Well I have talked about Datapac outdials know I will include a list of outdial ports for the 18 cities that I mentioned above. Well here's the list. Calgary (ALTA) 300 63300900 1200 63300901 Clarkson (ONT) 300 91900900 1200 91900901 Edmonton (ALTA) 300 58700900 1200 58700901 Halifax (NS) 300 76101900 1200 76101901 Hamilton (ONT) 300 38500900 1200 38500901 Kitchener (ONT) 300 33400900 1200 33400901 London (ONT) 300 35600900 1200 35600901 Montreal (QUE) 300 82700902 1200 82700903 Ottawa (ONT) 300 85700901 1200 85700902 Quebec City (QUE) 300 48400900 1200 48400901 Regina (SASK) 300 72100900 1200 72100901 St-John's (NB) 300 74600900 1200 74600901 Saskatoon (SASK) 300 71200900 1200 71200901 St. John (NFLD) 300 78100900 1200 78100901 Toronto (ONT) 300 91600901 1200 91600902 Vancouver (BC) 300 67100900 1200 67100901 Windsor (ONT) 300 29500900 1200 29500901 Winnipeg (MAN) 300 69200902 1200 69200901 You want to hack a system on Datapac. So you decided to call and it connects onto the NUA you want, but you find you are having troubles getting the system to recognize your input. So here are some answers to some common problems people find when connecting to systems. The screen remains blank A physical link has failed - check the cables between computer, modem and phone line. The remote modem needs waking up - send a or failing that, a ENQ E, character The remote modem is operating at a different speed. Some modems can be brought up to speed by hitting successive 's; they usually begin at 120 Bps and then go to 300, and so on up the ladder. The remote is not working at V21 standards, either because it is different CCITT standard. Since different standards tend to have different wake-up tones which are easily recognized with practice, you may be able to spot what is happening. If you are calling a North American service you should assume Bell tones. Both your modem and that of the remote service are in answer or in originate and so cannot speak to each other. Always assume you are in the originate mode. The screen fills with random characters. Data format different from your defaults - check 7 or 8 bit characters, even/odd parity, stop and start bits. Mismatch of characters owing to misdefined protocol - check start/stop, try alternatively EOB/ACK and XON/XOFF. Remote computer operating at a different speed from you - try in order, 120, 300, 600, 1200, 2400, 4800, 9600, 14400, 19200, 38400. Poor physical connection - if using an acoustic coupler check location of handset, if not, listen on line to see if it is noisy or crossed. The remote service is not using ASCII/International Alphabet No 5. Every character appears twice. You are actually in half-duplex mode and the remote computer as well as your own are both sending characters to your screen - switch to full-duplex/echo o All information appears on only one li has the facility, enable it to induce carriage returns when each display line is filled. many online services and public dial-up ports let you configure the remote port to send carriage returns and vary line length. Your software may have a facility to show control characters, in which case you will see -K is the remote service is sending carriage returns. Most of the display makes sense, but every so often it becomes garbled. You have intermittent line noise - check if you can command line the remote computer to send the same stream again and see if you get the garbling. The remote service is sending graphics instructions which your computer and software can't resolve. The display contains recognized characters in definite groupings, but otherwise makes no sense. The data is intended for an intelligent terminal which will combine the transmitted data with a local program so that it makes sense. The data is intended for batch processing. The data is encrypted. Data seems to come from the remote computer in jerky bursts rather than as a smooth stream. If you are using PSS or a similar packet-switched service and it is near peak business hours either in your time zone or in that of the host you are accessing, the effect is due to heavy packet traffic. There is nothing you can do - do not send extra commands to speed up twill arrive at the host ev Most of the time everything works smoothly, but I can't get past certain prompts. The remote servr computenormally generate - check your terminal softw sending them. The following is a list of acronyms and terms which are often referred to in this document and others dealing with this subject. ACP - Adapter/Concentrator of Packets. ASCII - American Standard Code for Information Interchange alternate name for International Telegraph Alphabet No 5 - 7 bit code to symbolize common characters and comms instructions, usually transmitted as 8 bit code to include a parity bit. Asynchronous - Description of communications which rely on start and stop bits synchronize originator and receiver of data = hence asynchronous protocols, channels, modems, terminals, etc. Call Accept - In packet switching, the packet that confirms the party is willing to proceed with the call. Call Redirection - In packet switching, allows call to automatically redirected from original address to another, nominated address. Call Request - In packet switching, packet sent to initiate a datacall. Closed User Group - A type of high security NUI in use on several PSNs throughout the world. CUG users can access optional parameters and NUAs blocked out by security. CUG - Closed User Group. Data Circuit Terminating Equipment - Officalese for modems. Data Country Code - The first three digits in the four digits of any given DNIC. Data Network Identifier Code - The four digits which come before the area code/address/port address of any given NUA. The DNIC shows which PSN any given host is based upon. The DNIC can also be broken down into two parts, the DCC and the NC. For more information, see part VIII. Data Terminal Equipment - Officalese for computers. DCC - Data Country Code. DCE - Data circuit terminating equipment. Destination Paid Call - A collect call to a NUA which accepts collect charges. DNIC - Data Network Identifier Code. DTE - Data Terminal Equipment. DTE Address - The five digits following the area code of the host on any given NUA. For example, the NUA 234122345678 has a DTE address of 45678. Gateway - A host on a given PSN which is connected both the the originating PSN and one or more different or same PSN's. Gateways also allow one user on one PSN the ability to move to another PSN and operate on the second as if the first was not interfering. Host - Any system accessible by NUA on the PSN. Hunt/Confirm Sequence - String of characters sent to the SprintNet POTS dialin/port which allows SprintNet to determine the speed and data type to translate to on its PAD. ITI Parameters - Online PAD parameters (X.3 or ITI) which allow the user to modify existing physical measurements of packet length and otherwise. LAN - Local Area Network. Local Area Network - A data network which operates within the confines of an office building or other physical structure where several computers are linked together into a network in order to share data, hardware, resources, etc. These may or may not own a host address on any data network, and if so, may be accessed via NUA; otherwise direct dialin is the only alternative. NC - Network Code. NCP - Nodes of Communication of Packets. Network Code - The fourth digit of any given PSN's DNIC. Network Protocol - The hardware protocol which allows the host systems to communicate efficiently with the PSN it is connected to. Generally, synchronous protocols (X.??) are used within the network and asynchronous protocols (V.??) are used to access the network, but asynchronous protocols within the network and/or synchronous dialin points are not unheard of. The standard protocol for packet transfer today is the X.25 synchronous data protocol. For detailed information, please see part V and Appendix F. Network User Address - The address of any given host system on any PSN. This address is thought of as a "phone number" which is dialed to access the desired host. Network User Identifier - The ID and password which allow the user which has logged onto the PSN's PAD to originate calls to host systems which do not accept collect calls. it is often thought of as a "k0de" or a calling card which will be billed for at the end of every month. NUA - Network User Address. NUI - Network User Identifier. Outdial - Any system which allows local, national, or international dialing from the host system. PC-Pursuit can be defined as a local outdial system. Most outdials operate using the Hayes AT command set and others may be menu oriented. Packet Assembler/Disassembler - The device/host which translates the actual input/output between the host and the user. The PAD often translates between baud rates, parities, data bits, stop bits, hardware protocols, and other hardware dependant data which reduces the hassle of continual modification of terminal and hardware parameters local to the originating terminal. Packet Switched Exchange - Enables packet switching in a network. Packet Switched Network - A network based upon the principle of packet switching, which is the input/output of packets to and from the PAD which translates input and output between the user and the host. For detailed information, please see part IV. Packet Switched System - Another name for the PSN. Packet Switch Stream - The PSN used by British Telecom. PAD Delay - The extra time that is used to translate incoming and outgoing packets of data which is composed of a continuous stream of clear-to-send and ready-to-send signals. PAD delay can vary depending on the type of network protocol and network/port speed is being used. PAD - Packet Assembler/Disassembler (technical), Public Access Device (customer service description). PDN - Public Data Network or Private Data Network. Port Address - The two optional digits at the end of any given NUA which allow the PAD/PSN to access a given port. For example, 131202129922255 would reach the NUA 31202129922255, 55 being the port address. Private Data Network - Any network (LAN/WAN/PSN) which is owned and operated by a private company. Private networks are usually smaller than public networks and may host a myriad of features such as gateways to other public/private networks, servers, or outdials. PSE - Packet Switch Exchange. PSN - Packet Switched Network. PSS - Packet Switch Stream or Packet Switched System. PTSN - Public Switched Telephone Network. Public Data Network - Another name for the PSN. Public Switched Telephone Network - The voice grade telephone network dialed from a phone. Contrast with leased lines, digital networks, conditioned lines. Server - A type of network which is connected to a host system which can be reached either via NUA or direct dial which provides the "brain" for a LAN or WAN. V.?? - Asynchronous network protocol. V1 - Power levels for data transmission over telephone lines. V3 - International Alphabet No 5 (ASCII). V4 - General structure of signals of IA5 code for data transmission over public telephone network. V5 - Standardization of modulation rates and data signalling rates for synchronous transmission in general switched network. V6 - Standardization of modulation rates and data signalling rates for synchronous transmission on leased circuits. V13 - Answerback simulator. V15 - Use of acoustic coupling for data transmission. V19 - Modems for parallel data transmission using telephone signalling frequencies. V20 - Parallel data transmission modems standardized for universal use in the general switched telephone network. V21 - 300 bps modem standarized. V22 - 1200 bps full duplex 2-wire modem for PTSN. V22 bis - 2400 bps full duplex 2-wire modem for PTSN. V23 - 600/1200 bps modem for PTSN. V24 - List of definitions for interchange circuits between data terminal equipment and data circuit terminating equipment. V25 - Automatic calling and/or answering equipment on PTSN. V26 - 2400 bps mode on 4-wire circuit. V26 bis - 2400/1200 bps modem for PTSN. V27 - 4800 bps modem for leased circuits. V27 bis - 4800 bps modem (equalized) for leased circuits. V27 ter - 4800 bps modem for PTSN. V29 - 9600 bps modem for leased circuits. V35 - Data transmission at 48 kbps using 60-108 kHz band circuits. V42 - Combined error correction and data compression standard to give 9600 bps on dial-up lines. WAN - Wide Area Network. Wide Area Network - A data network which operates on a continuous link basis as opposed to the packet switched basis. These do not operate on the X.25 protocol and may only be accessed via direct-dial or a host on a PSN which is linked with the WAN. X.?? - Generally symbolizes some type of synchronous network protocol. X1 - International user classes of services in public data networks. X2 - International user facilities in public data networks. X3 - Packet assembly/disassembly facility (PAD). X4 - General structure of signals of IA5 code for transmission over public data networks. X20 - Interface between data terminal equipment and a data circuit terminating equipment for start stop transmission services on public data networks. X20 bis - V21 compatible interface. X21 - Interface for synchronous operation. X25 - Interface between data terminal equipment and data circuit terminating equipment for terminals operating in the packet switch mode on public data networks. X28 - DTE/DCE interface for start/stop mode terminal equipment accessing a PAD on a public data network. X29 - Procedures for exchange of control information and user data between a packet modem DTE and a PAD X95 - Network parameters in public data networks. X96 - Call process signals in public data networks X121 - International addressing scheme for PDN's. X400 - Standards for electronic mail, covering addressing and presentation. Some interesting books I think you should read that are related to Phreaking & Hacking: Cyberpunk - Outlaws And Hackers On The Computer Frontier, By Katie Hafner And John Markoff, Simon And Schuster Incorporated, Simon And Schuster Building, Rockefeller Center, 1230 Avenue Of The Americas, New York City, NY 10020, 1991, 368 Pages Data Theft, By Hugo Cornwall, Mandarin Paperbacks, Michelin House, 81 Fulham Road, London, England SW3 6RB, 1989, 402 pages Hacker's - Heros Of The Computer Revolution, By Steven Levy, Bantam Doubleday Dell Publishing Group Incorporated, 666 Fifth Avenue, New York City, New York 10103, 1985, 448 Pages New Hacker's Handbook, By Hugo Cornwall, Century Hutchinson Limited, Brookmount House, 62-65 Chandos Place, Covent Garden, London, England WC2N 4NW, 1989, 194 pages The Cuckoo's Egg, By Cliff Stoll, Pocket Books A Division Of Simon And Schuster Incorporated, Simon And Schuster Building, Rockefeller Center, 1230 Avenue Of The Americas, New York City, NY 10020, 1990, 356 Pages The Hacker's Handbook, By Hugo Cornwall, E Author Brown Company, 3404 Pawnee Drive, Alexandia, MN 56308, 1986, 186 Pages -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- -=- The Empire Times -=- Volume 1, Issue 2, File 10 of 11 SummerCon '92 (The Conference) By Albatross ******************** * Empire Times * * Present: * * * * SummerCon '92 * * St. Louis,MO * * June 26th - 28th * ******************** SummerCon: (Day 2, Saturday June 27th) ---------- The Morning started off with everybody waking up with hang overs and and wet condoms from the previous night with the little girls. Anyhow Saturday was the day of the conference which was suppose to begin at 1pm but was postpone due to late fucks. ANyhow after the shit got going there were some speakers on some intestiing shit with you should check out: SummerCon Conference: -------------------- Dispatar: Opened up The Meeting with a little chat about Phrack and what everything was about etc.. Nothing all That!! Gatsby: His Speech was on that crazy 1000 member bust of some carding ring way out in California some where that was just blown outta proportion. Anyhow Gatsby was saying that the 1,000 member card ring was just The Crypt Keeper blabbing his whole fucking story to the Feds and more or less did nothing more but rat on everybody cause he was scared from the feds {WHAT NOT TO DO!!} Gatsby more or less wrapped it up with by talking about what all has happen since that bust and who all was this and that etc.... Emmanuel: Mr 2600 man got up to speak about the beginnings of 2600 and what all it really stands for and what type do. 2600 has about 15,000 Subscribers and about 3,000 newstand locations, and all there info is encrypted and in very secure locations, so in other words nobody knows you from your membership info, unless the decide to read the mailing labels as there passing thru the Post Office which is a crime in the first place.. Anyhow Emmanuel is looking for Writers to give 2600 a big hand cause there desperate for some writers and he also states that he will publish anybody's SSN (ie. George Bush) Control-C: Mr Ex-LOD member got up to talk on how he got a job with Michigan Bell Security by breaking into there systems, but he then lost his job because some Bell employee never liked him cause he was a Criminal and shit, and also cause the contract said he could break into and test Michigan Bell's security but he went over board and the Government said he had no contract not to fuck with them. (Fucking Feds) Anyhow The feds bust Control-C and they get other Ex-LOD members to testify against Control-C at a grand jury investigation so that they would end up with lighter sentences and all the wimpy shit that goes alone with that Backstabing move.. Signal Surfer: Super Hacker Signal Surfer talks about his new software that he is look for people to Beta test for him on either IBM's of Mac's. The Software will allow you to get a legal internet account and address so that you can recieve mail and read news groups and all that shit (Just not telnet or FTP shit). The Software is great cause I'm beta testing it and I love it so far, it's great for a email site (Look 4 my address). NOTE: If you wish to beta test this software called WorldLink you can reach Signal Surfer (Robert Stratton) at: InterCon Voice: 703-709-9890 ext. 253 950 Herndon Parkway FAX: 703-709-9896 Herndon, VA 22070 Email: strat@intercon.com Predat0r: This is the man behind TAP magazine. Dude to the fact that predator didn't want Chris Coggins camera on during his speech I'll hold back some details on his talk. Pred, was talking about how they did some shit and obtained a 3,000 dollar computer so he could run a board But due to some problems it had to be sold, and in the process of being sold the G-Men snagged them and he served some time behind bars. Anyhow on a lighter note, Tap Magazine is planning on being back in The Fall of '92 and Tap is also looking for writers: You can reach Predator on The Blitzkrieg BBS located in Knoxville, Kentucky The Blitzkrieg BBS 502-499-8933 502-491-5198 NUP: Columbian Coke ICOM: This is a cool dude behind a somewhat small but growing printed mag called 'CyberTek' (Great shit), The mag is loaded with stuff on making your own Pirate Radio/TV station and fucking with caller ID and many other Tek/Anarchy type of projects. To get a hold of this great mag you can reach ICOM at: The New CyberTek BBS -------------------- Uncensored: (914) 761-6877 The Implosion: (914) 762-6954 Blood Axe: This is the legendary Chris Coggins, the man looking for a job that doesn't wanna cut his hair. Anyhow Chris talked about everything and just went on and on, but some of the key key things he had to say was about his artical in Computer World Magazine on computer hackers and shit like that. Also Blood Axe went into shit on PSN networks, but over all it was pretty informative.... Mr. Drunkfux: Talked about all the shit that happened at HoHo Con back in '91 and how the hotel got totally trashed like shit. The Hotel security tried to blame The Hoho Con organizers for fires in the hallways and holes in the walls, and Drunkfux was getting on there shit like 'Well if there was a fire what happen to the smoke alarms' and how they had witnesses that say that they say hotel employees punch holes in the walls just so they could blame it on HoHo Con.. fuck that shit... More or less that was end of teh SummerCon Conference, and I compiled a listing of what States were being represented by at the conference and they were: Massachusetts Argentina (The Country) Texas Missouri Illinois Maryland Louisiana Virginia Florida New York Kentucky Indiana California Mississippi South Carolina Colorado Michigan That was the end of the high point of the Conference, and so we shall wait till next year when more people shall come and bring more computers with them and do more hacking, and all that shit... (And make gifs from pictures) Anyhow, Till Next we meet, See ya!!!!!! SummerCon 4 ever Phrack: 1 Secret Service: 0 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- -=- The Empire Times -=- Volume 1, Issue 2, File 11 of 11 M.O.D (Masters of Disaster) Get Busted 5 Computer Hackers Charged with Tampering, Fraud, Conspiracy July 8, 1992 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ By Samuel Maull (Associated Press) NEW YORK -- Five computer "hackers" have been indicted on federal charges of breaking into computer systems run by telephone companies, credit reporting services and educational institutions, officials said. The hackers, in their teens and 20s, did it to show off for their peers, to harass people they didn't like, to obtain services without paying, and to get information they could sell, said U.S. Attorney Otto Obermaier. During these invasions, they obtained 176 credit reports from the TRW credit information company, destroyed an education series of a television station, and left electronic graffiti on an NBC television news show. Obermaier said much of the evidence against the defendants was obtained through wiretaps which were the first ever used to intercept data exchanges between computers communicating with each other. The defendants were part of a group of hackers, people adept at using computers to get into other computers or data systems, who called themselves MOD, which stands for "masters of disaster" or "masters of deception." Obermaier said MOD's members include Julio "Outlaw" Fernandez, 18, John "Corrupt" Lee, 21, Mark "Phiber Optik" Abene, 20, Elias "Acid Phreak" Ladopolous, 22, and Paul "Scorpion" Stira, 22. All are from New York. They are charged with computer tampering, computer fraud, wire fraud, illegal wiretapping and conspiracy. They will be arraigned Manhattan federal court on July 16. Each count is punishable by up to five years in prison. The indictment charges that on November 28, 1989, MOD destroyed the information in WNET Channel 13's Learning Link computer in New York City. Learning Link provided education and instructional material to hundreds of schools and teachers in New York, New Jersey and Connecticut. A message left on the Learning Link computer said, "Happy Thanksgiving, you turkeys, from all of us at MOD." The message was signed "Acid Phreak," "Phiber Optik," and "Scorpion," said Stephen Fishbein, assistant U.S. attorney in charge of the prosecution. During an NBC news broadcast on November 14, 1990, two hackers identified as "Acid Phreak" and "Phiber Optik" claimed responsibility for sending the "Happy Thanksgiving" message that appeared on the screen, Fishbein said. The hackers also allegedly broke into telephone switching computers operated by Southwestern Bell, New York Telephone, Pacific Bell, US West and Martin Marietta Electronics Information and Missile Group. In some case the defendants added and altered calling features. For example they call-forwarded local numbers to long distance numbers so they could get long distance calls for the price of a local call, Obermaier said. Southwestern Bell reported it lost some $370,000 in 1991 because of computer tampering by three of the defendants. Obermaier said no defense intelligence was compromised by the Martin Marietta invasion. Two other defendants, Morton Rosenfeld, 21, and Alfredo de la Fe [Renegade Hacker], 18, pleaded guilty to conspiracy to use and traffic in unauthorized access devices in connection with MOD's activities. _______________________________________________________________________________ Hackers Indicted For Breaking Into Phone, Credit Systems July 8, 1992 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ By Gail Appleson (Reuter Business Report) NEW YORK -- A group of computer hackers has been indicted for breaking into computer systems operated by major telephone companies and credit reporting agencies in what prosecutors said were "crimes of the future." The charges mark the first time court-authorized wiretaps were used to obtain conversations and data transmissions of computer hackers, the government said. "I see these cases as crimes of the future," Ray Schaddick of the Secret Service, told a news conference. The indictment alleges the defendants broke into computer switching systems operated by Southwestern Bell, New York Telephone, Pacific Bell, U S West and Martin Marietta Electronics Information and Missile Group. Southwestern Bell allegedly lost $370,000 because of the crimes. The defendants also allegedly tampered with systems owned by the nation's largest credit reporting companies, including TRW, Trans Union and Information America. They allegedly obtained 176 TRW credit reports on various individuals. The indictment does not state a total amount of money lost by victims of the tampering, and Manhattan U.S. Attorney Otto Obermaier said the hackers, who were all under the age of 22, were often just after power. Indeed, the men called themselves "MOD," an acronym used variously for "Masters of Disaster" and "Masters of Deception." They used individual aliases such as "Corrupt," "Outlaw," "Phiber Optik" and "Acid Phreak." Obermaier quoted the indictment as alleging the group broke into the computers "to enhance their image and prestige among other computer hackers and to harass and intimidate rival hackers and other people they did not like." One of the defendants allegedly said that he wanted information that would let him change TRW credit reports so he and others could "destroy people's lives or make them look like saints." The defendants also allegedly infiltrated computers systems to obtain telephone, credit, information and other services without paying from them and to obtain passwords, account numbers and other information they could sell to others. On one occasion they allegedly intercepted data communications on a network operated by Bank of America and they wiped out almost all of the information contained on a system operated by the Public Broadcasting System affiliate in New York, WNET, that provided educational materials to schools in New York, New Jersey and Connecticut. They left a message on the computer that said "Happy Thanksgiving you turkeys, from all of us at MOD." The defendants in the case are Julio Fernandez, 18; John Lee, 21; Mark Abene, 20; Elias Ladopoulos, 22, and Paul Stira, 22. All are from New York. The indictment contains 11 counts of computer tampering, computer and wire fraud, illegal wire tapping and conspiracy. If convicted, the defendants face a possible maximum prison term of more than 50 years and fines of more than $2.5 million. Prosecutors said two other defendants previously pleaded guilty to buying information from the five hackers. _______________________________________________________________________________ Computer "Masters of Disaster" Indicted July 8, 1992 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Taken from United Press International NEW YORK -- Five alleged computer hackers known as "Masters of Disaster" were indicted on federal charges for breaking into computers of major institutions for fun and for gain, authorities said. The defendants, known as "MOD" or "Masters of Disaster/Masters of Deception," broke into computers "to harass and intimidate rival hackers and other people they did not like; to obtain telephone, credit, information and other services without paying for them; and to obtain passwords, account numbers and other things of value which they could sell to others," the indictment said. The case marked the first court-authorized use of wiretaps in an investigation to obtain data transmissions of computer hackers who use computer-connected telephone lines for unauthorized access to other computers, said a spokesman for U.S. Attorney Otto Obermaier. The indictment was announced with two arrests in separate, but related computer fraud cases. Among the computers the defendants allegedly broke into were telephone switching computers operated by Southwestern Bell, New York Telephone, Pacific Bell, U.S. West and Martin Marietta Electronics Information and Missile Group. The hackers also allegedly wiped out of almost all information within the Learning Link computer operated by WNET and left the words, "Happy Thanksgiving you turkeys, from all of us at MOD." Southwestern Bell allegedly lost about $370,000 in 1991, due to alleged tampering by three of the defendants, two of whom also allegedly intercepted data on a network operated by the Bank of America. With access to credit and information services such as TRW, one of the alleged hackers claimed he could "destroy people's lives or make them look like saints," the indictment said. The defendants were identified as Julio "Outlaw" Fernandez, 18, of the Bronx; John "Corrupt" Lee, also known as John Farrington, 21, of Brooklyn; Mark "Phiber Optik" Abene, 20, of Queens; Elias "Acid Phreak" Ladopoulos, 22, of Queens, and Paul "Scorpion" Stira, 22, also of Queens. They are scheduled for arraignment at 10 am, July 16 in U.S. District Court in Manhattan on charges of fraud, wire fraud, illegal wiretapping and conspiracy. In November 1991, Fernandez and Lee sold information to Morton Rosenfeld on accessing credit services and later provided a TRW account number and password that was used to obtain about 176 TRW credit reports on individuals. Rosenfeld, 21, of Brooklyn, pleaded guilty to conspiracy on June 24. Alfredo De La Fe [Renegade Hacker], 18, of Manhattan, pleaded guilty on June 19, to using and selling telephone numbers and codes. Rosenfeld must appear September 9 for sentencing, De La Fe on August 31. Obermaier's office conducted the probe with James Heavey, special-agent-in- charge of New York's U.S. Secret Service, William Doran, special-agent-in- charge of New York's FBI office, and Scott Charney, chief of the computer crime unit of the Department of Justice. _______________________________________________________________________________