k-18-(8)-01

OoO=o=oOO=o=O=OoO=o=oOO=o=O=OoO=o=oOO=o=O=>
    OoO=o=oOO=o=O=OoO=o=oOO=o=O=OoO=o=oOO=o=O=>
                             OoO=o=oOO=o=O=>
:    -`-             -`-      OoO=o=oOO=o=O=>
;  _|_--oOO--(_)--OOo--_|_      OoO=oOO==OoO=o=oOO=o=O=>
   |    K-1ine Zine !   |      OoO=o=oOO=o=O=>
    ! issue 18, volume 8       OoO=o=oOO=o=O=OoO=o=oOO=o=O=>
       ---------O^O----        OoO=o=oOO=o=O=OoO=o=oOO=o=O=>
;.              |__|__|       OoO=o=oOKill=o=OYourOoO=o=ParentsoOO=o=O=OoO=o=oOO=o=O=>
                  || ||       OoO=o=oOO=o=O=OoO=o=oOO=o=O=OoO=o=oOO=o=O=>
            ooO Ooo          OoO=o=oOO=o=O= OoO=o=oOO=o=O=OoO=o=oOO=o=O=>
                          OoO=o=oOO=o=O=OoO=o=oOO=o=O=KillO=o=ooOYourself=o=OoO=o=>
   ;`-.> August 2001 <=o=O=o=O=o=O

   
   'Too Many Secrets'


        "The belief that enhanced understanding will necessarily stir
           a nation to action is one of mankind's oldest illusions."
_____________________________________________________________________________


 .- Words from the Editor -.                                               |

*: [-] Introduction .......................................... The Clone    :*
*: (-) Contact Information ................................... The Clone    :*
*: (-) Affiliate Web-Links ................................... Nettwerked   :*
*: (-) Advertisment .......................................... HackerSalvage:*
*: (-) Advertisment .......................................... FlipperSmack :*
*: (-) The Canadian Phreakers Union - Same Name, New Look .... The Clone    :*
*: (-) TRAPFONE - now online ................................. The Clone    :*
*: (-) Link of the Month ..................................... RT           :*
*: (-) K-1ine Mirrors ........................................ The Clone    :*
*: (-) Nettwerked Movie Mirrors .............................. Nettwerked   :*
____________________________________________________________________________

 .- Documents -.                                                           |

*: (x) 'CRTC ASSIGNS ACCESS NUMBER 211 TO PUBLIC' ............ "CRTC"       :*
*: (x) 'Additional TracFone Documentation' ................... The Clone    :*
*: (x) "Miscellaneous Switching Source-Code" ................. M4chine      :*
*: (x) 'An Introductory Guide to DATU Systems' ............... The Clone    :*
*: (x) 'Rogers AT&T Billing Vulnerability; Part II' .......... The Clone    :*
_____________________________________________________________________________

 .- Conclusion -.                                                          |

*: [-] Credits ............................................... The Clone    :*
*: [-] Shouts ................................................ The Clone    :*
_____________________________________________________________________________ 



  Introduction -

  Welcome to another addition of K-1ine 'zine. This month I have a nice bunch
  of files for you all - lots of telecommunications information for your intake.
  Well well, I'm fuckin' hot as hell sitting in this stuffy and non-air circulated
  room while listening to Orbital's "Insides" album, drinking Silent Sam vodka,
  and writing... thinking about my utter disgust for humanity and society.
 
  Here's an interesting piece of information I was told about today: Emmanuel
  Goldstein from 2600 magazine has been making a lot of reference to 2600sucks.com
  (the domain I currently own and have directing to Nettwerked.net) such as last
   weeks "Off The Hook", and more recently this past weekend at a hacker conference
  ('HAL2001') where he had a speech about CyberSquatting. I'll be sure to post the
   speech transcripts on a future issue of K-1ine when I get a hold of them.

  Now sit back, relax, and enjoy this goddamn motherfuckin' issue...

 -->

Contact Information;
=-=-=-=-=-=-==-=-=-=

Comments/Questions/Submissions: theclone@hackcanada.com

On IRC: irc.2600.net - #hackcanada, #cpu (key)

Shoot me an ICQ message: (UIN) 79198218

Check out my site: (Nettwerked) http://www.nettwerked.net

-->

=-=-=-=-=-=-==-=-=-=
Affiliate Web-Links:
=-=-=-=-=-=-==-=-=-=

CPU		    http://www.nettwerked.net/cpu *
Damage Incorporated http://www.freeyellow.com/members6/damage-inc/index.html
Grass Hopper Unit   http://www.ghu.ca
Hack Canada         http://www.hackcanada.com
H410G3N-dot-com     http://www.h410g3n.com
Phreak BC           http://www.phreakbc.com
PyroFreak           http://www.multimania.com/pyrozine/index.html
TRAPFONE            http://www.trapfone.com *

* = featured sites of Nettwerked Incorporated

--

                             -- Advertisment --

          +++              WWW.HACKERSALVAGE.COM               +++

           HackerSalvage.com is a non-profit website dedicated to
            keeping old hardware in circulation. Many of us have
           piles of it sitting around but can't just toss it out.
             Here you can post computer items for sale or post a
           want ad for items you are looking for. A perfect place
           to get rid of perfectly good junk.... and get some new
                         stuff to rebuild the pile.
          +++                                                  +++ 

--

Flippersmack AD -

"Flippersmack is a culturemag for a penguin generation. What does this
mean? Articles and reviews from your favorite writers. The low-down on
what's fresh in tech, comics, movies, and music. Wrapped in a style all
its own."

"We will strive to release Flippersmack every week; a taste of insanity to
inspire, inform, and entertain. From the creators of System Failure and
Avalanche, there's a new zine out on the net: FLIPPERSMACK!"

You can read the first fourteen issues at:

http://www.nettwerked.net/flippersmack001.txt
http://www.nettwerked.net/flippersmack002.txt
http://www.nettwerked.net/flippersmack003.txt
http://www.nettwerked.net/flippersmack004.txt
http://www.nettwerked.net/flippersmack005.txt
http://www.nettwerked.net/flippersmack006.txt
http://www.nettwerked.net/flippersmack007.txt
http://www.nettwerked.net/flippersmack008.txt
http://www.nettwerked.net/flippersmack009.txt
http://www.nettwerked.net/flippersmack010.txt
http://www.nettwerked.net/flippersmack011.txt
http://www.nettwerked.net/flippersmack012.txt
http://www.nettwerked.net/flippersmack013.txt
http://www.nettwerked.net/flippersmack014.txt

--

         The Canadian Phreakers Union - Same Name, New Look

"The Canadian Phreakers Union is a last attempt to revive the underground
 culture from which we began: CPU, which stands for "Canadian Phreakers
 Union" is a Canadian based phone phreak organization with headquarters
 in Edmonton, Alberta, Canada. Telecom information is something we believe
 should be exchanged between a small number of people who are interested
 in the similar things. Basically what we exchange between each other are
 codes, exploits, numbers, scans, tricks, tips and just about anything that
 has to do with the telephone system; all discussed in a private irc channel."

	           http://www.nettwerked.net/cpu

-    		
	       	        TRAPFONE - now online

   		 HELP BOYCOTT TRACFONE WIRELESS, INC.

   		  FOR MORE INFORMATION PLEASE VISIT:
		   
		          WWW.TRAPFONE.COM

		    "TRAPFONE; Your Wireless Savour"
-

--=[ LINK OF THE MONTH ]=--

 Every month I post one really great "link of the month" on every issue
of K-1ine magazine. The link can be anything in the technology industry,
music scene, rave scene, punk scene, or even a good article you read on a
news site. I'll be taking submissions via e-mail, ICQ, or IRC right away;
so get your links in and maybe you'll see it in the next issue of K-1ine!

For the month of August, the link of the month is:

		  http://www.tron-movie.com/2.0/
         A Newer, Slicker version of the movie you loved as a kid!

[submitted by: RT]


--

K-1ine Mirrors:

        http://the.wiretapped.net/security/info/textfiles/k1ine/


"Wiretapped.net is an Australian site offering an archive of open
source software, informational and advisory textfiles and radio/conference
broadcasts covering the areas of network security, network operations,
host integrity, cryptography and privacy. We aim to become the largest
archive of this nature in the Asia/Pacific region through steady growth
of our archives and regular updates to them (most updated nightly).
We are proudly telehoused on a 10Mbit/sec connection by Connect.com.au using
OneGuard hardware donated by eSec Limited. The archive, along with its
sister site on the same machine, The AusMac Archive, generates between 10
and 60 gigabytes of outbound traffic daily. Wiretapped.net is hosted in
                        Sydney, Australia."

--

  Def Con 9 coverage for 'Nettwerked: The Movie' is now online!
            Please download from the following mirrors:

         Disclaimer: If you're under 18, don't watch this video.
 Contains scenes of nudity and drunkin' hackers 'n' phreakers acting silly.

     * Mirror #1: http://lumo.eghetto.ca/~theclone/defcon9.wmv
       (the_p0pe's server, Nova Scotia, Canada, 4Mbps)

     * Mirror #2: http://www.pstis.com/defcon9.wmv (h410g3n's server,
       Edmonton, Canada, 4Mbps)

     * Mirror #3: http://www.h410g3n.com/defcon9.wmv (h410g3n's
       server, Leduc, Canada, 4Mbps)

     * Mirror #4: http://www.plappy.com/defcon.wmv (Plappy's server,
       Edmonton, Canada, 2Mbps)

     * Mirror #5: http://the.wiretapped.net/multimedia/defcon9.wmv
       (Wiretapped.net server, Sydney, Australia, 10Mbps)

     * Mirror #6: http://sniperwolf.powersurfr.com/~theclone/defcon9.wmv
       (son4r's server, Edmonton, Canada, 2Mbps)

     * Mirror #7: http://www.nurotek.net/linux/media/defcon9.wmv
       (Nurotek Networks server, California, USA, via two 45Mbps pipes)

 			   Help mirror my video! 

	32.1MB's, 103 kb's / sec, 43:36 minutes, Windows Media Format;
	MPEG-4. Send all new mirror URLs to: theclone@hackcanada.com

--

                  CRTC ASSIGNS ACCESS NUMBER 211 TO PUBLIC
                     INFORMATION AND REFERRAL SERVICES

   August 9, 2001

   OTTAWA-HULL The Canadian Radio-television and Telecommunications
   Commission (CRTC) has assigned access number 211 to a new, toll free
   service that will supply information and referrals about community,
   social, health and government services.

   The United Way of Canada and a number of other agencies brought the
   application for three-digit dialling access to the Commission last
   year. In its bid for the access number, the United Way group was
   supported by many parties, including municipalities, regional and
   provincial governments, local distress centres, Kids Help Phone,
   volunteer centres and community medical services.

   "Canadians gain in two ways," says David Colville, chairman of the
   CRTC. "First, the 211 service will help the public find the right
   person or agency much faster. Second, we now have guidelines in place
   for allocating the three-digit access numbers."

   Access numbers

   In North America, three-digit access numbers are reserved for specific
   services. Until now, in Canada, the only access numbers left were 211
   and 311. 411 service is used for directory assistance. 511 has been
   held in reserve in Canada for access to Message Relay Service (MRS) by
   hearing persons to communicate with deaf persons, and 711 provides
   access to MRS by the deaf. 611 is used for telephone repair
   assistance, 811 is currently reserved for telecommunications service
   providers' business offices and 911 is used for emergency services.

   Guidelines for assigning three-digit access numbers

   In mid-2000, the United Way and the Canadian National Institute for
   the Blind applied to the CRTC for the use of three-digit access
   numbers. In November 2000 the CRTC asked for public comment on how to
   make the best use of the unassigned three-digit access numbers.

   Respondents included telecommunication companies, government
   representatives, non-profit organizations, various enterprises and
   private citizens. Applicants and other parties took advantage of the
   opportunity to contribute to the development of these guidelines.

   Taking all the input into account, the CRTC established the following
   guidelines for assigning a three-digit access number:

     * There is a compelling need to serve the broad public interest that
       would not be satisfied as effectively or efficiently by other
       dialling arrangements;
     * The number is to a specific service or services, not to an
       organization;
     * Assigning the number will serve the broad public interest
       (including providing access to the telephone network to
       disadvantaged individuals or groups);
     * The service does not confer a competitive advantage on those
       providing it;
     * The services reached by the number are available over a wide
       geographical area and are provided for full-time or extended
       hours; and,
     * Where possible, the number does not pose a conflict with the North
       American Numbering Plan and is in keeping the guidelines of the
       Canadian Steering Committee on Numbering.

   United Way group application

   The United Way group applied in June 2000 for the use of 211 to
   provide non-commercial, Canada-wide access to information and
   referrals.

   In its application, the United Way group said organizations taking
   part in the information and referral services would have to meet
   standards developed by social service agencies and would have to be
   endorsed by local government.

   Providers of information and referral services will have specialists
   to assist callers and a database of information about community and
   government services. There will also be standards for the use of
   various call centre technologies, access for people with disabilities
   and multilingual access.

   At first, the service will be offered 70 hours a week. The aim is to
   extend this to 24 hours a day, seven days a week. It is expected that
   the services will be established nation-wide over the next ten years.

   While access to the 211 service will be free to the public,
   long-distance charges will be negotiated with the carrier and paid for
   by the information and referral service provider. Telecom carriers
   will be responsible for implementing 211 dialling.

   The Commission directed parties involved in implementing 211 access to
   use the CRTCs Interconnection Steering Committee (CISC) to address any
   technical issues that arise.

   CNIB application

   While it approved the application of the United Way group, the CRTC
   did not approve an application by the CNIB for a three-digit access
   number for its information service.

   The CNIB currently operates a reading and information service for
   blind and print-impaired persons, consisting of access to newspapers,
   magazines, reference and information services.

   The Commission recognizes the value of CNIB's information service,
   however it does not meet the guidelines for assigning three-digit
   access numbers. CNIB did not demonstrate that three-digit dialling is
   necessary for access to its service, which is currently available via
   conventional dialling arrangements. Furthermore, a password would be
   required for access to the service, thus limiting its use to specific
   people. These and other concerns with the CNIB application were noted
   by many opposing parties including some groups representing blind and
   disabled Canadians.

   The Commission encourages information and referral service providers
   to assist blind and print-impaired callers to make effective use of
   the CNIB's existing information services.

   Reference document: Decision CRTC 2001-475

   General Inquiries:
   Ottawa, Ontario K1A 0N2
   Tel: (819) 997-0313, TDD: (819) 994-0423, Fax: (819) 994-0218
   Toll-free # 1-877-249-CRTC (2782), eMail: info@crtc.gc.ca
   TDD - Toll-free # 1-877-909-2782
   Media Relations:
   Denis Carmel, Tel: (819) 997-9403, eMail: denis.carmel@crtc.gc.ca

--

		  Additional TracFone Documentation -

   Written by: The Clone
   Last Modified: July 31, 2001
   Reference file: www.nettwerked.net/trapfone.txt
   Official Web-site: www.trapfone.com


  Add 22 Units, example PIN pattern:

 *#33248#
 351113928640001534XXXXXXXXXX

 *00##0 SEND
 0108508300003015 SEND

  Reset Codes:

 *#33248#
 **00##0 SEND END
 20144471340001534XXXXXXXXXX "CODE ACCEPTED"
 1836127313041701 SEND

-

 Example:

 TracFone has a deal going on that gives you 30 free minutes to your phone
 if you purchase three cards in a row before their expiry dates kick in...

 - Customer purchases a $7.99 TracFone pre-paid phone card, expires June 30
 
 - Customer purchases another $7.99 Tracfone pre-paid phone card, expires June 30

 - Customer purchases a $20 out-of-state TracFone pre-paid card from Hawaii,
   expires June 30

 - Customer enters: *#32248# and the PIN codes affiliated with the cards he
   purchased.

 - Customer verifies the free time deal on TracFone's official web-site:
   www.tracfone.com
 
  Customers original total was: 152 Units
  Customers total with deal should be: 182 Units
  Customers actual total: 212 Units

  Q: Where did the additional 30 free minutes come from?
  A: Who knows. My guess is the FCC... ;)
  
  Q: What are we dealing with here?
  A: We're dealing with a flaw in TracFone's HLR-like (Home Location Register)
     billing system.

This flaw, though very beneficial to customers, proves to be quite a large one.
With enough patience, one could really exploit in a way that would allow them
to make a lot of free phone calls. 

This, among thousands of other telco bugs have been discovered (and are waiting
to be discovered) throughout the industry's many years of existance. Telco bugs
are slowly patched after years of exploitation by phone phreaks, but patching
doesn't do anything but spring up a dozen or so more bugs just waiting to be
patched by the slow and (often) lazy phone companies.

The real problem lays in the hands of the telco engineers and programmers.
By keeping the software the programmers write and the hardware the engineers
develop in a completely proprietary format, the progression in security and
overall functionality of the finished product is less than acceptable.

What the telecommunications industry needs to do, is to start releasing their
developed software and hardware in open-source or open-source-like format.
Start by having a large group of telecom security experts as well as engineers
and programmers from around the world help to improve the product - this will
create whole new jobs, improve functionality and security 10-fold, and destroy
the software monopolies companies like Nortel and Lucent have over us.

--
<pinguino> clone and I were unfing years before space robots did :)
--


		"Miscellaneous Switching Source-Code"


   Date: 08/14/01
   From: M4chine
   E-mail:m4chine@fucktelus.com 

  			  LINETOOLS version 1.2

send sink
% LINETOOLS
% version 1.2
% This profile is designed to provide very restricted access to LTP commands
% xxx users of this profile require a privclass of 9 and only 9
% Note the "PROFILE" command itself requires privclass of 0 this privclass shou
ld
% be removed from the user once the profile has been set.
% LINETOOLS uses dump unsafe commands and should not be used between 21:55 and
23:00hrs
% Please refer any queries regarding the operation of this program to the NSC
%
directory linetools
attach linetools
erase dnfbs
erase goltp
erase forcebusy
erase linestate
erase busy
erase rets
erase fbusyX
send previous
COMMAND lt (PRINT 'LINETOOLS:')
PRINT 'Type HELPSTATE for linestate details'
PRINT 'Type HELPTOOLS for commands'
PRINT ' ';
PRINT 'Linestate does not remain live. ';
PRINT 'To see changes in line state you must repeat the linestate command. ';
%
COMMAND helpSTATE ( PRINT 'STATE    meaning';
               PRINT 'IDL      Okay,  no call in progress  ';
               PRINT 'CPB      Call probably in progress / faulty if CPB from r
ets ';
               PRINT '         DO NOT Forcebusy a line in the CPB state';
               PRINT 'BSY INB  Line not put into service ';
               PRINT 'MB       Manually busy  ';
               PRINT 'PLO      Permanent loop ';
               PRINT 'SB       System busy    ';lt;)
%
COMMAND helpTOOLS ( PRINT 'COMMAND             meaning';
               PRINT 'LINESTATE  XXXXXXX  Displays the state of line XXXXXXX';
               PRINT 'BUSY  XXXXXXX       Takes line XXXXXXX out of service ';
               PRINT 'FORCEBUSY XXXXXXX   Forces the line XXXXXXX into the MB state';
               PRINT 'RETS XXXXXXX        Attempts to return line XXXXXXX to service';HQDN)
COMMAND HQDN  (PRINT 'QDN XXXXXXX         Displays directory number details';
        PRINT 'QLEN HOST/MUXS XX X XX XX    Displays line equipment details';
        PRINT 'ABORT               IF YOU GET STUCK';lt)
%
COMMAND dnfbs     (send sink;'UNSPECIFIED LINE'->dnfb;erase yes;erase no;send previous)
COMMAND goltp     (mapci nodisp;mtc;lns;ltp;)
COMMAND forcebusy (dnfbs;send sink;@1->dnfb;
                   If (dnfb ^= 'UNSPECIFIED LINE') then (COMMAND yes (fbusyX dn
fb));
                   COMMAND no  (Print 'No action taken';lt);
                   send previous;
                   Print ' Never FORCEBUSY a line that is in the CPB state ';
                   Print ' Are you sure you want to forcebusy?' dnfb ' yes/no '
;)
COMMAND linestate (send sink;@1->dnq;goltp;send previous;post d dnq PRINT;quit
mapci;dnfbs;lt;)
COMMAND busy      (send sink;@1->dnq;goltp;post d dnq;bsy;send previous;post d
dnq PRINT;quit mapci;dnfbs;lt;)
COMMAND fbusyX    (send sink;@1->dnq;goltp;post d dnq;frls;send previous;post d
 dnq PRINT;quit mapci;dnfbs;lt;)
COMMAND rets      (send sink;@1->dnq;goltp;post d dnq;rts;send previous;sleep 4
;post d dnq PRINT;quit mapci;dnfbs;lt;)

-	
		Permissions

send sink
 % PERMISSIONS
 % THIS FILE CONTAINS THE PERMISSIONS FOR USER TYPES IN A COMMAND FORM
 % USER MUST BE ADMIN
 % uname MUST BE AN EXISTING USER
 listsf all
 erase PN PS PP PV PE PL PC PD PT
 send previous
 %
 print 'PN uname     permit as Network Operations user'
 print 'PS uname     permit as Switch user'
 print 'PP uname     permit as Provisioning user'
 print 'PV uname     permit as Provisioning tool (Viper)'
 print 'PE uname     permit as Planning and Engineering'
 print 'PL uname     permit as for LINETOOLS (DESPATCH)'
 print 'PC uname     permit as CDC user'
 print 'PD uname     permit as Digitech'
 print 'PT uname     permit as TAS'
 %
 send sink
 command PN (permit @1 4 7000 ENGLISH 0 1 2 3 4 5 6 10 11 13 16 17 20 21 23 24
25)

 command PS (permit @1 4 7000 ENGLISH 0 1 2 3 4 5 6 10 11 13 16 17 20 21 23)
 command PP (permit @1 4 7000 ENGLISH 0 1 2 3 5 10 11 12 13 17 20 21 22 23)
 command PV (permit @1 4 5000 ENGLISH 0 1 2 5 10 12 20 21 22)
 command PE (permit @1 4 5000 ENGLISH 1 5 20)
 command PL (permit @1 4 5000 ENGLISH 9)
 command PC (permit @1 4 5000 ENGLISH 14)
 command PD (permit @1 4 5000 ENGLISH 0 1 2 5)
 command PT (permit @1 4 7000 ENGLISH 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
17 18 19 20 21 22 23 24 25 26 27 28 29)
 send previous

-
		  PLO line posting for switch

send sink
%
% PLOCURE
% This program posts all the PLO lines
% on the switch.
% It then determines the number of lines posted
% It then force releases and returns each line to service.
% It then returns the user to the CI prompt
% PLEASE DO NOT MODIFY THIS PROGRAM IN ANY WAY
%
listsf all
erasesf PLOLINES
send sfdev PLOLINES
quit all;mapci nodisp;mtc;lns;ltp;post s PLO print
send previous
edit PLOLINES
end; linestr->lastline
quit
strsize lastline -> ssize
if (ssize < 38) then ('0'->num) else +
    (substr lastline 38 (ssize-38) -> num)
(decstrtonum num) -> nlines
repeat nlines (frls;rts;next)
erasesf PLOLINES
quit all
send previous
print 'The number of lines found PLO and force released = ' nlines

-
		System Busy Line Posting for Switch

send sink
% This program posts all the system busy lines
% on the switch.
% It then determines the number of lines posted
% It then busies and returns each line to service.
% It then returns the user to the CI prompt
% PLEASE DO NOT MODIFY THIS PROGRAM IN ANY WAY
%
listsf all
erasesf sbsylines
send sfdev sbsylines
quit all;mapci nodisp;mtc;lns;ltp;post s sb print
send previous
edit sbsylines
end; linestr->lastline
quit
strsize lastline -> ssize
if (ssize < 38) then ('0'->num) else +
    (substr lastline 38 (ssize-38) -> num)
(decstrtonum num) -> nlines
repeat nlines (bsy;rts;next)
erasesf sbsylines
quit all
send previous
print 'The number of lines found system busy and restored = ' nlines

--


		 An Introductory Guide to DATU Systems

-
By: The Clone
URL: www.nettwerked.net
Date: Monday, August 6, 2001
-

 * - Disclaimer

 * - Introduction

 * - Locating

 * - Administrating

 * - Credit

 * - Contact


 Disclaimer: The content within this file is for informational and
	     entertainment purposes only. Unauthorized access of
             the systems spoken about in this file may get you in
	     trouble with local and/or national law enforcement.

 -

 Introduction:

 DATU (pronounced 'dat-you') stands for Direct Access Testing Unit.
 A DATU unit is a physical device which is located at the local CO
 on a wiring card that is connected to a "no test trunk"), that allows
 field technicians and linesman to dial up to the trunk and perform
 various tests on a subscribers line. The DATU system itself extends
 the field technician and linesmans testing capabilities of subscriber
 lines through a non-metallic pair gain system. DATU was once manufactured
 and marketed by Hekemian Labs, but is now currently manufactured and
 marketed by Harris-Dracon division. Even though newer systems exist, DATU
 is still the most used analog, menu driven dial up test-board out there.

 -

 Locating:

 Locating and administrating a DATU system can be easy if you know the default
 suffixes your local phone company places them on. Many phone companies (Bell South)
 went through the unneeded liberty of changing the name of DATU either for the sake
 of unethical renaming of standard components, or for security reasons. Below is a
 list of regions, regional specific default suffixes, and the test system names
 associated with the specific regions. Note: 4-Tel is not a DATU, however it does
 function in a similar way to the DATU therefore I feel it belongs on this list...

 
            Canada:

      Name: '4-TEL' (manufactured by: Teradyne)
    Region: Alberta
 Area-Code: 403, 780
   Default: XXX-9935, XXX-DATU (3288), XXX-4TEL (4835)

      Name: '4-TEL' (manufactured by: Teradyne)
    Region: British Columbia
 Area-Code: 250, 604
   Default: XXX-9935, XXX-DATU (3288), XXX-4TEL (4835)
     
          United States:

       Name: 'DATU'
     Region: New Jersey
  Area-Code: 908
    Default: XXX-9935, XXX-DATU

       Name: 'DATU'
     Region: New York
  Area-Code: 212
    Default: XXX-9935, XXX-DATU


       Name: 'VoiceComplete Service'
     Region: Bell South
  Area-Code: 205, 229, 251, 321, 334, 386, 404, 407, 470, 478, 504, 606, 678,
             704, 731, 754, 770, 859, 901, 904, 912, 919, 954, 980, 984, 985
    Default: XXX-0000
       Info: Default VoiceComplete Service Admin PIN: (area code)

             You can ONLY administrate a VoiceService system if you
             have a Nortel 3580A capable of transmitting the KP tone.

              - KP Entry: XXXX KP pwd: XXX
 
              - When you get the pseudo recording, enter KP XXXX, and
                then KP PS, then KP XXX. The recording (ST) will say:
                "Remote Access VoiceService Completion Center 83E"

              - Enter Service or Subscriber number, then press * or
                to get a live supervisor press 1 KP #.

                 Options:
              - Add service
              - Remote Service
              - Change Type of Service
              - Remove CID information from line-set
              - Add Bunker
              - Remove Bunker

  -

 Administrating (From Harris DATU Manual):

 1. Dial Datu Access Number

 2. Enter Password

 3. Dial Seven digit subscriber number

 4. DATU will respond: "connected to xxx-xxxx.", "OK", or
    "connected to xxx-xxxx, busy line, audio monitor".
    Non-Pair gain lines proceed to step 7. Note: If busy line,
    DATU will not access the DC By-Pass Pair or the metallic
    Access Unit.

 5. SLC lines: If line is idle DATU will respond "Pair Gain Line"
    followed by "processing" ("Processing" may be repeated for up
    to 25 seconds) DATU will give voice message:
     
     Single Party line\      (Good)
                       |  
     Multi-Party Line  |     Followed by
     Coin Line        /      *ENTER RT NUMBER*
     Channel Not Available   (No/Bad channel test results)
     PGTC Failure/By-Pass    If same recording is heard
     Pair Busy               repeatedly alert supervisor
     Pair Gain System Alarm  (Alert Supervisor)

 6. If Good (or bad) Channel test results enter the
    RT number dial "*" to end ("**" toggle on or off the Alpha mode).
    Enter Pair Number, Dial "*" to end. Dial "0 *" to use existing
    DC TEST pair. DATU will connect to the By-Pass Pair or call the
    Metallic Access Unit in the RT, except when By-Pass is busy or
    Pair Gain System is in alarm. See Step 7 after connection to the
    remote site.

 7. LINE PREPARATION FUNCTION DIAL CODES:
    
    2 = Audio Monitor
    33 = Short Tip and Ring to Ground
    37 = Short Ring to ground (Tip Open)
    38 = Short Tip to ground (Ring Open)
    44 = High Level Tone on Tip and Ring
    47 = High Level Tone On Ring (Tip Grounded)
    48 = High Level Tone on Tip (Ring Grounded)
     5 = Low Level Tone
     6 = Open Line
     7 = Short Line (Tip to Ring Short)
     9 = Permanent Signal Release 
     # = New Subscriber Line
    ## = Force Disconnect
     * = Connect preparation function after disconnect
         (system programmable from 1 to 99 minutes 
         enter number of minutes); enter number of
         minutes after "*"

  Single Line Access: 

 1. Dial the DATU access number

 2. Enter the user password

 3. Enter the "*" and subscriber number for non pair 
    gain lines or Enter "**" and subscriber's number
    for pair gain lines and then enter RT number. 
    Dial "*" to end. Enter pair number. Dial "*" to end.

 4. Enter Function Desired

 5. Enter number of minuets to apply condition

 6. Hang up and wait 30 seconds for DATU to access and 
    condition line, (90 seconds for RT connection).

 Alpha Character Codes (when physically at DATU station):

  (space) = 11  A = 21  B = 22  C = 23  D = 31  F = 33
        G = 41  H = 42  I = 43  K = 52  L = 53  M = 61
        N = 62  P = 71  Q = 74  R = 72  S = 73  U = 82
        V = 83  W = 91  X = 92  Y = 93  Z = 94  = 13
        = = 12  / = 15

 Generic DATU commands:

  2 - Audio Monitor (allows you to monitor traffic on a busy line)
  3 - Short To Ground (establishes connection between tip, ring, and ground)
  4 - High Level Tone (injects 577MHz tone onto subscriber line to assist
      linemen in locating your pair at remote terminal. 577MHz tone is
      interrupted four times per second for identification purposes)
  5 - Low Level Tone (injects 577MHz tone to locate pair on remote
      terminal when subscriber line is busy)
  6 - Open Line (opens the subscriber line by removing the battery and ground
      thereby dropping voltage from line and disabling pair)
  7 - Short Line (places short across the tip and ring of the subscriber line
      at the Central Office)
  8 - Read Menu
  9 - Permanent Signal Release
 33 - Short Tip and Ring to ground
 37 - Short Ring to ground (Tip open)
 38 - Short Tip to ground (Ring open)
 44 - High Level Tone on Tip and Ring
 47 - High Level Tone on Ring (Tip grounded)
 48 - High Level Tone on Tip (Ring grounded)
  * - Line Preparation Function (used to continue line preparation function
      after disconnecting from the systems access line. Specify 1-9 minutes)
  # - New Subscriber Line (disconnects you from the current subscriber line
      and allows you to specify another subscriber line)
 ## - Force Disconnect (for up to twenty minutes)

 -

  Credit:

 Thank you to POS_RLS (irc.2600.net #hellsouth) for the additional
 Bell South VoiceComplete Service information.

 -

  Contact:

 theclone@hackcanada.com
 irc.2600.net #cpu (key), #hackcanada


.eof


--
<h410g3n> Windows is for people who barely know how to use a twist-tie
--

  	    'Rogers AT&T Billing Vulnerability; Part II'


 Written by: The Clone
 Date: Monday, August 6, 2001

 As mentioned in: The Edmonton Journal (08/05/01)
	          "Rogers cellphone network crippled
		   by mystery glitch"


  -=[The Glitch]
  -=[Glitch Details]
  -=[Conclusion]
  -=[References]
  -=[Contact]

 -
  The Glitch:

 What has been said as this nations largest cellular service interruption
 ever; up to 2.6 million Rogers AT&T wireless customers throughout Canada
 lost communication on Saturday evening. Customers reportedly were able to
 make calls, yet they were unable to receive them. This problem apparently
 started at 1:30pm and was fixed by Rogers staff later on that evening at
 around 11:00pm.

-
 Glitch Details:

 One thing that we noticed last night, was that we were not getting billed
 for any local or long distance outbound calls that we made. This is quite
 similar to another billing vulnerability that we discovered about 9 months
 ago; basically if you were a Rogers AT&T Pay-As-You-Go subscriber
 and you wanted to make yourself a free local or long distance call, all you
 would have to do is enter the phone number you wished to call and wait for
 it to dial. If you did not hear the automated voice telling you how much
 time you had left on your account, you didn't get time taken off - if you
 heard the voice, you did. What caused this problem was simple; if too many
 calls were incoming to to Rogers' HLR (Home Location Register) system which
 screens the subscribers ESN, MIN, phone number, and number dialed, your call
 would divert and directly connect you to your called party for free. This problem
 was recently fixed when Rogers AT&T upgraded their faulty billing system.
 However, last night just showed us something: that Rogers AT&T's supposed new
 "billing system" has larger software problems than before with their lack-of-ability
 to handle a high volume of incoming calls. 

 Spokesperson for Rogers AT&T, Heather Armstrong, told The Edmonton Journal:
 "this kind of an issue is very, very rare. This is receiving our utmost priority and
 attention." This claim, of course, is completely untrue.

- 
 Conclusion:

 Do you think it's about time that the cellular carriers start investing in
 and taking the first steps into adopting and developing open-source based
 billing module? This would help to stop the revenue-loss caused by simple
 proprietary programming errors, and open up a new industry for telecom
 security professionals ("phreaks").
 
-
 References:

 "Rogers/AT&T Pay-As-You-Go Billing Vulnerability"
 http://www.nettwerked.net/rogersatt_exploit.txt

 Edmonton Journal: "Rogers cellphone network crippled by mystery glitch"
 Sunday, August 5, 2001 - [A1] / (continued on) [A12]

-
 Contact:

 E-mail: theclone@hackcanada.com
 URL: www.nettwerked.net

--

-- Credits

    Without the following contributions this zine issue would be fairly
      delayed or not released, so thank you to the following people:

	         "CRTC", M4chine, RT, (and myself) The Clone

-- Shouts:

  Hack Canada (#HackCanada), Canadian Phreakers Union (#cpu), #PhreakBC,
 Blackened @ Damage Inc., The Grasshopper Unit, Flippersmack, Pyrofreak,
 plappy, soap, papercut, Kybo_ren, Flopik, POS_RLS and lastly to everyone
	     and anyone who contributes to the Canadian H/P scene.


                             ;.  .;..  ; ;. ;..
                           ;..   .;..; .;.; .;; ;..
                      .;..;. .;..;  .;.;...; ;..;..
                         .;.         A         .;. .;.
                       ;..   N E T T W E R K E D  ;..
                        ;..;.. P R O D U C T   ;..;..
                          .;..;               ;..;..
                     ;  .;..;.;..   .; .  .;. ..;..
                    .;..   . .;  ..;..;..;.. .;
                ;..;.   .;.. . .;.. .;.;.
              ..;. ..;.. .;.   ;.;..;;..;.;
                ;.;;..;..      ;.;.; .; .
                   ;.;..;. .;. ;.;:.;.
                     ,;....;.
               .;.;. .;.;
              .;.;.;
            .;.;
            ;..;.
           .;.;;.; .;. ..; ;. > > > <krys> i r leet!
