private line magazine and e-zine back issue text archive. Caution when using any material here which is now very much dated.

(1)_(1A)_(2)_(2A)_(3)_(3A)_(4)_(4A)_(5)_(5A)_(6)_(6A)_(7)_(7A)

_(11)_(11A) (12)_(12A)

----------------------------------------------------

VOLUME 1, NUMBER 3 -- PRIVATE LINE: A JOURNAL OF INQUIRY INTO THE TELEPHONE SYSTEM

INFORMATION ON PRIVATE LINE

I. EDITORIAL PAGE

II. UPDATES AND CORRECTIONS

III AN INTRODUCTION TO LOCAL SCANNING

IV. DEF CON II REVIEW: FEAR AND HACKING IN LAS VEGAS

V. ROAD TRIP TO VEGAS

IV. A FEW THOUGHTS ON EMS AND 911

----------------------------------------------------

GENERAL INFORMATION ON PRIVATE LINE ISSN No. 1077-3487

A. private line is published six times a year by Tom Farley. Copyright (c) 1994 It runs 24 to 28 pages. It's done in black and white.

B. Subscriptions: $24 a year for subscriber's in the U.S. $31 to Canada or Mexico. $44 overseas. Mailed first class or equivalent. 1. Make checks or money orders payable in US funds to private line. 2. Back issues are five dollars apiece. 3. A sample is four dollars. 4. The mailing list is not available to anyone but me.

C. Mailing address: 5150 Fair Oaks Blvd. #101-348, Carmichael, CA 95608

D. e-mail address: privateline@delphi.com

E. Phone numbers: (916) 488-4231 Voice (916) 978-0810 FAX

F. Submissions: Go for it! Anything semi-technical is strongly encouraged. I pay with subscriptions.

G. Ads: Yes, I'm taking electronic related ads. A full page is $75.00, a half page $37.50 and a quarter $18.75. Subscribers get free classified ads of 25 words or less.

H. Feel free to post this file at any site or on any BBS you wish. I just ask that you keep the file together and not sell any hardcopy version of it. Fair enough?

I. The fourth issue is now on sale. Send me four dollars or ask your dealer to get it through Fine Print Distributors.

------------------------------------------------------------------

I. EDITORIAL PAGE

Going National; War Footing

Welcome to the third issue of private line. I hope you enjoy it. The look and feel of this issue is different from the first two. Why? Well, it's an effort to make the magazine more readable. The first two issues had a great deal of information. I presented that information, however, in a dry, humorless form. Without enough pictures and photographs. I think I can do better, in fact, I know that I must. private line is going national.

I got a letter from Fine Print Distributors of Austin, Texas when I got back from Def Con. Fine Print distributes FactSheet5 as well as several hundred other periodicals. They wanted to distribute private line. I was happy that I had found a way to put the magazine on newsstands. That's where my readers are. But Fine Print wanted 250 copies to start. As in starting now. And that's when the problems began.

I had been producing private line cheaply by myself. I'd take the originals to Kinkos and run off twenty-five or thirty copies at a time. It was an affordable, part time hobby. Two hundred and fifty copies, however, is quite a different thing. That would cost at least 300 dollars. Plus shipping. I would prefer, however, to print 350 copies since I sell back issues and because I need samples. That's at least four hundred and fifty dollars. For the first issue. With five more needed for 1995. With no guarantee that the magazine would sell. I could be down over three thousand dollars in less than a year. What to do? I needed financing, a small business plan and some advertisers. A scanner to add pictures. And time to learn how to produce a more readable magazine.

So, I punted. I put off the distributor. I explained the problems and they were very nice about it. They would be ready when I was. I thought that the first of the year would be a good idea. The first national edition, therefore, comes out in January of 1995. private line is now on a war footing. We're behind schedule but world domination will begin soon. We will never put off a major decision again. Instead, every opportunity will be exploited immediately. private line's staff has dispersed and gone to ground. This assures the public that the national issue will not be stopped. We'll come out swinging for the national edition. Speaking of which, let me tell you about some new things scheduled for the January issue.

Chris Hall of Executive Protection Associates has agreed to write a column. He's their Chief Operating Officer. This company deals with, among other things, industrial espionage and corporate spying. He helped give a great talk at Def Con. His first column may be on telephone bugs.

John Higdon will write a column about telecom from a non-corporate point of view. John keeps alt.dcom.telecom.tech together. It is the most technically grounded newsgroup. John is a good writer with common sense. His posts are always informative and independent.

I will add a small column on telephony and the internet. I'll try to list which resources feature information on communications. The internet is a great help to learning. Books and magazines are wonderful but limited. Try to find, for example, a recent American book on pay phones. There aren't any. But you may find a coin line expert in a newsgroup who is willing to talk. Many people in these groups have worked their entire lives in telecom. They have insights and answers that you will not find anywhere else.

In the meantime, this issue will concentrate less on technical issues and more on observation and opinion. There is no other way to comment on Def Con. The January issue will have more real information. There may be less, however, than in the first two issues because of the space taken up by the photographs. Still, the information that is presented will be more understandable than in the past. I wish you all well and I hope you contribute.

73's

Tom Farley

II. UPDATES AND CORRECTIONS

1. I made a big mistake in the second issue. It's in the Coin First Coin Line article. In paragraph 3.31 I wrote that ". . . coin first did contribute something that it is used to this day by every dial tone first telco pay phone. It's called ground start." Wrong, wrong, wrong. Pay phones actually use loop start, just like ordinary phones. Pay phones do use a ground to produce many signals but they do not depend on it for making the original connection. A pay phone may use groundstart for origination as an option. Groundstart is the rare exception and not the rule. Let's go over my mistake. It says something about making assumptions, the lack of good reference material and about how useful the internet is.

2. Ground start first interested me because it is unusual. A telco coin line is different in many ways than a normal subscriber line. That made it easy for me to think that a coin phone originated a call in a different way. Fike and Friend stated that "Ground start lines are used on loops connecting PBXs to the central office, and in other situations where it is desireable to detect a line that has been selected for use (seizure of the line) instantaneously from either side of the line." (emphasis added) (1)

3. What were these other situations? Pay phones. A table in Engineering and Operations in The Bell System describes the various kinds of loop signaling. It says that coin stations use "loop start or ground start origination" and that loop signaling may involve "ground- start format similar to coin service for PBX-CO trunks. (2) Freeman reprinted this table without comment in his weighty tome. (3) Seemed like good enough authority to me. The language in the chart, however, was conditional. It said may. I thought these three sources proved that pay phones used ground start. All I proved, however, was that pay phones might use ground start. I never went back to check my notes once I made my conclusion.

4. There's more. I didn't know why ground start was used. So I speculated. I thought it tied up switching equipment for less time than loop start. After all, time was the chief reason why the Bell System chose coin first instead of post pay at the turn of the century. I described their decision in the Post Pay article in the first issue. In the second issue I quoted Bell System literature that detailed how concerned they were with this problem when they re-introduced dial tone first in 1968.

5. My speculative argument assumed that ground start is quicker than loop start. Supporting this assumption was Fike's use of the word "instantaneously" in the quotation previously mentioned. Instantaneously seizing a line, however, seems to refer to PBX operation; not the "other situations" that he also mentioned. Seizing the line instantaneously may prevent an incoming call from displacing an outgoing call with a PBX. It does not mean necessarily that ground start is faster. I myself alluded to this in Telco Payphone Basics, Part II.

6. In paragraph 1.71-2(2) I said that DC signals are quick. That's a chief reason for their use. Ground start is a DC signal just like loop start. I pointed out that a DC signal traveling at even 60% of the speed of light would be moving at near a hundred thousand miles a second. What difference in time would there be, therefore, between ground start and loop start? Most pay phones are within three to eight miles of a central office. All DC signals must act as if they are instantaneous. Any difference in time between loop start or ground start is probably minuscule or irrelevant or both.

7. That's not all. I used two other facts to bolster my argument that pay phones used ground start. This part of the argument was also wrong. The presence of a coin is detected by the presence of a ground. Dial tone first, I thought, would then utilize ground start as part of its operating system. Not so. One does not depend on the other. Loop start can be used even if a ground is used for other things. Reeve clears up all this confusion in his excellent chapter on Coin Line Services. He says that "(M)ost prepay paystations are loop start, but many can be optioned for ground start."(4)

8. I found out about my mistake from alt.dcom.telecom.tech. I got involved in a discussion about ground start. People commented on why it was used in PBX operation. No one, however, mentioned pay phones. So I did. I asked why COCOTs used it and not telco pay phones. A coin line expert named Jay replied in great detail that both kinds used loop start. I was rather defensive at first since it went against what I had written. His comments, however, forced me to go back to my notes. He was right. He also gave details about coin phones that I have not found elsewhere. This is what makes the newsgroups so compelling. A question, though, remains: why would a pay phone use ground start? Why would a coin line be optioned for this method? I'm still working on finding this out.

NOTES:

(1.) Rey, R.F., ed. Engineering and Operations in the Bell System. 2d ed. Murray Hills, N.J. AT&T Bell Laboratories. 1983

(2.) Fike, John L. and George Friend. Understanding Telephone Electronics. 2d. ed. Carmel, SAMS 1990 191

(3.) Freeman, Roger L. Reference Manual for Telecommunications Engineering Wiley Interscience. New York 1985 74

(4.) Reeve, Whitman D. Subscriber Loop Signaling and Transmission Handbook: Analog. New York: Institute of Electrical and Electronics Engineers. IEEE Press. 1992 223

III AN INTRODUCTION TO LOCAL SCANNING

9. Editor's Note: I hoped to make this article a complete guide to local scanning but time ran out on me. I had to turn over the entire project to a local hacker at the last moment. Biff was incensed that I dumped this on him. He did agree, though, to write the following introduction.

An Introduction

10. Local scanning is a systematic attempt to find interesting phone numbers. It is a daunting task in many cases because of the number of numbers. A prefix contains 10,000 possible numbers. A large city may contain hundreds of prefixes. Even smaller cities have access to a huge wealth of possibilities. The village of Fair Oaks, for example, uses only 11 prefixes. A local call, for them, however, goes out to a total of 149 prefixes. That's 160,000 possible numbers to investigate with a local call. And, of course, that does not include unlisted prefixes, test numbers or telco numbers. Let's start at the beginning.

Some History

11. The first three digits in a phone number guide the call to the right central office or exchange. The next four digits direct the call to the right subscriber in that exchange. Why 10,000 numbers in a prefix? Why not a thousand? Or 3,425? It's because early switching equipment was designed that way. Tradition continues it. Step by step equipment was arranged in banks of one hundred contacts. Each bank or selector had ten rows of ten contacts. Three banks produced 10,000 numbers. Smaller communities used two banks. Bigger cities used four. It's easier to study the old diagram below.

The Big Picture

12. The prefix map on the next page represents a look at one city's prefixes. It is the logical map to develop if you are interested in your city as a whole. A better map would be color coded. Cell prefixes would be printed in one color, pager prefixes another, governmental agencies would occupy still another. Most prefixes are not dedicated to a single use but you could note the ones that were.

Getting Started: Some Suggestions

13. This depends on what you want to do. What you're interested in. If you are in a big city you have hundreds of thousands of possible numbers to call. Here are some suggestions if you're not sure:

14. a.) The ANAC Angle: Absolutely critical to find. Your first assignment. ANAC stands for automatic number announcement circuit. It's a phone number that you call to get the number you are calling from. Linemen use it to verify the line that they are working on. You can use it to find the number of a pay phone that no longer has its number displayed. Among other things. ANAC's are central office specific. They can vary from one city to another, or even from parts of one city to another. ANAC lists are scattered about the internet and even on services like Compuserve. These are lists built on the definitive anac guide article published in the Autumn 1990 issue of 2600. I did not reproduce it because it is copyrighted. In any case, these lists do exist and they are arranged by area codes. You may not find your number. I have not seen, for example, an ANAC ever listed for 916. So you must search. Many ANACS revolve around touch tone keys that are close together. There are a great deal of "2's" and "1's" in the guides. This probably makes it easy for the lineman to punch in a number quickly.

15. I found the ANAC for my part of town in six tries. It's (916) 211-2222. It was a fantastic piece of luck but I did concentrate on "2's" and "1's". I had a plan. I may, though, go to Davis and hunt for hours. If you are really frustrated then get to a 2600 meeting. Post a message to alt.2600. But try first. And then spread the wealth. I had my local ANAC up on the net within five minutes of its discovery. There are 800 numbers that do the same thing. A local ANAC is preferable since it keeps the 800 number from being abused.

16. b.) The Payphone Angle: Telco payphones rely on specific circuitry at specific central offices. Not all CO's have the hardware to perform coin line functions. Telco payphones, therefore, have been tied to certain CO's. Your mission, should you decide to accept it, is to map out the locations and numbers of each payphone in an area near you. You can investigate them further once your inventory is completed. Here are some tips.

17. An old Thomas map book works great for noting the location of each phone. The particulars ought to be logged in a notebook, with the kind of information I have in my sample sheet on page 55. Do not ignore the wiley COCOT. Many started out as telco payphones. Many still have the same number they did when the telco owned them. They may not be tied to the same circuitry but they do provide clues with their numbers. Speaking of numbers, an 800 ANAC is sometimes essential to have if the number is missing. Although ANAC calls are free with most telco phones, a private phone may charge for the call if it can be completed. Their automated coin toll service or ACTS may ask you for a substantial sum. And then you might just get a long distance call and not the number reading back to you.

18. c.) The Telco Angle: Scanning for telephone company numbers. Always fascinating. Try the lower end of the biggest, oldest exchanges. You'll note in your phone book that certain prefixes are tied together. For example, 440-449 or 451-457. Start out at the bottom of 440. Numbers like 440-0031, 0041, 0003 and so on. Try the first 100 numbers for that exchange. Try the top 100 if nothing is there. You'll find tons of interesting numbers if you are persistent. The bottom of 440, for example, is like an announcement store. You get recordings like "Due to telephone company facility trouble, your call cannot be completed at this time." Or, "Due to heavy calling, your call cannot be completed at this time." Even the ominous, "There is no charge for this call. This number has been disconnected as a result of a recent federal court decision and Pacific Bell's business policy."

19. You'll also find test tones and telco modem numbers in places like these. You might also pick up the telco name for each exchange. Someone picks up the line at the bottom of 440 with just the words "Main" Calling it that makes sense since it is the largest CO downtown. But who would know what "Ivanhoe" means in the 481 exchange? Well, I do. The 481 used to be dialed with IV when letters were used. IVanhoe 8349, for example. To this day, the only human you'll find at the bottom of 481 still answers "Ivanhoe" when he answers the phone. It's still their name for that exchange. Telco tradition dies slowly if at all. By the way, you can find a list of these older names at a well stocked local libary. Look in old newspapers or any locally produced magazine from before 1955 or so. Ads in the back of old high school year books work well, too.

20. d.) The Answering Service Angle: I've had good results with this, although I'm not sure what I have. Older, smaller exchanges often had answering services tied to a particular range. You can still find this in most cities. Call numbers near existing services. No need to call a listed number. You'll get answering machines that are actually voice mail locations, weird tie lines and merchant credit numbers. It's all quite strange. Perhaps the telcos grouped the answering services together in order to deal with heavier loads. Maybe it says something about the switch.

21. e.) The Governmental Telephone System Angle: Always intriguing. I find it fascinating the way that certain counties arrange their communications. You get a taste of this on page 63. Each little community or district needs to communicate with the county seat. Many times it is simply with ordinary dial up lines. Other times it is most complex. Best approach is to poach the relevant county phone book in order to get started.

Logging Your Calls

22. The most difficult part of scanning is keeping your records organized. It's just about impossible with paper. It could be done with the right software, but that is quite a project. Let's look at paper first. Check out the experimental worksheet on page 55. It's nothing special, just a table done in Word. The spacing, though, is correct. You need that much room to make notes. And you need the numbers to be printed out before you make a call. Don't write down each number as you go. It doesn't work. Notice how one sheet only covers 100 numbers. One prefix, however, needs 100 sheets. What's needed is the right equation for EXCEL. You could then produce the pages needed for a particular range.

23. An electronic logging program might be the best thing but I'm not sure it's worth it by itself. If you develop such a beast then you might as well commit to a war dialer as well. A single program could help place calls as well as log them. Quite a project. I am uneasy about any program than scans an entire prefix. You might hassle as many people as a telemarketer. I think the best scanning happens while disturbing the fewest people. (As if you are calling to talk to anyone.) I'd like some comments from anyone interested in local scanning. Hams have a great deal of logging software that is in the public domain; possibly some of it could be converted.

Biff

IV DEF CON II REVIEW: FEAR AND HACKING IN LAS VEGAS

24. We were somewhere around Barstow on the edge of the desert when the cell coverage began to come in . . . The second Def Con was held at the Sahara Hotel in Las Vegas on the weekend of July 21, 1994. Three hundred and seventy people attended. At times it was chaotic, disorganized and anarchistic. I can't wait to go again. Where else can you hear a discussion of UNIX, cryptography, industrial espionage, and the Chaos Computer Club in one weekend? For fifteen dollars? There were some problems. None of them, however, seemed serious enough for me to be concerned with. Dark Tangent and his people deserve congratulations for pulling off a great event for the second year in a row.

25. The con got off to a rocky start on Friday night. Mark Ludwig was to have spoken on UNIX security. But no Ludwig appeared. He was rumored to be either sick, jet lagged or drunk. No one knew. We did know, however, that the Def Con people were in trouble. There was no alternate speaker. One of Dark Tangent's friends tried to stall for time by telling bad jokes on the stand. There was, however, nothing to stall for. Audience members themselves arranged a discussion of UNIX after about a half hour. The con had been hacked. Peter Shipley bravely volunteered to answer general UNIX questions.

NEXT PAGE -->