.oO Phrack 49 Oo.

Volume Seven, Issue Forty-Nine

1 of 16

Issue 49 Index
____________________

P H R A C K   4 9

November 08, 1996
____________________

Welcome to the next generation of Phrack magazine. A kinder, gentler, Phrack. A seasoned, experienced Phrack. A tawdry, naughty Phrack. A corpulent, well-fed Phrack. Phrack for the whole family. Phrack for the kids, Phrack for the adults. Even Phrack for those enjoying their golden years.

If you thought 48 was a fluke, here is 49, RIGHT ON SCHEDULE. Full speed ahead, baby.

We promised timely Phrack. We promised quality Phrack. Here are both in ONE CONVENIENT PACKAGE! We trimmed the fat to bring you the lean Phrack. Chock full of the healthy information you need in your diet. All natural. No artificial ingredients. No snake oil. No placebo effect. Phrack is full of everything you want, and nothing you don't.

This issue is the first *official* offering from the new editorial staff. If you missed them, our prophiles can be found in issue 48.

Speaking of 48, what a tumultuous situation article 13 caused. All that wacking SYN flooding. Well, it got the job done and my point across. It got vendors and programmers working to come up with work-around solutions to this age-old problem. Until recently, SYN-flooding was a skeleton in the closet of security professionals. It was akin to the crazy uncle everyone has, who thinks he is Saint Jerome. We all knew it was there, but we ignored it and kinda hoped it would go away...

Anyway, after this issue, I hope it *will* just go away. I have done interviews for several magazines about the attack and talked until I was blue in the face to masses of people. I think the word is out, the job is done. Enough *is* enough. " SYN_flooding=old_hat; ". Onto bigger and better things.

A few more quick points (after all, you want Phrack Warez, not babbling daemon9). I want to thank the community for supporting me (and co.) thus far.
Countless people have been quite supportive of the Guild, the Infonexus, and of Phrack. Time and work do permit me to get back to all of you individually, so just a quick blurb here. Thank you all. I will be using Phrack as a tool to give back to you, so please mail me (or any of the editors with your suggestions). This is *your* magazine. I just work here.

Most of all, I am stoked to be here. I am giving this my all. I'm fresh, I'm ready... I'm hyped + I'm amped (most of my heroes don't appear on no stamps..). Drop us a line on what you think of 49. Comments are encouraged.

Bottom line (and you *can* quote me on this): Phrack is BACK.

- daemon9

[ And remember: r00t may own you, but the Guild loves you ]
[ TNO, on the other hand, doesn't even fucking care you exist ]

---------------------------------------------------------------------------

Enjoy the magazine. It is for and by the hacking community. Period.

Editors : daemon9, Datastream Cowboy, Voyager
Mailboy : Erik Bloodaxe
Elite : Nirva (*trust* me on this one)
Raided : X (investigated, no charges as of yet)
Hair Technique : Mycroft, Aleph1
Tired : TCP SYN flooding
Wired : Not copping silly slogans from played-out, vertigo inducing magazines.
Pissed off: ludichrist
Pissed on: ip
News : DisordeR
Thanks : Alhambra, Halflife, Snocrash, Mythrandir, Nihil, jenf, xanax, kamee, t3, sirsyko, mudge.
Shout Outs : Major, Cavalier, Presence, A-Flat, Colonel Mustard, Bogus Technician, Merc, Invalid, b_, oof, BioHazard, Grave45, NeTTwerk, Panzer, The Bishop, TeleMonster, Ph0n-E, loadammo, h0trod.

Phrack Magazine V. 7, #49, November 08, 1996. ISSN 1068-1035

Contents Copyright (c) 1996 Phrack Magazine. All Rights Reserved. Nothing may be reproduced in whole or in part without written permission from the editors. Phrack Magazine is made available quarterly to the amateur computer hobbyist free of charge.
Any corporate, government, legal, or otherwise commercial usage or possession (electronic or otherwise) is strictly prohibited without prior registration, and is in violation of applicable US Copyright laws. To subscribe, send email to phrack@well.com and ask to be added to the list.

Phrack Magazine
603 W. 13th #1A-278              (Phrack Mailing Address)
Austin, TX 78701

ftp.fc.net                       (Phrack FTP Site)
/pub/phrack

http://www.fc.net/phrack         (Phrack WWW Home Page)

phrack@well.com                  (Phrack E-mail Address)
or phrackmag on America Online

Submissions to the above email address may be encrypted with the following key (note this is a NEW key):

ENCRYPTED SUBSCRIPTION REQUESTS WILL BE IGNORED

Phrack goes out plaintext... You certainly can subscribe in plaintext

.oO Phrack 49 Oo.
-------------------------------------
Table Of Contents

 1. Introduction                                                  7 K
 2. Phrack loopback                                               6 K
 3. Line Noise                                                   65 K
 4. Phrack Prophile on Mudge by Phrack Staff                      8 K
 5. Introduction to Telephony and PBX systems by Cavalier       100K
 6. Project Loki: ICMP Tunneling by daemon9/alhambra             10 K
 7. Project Hades: TCP weaknesses by daemon9                     38 K
 8. Introduction to CGI and CGI vulnerabilities by G. Gilliss    12 K
 9. Content-Blind Cancelbot by Dr. Dimitri Vulis                 40 K
10. A Steganography Improvement Proposal by cjm1                  6 K
11. South Western Bell Lineman Work Codes by Icon                18 K
12. Introduction to the FedLine software system by Parmaster     19 K
13. Telephone Company Customer Applications by Voyager           38 K
14. Smashing The Stack For Fun And Profit by Aleph1              66 K
15. TCP port Stealth Scanning by Uriel                           32 K
16. Phrack World News by Disorder                               109K

                                                                575k
-------------------------------------

"...There's MORE than maybes..."
- Tom Reagan (Gabriel Byrne) "Miller's Crossing"
[ Obviously referring to the blatant truism that Phrack IS back ]

"...Fuckin' Cops..."
- Verbal Kint/Keyser Soze (Kevin Spacey) "The Usual Suspects"
[ Not sure what was meant by that.. ]

"Got more funky styles than my Laserjet got fonts"
- 311/Grassroots "Omaha Stylee"
[ That would be referring to us, of course ]

EOF

.oO Phrack Magazine Oo.

Volume Seven, Issue Forty-Nine

File 2 of 16

Phrack Loopback

-----------------------------------------------------------------------------

[The Netly News]

September 30, 1996

Today, Berkeley Software Design, Inc. is expected to publicly release a near-perfect solution to the "Denial of Service," or SYN flooding attacks, that have been plaguing the Net for the past three weeks. The fix, dubbed the SYN cache, does not replace the need for router filtering, but it is an easy-to-implement prophylaxis for most attacks.

"It may even be overkill," says Alexis Rosen, the owner of Public Access Networks. The attack on his service two weeks ago first catapulted the hack into public consciousness.

The SYN attack, originally published by Daemon9 in Phrack, has affected at least three service providers since it was published last month. The attack floods an ISP's server with bogus, randomly generated connection requests. Unable to bear the pressure, servers grind to a halt.

The new code, which should take just 30 minutes for a service provider to install, would keep the bogus addresses out of the main queue by saving two key pieces of information in a separate area of the machine, implementing communication only when the connection has been verified. Rosen, a master of techno metaphor, compares it to a customs check.
When you seek entrance to a server, you are asked for two small pieces of identification. The server then sends a communique back to your machine and establishes that you are a real person. Once your identity is established, the server grabs the two missing pieces of identification and puts you into the queue for a connection. If valid identification is not established, you never reach the queue and the two small pieces of identification are flushed from the system. The entire process takes microseconds to complete and uses just a few bytes of memory.

"Right now one of these guys could be on the end of a 300-baud modem and shut you down," says Doug Urner, a spokesman for BSDI. "With these fixes, they just won't matter."

Still, Urner stresses that the solution does not reduce the need for service providers to filter IP addresses at the router. Indeed, if an attacker were using a T1 to send thousands of requests per second, even the BSDI solution would be taxed. For that reason, the developers put in an added layer of protection to their code that would randomly drop connections during an overload. That way at least some valid users would be able to get through, albeit slowly.

There have been a number of proposed solutions based on the random-drop theory. Even Daemon9 came up with a solution that looks for any common characteristics in the attack and learns to drop that set of addresses. For example, most SYN attacks have a tempo -- packets are often sent in five-millisecond intervals -- When a server senses flooding it looks for these common characteristics and decides to drop that set of requests. Some valid users would be dropped in the process, but the server would have effectively saved itself from a total lockup.

Phrack editor Daemon9 defends his act of publishing the code for the attack as a necessary evil. "If I just put out a white paper, no one is going to look at this, no one is going to fix this hole," he told The Netly News. "You have to break some eggs, I guess."

To his credit, Daemon9 actually included measures in his code that made it difficult for any anklebiting hacker to run. Essential bits of information required to enable the SYN attack code could be learned only from reading the entire whitepaper he wrote describing the attack. Also, anyone wanting to run the hack would have to set up a server in order to generate the IP addresses.

"My line of thinking is that if you know how to set a Linux up and you're enough in computers, you'll have enough respect not to do this," Daemon9 says. He adds, "I did not foresee such a large response to this."

Daemon9 also warns that there are other, similar protocols that can be abused and that until there is a new generation of TCP/IP the Net will be open to abuse. He explained a devastating attack similar to SYN called ICMP Echo Flood. The attack sends "ping" requests to a remote machine hundreds of times per second until the machine is flooded.

"Don't get me wrong," says Daemon9. "I love the Net. It's my bread and butter, my backyard. But now there are too many people on it with no concern for security. The CIA and DOJ attacks were waiting to happen. These holes were pathetically well-known."

--By Noah Robischon

[ Hmm. I thought quotation marks were indicative of verbatim quotes. Not in this case... It's funny. You talk to these guys for hours, you *think* you've pounded the subject matter into their brains well enough for them to *at least* quote you properly... -d9 ]

[ Ok. Loopback was weak this time. We had no mail. We need mail. Send us mail! ]

----<>----

.oO Phrack Magazine Oo.

Volume Seven, Issue Forty-Nine

File 3 of 16

Line Noise

------------------------------------------------------------------------------

CUERVOCON 96 CUERVOCON 96 CUERVOCON 96 CUERVOCON 96 CUERVOCON 96

I have to talk to my lawyer.
----------------------------------------------------------------

What : A computer/telephony/security conference. (show this part to your boss.)
Where: Fort Brown Hotel, Brownsville Texas.
When : 28 & 29 December, 1996
Who : The usual gang of cretins.
Why : It's winter, and it is 12 degrees outside. The dumpsters are frozen shut, and there are icicles on the payphones. Brownsville is at the Southern-most tip of Texas, right up against...Mexico. Yes, Mexico, land of cheap cerveza, four-dollar strippers, and liberal drinking laws. Mexico, where you too can own your very own Federal law enforcement official for a fistful of pesos.

----------------------------------------------------------------

Speakers

Anybody wishing to speak at CuervoCon should send e-mail to the address at the bottom of this announcement. Currently the list includes:

u4ea (by teleconference)
Major
ReDragon
Caffiend (about her Breasts)
daemon9 (about his Breasts)

----------------------------------------------------------------

Events

"How Much Can You Drink?"
"Fool The Lamer"
"Hack The Stripper"
"Hack The Web Server"
"sk00l"
"Ouija Board Hacking"

...as well as a variety of Technical Presentations.

----------------------------------------------------------------

General Information

The Fort Brown Hotel will have available to us, 125 rooms at the Holiday Inn @ $55 a room, and $75 rooms at the Ramada @ $45 each. The Fort Brown was previously an actual fort when it was closed down by Uncle Sam. It became one large hotel until it was recently purchased and split into the Holiday Inn and the Ramada.

The Fort Brown was chosen because it is across the street from the bridge to Mexico. You can call the Fort Brown Ramada at: 210-541-2921
You can call the Fort Brown Holiday Inn at: 210-546-2201

Call for reservations, make sure to tell them you're with CuervoCon.

Friday and Saturday the con will be in the 'Calvary' room. While Sunday we have the 'Fortress Room' where all the big speakers will be.
Friday and Saturday we will have a few speakers and activities. Friday Night mainly, so we can have people arrive on time. We hope to have the con room open 24 hours a day.

Brownsville is right on the Mexican border, adjacent to the Mexican town Matamoros. The Gulf of Mexico is 25 miles away. Brownsville has a population just over 100,000. The police force includes 175 officers, and a wide variety of federal law enforcement agencies have a strong presence there as well. The climate is semi-tropical, and the RBOC is SouthWestern Bell.

Matamoros is the other half of Brownsville. Home of over 1/2 a million people, it is known since the early 1900's as a pit of sin. The federales are not to be fucked with and it is serviced by TelMex. It is known for its bars, strip clubs and Mexican food. Matamoros also has an airport in case you live in Mexico and care to go, via Aeromexico.

Directions:

In Texas Driving - Go any way you can to get to US 77 South. Take 77 South till it ends in Brownsville. From there you will turn right on International. Proceed all the way down International, right before the bridge, turn left. The Fort Brown will be on the left.

For those flying in - We are going to try to have a shuttle going. Also just tell the cab driver, Fort Brown.

The Con Registration Fee, aka the pay it when you walk in or we will beat you up, is only 10$ and an additional 5$ for the 'I paid for eliteness sticker' which will let you into the special events, such as hack the stripper.

----------------------------------------------------------------

Celebrity Endorsements

Here's what last year's participants had to say about CuervoCon:

"I attended the CuervoCon 95. I found many people there who, fearing a sunburn, wanted to buy my t-shirts!" -ErikB

"I tried to attend, but was thwarted by "No Admittance to The Public" sign. I feel as though I missed the event of the year." - The Public

"mmmm...look at all the little Mexican boys..." -Netta Gilboa

"Wow!
CuervoCon 95 was more fun than spilling my guts to the feds!" - Panther Modern

"CuervoCon is our favorite annual event. We know we can give security a day of rest, because you people are all too drunk to give us any trouble..." - AT&T

"Do not disturb, please." - TeleMex

Don't miss it!

----------------------------------------------------------------

Have you ever hacked a machine in your hometown from a foreign country?

Have you ever had to convert dollars into pesos to get your bribe right?

Have you ever spent time in a foreign prison, where your "rights as an American" just don't apply?

Have you ever been taken down for something that wasn't even illegal half an hour ago?

YOU WILL! And the con that will bring it to you?

CUERVOCON 96

----------------------------------------------------------------

CUERVOCON 96 CUERVOCON 96 CUERVOCON 96 CUERVOCON 96 CUERVOCON 96

brought to you by
- S.o.B. - TNo - PLA - Phrack - The Guild - F.U.C.K. - SotMESC -

Contact Information

info@cuervocon.org
www.cuervocon.org - Look here for updates.
Voice mail system coming up soon.

----------------------------------------------------------------

----<>----

*** The truth behind the Adult Verification Services ('porno' will set you free)
*** By your passively skeptical author, t3.
*** 10.30.96

Let's speak for a minute about 'porno'. 'Porno' has saturated the Net to a level in which it's difficult *not* to see it, regardless if you're looking for it. It can be found on the largest web site and the smallest ftp site. It can be found on Usenet, it can be found with any one of numerous search engines. Let's not delude ourselves, porno is *everywhere* and anyone with the motor skills to click a mouse can have access to it.

About a year ago a concept came along called 'Adult Verification'. This first started out by people writing crude cgi scripts that would query every person as to their age. 'Are you 18' it would say, and even a sexually aware 9-year old would know to say 'yay' to this.
Soon thereafter, someone topped this 4-line piece of code by writing a login interface, most likely it was incorporated into Netscape or some other, less worthy browser. This program made use of the actual browser to authenticate users. Of course one needed a login and password, which had to be manually added after ample proof of age was received. If one merely wanted to cover one's ass, this would not be a logical solution.

This all occurred while the CDA (Communications Decency Act) actually existed. On June 7, 1995, the CDA was passed through the Senate to the President, signed, and made a law:

(1) in the heading by striking `Broadcasting obscene language' and inserting `Utterance of indecent or profane language by radio communication; transmission to minor of indecent material from remote computer facility, electronic communications service, or electronic bulletin board service';

et al...

Now it was illegal to transmit 'indecent material' on the Internet. If this were to actually be adhered to, the Net would shrink so drastically that the current topology would last ten years before needing an upgrade.

It was soon apparent that this act was not going to fly. Groups like the EFF and the ACLU suddenly became extremely busy. Companies such as Apple and Microsoft challenged the constitutionality of such a law and took this directly to court. It was also apparent that the transmission of 'indecent material' would not disappear, but merely go further underground.

Indeed, this is exactly what happened. Soon thereafter Adult Verification services began popping up. AVS (Adult Verification Services), Adultcheck, Adultpass, and a slew of others came up with an idea. The idea was to verify a person's adult status by acquiring one's credit card number. This would, ahem, without a doubt, prove that the individual was 18. Why? Because you had to be 18 to have a credit card of course!
Someone obviously didn't take into consideration the five or so million pre-adults that would make it their goal to surpass such shoddy authentication.

It began by the government stating that a credit card is a legal means of verifying one's age, thus allowing those distributing 'porno'graphic materials to continue distributing to those 18 and over. The initial means that the 'providers of porn' used to do this was to basically verify the format of the card and not actually run a check on it. As most of us know, there have been plenty of "Credit Card Generators" produced in the last five years, quite capable of fooling these shoddy authentication systems.

As this authentication was obviously lacking in the "authentication" part, the next step was to actually validate the cards. This began and ended nearly as quickly, for finding a credit card (for example, in mommy's purse), junior could peruse porn until his dick grew red and chafed.

On June 12, 1996 it was determined that the CDA indeed violated one's constitutional rights and was stricken down as a law. More on this at .

But it didn't seem to faze the Authentication services. The Authentication Services currently verify age by obtaining a credit card, verifying it, and actually charging a fee for the service. About $9.95 for two years which entitles you to an abundance of graphic, ad, and airbrush-laden web pages and images. This most likely sufficiently scared off the less determined of minors because now they'd be engaging in credit card fraud.

It's truly odd that after it has been deemed legal to distribute said porn, that all of these services still insist that it's illegal to do so. Let us realize that Usenet barely flinched when the CDA was in effect, and still offered gigs upon (glorious) gigs of nude bodies to ogle at.

After taking a good look at this whole bizarre operation, I have made a few conclusions of my own.
Charging $9.95 for two years of access to 'porno'graphy seems a little too good to be true. One must realize that there is a charge to the billing company for each credit card transaction made. I'd be surprised if it wasn't half of this ten bucks.

These authentication companies also pay "handsomely" the purveyors of porn. In order for such a service to function, obviously there needs to be an agreement with the distributor and the authenticator. Now, one that distributes 'porno'graphy on the Net will certainly not feel the need to do these Verification Services any favors. The majority of people that do run these explicit sites are certainly not interested in supporting censorship of their material (probably 90% money-making). The AVS's knew this and offered a stipend to those using their services.

The AVS's currently work by paying the site that contains 'indecent material' a certain amount each time that site gets another person to sign up with their service. This works by the AVS sending html that is put on a verification page. If one finds this page important enough, they may be convinced to sign up with the service that allows you to access it.

The stipend is generally around $4.00, and as high as $7.50. There are many AVS's, and the majority of the said 'sites' use more than one, sometimes all of them for verification. If a particular site uses one AVS exclusively, the AVS will pay on the highest end of their scale for new recruits.

If we get into some simple math, we may find some contradictions regarding this. The initial fee to those interested in accessing porn is $9.95. Out of these we can safely say that more than $3.00 goes to simply checking the validity of the card and billing it. This leaves the AVS with $6.95. Now, on the receiving end we have a very minimum of $4.00 going towards each new person that signs up.
It's probably safe to say that over 90% of new customers to these AVS's sign-up through 'porno'graphic pages and not directly from the site itself.

So $9.95 ends up being $6.95 after expenses, and then the service sends another $4.00 to the person that gave them the account. This leaves the AVS with a maximum of $2.95 total.

The costs of running an AVS are surely not exorbitant, but are certainly not cheap. I have yet to find an AVS running off of anything less than T1 (1.544mbit) speeds. This translates to an extreme minimum of 1k/month. If you include employees, office space, and incidentals, running any such service couldn't cost less than 5k a month at the very least. This would mean to break even one would have to bring in:

5000 / 2.95 = 1694 new customers a month, simply to break even!

That's a lot considering the membership lasts for two years. And this is in the *best-case* scenario. I would be hard-pressed to believe that one such service could steadily rely on such a base of new clients every month indefinitely!

I have theorized that these services are in fact not self-run moneymaking ventures, but are actually being funded by a higher authority. It's quite feasible to believe that the government, having been challenged and beat, has actually allocated funds to protecting the minors of the Net from obscenity. It's *certainly* not far-fetched, especially with Al Gore (think, Tipper) in an improperly high position.

The government could allocate a comparatively paltry sum of one million a year towards funding (even creating) companies that act merely to pay people to be complacent. What if the government merely let relatively computer proficient professionals bid on forming these AVS's? What if? Well, unless I'm overlooking something, I can't see too much illogic to my theory.

Another consideration of these services is that even at their current state, they are extremely easy to overcome.
So easy, in fact, that their existence will hardly offer much resistance to a horny teenager. Remember, people will do anything to get 'porno'graphy.

One such hole in these systems is that the verified member of such an AVS connects to a sexually explicit site, is bounced back to the AVS for authentication, and is then bounced back again to the page (url) that contains the "naughty stuff". This page can be simply bookmarked and distributed to anyone and their Mom. Why? All the services I've come across (the largest ones) do not authenticate the target url, they target the initial "warning" page and contain information to pass the user on to the naughty stuff. Thus if one single person can obtain the target url, he can bypass all future authentication and can as well pass the url on through various channels, quite easily ending up in the hands of a minor.

As well, if stupidity was a metaphor for AVS's, most of the target url's have filenames such as "warning.html" or "granted.html". Any half-respectable search engine (such as AltaVista) is capable of snarfing out such information. Doubly-so because these services will obviously want to advertise their existence.

The only method that seems to partially protect minors from 'porno'graphy is the method of installing client-based software such as SurfWatch that try to censor 'porno'graphy. This, as well, relies on a willing company or individual to operate. This works quite archaically by embedding META tags in html source. For example:

This particular tag would be placed in the receiving html of a co-operative service or individual. The client-based software would search for such tags and censor the content accordingly. From my understanding, those using AVS's are not required to embed these tags in their "warning" page html. If they do not, which I would imagine many probably wouldn't, then suddenly these client-based censorship tools are rendered useless.
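
The unauthenticated target URL described above, modelled next to a version in which the protected page itself re-checks a signed, expiring token on every request. This is an added example, not code from the article or from any verification service; the paths, key, token layout and function names are all constructed for illustration.

```python
import hashlib
import hmac

# All names and values below are constructed for illustration.
SECRET = b"constructed-demo-key"         # known only to the verifying server
WARNING_URL = "/warning.html"            # the gated entry page
TARGET_URL = "/members/granted.html"     # the page that should be protected
TTL_SECONDS = 900                        # how long one verification lasts
CONTENT = "age-restricted page body"


def _sign(user, path, expires):
    """HMAC over who was verified, for which path, and until when."""
    msg = "|".join((user, path, str(expires))).encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def issue_token(user, path, now):
    """Issued once the verification service has vouched for `user`."""
    expires = now + TTL_SECONDS
    return "|".join((user, str(expires), _sign(user, path, expires)))


def token_valid(token, path, now):
    """True only for an untampered, unexpired token bound to this path."""
    parts = (token or "").split("|")
    if len(parts) != 3:
        return False
    user, expires_text, sig = parts
    try:
        expires = int(expires_text)
    except ValueError:
        return False
    expected = _sign(user, path, expires)
    # Constant-time comparison, then the expiry check.
    return hmac.compare_digest(sig.encode(), expected.encode()) and now < expires


def weak_site(path, verified=False):
    """The design described in the article: only the warning page checks."""
    if path == WARNING_URL:
        return (302, TARGET_URL) if verified else (302, "/avs/signup")
    if path == TARGET_URL:
        return (200, CONTENT)        # no check here: a bookmarked URL just works
    return (404, "")


def checked_site(path, token, now):
    """Same site, but the target re-validates the token on every request."""
    if path == WARNING_URL:
        return (302, "/avs/verify")
    if path == TARGET_URL:
        if token_valid(token, path, now):
            return (200, CONTENT)
        return (403, "verification required")
    return (404, "")


if __name__ == "__main__":
    now = 1_000_000                  # constructed clock value
    token = issue_token("member-1", TARGET_URL, now)
    print("weak site, bare target URL     :", weak_site(TARGET_URL)[0])
    print("checked site, bare target URL  :", checked_site(TARGET_URL, None, now)[0])
    print("checked site, fresh token      :", checked_site(TARGET_URL, token, now + 60)[0])
    print("checked site, token after TTL  :",
          checked_site(TARGET_URL, token, now + TTL_SECONDS)[0])
```

A passed-along token still works until it expires, so the lifetime has to be short; what the per-request check removes is the permanent, check-free URL.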
So in conclusion, I would give a big thumbs-down for this whole pathetic means of controlling freedom. The Internet was meant to be a place for free exchange of information. Today a minor is just as able to find explicit material on the Net as he/she is able to dig through Mom and Dad's dresser for copies of Hustler. A minor is just as capable of watching R or X-rated movies, stealing a magazine from a store, or even buying one.

It's time to stop using half-assed and crippled ways of protecting kids from obscenity on the Net. If you're a parent and you don't want your child to view such 'porno'graphy, then why not do what you're supposed to do and discipline the kid.

Lazy fuckers.

t3
.end

----<>----

T.A.C.D Presents...

Hacking ID Machines
By PiLL

Table Of Contents

I. What is an ID Machine & who uses them?
II. Hardware and software of the ID machines
III. Common security of ID Machines
IV. What to do once you get in
V. Closing
VI. Greets

Part One: What is an ID machine and who uses them?

First we will start with the basics. An IDM or ID Machine is exactly what the name entails. It is a computer that government and large companies use to make security badges and ID cards for employees and visitors. All of the IDM's are DOS based so security, to say the least, sucks. There are four models of IDM's. The one we will be covering the most is the latest and greatest: the ID 4000. Also in the family of IDM's are the 3000, 2000+, and 2000. I have heard of an ID 1000 but I have yet to see or play with one, so if you find one, tell me. The 2000 is DOS 3.3 so I can imagine that an ID 1000 is even a bigger waste of time.

IDM's are manufactured by a branch of Polaroid entitled Polaroid Electronic Imaging. If you want more information on IDM's call (800)343-5000 and they will send you some general specs. I will let you know right off the start that these machines sell for as much as $75,000.00 but the average price is around $40,000.00.
So getting caught crashing one is NOT a good idea.

You are probably wondering what companies use ID machines. Here is a brief list. All of the Colorado and Alaska DMV's, The IRS, The FBI, The U.S. Mint, The Federal Reserve, almost any military branch, Hewlett Packard, Polaroid, Westinghouse (I wouldn't recommend fucking with them: for more information on Westinghouse check out the movie Unauthorized Access available from CDC's home page), and all of the major prisons in the United States. By now you should be getting ideas of the potential fun you can have. Not that I would ever use what I know for anything illegal ;)

Part Two: Hardware and Software

I will cover each machine in order but you will probably notice that the ID4000 will get by far more attention than any other. Hardware and Software for the 2000+ and 2000 is kind of like teaching someone about the Apple ][ and how to use Logo so I will try not to bore you too much with them.

The 2000 series are unique to the others because they are one full unit. The hardware is basically a really cheesy oversized case with a 9 monochrome monitor, a 3 monitor for viewing the victim of the hideous picture it takes, a 286 Wyse computer with 1meg of RAM (really hauls ass), a data compression board, image processing board (*Paris* Board), a signature scanner, a color film recorder or CFR, a WORM Drive, a modem, and most of the time a network card so the data can be stored on a mainframe. The Software of the 2000 series is a really neat database program running under DOS 3.3. If you have never heard of or used EDLIN, I would not recommend playing with a 2000. The only major differences between an ID2000 and an ID2000+ is that the computer on the 2000+ is a HP Vectra 386 with 4megs and a SCSI Interface. That's all you really need to know; you probably won't ever encounter one unless you go trashing a lot.
The ID3000 is also an HP 386/20 but uses DOS 5.0 and a Matrox Digital Processing board instead of the old Paris board of the 2000 series. This came about when your state ID actually started to remotely resemble you in 1992. Also in the 3000 years there were more peripherals available such as the latest CFR at the time (I think it was the 5000), PVC printers, and bar code label printers. The software is basically DOS 5.0 but this time they use a database shell much like DOSSHELL as the interface with the machine. The 3000 uses SYTOS for data storage and transfer and it is best to dial in using a program called Carbon Copy.

The 4000 is the best even though it's not that great. It is the first IDM in the Polaroid line that let the customer customize the machine to their needs. This is the machine that you see when you go to the DMV, at least in Denver. It consists of a JVC camera, a Matrox processing board, a data compression board, an Adaptec 1505 SCSI card, a 14.4 modem, a network card, and can have any of the following added to it: a PVC printer (in case you didn't know that's what they use on credit cards), a magnetic stripe encoder, a bar code printer, a thermal printer, a CFR (usually the HR6000 like at the DMV), a Ci500 scanner, a signature pad, a finger print pad (interesting note: if you have a black light and one of the new Colorado Driver licenses, hold it under the black light and look what appears under your picture, you should see your finger print), and a laminator.

Now some of you are thinking what about the holograms? Those are actually in the lamination, not on the badge itself. To obtain lamination walk into the DMV and look to the right or left of the machine; if you see a little brown box that's what you need, but please remember to leave some for the rest of us that might be next in line. Or you can go to Eagle hardware and buy a bolt cutter for the dumpster but that's a different text file. The 4000 runs DOS 6.0 and Windows 3.1.
The actual software for the 4000 is a terrible Visual Basic shell that reminds me of the first time I ran that program AoHell. The only difference is that AoHell did what it was supposed to; the 4000 software is a headache of GPF's, Environment Errors, and Vbrun errors. A nice feature that the 4000 has that the other IDM's don't is the ability to create and design your own badge. You can even do it remotely!! =) Unfortunately the program Polaroid developed for this makes paintbrush look good. But on a bright note you can import Images.

Briefly here is a run down of what exactly happens when you get your picture taken on an ID4000 at the DMV. At the first desk or table the narrow eyed, overpaid, government employee will ask you for some general information like a birth certificate, picture ID, name, address, SSN#, what party you prefer to vote for, and whether or not you want to donate your organs in the event of your untimely demise. You reply by handing her your fake birth certificate and ID that you had printed no more than an hour ago, hoping the ink is dry. "My name is Lee Taxor I reside at 38.250.25.1 Root Ave in the Beautiful Port apartments #23 located in Telnet, Colorado, I prefer to vote for Mickey Mouse of the Disney party, and can't donate my organs because Satan already owns them."

The disgruntled employee then enters all your information in the correct fields while never taking an eye off you in fear that you know more about the machine he or she is using than they do (perhaps you shouldn't have worn your Coed Naked Hacking T-shirt that you bought at DefCon 4). As soon as the bureaucrat hits all of the information is sent to a database located in the directory named after the computer (i.e. c:\ID4000\ColoDMV\96DMV.MDB). Then you are directed to the blue screen where you stare at the JVC monitor trying to look cool even though the camera always seems to catch you when you have to blink or yawn or even sneeze.
*SNAP* the picture is taken and displayed on the monitor where the employee can laugh at your dumb expression before printing it. If the employee decides to print the picture it is saved as a 9 digit number associated with your database record. The 4000 then compresses the picture and saves it. So the next time you go in and they pull up your record it will automatically find the associated picture and display it on the screen. But in the mean time you grab your fake ID the DMV just made for you and leave happy. In a nutshell that's all there is to these machines.

Part Three: Security

I think a better topic is lack of security. I have yet to see any of these machines that are remotely secure. Before we go any further, the 4000 is best accessed using CloseUp, the others using Carbon Copy, but any mainstream communications program will more than likely work. You dial and it asks you right away for a username and password. Whoa, stop, road block right there. Unless of course you know the backdoor that Polaroid put in their machines so they can service them. =)

ID4000
Login: CSD (case Sensitive)
Password: POLAROID (who would have guessed?)

ID3000
Login: CPS
Password: POLAROID (god these guys are so efficient)

ID2000+ And ID2000
Login: POLAROID (ahh the good old days)
Password: POLAROID

Now if these do not work because they have been edited out, there are still a few VERY simple ways of getting in to your victims system. The first is to go with every hacker's default method of social engineering. The best way to do this is to call them up and say "Hi this is (insert tech name here) with Polaroid Electronic Imaging! How is it going down there at (name of company)." They say "pretty good!" in a funny voice thinking what great customer support. You say "How has the weather been in (location of company)" they reply with the current weather status feeling that they can trust you cause you are so friendly.
You say "well (name of person), we were going through our contacts one by one doing routine upgrades and system cleaning to ensure that your database is not going to get corrupted anytime soon and that everything is doing what it is supposed to, if you know what I mean (name of person)." Now they reply "oh yeah" and laugh with you not having a clue of what you are talking about. And they then say "well everything seems to be in order." You say "great sounds good but old *Bob* would have my head if I didn't check that out for myself." Then you ask if the modem is plugged in and wait for the reply. They either say yes or no, then you ask them to go plug it in & give you the number or just give you the number. Then they comply cause they are just sheep in your plan. You say "Hey thanks (name) one more thing, would you happen to know if user CSD:Polaroid exists or did you guys delete it." If they deleted it ask them to put it back in, giving you administrative access. They probably know how to and will comply.

If they need help have them do the following: Click on the combination lock icon at the top of the screen. This will bring them to the administrative screen and they will have the choices of Purge, Reports, and Passwords. Have them click on passwords. Then have them enter you as a new user with CSD as your Name and Polaroid as your Password. After they have done that make sure they give you all the Keys. The keys are basically access levels like on a BBS. Lets some users do certain things while others can not. The only key you need is administrative but have them give you the rest as well. The other keys are Management and Luser I think. The keys are located to the left of the user information that they just entered. Then have them click OK and close the call politely. Ta da!!

Here is a list of Polaroid phone techs but I would not advise using Bob or Aryia cause they're big wigs and nobody ever talks to them.
Senior Techs of Polaroid        Regular Techs
Bob Pentze (manager)            Don Bacher
Aryia Bagapour (assistant)      Richard Felix
Sue                             Rick Ward
Jordan Freeman                  Dave Webster

Call 1-800-343-5000 for more Names =)

Part Four: What to Do once you get in

Now that you're in you have access to all of their database records and photos. Upload your own and have fun with it! Everything you do is logged so here's what you'll want to do when you're done making yourself an official FBI agent or an employee of the federal reserve. Go to all of the available drives which could be a lot since they are on a network and do a search from root for all of the LOG files i.e. C:\DIR /S *.LOG Then delete the fuckers!!!! You can also do this by FDISK or formatting. Just kidding! But if you want to do it the right way then go to the admin screen and purge the error and system logs. Basically if you want the form for government badges or the FBI agents database this is the safest way to go. These computers do not have the ability to trace but it does not mean the phone company doesn't! ANI sucks a fat dick so remember to divert if you decide to do this. If you don't know how to divert I recommend you read CoTNo or Phrack and learn a little bit about phone systems and how they work. Moving around in the software once you're past the security is very simple so I'm not going to get into it. If you can get around a BBS then you don't need any further help. Just remember to delete or purge the logs.

Part Five: Closing

If you're looking for some mild fun like uploading the DMV a new license or revoking your friend's this is the way to do it. However if you're looking to make fake ID's I recommend you download the badge format and purchase or obtain a copy of IDWare by Polaroid. IDware is a lot like the 4000 software except you only need a scanner not the whole system. As a warning to some of the kids I know of one guy who bought a $50,000.00 ID4000 and paid it off in a year by selling fake ID's.
When Polaroid busted him they prosecuted to the fullest and now the guy is rotting in a cell for 25 to 50 years. Just a thought to ponder.

Peace
PiLL

Greetz

Shouts go out to the following groups and individuals: TACD, TNO, MOD, L0pht, CDC, UPS, Shadow, Wraith, KaoTik, Wednesday, Zydirion, Voyager, Jazmine, swolf, Mustard, Terminal, Major, Legion, Disorder, Genesis, Paradox, Jesta, anybody else in 303, STAR, BoxingNuN, MrHades, OuTHouse, Romen, Tewph, Bravo, Kingpin, and everyone I forgot cause I'm sure there are a bunch of you, sorry =P.

----<>----

The Top Ten things overheard at PumpCon '96

10. "You gotta problem? Ya'll gotta rowl!" - Keith the security guard
9. "My brain has a slow ping response" - Kingpin
8. "Space Rogue, I've been coveting your pickle." - espidre
7. "If there's space -n shit, then it's Star Trek. Unless there's that little Yoda guy - then it's Star Wars" - Kingpin
6. "I'm the editor of Phrack. Wanna lay down with me?" - A very drunk unnamed editor of Phrack
5. "Let's go find that spic, b_, no offense" - A drunk IP to b_.
4. "I'm lookin for that fat fucker Wozz. He's big, and got a green shirt, and glasses, and curly hair, just like you. As a matta a fact, you gots similar characteristics!" - A drunk IP to wozz.
3. "He was passed out on the floor... so I pissed on him" - An unknown assailant referring to IP
2. "It was the beginning and the end of my pimping career" - Kingpin referring to his escapade of getting paid two dollars for sex.
1. "French Toast Pleeeeze!" - Everyone

----<>----

TOP 0x10 REASONS TO KICK && WAYS TO GET KICKED OUT OF #HACK
(Revision 0.1.1)
By SirLance

0x0f asking for any information about any Microsoft products
0x0e talking about cars, girls, or anything unrelated to hacking
0x0d flooding with a passwd file contents
0x0c asking how to unshadow passwd
0x0b being on #hack, #warez and #hotsex at the same time
0x0a asking for ops
0x09 using a nick including words like 'zero' 'cool' 'acid' or 'burn'
0x08 asking if someone wants to trade accounts, CCs or WaR3Z
0x07 asking what r00t means
0x06 asking when the latest Phrack will be released
0x05 asking where to get or how to create a BOT
0x04 having the word BOT anywhere in your nick
0x03 having a nick like Br0KnCaPs and SpEak LiK3 Th4t all the time
0x02 asking for flash.c or nuke.c, spoof.c, ipsniff.c or CrackerJack
0x01 thinking #hack is a helpdesk and ask a question
0x00 being on from AOL, Prodigy, CompuServe, or MSN

-EOL-

----<>----

International business
by HCF

Friday, 3:00am 4.12: I get the call:

Julie: "You break into computers right...?"
Dover: "Yea, what kind..."
Julie: "Mac, I think."
Dover: "Hmm... Call ``HCF'' at 213.262-XXXX"
Julie: "Uh, will he be awake...?"
Dover: "Don't worry (snicker) he'll be awake."

Friday, 4:00am 4.12 HCF called me at 4am after he got the call from Julie:

HCF: "you got me into this mess, I need to borrow your car."
Dover: "Umm sure. Ok..."
HCF: "I'll be right over..."

Friday, 12:30pm 4.12: upon returning the car:

HCF: "Umm, got a parking ticket, I'll write you a check later..."

(I never got the check.)

Kathleen's comment to Julie which was passed to me (days later):

Kath: "Why didn't you tell me he was cute, I want him for myself!"

When I passed this on to HCF:

HCF: "She is *gorgeous* but not without a wet suit..."

Here is the story that happened early one Friday morning... The names have been changed to protect the innocent, the guilty, and the innocent-looking guilty....
I was reading up on a new firewall technology, the kind that locks addresses out of select ports based on specific criteria, when the phone rang.

"Hello?"

The voice of a woman, between 18 and 30, somewhat deep like Kathleen Turner's, said, "Uh, hello..."

There was an obvious pause. It seemed she was surprised that I was so awake and answered sharply on the second ring. It was in the middle of my working hours; 3:30 AM. There was no delay in the phone's response, no subtle click after I picked up, and the audio quality was clear.

"Do you hack?" she asked.

Recorder on. Mental note: *stop* getting lazy with the recorder.

"No. Are you on a Cell phone?" I responded.

"No."

"Are you using a portable battery operated telephone?"

"No. I was told by my friend ..."

"Are you in any way associated with local, federal or state law enforcement agencies?"

"Oh, I get it. No I'm not. Julie said that you could help me."

I knew Julie through a mutual friend. "Could you call me back in 5 minutes."

"Well, um, ok."

Throughout the whole conversation, the phones on her end were ringing off the hook. As soon as I hung up, Ben, the mutual friend, called. Julie had called him first, and he gave her my number. I got his reassurance that this was legit. Ben was snickering but wouldn't divulge what it was about. By now my curiosity was piqued.

The phone rang again, "I need someone who can break into a computer."

"Whose computer?"

"Mine."

It turns out that the woman had hostilely bought out the previous owner of this business. The computer in question had both a mission-critical database of some sort and a multi-level security software installed. She had been working under a medium permission user for some time. The computer crashed in such a way as to require the master password (root) in order to boot. The previous owner moved out of town, could not be contacted, and was most likely enjoying the situation thoroughly.
The woman was unaware of any of the technical specifications or configuration of the machine. I was able to find out that it was an Apple Macintosh Color Classic; a machine primarily distributed in Japan. It would be around 10:00 AM in Tokyo.

"Why are the phones ringing so often at this time of the morning?" I asked.

"I do a lot of international business."

I was intrigued, the answer was smoothly executed without a delay or pitch change. I took the job.

Upon arriving, I was greeted by a young, stunningly beautiful, woman with long, jet-black hair and stressed but clear green eyes. I checked the room for obvious bugs and any other surveillance. There were calendars on the wall, filled out with trixy and ultra-masculine sounding names like Candy and Chuck. The phones had died down some. The machine in question was obviously well integrated into the environment; dust patterns, scratch marks, worn-out mouse pad; it had been there for some time. There was a PBX, around 6 to 8 voice lines, three phones, and no network, modem or outside connectivity.

The security, which we'll call VileGuard, defeated all the "simple" methods of by-passing. None of the standard or available passwords, in any case or combination, worked. A brute-force script would be slow as a second failure shut the machine down. I made a SCSI sector copy onto a spare drive and replaced it with the original. This involved tearing open the machine, pulling various parts out, hooking up loose wires, merging several computers, and turning things on in this state. Trivial and routine, I did it rapidly and with both hands operating independently.

For those who have never opened the case of an all-in-one Mac, it involves a rather violent looking smack on both sides of the pressure fitted case backing, appropriately called "cracking the case." This did not serve well to calm the nerves of the client. After a few moments of pallor and little chirps of horror, she excused herself from the room.
While the SCSI copy proceeded, I overheard her taking a few calls in the other room. What I heard was a one-sided conversation, but I could pretty much fill in the blanks,

"Hello, Exclusive Escorts, may I help you?"

"Would you like to be visited at your home or at a hotel?"

"Well, we have Suzy, she's a 5'4" Asian lady with a very athletic body. Very shy but willing, and very sensual, she measures 34, 24, 34."

"Big what? Sir, you'll have to speak a little clearer."

"Oh, I see, well we have a very well endowed girl named Valerie, she's a double D and measures 38, 24, 34. Would that be more to your liking?"

It was not easy to keep from busting up laughing.

"He wants you to do what? Well, charge him double."

With the new drive installed, and to predictable results, I fired up a hex editor. My experience has been that full-disk encryption typically slows the machine down to the point where the user disables it. At around $5C9E8, I found, "...507269 6E74204D 616E6167 65722045 72726F72... ...Print Manager Error..." in plain text. I searched for some of the known, lower permission, passwords. I found a few scattered around sector $9b4. The hex editor I was using could not access the boot or driver partitions, so I switched to one that could. It's not as pretty of an interface as the last editor, and is rather old. Its saving grace though is that it doesn't recognize the modern warnings of what it can and cannot see. There it was, VileGuard; driver level security.

"Eric is endowed with eight and has a very masculine physique."

Every male was "endowed with eight," every female had relatively identical measurements.

I hunted fruitlessly around the low sectors for what might be the master password. All the while wishing the find function of the editor would accept regexp. All the other passwords were intercapped on the odd character, but that was a convention of the current owner, and not necessarily used by the past owner.

"Oh, you want a girl that is fluent in Greek?"
It's not professional for me, and not good salesmanship for her, to have me overheard laughing myself into anoxia. After trying to straighten up and gather my wits together again, I began to consider an alternate possibility. If I don't know the password, what happens if I make it so that the driver doesn't either. Return to the first-installed condition perhaps? It was a thought. It turned out to be a bad thought, resulting in my haphazardly writing "xxxx" over, pretty much, random sectors of the driver partition. "Oh yes sir, Roxanne prefers older men. She appreciates how very experienced they are. I understand sir, and I'm sure she can help you with that." Before I made a second copy and whipped out the RE tools, TMON and MacNosy, I tried booting. The results were, as you'd expect, that the disk didn't mount. Instead, it asked me if I wanted to reinitialize the disk. Pause. Think... ya, why not. This was most definitely farther than I had gotten with the secure driver installed and functional. I canceled and fired up one of many disk formatters I had on hand. Though the formatter wasn't the slickest, it had proven itself repeatedly in the past. Its main quality was that of writing a driver onto a disk that is in just about *any* condition. It's made by a French drive manufacturer. As dangerous as this behavior is, I'm sure it's a planned feature. It could see the drive and allowed me to "update" the driver. A few seconds later, a normal "finished" dialog. "Yes, Stan carries a set of various toys with him. No, I don't believe he normally carries that, but I'm sure if you ask him nicely, he'll drop by the hardware store on his way and pick one up." I rebooted. It worked. I copied over the disk's data and reformatted. Time to try it on the original drive (I had, of course, been working on my copy.) Upon startup, before anything could be accessed, "Please input the master password..." 
Puts an unusual twist on the phrase, "adverse working conditions"

- HCF

Note 1: Payment was in currency.
Note 2: If you ever think you understand the opposite sex's view on sex, you're underestimating.

----<>----

The Beginners Guide to RF hacking
by Ph0n-E of BLA & DOC

Airphones suck. I'm on yet another long plane ride to some wacky event. I've tried dialing into my favorite isp using this lame GTE airphone, $15 per call no matter how long you "talk". In big letters it says 14.4k data rate, only after several attempts I see the very fine print, 2400 baud throughput. What kind of crap is that? A 14.4 modem that can only do 2400? It might be the fact they use antiquated 900MHz AM transmissions. The ATT skyphones that are now appearing use Inmarsat technology, but those are $10/minute. Anyway they suck, and I have an hour or so before they start showing Mission Impossible so I guess I'll write this Phrack article Route has been bugging me about.

There are a bunch of people who I've helped get into radio stuff, five people bought handheld radios @ DefCon... So I'm going to run down some basics to help everyone get started. As a disclaimer, I knew nothing about RF and radios two years ago. My background is filmmaking, RF stuff is just for phun.

So why the hell would you want to screw around with radio gear? Isn't it only for old geezers and wanna be rentacops? Didn't CB go out with Smokey & the Bandit?

Some cool things you can do:

Fast-food drive thrus can be very entertaining, usually the order taker is on one frequency and the drivethru speaker is on another. So you can park down the block and tell that fat pig that she exceeds the weight limit and McDonalds no longer serves to Fatchix. Or when granny pulls up to order those tasty mcnuggets, blast over her and tell the nice MCD slave you want 30 happy meals for your trip to the orphanage.
If you're lucky enough to have two fast food palaces close to each other you can link them together and sit back and enjoy the confusion.

You've always wanted a HERF gun, well your radio doubles as a small scale version. RF energy does strange and unpredictable things to electronic gear, especially computers. The guy in front of me on the plane was playing some lame game on his windowz laptop which was making some very annoying cutey noises. He refused to wear headphones, he said "they mushed his hair...". Somehow my radio accidentally keyed up directly under his seat, there was this agonizing cutey death noise and then all kinds of cool graphics appeared on his screen, major crash. He's still trying to get it to reboot.

Of course there are the ever popular cordless phones. The new ones work on 900MHz, but 90% of the phones out there work in the 49MHz band. You can easily modify the right ham radio or just use a commercial low band radio to annoy everyone. Scanning phone calls is OK, but now you can talk back, add sound effects, etc... That hot babe down the street is talking to her big goony boyfriend, it seems only fair that you should let her know about his gay boyfriend. Endless hours of torture.

You can also just rap with your other hacker pals (especially useful at cons). Packet radio, which allows you up to 9600 baud wireless net connections, it's really endless in its utility.

How to get started:

Well you're supposed to get this thing called a HAM license. You take this test given by some grampa, and then you get your very own call sign. If you're up to that, go for it. One thing though, use a P.O. box for your address as the feds think of HAMs as wackos, and are first on the list when searching for terrorists. Keep in mind that most fun radio things are blatantly illegal anyway, but you're used to that sort of thing, right?

If you are familiar with scanners, newer ones can receive over a very large range of frequencies, some range from 0 to 2.6 GHz.
You are not going to be able to buy a radio that will transmit over that entire spectrum. There are military radios that are designed to sweep large frequency ranges for jamming, bomb detonation, etc. - but you won't find one at your local radio shack.

A very primitive look at how the spectrum is broken down into sections:

0 - 30MHz (HF)                  Mostly HAM stuff, short-wave, CB.
30 - 80MHz (lowband)            Police, business, cordless phones, HAM
80 - 108MHz (FM radio)          You know, like tunes and stuff
110 - 122MHz (Aircraft band)    You are clear for landing on runway 2600
136 - 174MHz (VHF)              HAM, business, police
200 - 230MHz                    Marine, HAM
410 - 470MHz (UHF)              HAM, business
470 - 512MHz                    T-band, business, police
800MHz                          cell, trunking, business
900MHz                          trunking, spread spectrum devices, pagers
1GHZ+ (microwave)               satellite, TV trucks, datalinks

Something to remember, the lower the frequency the farther the radio waves travel, and the higher the frequency the more directional the waves are.

A good place to start is with a dual band handheld. Acquire a Yaesu FT-50. This radio is pretty amazing, it's very small, black and looks cool. More importantly it can easily be modded. You see this is a HAM radio, it's designed to transmit on HAM bands, but by removing a resistor and solder joint, and then doing a little keypad trick you have a radio that transmits all over the VHF/UHF bands. It can transmit approximately 120-232MHz and 315-509MHz (varies from radio to radio), and will receive from 76MHz to about 1GHz (that's 1000MHz lamer!), and yes that *includes* cell phones. You also want to get the FTT-12 keypad which adds PL capabilities and other cool stuff including audio sampling. So you get a killer radio, scanner, and red box all in one! Yaesu recently got some heat for this radio so they changed the eprom on newer radios, but they can be modified as well, so no worries.

Now for some radio basics.
There are several different modulation schemes, SSB - Single Side Band, AM - Amplitude Modulation, FM - Frequency Modulation, etc. The most common type above HF communications is NFM, or Narrow band Frequency Modulation.

There are three basic ways communication works:

Simplex - The Transmit and Receive frequencies are the same, used for short distance communications.

Repeater - The Transmit and Receive frequencies are offset, or even on different bands.

Trunking - A bunch of different companies or groups within a company share multiple repeaters. If you're listening to a frequency with a scanner and one time it's your local Police and the next it's your garbage man, the fire dept... - that's trunking. Similar to cell phones you get bits and pieces of conversations as calls are handed off among repeater sites. Their radios are programmed for specific "talk groups", so the police only hear police, and not bruno calling into base about some weasel kid he found rummaging through his dumpsters. There are three manufacturers - Motorola, Ericsson (GE), and EF Johnson. EFJ uses LTR which sends sub-audible codes along with each transmission, the other systems use a dedicated control channel system similar to cell phones. Hacking trunk systems is an entire article in itself, but as should be obvious, take out the control channel and the entire system crashes (in most cases).

OK so you got your new radio, you tune around and you find some security goons at the movie theater down the street. They are total losers so you start busting on them. You can hear them, but why can't they hear you? The answer-- SubAudible Tones. These are tones that are constantly transmitted with your voice transmission - supposedly subaudible, but if you listen closely you can hear them. Without the tone you don't break their squelch (they don't hear you.) These tones are used to keep nearby users from interfering with each other and to keep bozos like you from messing with them.
There are two types, CTCSS Continuous Tone-Coded Squelch System (otherwise known as PL or Privacy Line by Motorola) or DCS Digital Coded Squelch (DPL - Digital Privacy Line). If you listened to me and got that FT-50 you will be styling because it's the only moddable dual band that does both. So now you need to find their code, first try PL because it's more common. There is a mode in which the radio will scan for tones for you, but it's slow and a pain. The easiest thing to do is turn on Tone Squelch, you will see the busy light on your radio turn on when they are talking but you won't hear them. Go into the PL tone select mode and tune through the different tones while the busy light remains on, as soon as you hear them again you have the right tone, set it and bust away! If you don't find a PL that works move on to DPL. There is one other squelch setting which uses DTMF tone bursts to open the squelch, but it's rarely used, and when it is used it's mostly for paging and individuals.

Now you find yourself at Defcon, you hear DT is being harassed by security for taking out some slot machines with a HERF gun, so you figure it's your hacker responsibility to fight back. You manage to find a security freq, you get their PL, but their signal is very weak, and only some of them can hear your vicious jokes about their moms. What's up? They are using a repeater. A handheld radio only puts out so much power, usually the max is about 5 watts. That's pretty much all you want radiating that close to your skull (think brain tumor). So a repeater is a radio that receives the transmissions from the handhelds on freq A and then retransmits it with a ton more watts on freq B. So you need to program your radio to receive on one channel and transmit on another. Usually repeaters follow a standard rule of 5.0MHz on UHF and .6MHz on VHF, and they can either be positive or negative offsets.
Most radios have an auto-repeater mode which will automatically do the offset for you or you need to place the TX and RX freqs in the two different VCOs. Government organizations and people who are likely targets for hacks (Shadow Traffic news copter live feeds) use nonstandard offsets so you will just need to tune around.

Some ham radios have an interesting feature called crossband repeat. You're hanging out at Taco Bell munching your Nachos Supreme listening to the drive thru freq on your radio. You notice the Jack in the Box across the street, tuning around you discover that TacoHell is on VHF (say 156.40) and Jack in the Crack is on UHF (say 464.40). You program the two freqs into your radio and put it in xband repeat mode. Now when someone places their order at Taco they hear it at Jacks, and when they place their order at Jacks they hear it at Taco. When the radio receives something on 156.40 it retransmits it on 464.40, and when it receives something on 464.40 it retransmits it on 156.40.

"...I want Nachos, gimme Nachos..."
"...Sorry we don't have Nachos at Jack's..."
"...Huh? I'm at Taco Bell..."

Get it? Unfortunately the FT-50 does not do xband repeat, that's the only feature it's lacking.

Damn it, all this RF hacking is fun, but how do I make free phone calls? Well you can, sort of. Many commercial and amateur repeaters have a feature called an autopatch or phonepatch. This is a box that connects the radio system to a phone line so that you can place and receive calls. Keep in mind that calls are heard by everyone who has their radio on! The autopatch feature is usually protected by a DTMF code. Monitor the input freq of the repeater when someone places a call you will hear their DTMF digits - if you're super elite you can tell what they are by just hearing them, but us normal people who have lives put the FT-50 in DTMF decode mode and snag the codez... If your radio doesn't do DTMF decode, record the audio and decode it later with your soundblaster warez.
Most of the time they will block long-distance calls, and 911 calls. Usually there is a way around that, but this is not a phreaking article. Often the repeaters are remote configurable, the operator can change various functions in the field by using a DTMF code. Again, scan for that code and you too can take control of the repeater. What you can do varies greatly from machine to machine, sometimes you can turn on long-distance calls, program speed-dials, even change the freq of the repeater.

What about cordless phones, can't I just dial out on someone's line? Sort of. You used to be able to take a Sony cordless phone which did autoscanning (looked for an available channel), drive down the block with the phone on until it locked on to your neighbor's cordless and you get a dialtone. Now cordless phones have a subaudible security tone just like PL tones on radios so it doesn't work anymore. There are a bunch of tones and they vary by phone manufacturer, so it's easier to make your free calls other ways. But as I mentioned before you can screw with people, not with your FT-50 though.

Cordless phones fall very close to the 6 meter (50MHz) HAM band and the lowband commercial radio frequencies. There are 25 channels with the base transmitting 43-47MHz and the handset from 48-50MHz. What you want to do is program a radio to receive on the base freqs and transmit on the handset freqs. The phones put out a few milliwatts of power (very little). On this freq you need a fairly big antenna, handhelds just don't cut it - think magmount and mobile. There are HAM radios like the Kenwood TM-742A which can be modified for the cordless band, however I have not found a radio which works really well receiving the very low power signals the phones are putting out. So, I say go commercial! The Motorola Radius/Maxtrac line is a good choice. They have 32 channels and put out a cool 65watts so your audio comes blasting out of their phones.
Now the sucko part: commercial radios are not designed to be field programmable. There are numerous reasons for this, mainly they just want Joe rentalcop to know he is on "Channel A", not 464.500. Some radios are programmed via EPROMs, but modern Motorola radios are programmed via a computer. You can become pals with some guy at your local radio shop and have him program it for you. If you want to do it yourself you will need a RIB (Radio Interface Box) with the appropriate cable for the radio, and some software. Cloned RIB boxes are sold all the time in rec.radio.swap and at HAM swap meets. The software is a little more difficult; Motorola is very active in going after people who sell or distribute their software (eh, M0t?). They want you to lease it from them for a few zillion dollars. Be cautious, but you can sometimes find mot warez on web sites, or at HAM shows. The RIB is the same for most radios, just different software; you want Radius or MaxTrac LabTools. It has built in help, so you should be able to figure it out.

Ok so you got your lowband radio, snag a 6 meter mag mount antenna, preferably with gain, and start driving around. Put the radio in scan mode and you will find an endless amount of phone calls to break into. Get a DTMF mic for extra fun; as you're scanning around listen for people just picking up the phone to make a call. You'll hear dialtone; if you start dialing first, since you have infinitely more power than the cordless handset you will overpower them and your call will go through. It's great listening to them explain to the 411 operator that their phone is possessed by demons who keep dialing 411.

Another trick is to monitor the base frequency and listen for a weird digital ringing sound - these are tones that make the handset ring. Sample these with a laptop or a yakbak or whatever and play them back on the BASE frequency (note, not the normal handset freq) and you will make their phones ring.
Usually the sample won't be perfect so it will ring all wacko. Keep in mind this tone varies from phone to phone, so what works on one phone won't work on another.

Besides just scanning around how do you find freqs?

OptoElectronics makes cool gizmos called near-field monitors. They sample the RF noise floor and when they see spikes above that they lock on to them. So you stick the Scout in your pocket; when someone transmits near you, the Scout reads out their frequency. The Explorer is their more advanced model which will also demodulate the audio and decode PL/DPL/DTMF tones. There are also several companies that offer CDs of the FCC database. You can search by freq, company name, location, etc. Pretty handy if you're looking for a particular freq. Percon has cool CDs that will also do mapping. Before you buy anything check the scanware web site, they are now giving away their freq databases for major areas.

OK radioboy, you're hacking repeaters, you're causing all the cordless phones in your neighborhood to ring at midnight, and no one can place orders at your local drivethrus. Until one day, when the FCC and FBI bust down your door. How do you avoid that??

OK, first of all don't hack from home. Inspired people can eventually track you down. How? Direction Finding and RF Fingerprinting.

DF gear is basically a wideband antenna and a specialized receiver gizmo to measure signal strength and direction. More advanced units connect into GPS units for precise positioning and into laptops for plotting locations and advanced analysis functions such as multipath negations (canceling out reflected signals).

RF fingerprinting is the idea that each individual radio has specific characteristics based on subtle defects in the manufacture of the VCO and AMP sections in the radio. You sample a waveform of the radio and now theoretically you can tell it apart from other radios. Doesn't really work though-- too many variables.
Temperature, battery voltage, age, weather conditions and many other factors all affect the waveform. Theoretically you could have a computer scanning around looking for a particular radio; it might work on some days. Be aware that fingerprinting is out there, but I wouldn't worry about it *too* much.

On the other hand DF gear in knowledgeable hands does work. Piss off the right bunch of HAMS and they will be more than happy to hop in their Winnebago and drive all over town looking for you. If you don't stay in the same spot or if you're in an area with a bunch of metal surfaces (reflections) it can be very very hard to find you.

Hack wisely; although the FCC has had major cutbacks there are certain instances in which they will take immediate action. They are not going to come after you for encouraging Burger King patrons to become vegetarians, but if you decide to become an air-traffic controller for a day expect every federal agency you know of (and some you don't) to come looking for your ass.

My plane is landing so that's all for now, next time - advanced RF hacking, mobile data terminals, van eck, encryption, etc.

EOF

----<>----

10.16.96 Log from RAgent

GrimReper: I work For Phrack
GrimReper: Yeah
GrimReper: I gotta submit unix text things like every month
GrimReper: I've been in Phrack for a long time
GrimReper: Phrack is in MASS
-> *grimreper* so how much does Phrack pay you?
*GrimReper** How much?
*GrimReper** Hmm......
*GrimReper** About $142
-> *grimreper* really
-> *grimreper* who paid you?
*GrimReper** w0rd
*GrimReper** CardShoot
*GrimReper** Cardsh00t
-> *grimreper* hmm, I don't see any "cardsh00t" in the credits for phrack
+48
*GrimReper** There is
-> *grimreper* you might as well stop lying before I bring in daemon9,
+he's another friend of mine
-> *grimreper* he's one of the editors of phrack
*GrimReper** Get the latest Phrack?
*GrimReper** Its gonna have my NN
*GrimReper** watch
-> *grimreper* not anymore
*GrimReper** Go Ahead
-> *grimreper* actually
*GrimReper** so?
-> *grimreper* you will be mentioned
-> *grimreper* you'll be known as the lying fuckhead you are, when this
+log goes in the next issue

----<>----

10.24.96 Log from Aleph1

*** ggom is ~user01@pm1-6.tab.com (ggom)
*** on irc via server piglet.cc.utexas.edu ([128.83.42.61] We are now all piglet)
*ggom* i am assembling a "tool shed". A "shed" for certain "expert" activity. Can you help?
-> *ggom* maybe... go on
*ggom* i represent certain parties that are looking for corporate information. this would fall under the "corporate espionage" umbrella
*ggom* this information could probably be obtained via phone phreak but access to corporate servers would be a plus...can you help?
-> *ggom* a) how do I know you are not a cop/fed? b) why did you come to #hack to ask for this? b) what type of data you after? c) what type of money are you talking about?
*ggom* where else should i go to ask for this stuff????????
-> *ggom* you tell me. How do you know about #hack?
*ggom* looked it up on the irc server...figured this was a good place to start........... i am talking about 4 to 5 figures here for the information
-> *ggom* you are also talking 4 to 5 years
-> *ggom* #hack is visited regularly by undercovers and the channel is logged
-> *ggom* talking openly about such thing is not smart
*ggom* whatever........... man, if you are GOOD, you are UNTRACEABLE. i guess i am looking in the wrong place......
-> *ggom* you been watching way to many times "Hackers" and yes #hack is the wrong place...
*ggom* we are on a private channel.........suggest a more private setting....
-> *ggom* sorry you started off on a bad foot. If you got a million to spare for such information you would also have the resources to find the appropiate person to do the job. So you either are full off it, are a fed, or just plain dumb. This conversation ends here.
*ggom* later
*ggom* not talking a million.. talking 5 to 6 figures......... you are right
*ggom* talk to me.......
*ggom* talk to me.......

----<>----

.oO Phrack 49 Oo.

Volume Seven, Issue Forty-Nine

4 of 16

-:[ Phrack Pro-Phile ]:-

We discussed for a long time who in the hacking world today best exemplifies everything that is right with hacking today, and we came up with a unanimous conclusion that it was Mudge. And so we were quite happy that our first choice for the first pro-phile that we have done accepted our invitation. He cracked your Apple warez when you couldn't, he wrote buffer overflows before they were cool, he owned your Sendmail (and probably still does), and he still manages to give more back to the community than anyone else around. We can't say much more about him so let's see what he has to say for himself...

Mudge
~~~~~

Personal
~~~~~~~~

Handle: mudge
Call him: Enough people know it that it's not secret, if you know it great, if not you probably don't have to.
Past handles: Many old Apple ][ crackers remember me by a different handle. That handle is long put to rest thanks to the government.
Handle origin: Mudge is a very common Irish last name. Though I'm not Irish I met someone with the name and couldn't believe it was a proper name. Out of homage to this person I took it as a handle several years ago (and since I couldn't use the old one for legal reasons).
Date of Birth: Mid to Late '60s
Age at current date: Mid to Late 20s
Height: 6'0"
Weight: 150
Eye color: Blue
Hair Color: Brownish / dirty blonde and loooong
Computer: MPP Risc machine with 16 processors, 4 processor i860 Cadmus, 2 Sparcs, my original Apple ][+, NeXT cube, 486, 4 Sun 3's, Tektronix 4051, SouthWest Technical Products 75
Sysop/Co-Sysop of: Cell-Block, Magic Tavern, Co-Sysop on the old Circus and Circus-II boards, ATDT, Works, and various AEs scattered across the country. And a little place called the l0pht.
Boards Frequented: Terrapin Station, Metal Shop, Black Crawling Systems, Used to hang on Rutgers' with the old Darpa people (they know who they are) through telenet.
Net address: mudge@l0pht.com

Favorite Things
~~~~~~~~~~~~~~~

Women: Not a big womanizer, when I hook up with someone it's usually for quite some time. Though it's always nice when big companies try to bribe you other ways. (Moreso 'cause it shows how sleazy the big companies are in comparison to human beings :>)
Cars: Ford GT40, Porsche Wolf, Ferrari 318's, and of course a black SVT Cobra with black leather interior.
Foods: Beer
Beers: Mateen Triple - with a runner up of Pilsner Urquell
Music: Frank Zappa, Dream Theater, Rush, Gentle Giant, King Crimson
Instruments: Guitar. I actually hold advanced degrees in music (hehe had to make some money so here I am back in the 'puter world).
Guitars: Ibanez 7 string, Gibson es225 Jazzer, and a custom built Ibanez from an endorsement deal (which is signed by 2 porn stars)
Books: Jack of Shadows, Roadmarks, Stranger in a Strange Land, This Immortal, Steal this Urine Test, Steal this Book, PANIC - the wonderful Sparc buffer overflow writers bible.
Turn Ons: Pet Rocks
Turn Offs: 7/11 employees who think they can dance to Frank Zappa

Other Passions, Interests, Loves: I love running the l0pht and the people that are involved in it. There's nothing like knowing that you are, at least attempting, to keep information flowing and offering back to the community. I love a lot of things. It's nice to see there is a sense of humor in the scene, and that there are still enough old-school hackers that are willing to help if approached correctly. Granted there aren't enough of the older ones to answer every aol.com e-mail... It's a great feeling to be beneficial to both sides.
For instance: when the 8.7.5 sploit went out and when we were doing a lot of work on SecureID (which much to their chagrin we got *really* far) that both the people writing the software and the hackers were happy to see our results. It's all about information and learning. If you stop learning... you're not doing it right. Unfortunately... it usually takes disseminating sploits to get some of the large companies to fix their buggy software.

Most Memorable Experiences
~~~~~~~~~~~~~~~~~~~~~~~~~~

Having a bunch of suits get out of, yes, K-cars and take away most of my belongings - learning 6502 (and living it) assembler - writing my first buffer overflow a few years back - the band cutting its first audio CD - playing the music for one of Hobbit's laser shows - having Wietse Venema ask me "not" to break into bell labs at a talk he was giving - having the bellcore author of the OTP RFC write me e-mail realizing that I had beaten him to the punch with vulnerabilities - everyday that I spend with my girlfriend - hearing one of the songs I wrote and played on being played on the radio - The L0pht and its people - every time that you finish working on a new project and it actually works [especially when you are working on a hypothetical exploit and it pans out].

Some People to Mention
~~~~~~~~~~~~~~~~~~~~~~

Cheshire Catalyst for the initial inspiration. The L0pht folks, Raven, Hobbit for being a flat out brilliant fucker, ReDragon (best sense of humor - and best patience... look who he works for ;-)), Glyph - one nasty coder, Squarewave for providing countless hours of ooh's and aahhh's while poring through his code. The NewHack folks. G-heap, Pope, SpaceRogue, Kingpin, Tan, Weld, Stefan, Brian Oblivion, t-com, all the standard people that hang out and have a good time at the cons with the l0pht folks (ie the r00t, NHC, l0ck/anti l0ck, cDc...) shit ALL the cDc folks. etc., etc. etc. The ASR guys. There are so many people that have contributed so much.
I'm sure I've left out many. The biggest one: my father [the only person who could sit there and grin through all of it... and explain the leafing procedures and how the 6502 REALLY worked] (that's not leafing through on the Apple ][+... two separate things).

A few things you would like to say:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

French Toast please... 31337 is not a strong XOR key... (unless your secret host key is less than 5 characters long)

Thanks to the new phrack lineup for keeping a good thing going. Still remember DL'ing the latest ones along with the Countlegger series and having to Dalton's Disk Disintegrator them back together.

Oh yeah... and if someone tells you something is secure... ask them to prove it, and then STILL don't believe them.

~~~~~~~~~~~~~~~~~~~~~

One last thing, in your personal experience, have you found that most people in the scene are pretty much computer geeks?

"Absolutely not. I've had the privilege to hang out with everyone from Wietse Venema, Dan Farmer, Casper Dik, Peter Gutmann, to the hacker scene like Hobbit, Daemon9, the l0pht folks... and there's very few out of the bunch that I would label 'computer geeks'. Computer geeks seem not to have that creative twist in many cases that hackers have. This is the same twist that says: I don't care what it's _supposed_ to do - I bet I can make it do *this*."

Thanks a lot for the prophile.

"Thanks a lot for the opportunity."

.oO Phrack 49 Oo.

Volume Seven, Issue Forty-Nine

File 05 of 16

Introduction to Telephony and PBX

by Cavalier[TNO]

Table of Contents

1. The Central Office
2. Private Branch Exchange (PBX)
3. Properties of Analog and Digital Signals
4. Analog-Digital Conversion
5. Digital Transmission
6. Multiplexing
7. Transmission Media
8. Signaling

  .--------------------.
1 | The Central Office |
  `--------------------'

Telephones alone do nothing special. Their connection to the rest of the world makes them one of mankind's greatest achievements.

In the early days of telephone communications, users had to establish their own connections to other telephones. They literally had to string their own telephone lines. Although the customer inconvenience of building their own connections limited the availability of phone service, an even greater problem soon arose. As the telephone became more popular, more people wanted to be connected. At the time, each phone had to be directly wired to every other phone. In a very short time there was a disorganized maze of wires running from the homes and businesses.

A simple mathematical formula demonstrates the growth in the number of connections required in a directly wired network:

    I = N(N-1)/2    (I = number of interconnections; N = number of subscribers)

    I = 100(100-1)/2

If just 100 subscribers attempted to connect to each other, 4950 separate wire connections would be needed! Obviously, a better method was needed.

Switching

A Central Office (CO) switch is a device that interconnects user circuits in a local area, such as a town. The CO is a building where all subscriber phone lines are brought together and provided with a means of interconnection. If someone wants to call a neighbor, the call is routed through the CO and switched to the neighbor.

What if someone wanted to call a friend in the next town? If their friend was connected to a different CO, there was no way to communicate. The solution was to interconnect COs. Then, CO-A routed calls to CO-B to complete the connection.

Today every CO in the world is connected to every other CO in a vast communication highway known as the Public Switched Network (PSN).
The PSN goes by a variety of different names:

  Dial-up network
  Switched network
  Exchange network

The CO provides all users (subscribers) with a connection to each other. A critical note, however, is that no CO has the resources to switch all its users simultaneously. It would be too expensive, and it is unnecessary to attempt to do so, because for the vast majority of the time only a small percentage of subscribers are on the phone at the same time.

If, on a rare occasion, all the circuits are busy, the next call will be blocked. A call is blocked if there are no circuits available to switch it because all the circuits are in use. The term `probability of blocking` is a statistical measure of the chance that a call cannot be switched. For modern day commercial COs, the probability of blocking is very low.

History of COs

Operator switching

In the first COs, a subscriber who wanted to place a call cranked a magneto-generator to request service from the local phone company. An operator at the CO monitored subscriber connections by observing lamps on a switchboard console. When a subscriber's lamp lit, indicating the request for service, the operator would answer: "Number please...".

The operator connected one call to another by plugging one end of a cord into the jack of the caller and the other end of the cord into the jack of the called party, establishing a manual, physical connection. The switchboard had to have a jack for every incoming and outgoing line that needed service. The number of lines an operator could monitor was limited by her arm's reach. Billing was accomplished by the operators writing up a ticket for each call designating its starting and ending times.

When telephone subscribers were few in number, this method worked fine. As the popularity of the phone increased, more phones placed more calls and it became increasingly unmanageable and expensive to manually switch and bill each call.
Strowger Step-by-Step Switch

A mechanical switch was invented in the 1890's by a Kansas City mortician named Almon B. Strowger. He became very suspicious because callers looking for a mortician were continually referred to his competition instead of to him. When he learned that the local operator was the wife of his rival, his suspicions were confirmed. He set about to invent a switching system that would not be dependent upon human intervention.

His creation, called the Strowger or Step-by-Step switch, was the first automated electromechanical switching system. It placed switching control in the hands of the subscriber instead of the operator by adding a dialing mechanism to the phone.

The Strowger switch completed a call by progressing digit by digit through two axes of a switching matrix in the CO. A call was stepped vertically to one of ten levels and rotated horizontally to one of ten terminals. It was called step-by-step because calls progressed one step at a time as the customer dialed each digit of the number. When the final digit was dialed, the switch seized an available circuit and connected the call.

The result of the step-by-step switch was to eliminate the need for manual operator connection and grant privacy and call control to the subscriber.

The step-by-step switch was a wonderful invention for its day. Today it is obsolete. Compared to modern day switches, it is slow, noisy and too expensive to maintain. It is also both bulky and inefficient.

The Crossbar Switch

The crossbar switch was invented and developed in the late 1920s. One of its main technological advances was the introduction of a hard wired memory to store dialed digits until the dialing was complete. Unlike the step-by-step method, calls are not processed under the direct control of incoming dial pulses. In the step-by-step method, each phone call controlled its own pathway through the switching matrix at the speed the digits were dialed by the user.
The crossbar switch introduced a better method. Devices called registers stored the digits in memory as they were dialed by the callers. Not until all the digits were dialed would the call begin to be switched. Once all the digits were received and stored in the register, the register handed the digits to a processor to be examined and used to route the call.

When a pathway had been established and the call was connected, the register and processor would release and become available to handle another call. Collectively, this process was called `common control`.

Common control resulted in faster call completion and increased capacity of the switch. With the old step-by-step, the time it would take a user to physically dial the digits would occupy valuable switch time because dialing the digits was the most time consuming part of switching a call. This 8 to 12 seconds of dialing time prevented other users from accessing the switching matrix and generally slowed things down.

The genius of the crossbar common control was to store the dialed digits as they came in and then, after the user finished dialing, send the digits off for processing. The act of dialing no longer kept other calls waiting for switch resources. Common control created the separation of the control functions (setting up and directing the call) from the switching functions (physically creating the connections).

Crossbar Switching Matrix

Calls were connected by sharing a dedicated wire path through the switching matrix. Crossbar switches used the intersection of two points to make a connection. They selected from a horizontal and vertical matrix of wires, one row connected to one column. The system still stepped the call through the network, but only after all the digits were dialed. This method created a more efficient allocation of switch resources.

There are four important components of a crossbar switch.

  . The marker is the brain of a crossbar switch. It identifies a line requesting service and allocates a register.
  . The register provides dial tone and receives and stores the dialed digits.
  . The matrix is a set of horizontal and vertical bars. The point at which the crosspoints meet establishes the connection.
  . A trunk interface unit, also called a sender, processes calls from a PBX.

Although crossbar is faster and less bulky than step-by-step, it is still electromechanical and requires a lot of maintenance. It requires huge amounts of space, generates a lot of heat, and makes a great deal of noise.

Electronic Switching System (ESS)

The advent of electronic switching (also called stored program switching) was made possible by the transistor. Introduced in 1965, the Electronic Switching System (ESS) greatly increased switch processing capacity and speed and has done nothing less than revolutionize the industry.

Modern ESS switches perform five main functions to establish and maintain service in a public network.

  1. Establish a connection between two or more points
  2. Provide maintenance and testing services
  3. Record and sort customer billing charges
  4. Offer customer features, such as call waiting
  5. Allow access to operators for special services

An ESS uses computer-based logic to control the same two primary operations we introduced with the crossbar -- common control and the switching matrix. (In an ESS, the terms stored program control, common control, and electronic switching are all synonymous.)

ESS Common Control

The function of the common control is similar to its function in the crossbar. The difference is that common control is accomplished electronically instead of electromechanically. Like the crossbar, one group of control devices controls the functions of all lines. However, instead of the hard wired logic of the crossbar, the control device consists of a computer with memory, storage, and programming capability.

In the ESS, the computer governs the common control.
It monitors all the lines and trunks coming into the CO, searching for changes in the electrical state of the circuit, such as a phone going off-hook. When a subscriber goes off-hook and dials a number, the common control equipment detects the request for service and responds by returning the dial tone. It then receives, stores, and interprets the dialed digits.

Again, similar to the workings of the crossbar, once the digits have been processed, the computer establishes a path through the switching matrix to complete the call. After the connection for the call has been established, the common control equipment releases and becomes available to complete other calls.

ESS Switching Matrix

Recall that in the crossbar, calls were connected by sharing a dedicated wire path through the matrix, establishing a connection between an input and an output. The matrix in an ESS is logically similar to the crossbar grid except the pathway is electronic instead of electromechanical. Called a TDM bus, it is solid state circuitry and is printed into small computer controlled circuit boards. The computer controls the connections and path status map to determine which path should be established to connect the calling and called parties.

Remember

  Crossbar switching matrix = maze of physical wire cross connections
  ESS switching matrix      = electronic multiplexed TDM (time division multiplexing) bus

ESS Advancements

The unprecedented advancement of the ESS was the speed and processing power advantage it had over the crossbar because it switched calls digitally instead of electromechanically. The processing capacity that would have required a city block of crossbar technology could be accomplished by one floor of ESS equipment. Much less effort was required to maintain the ESS because it was smaller and had fewer moving parts.

Telephone companies would have moved to the new technology for these advantages alone. But, there was much more to be offered. There was the power of the computer.
There are major advantages to a computer stored program. It allows the system to perform functions earlier switches were incapable of. For example, the switch can collect statistical information to determine its effectiveness. It can perform self-diagnostics of circuit and system irregularities and report malfunctions. If trouble occurs, technicians can address it via a keyboard and terminal. The same terminal, often called a system manager's terminal, allows personnel to perform system changes and to load new software, eliminating the need for manually rewiring connections.

The computer uses two types of memory:

  . Read Only Memory (ROM) is used to store basic operating instructions and cannot be altered by the end user. The contents of this memory can only be changed by the manufacturer.
  . Random Access Memory (RAM) stores configuration and database information. The contents of its memory can be changed by a system administrator.

Other important functions of the computer include

  . Performing telephone billing functions
  . Generating traffic analysis reports
  . Generating all tones and announcements regarding the status of circuits and calls

Computer control operates under the direction of software called its generic program. Periodically updating or adding to the generic program allows the ESS to be much more flexible and manageable than previous switch generations because it is the software, not the hardware, that normally has to be upgraded.

Electronic switching heralded the introduction of new customer features and services. Credit card calls, last number redial, station transfer, conference calling, and automatic number identification (ANI) are just a few examples of unprecedented customer offerings.

The ESS is an almost fail-safe machine. Its design objective is one hour's outage in 20 years. In today's competitive environment for higher quality communication equipment, ESS machines provide a level of service and reliability unachievable in the past.
  .-----------------------------------.
2 | The Private Branch Exchange (PBX) |
  `-----------------------------------'

The two primary goals of every PBX are to

  . facilitate communication in a business
  . be cost effective

Organizations that have more than a few phones usually have an internal switching mechanism that connects the internal phones to each other and to the outside world.

A PBX is like a miniature Central Office switching system designed for a private institution. A PBX performs many of the same functions as a CO does. In fact, some larger institutions use genuine COs as their private PBX.

Although a PBX and a CO are closely related, there are differences between them.

  . A PBX is intended for private operation within a company. A CO is intended for public service.
  . A PBX usually has a console station that greets outside callers and connects them to internal extensions.
  . Most PBXs do not maintain the high level of service protection that must be maintained in a CO. Assurance features such as processor redundancy (in the event of processor failure) and battery backup power, which are standard in a CO, may not be a part of a PBX.
  . COs require a seven digit local telephone number, while PBXs can be more flexible and create dialing plans to best serve their users (3, 4, 5, or 6 digit extensions).
  . A PBX can restrict individual stations or groups of stations from certain features and services, such as access to outside lines. A CO usually has no interest in restricting because these features and services are billed to the customer. COs normally provide unlimited access to every member on the network.

A PBX is composed of three major elements.

  1. Common equipment (a processor and a switching matrix)
  2. CO trunks
  3. Station lines

Common Equipment

The operation of a PBX parallels the operation of a Central Office ESS. Its common control is

  . A computer operated Central Processing Unit (CPU) running software that intelligently determines what must be done and how best to do it.
  . A digital multiplexed switching matrix printed on circuit boards that establishes an interconnection between the calling and called parties.

The CPU stores operating instructions and a database of information from which it can make decisions. It constantly monitors all lines for supervisory and control signals. A switching matrix sets up the connections between stations or between stations and outgoing trunks.

Housed in equipment cabinets, PBX common equipment is often compact enough to occupy just a closet or small room. Given the extremely high rental rates many companies pay, a major benefit of a PBX is its small size.

CO Trunks and Station Lines

A trunk is a communication pathway between switches. A trunk may provide a pathway between a PBX and the CO or between two PBXs and two COs. A trunk may be privately owned or be a leased set of lines that run through the Public Switched Network.

A line is a communication pathway between a switch and terminal equipment, such as between a PBX and an internal telephone or between a CO and a home telephone.

The function of the PBX is to interconnect or switch outgoing trunks with internal lines.

Two Varieties of Lines

Station lines are either analog or digital, depending on the station equipment they are connecting. If the phone on one desk is digital, it should be connected to a digital line. If the phone on the desk is analog, it should be connected to an analog line.

Varieties of Trunks

There exists a wide variety of trunks that can be connected to a PBX for off-premises communication. Each variety has different functions and capabilities. It is important to be able to distinguish them.

Tie Trunks

Organizations supporting a network of geographically dispersed PBXs often use tie trunks to interconnect them. A tie trunk is a permanent circuit between two PBXs in a private network.
Tie trunks are usually leased from the common carrier; however, a private microwave arrangement can be established. Usually, leased tie trunks are not charged on a per call basis but rather on the length of the trunk. If a tie trunk is used more than one or two hours a day, distance sensitive pricing is more economical.

A T1 trunk is a digital CO leased trunk that is capable of being multiplexed into 24 voice or data channels at a total rate of 1.544 Mbps. T1 trunks are used as PBX-to-PBX tie trunks, PBX-to-CO trunks as well as PBX trunks to bypass the local CO and connect directly to a long distance carrier. It is a standard for digital transmission in North America and Japan. T1 uses two pairs of normal, twisted wire--the same as would be found in a subscriber's residence. Pulse Code Modulation is the preferred method of analog to digital conversion.

A T2 trunk is capable of 96 multiplexed channels at a total rate of 6.312 Mbps.

A T3 trunk is capable of 672 multiplexed channels at a total rate of 44.736 Mbps.

A T4 trunk is capable of 4,032 multiplexed channels at a total of 274.176 Mbps.

Direct Inward Dialing (DID) Trunks

Incoming calls to a PBX often first flow through an attendant position. DID trunks allow users to receive calls directly from the outside without intervention from the attendant. DID offers three main advantages.

    1. It allows direct access to stations from outside the PBX.
    2. It allows users to receive calls even when the attendant switchboard is closed.
    3. It takes a portion of the load off the attendants.

Trunk Pools

Trunks do not terminate at a user's telephone station. Instead trunks are bundled into groups of similarly configured trunks called trunk pools. When a user wants to access a trunk, he can dial a trunk access code--for example, he can dial 9 to obtain a trunk in the pool. Trunk pools make system administration less complicated because it is easier to administer a small number of groups than a large number of individual trunks.

Ports

Ports are the physical and electrical interface between the PBX and a trunk or station line.

PBX Telephones

Telephone stations in a PBX are not directly connected to the CO but to the PBX instead. When a station goes off-hook, the PBX recognizes it and sends to the station its own dial tone. The PBX requires some access digit, usually "9", to obtain an idle CO trunk from a pool to connect the station with the public network. This connection between the telephone and the PBX allows stations to take advantage of a myriad of PBX features.

The attendant console is a special PBX telephone designed to serve several functions. Traditionally, most PBXs have used attendants as the central answering point for incoming calls. Calls placed to the PBX first connected to the attendant, who answered with the company name. The attendant then established a connection to the desired party. The attendant also provided assistance to PBX users, including directory assistance and reports of problems.

In recent years a number of cost-saving improvements have been made to the attendant console. A feature commonly called automated attendant can establish connections without a human interface, substantially decreasing PBX operating costs.

Blocking versus Non-blocking

Blocking is a critical aspect of the functioning of a PBX. A non-blocking switch is one that provides as many input/output interface ports as there are lines in the network. In other words, the switching matrix provides enough paths for all line and trunk ports to be connected simultaneously.

PBX systems are usually blocking. It requires an exponential increase in resources and expense to ensure non-blocking. Based on call traffic studies and the nature of calls, it is generally acceptable to engineer a low level of blocking in exchange for a major savings of common equipment resources.

Grades of service are quantitative measurements of blocking.
They are written in the form:

    P.xx

where xx is a two digit number that indicates how many calls out of a hundred will be blocked. The smaller the number, the better the grade of service.

P.01 means one call out of a hundred will be blocked. It is a better grade of service than P.05, which blocks five calls out of a hundred. Naturally the P.05 service costs less than the better grade of service provided by P.01.

Even if a PBX's switching matrix is non-blocking, an internal caller may still not be able to reach an outside trunk if all the trunks are busy. CO trunks cost money, and very few PBXs dedicate one trunk to every internal line. Instead, traffic studies are performed to determine the percentage of time a station will be connected to an outside trunk during peak hours.

If, for example, it is determined that the average station uses a trunk only 20% of the time during peak hours, then the switch may be configured to have a 5:1 line-to-trunk ratio, meaning for every five lines (or extensions) there is one trunk. Most PBXs are configured on this principle as a major cost saving method.

PBX Features

COs and PBXs share many of the same attributes and functionality. However, COs are built to perform different tasks than a PBX, resulting in feature differences between them. The following is an overview of common PBX features not found in a CO.

Automatic Route Selection (ARS)

A primary concern of any telecommunications manager is to keep costs down. One of these costs is long distance service. ARS is a feature that controls long distance costs.

Most PBXs have more than just public CO trunks connected to them. They may have a combination of tie trunks to other PBXs (T1/E1 trunks and many others). Each type of trunk has a separate billing scheme, relatively more or less expensive for a given number of variables. It is extremely difficult to attempt to educate company employees on which trunks to select for which calls at what time of day.
It defeats the productivity-raising, user-transparency goal of any PBX if employees must pore over tariffing charts every time they want to use the phone.

Instead, ARS programs the PBX central processor to select the least expensive trunk on a call by call basis. When a user places a call, the computer determines the most cost effective route, dials the digits and completes the call.

Feature Access

PBXs support a wide variety of user features. For example, call forward, hold, and call pickup are all user features. There are two methods of activating a feature.

A code, such as "*62", can be assigned to the call forward feature. To activate call forward the user presses "*62" and continues dialing. Dial codes are not the preferred method of feature access. The problem is that users tend to forget the codes and either waste time looking them up or do not take advantage of time saving features, thereby defeating the purpose of buying them.

Dedicated button feature access is a better solution. Programmable feature buttons, located on most PBX telephones, are pressed to activate the desired feature. If a user wants to activate call forward, he presses a button labeled "call forward" and continues dialing. The only drawback of telephones with programmable feature buttons is that they are more expensive than standard phones.

Voice Mail

For a voice conversation to occur, there is one prerequisite so obvious it is usually overlooked. The called party must be available to answer the call. In today's busy world, people are often not accessible, which can create a major problem resulting in messages not being received and business not being conducted.

Statistics confirm the need for an alternate method.

    . 75% of call attempts fail to make contact with the desired party.
    . 50% of business calls involve one-way information--one party wishing to deliver information to another party without any response necessary.
    . 50% of incoming calls are less important than the activity they interrupt.
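
The P.01/P.05 grades of service and the 5:1 line-to-trunk example from the blocking discussion above can be checked numerically. The sketch below is an added example, not part of the original article; it uses the Erlang B formula, which the article does not name, and assumes Poisson call arrivals, blocked calls that are dropped rather than queued, and that "20% of the time" means 0.2 erlang of offered load per line.

```python
"""Erlang B check of the article's P.xx grades of service and 5:1 trunk ratio.

Added illustration, not from the original article. Function names and the
sample PBX sizes are constructed for this example.
"""


def offered_load(lines, busy_fraction):
    """Offered traffic in erlangs: each line wants a trunk for busy_fraction
    of the peak hour (the article's example uses 20%)."""
    if lines < 0 or not 0.0 <= busy_fraction <= 1.0:
        raise ValueError("lines must be >= 0 and busy_fraction within 0..1")
    return lines * busy_fraction


def erlang_b(trunks, erlangs):
    """Probability that a new call finds every trunk in the pool busy.

    Uses the numerically stable recursion
        B(0) = 1,   B(n) = A * B(n-1) / (n + A * B(n-1))
    instead of the factorial form, which overflows for large pools.
    """
    if trunks < 0 or erlangs < 0:
        raise ValueError("trunks and erlangs must be non-negative")
    blocking = 1.0  # with zero trunks every call is blocked
    for n in range(1, trunks + 1):
        blocking = erlangs * blocking / (n + erlangs * blocking)
    return blocking


def parse_grade(label):
    """Convert the article's 'P.xx' notation to a probability: 'P.05' -> 0.05."""
    if len(label) != 4 or not label.startswith("P.") or not label[2:].isdigit():
        raise ValueError("expected a grade of service written as P.xx")
    return int(label[2:]) / 100.0


def trunks_for_grade(erlangs, grade):
    """Smallest trunk pool whose blocking is at or below `grade`."""
    if erlangs < 0 or not 0.0 < grade < 1.0:
        raise ValueError("erlangs must be >= 0 and grade strictly within 0..1")
    trunks, blocking = 0, 1.0
    while blocking > grade:
        trunks += 1
        blocking = erlangs * blocking / (trunks + erlangs * blocking)
    return trunks


def size_pool(lines, busy_fraction=0.20, lines_per_trunk=5):
    """Compare a fixed line-to-trunk ratio with pools sized for P.05 and P.01."""
    load = offered_load(lines, busy_fraction)
    ratio_trunks = -(-lines // lines_per_trunk)  # ceiling division
    return {
        "lines": lines,
        "erlangs": load,
        "ratio_trunks": ratio_trunks,
        "ratio_blocking": erlang_b(ratio_trunks, load),
        "P.05_trunks": trunks_for_grade(load, parse_grade("P.05")),
        "P.01_trunks": trunks_for_grade(load, parse_grade("P.01")),
    }


if __name__ == "__main__":
    # Constructed PBX sizes; the 20% peak-hour figure and 5:1 ratio are the article's.
    print("lines  erlangs  5:1 trunks  blocking  P.05 trunks  P.01 trunks")
    for lines in (10, 50, 100, 500):
        r = size_pool(lines)
        print("{lines:5d}  {erlangs:7.1f}  {ratio_trunks:10d}  "
              "{ratio_blocking:8.3f}  {P.05_trunks:11d}  {P.01_trunks:11d}"
              .format(**r))
```

Under these assumptions a pool sized purely by the 5:1 ratio blocks far more than five calls in a hundred at peak; for 50 lines it gives 10 trunks, where P.05 needs 15 and P.01 needs 18.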

Voice mail (also known as store and forward technology) is a valuable feature that is designed around today's busy, mobile office. It is like a centralized answering machine for all telephone stations in a PBX. When a telephone is busy or unattended, the system routes the caller to a voice announcement that explains that the called party is unavailable and invites the caller to leave a message. The message is stored until the station user enters a security dial access code and retrieves the message.

Automated Attendant

Automated attendant is a feature sometimes included with voice mail. It allows outside callers to bypass a human attendant by routing their own calls through the PBX. Callers are greeted with a recorded announcement that prompts them to dial the extension number of the desired position, or stay on the line to be connected to an attendant.

Reducing cost is the primary goal of automated attendant. The decreased attendant work load more than pays for the cost of the software and equipment.

When automated attendant was first introduced, it met with substantial resistance from the general public. People did not want to talk to a machine. But, as its cost effectiveness drove many companies to employ it, the public has slowly adjusted to the new technology.

Restriction

Nearly every PBX enforces some combination of inside and outside calling restrictions on certain phones. Depending upon the sophistication of the PBX, a system administrator can have nearly unlimited flexibility in assigning restrictions. For example, a tire manufacturing plant could restrict all lobby phones at corporate headquarters to internal and local calls only. The phones at the storage warehouse could be restricted to internal calling only. But all executive phones could be left unrestricted.

Long distance toll charges can be a crippling expense. Toll fraud is a major corporate problem.
Restriction combats unauthorized use of company telephone resources and is a prime function of any PBX.

Tandems

As stated earlier, it is necessary to have a switching mechanism to interconnect calls. If a number of phones all wish to be able to talk to each other, an enormous amount of cabling would be wasted tying each of them together. Thus, the switch was born.

The same principle applies for interconnecting PBXs. Large firms that have PBXs scattered all over the country want each PBX to have the ability to access every other one. But the expense of directly connecting each could drive a company out of business. The solution is to create a centrally located tandem switching station to interconnect the phones from one PBX with the phones from any other. This solution creates a Private Switched Network.

Directing digits are often used to inform the tandem switch where to route the call. Each PBX is assigned a unique number. Let's say a PBX in Paris is numbered "4." To call the Paris PBX from a PBX in Chicago, a user would dial "4-XXXX."

Uniform Dialing Plan

A network of PBXs can be configured poorly so that calling an extension at another PBX could involve dialing a long, confusing series of numbers and create a lot of user frustration. A Uniform Dialing Plan enables a caller to dial another internal extension at any PBX on the network with a minimum of digits, perhaps four or five. The system determines where to route the call, translates the digits and chooses the best facility, all without the knowledge of the user. As far as the user knows, the call could have been placed to a station at the next desk.

Call Accounting System (CAS) and Station Message Detail Recording (SMDR)

CAS works in conjunction with SMDR to identify and monitor telephone usage in the system. SMDR records call information such as the calling number, the time of the call, and its duration. The raw data is usually listed chronologically and can be printed on reports.
SMDR by itself is not particularly useful because the sheer volume and lack of sorting capability of the reports make them difficult to work with. A Call Accounting System is a database program that addresses these shortcomings by producing clear, concise management reports detailing phone usage.

The primary function of CAS reports is to help control and discourage unnecessary or unauthorized use and to bill back calling charges to users. Many law firms use a call accounting system to bill individual clients for every call they make on behalf of each client.

Attendant Features

A number of features are available to improve the efficiency of attendant consoles. Here are a few of them.

Direct Station Selection (DSS) allows attendants to call any station telephone by pressing a button labeled with its extension.

Automatic Timed Reminder alerts the attendant that a station has not picked up its call. The attendant may choose to reconnect to the call and attempt to reroute it.

Centralized Attendant Service groups all network attendants into the same physical location to avoid redundancies of service and locations.

Power Failure Schemes

If a city or a town experiences a commercial power failure, telephones connected directly to the CO will not be affected because the CO gets power from its own internal battery source. A PBX, however, is susceptible to general power failures because it usually gets its power from the municipal electric company.

There are several different ways a PBX can be configured to overcome a power failure.

A PBX can be directly connected to a DC battery which serves as its source of power. The battery is continually recharged by an AC line to the electric company. In the event of a power failure, the PBX will continue functioning until the battery runs out.

A PBX can have an Uninterruptible Power Supply (UPS) to protect against temporary surges or losses of power.

A PBX can use a Power Failure Transfer (PFT) which, in the event of a power failure, immediately connects preassigned analog phones to CO trunks, thereby using power from the CO instead of from the PBX.

Outgoing Trunk Queuing

In the event all outgoing trunks are busy, this feature allows a user to dial a Trunk Queuing code and hang up. As soon as a trunk becomes free, the system reserves it for the user, rings the station and connects the outside call automatically.

System Management

PBXs can be so large and complex that without a carefully designed method of system management chaos can result. The best, most advanced systems mimic CO management features--computer access terminals which clearly and logically program and control most system features.

The system manager has a wide variety of responsibilities which may include, but are not limited to

    . Programming telephone moves, additions, and changes on the system
    . Performing traffic analysis to maximize system configuration resources and optimize network performance
    . Responding to system-generated alarms
    . Programming telephone, system, attendant, and network features.

ISDN

ISDN is not a product. Rather, it is a series of standards created by the international body, ITU (previously known as CCITT), to support the implementation of digital transmission of voice, data, and image through standard interfaces. Its goal is to combine all communications services offered over separate networks into a single, standard network. Any subscriber could gain access to this vast network by simply plugging into the wall. (At this time not all PBXs are compatible with the ISDN standard.)

Alternatives to a PBX

There are two main alternatives to purchasing a PBX. They are purchasing a Key system or renting Centrex service from the local telephone company.

Key System

Key systems are designed for very small customers, who typically use under 15 lines. There is no switching mechanism as in a PBX. Instead every line terminates on every phone.
Hence, everyone with a phone can pick up every incoming call.

Key systems are characterized by a fat cable at the back of each phone. The cables are fat because each phone is directly connected to each incoming line and each line has to be wired separately to each phone.

Fat cables have become a drawback to Key systems as building wire conduits have begun to fill with wire. It has become increasingly difficult to add and move stations because technicians must physically rewire the bulky cables instead of simply programming a change in the software.

Key telephones are equipped with line assignment buttons that light on incoming calls and flash on held calls. These buttons enable a user to access each line associated with each button. Unlike a PBX, there is no need to interface with an attendant console to obtain an outside line.

Differences between Key and PBX Systems

Key systems have no switching matrix. In a Key system, incoming calls terminate directly on a station user's phone. In a PBX, incoming calls usually first go to the attendant who switches the call to the appropriate station.

PBX users access CO trunk pools by dialing an access code such as "9." Key system CO trunks are not pooled. They are accessed directly.

Key systems make use of a limited number of features, many of them common to the PBX. These include

    . Last number redial
    . Speed dialing
    . Message waiting lamp
    . Paging
    . Toll restriction

Today's PBXs can simulate Key system operation. For example, telephones can have a line directly terminating on a button for direct access.

Centrex

The other alternative to purchasing a PBX is leasing a Centrex service. Centrex is a group of PBX-like service offerings furnished by the local telephone company. It offers many of the same features and functions associated with a PBX, but without the expense of owning and maintaining equipment and supporting in-house administrative personnel.
Because network control remains the responsibility of the CO, companies that choose Centrex service over purchasing and maintaining a private PBX can ignore the sophisticated world of high tech telecommunications and leave it up to the telephone company representatives.

To provide Centrex service, a pair of wires is extended from the CO to each user's phone. Centrex provides an "extension" at each station complete with its own telephone number. No switching equipment is located at the customer premises. Instead, Centrex equipment is physically located at the CO.

There are a number of reasons a company would choose a Centrex system over owning their own PBX. Currently Centrex has six million customers in the United States market.

Advantages of a Centrex System over a PBX:

    . Nearly uninterruptible service due to large redundancies in the CO
    . Easily upgraded to advanced features.
    . No floor space requirement for equipment.
    . No capital investment
    . 24-hour maintenance coverage by CO technicians
    . Inherent Direct Inward Dialing (DID). All lines terminate at extensions, instead of first flowing through a switchboard.
    . Call accounting and user billing as inherent part of the service.
    . Reduced administrative payroll.

Disadvantages of a Centrex System:

    . Cost. Centrex is tariffed by the local telephone company and can be very expensive. Companies are charged for each line connected to the Centrex, as well as for the particular service plan chosen. Additionally, Centrex service may be subject to monthly increases.
    . Feature availability. Centrex feature options are generally not state of the art, lagging behind PBX technology. Not all COs are of the same generation and level of sophistication--a company associated with an older CO may be subject to inferior service and limited or outdated feature options.
    . Control of the network is the responsibility of the CO. While this release from responsibility is often cited as a positive feature of Centrex, there are drawbacks to relinquishing control.
CO bureaucracy can be such that a station move, addition or change can sometimes take days to achieve. Furthermore, each request is charged a fee. Also, some companies are more particular about certain features of their network (security for example) and require direct control for themselves.

              .------------------------------------------.
            3 | Properties of Analog and Digital Signals |
              `------------------------------------------'

A man in Canada picks up a telephone and dials a number. Within seconds, he begins talking to his business partner in Madrid. How can this be? Telephony is a constantly evolving technology with scientific rules and standards. You will learn to make sense of what would otherwise seem impossible.

Voice travels at 250 meters per second and has a range limited to the strength of the speaker's lungs. In contrast, electricity travels at speeds approaching the speed of light (310,000 km per second) and can be recharged to travel lengths spanning the globe. Obviously, electricity is a more effective method of transmission.

To capitalize on the transmission properties of electricity, voice is first converted into electrical impulses and then transmitted. These electrical impulses represent the varying characteristics that distinguish all of our voices. The impulses are transmitted at high speeds and then decoded at the receiving end into a recognizable duplication of the original voice.

For a hundred years, scientists have been challenged by how best to represent voice by electrical impulses. An enormous amount of effort has been devoted to solving this puzzle. The two forms of electrical signals used to represent voice are analog and digital.

Both analog and digital signals are composed of waveforms. However, their waveforms have very distinctive properties which distinguish them. To understand the science of telephony, it is necessary to understand how analog and digital signals function, and what the differences between them are.
If you do not possess a fundamental understanding of basic waveforms, you will not understand many of the more advanced concepts of telecommunications.

Analog Signal Properties

Air is the medium that carries sound. When we speak to one another, our vocal cords create a disturbance of the air. This disturbance causes air molecules to expand and compress, thus creating waves. This type of wave is called analog, because it creates a waveform similar to the sound it represents.

Analog waves are found in nature. They are continually flowing and have a limitless number of values. The sine wave is a good example of an analog signal.

Three properties of analog signals are particularly important in transmission:

    . amplitude
    . frequency
    . phase

Amplitude

Amplitude refers to the maximum height of an analog signal. Amplitude is measured in decibels when the signal is measured in the form of audible sound. Amplitude is measured in volts when the signal is in the form of electrical energy.

[Figure: Amplitude of an Analog Wave]

Volts represent the instantaneous amount of power an analog signal contains. Amplitude, wave height, and loudness of an analog signal represent the same property of the signal. Decibels and volts are simply two different units of measurement which are used to quantify this property.

Frequency

Frequency is the number of sound waves or cycles that occur in a given length of time. A cycle is represented by a 360 degree sine wave. Frequency is measured in cycles per second, commonly called hertz (Hz).

Frequency corresponds to the pitch (highness or lowness) of a sound. The higher the frequency, the higher the pitch. The high pitch tone of a flute will have a higher frequency than the low pitch tone of a bass.

Phase refers to the relative position of a wave at a point in time. It is useful to compare the phase of two waves that have the same frequency by determining whether the waves have the same shape or position at the same time.
Waves that are in-step are said to be in phase, and waves that are not synchronized are called out-of-phase.

Modulation

The reason these three properties are significant is that each can be changed (modulated) to facilitate transmission. The term modulation means imposing information on an electrical signal.

The process of modulation begins with a wave of constant amplitude, frequency, and phase called a carrier wave. Information signals representing voice, data, or video modulate a property (amplitude, frequency, or phase) of the carrier wave to create a representation of themselves on the wave.

Amplitude Modulation is a method of adding information to an analog signal by varying its amplitude while keeping its frequency constant. AM radio is achieved by amplitude modulation.

Frequency Modulation adds information to an analog signal by varying its frequency while keeping its amplitude constant. FM radio is achieved by frequency modulation.

Phase Modulation adds information to an analog signal by varying its phase.

The modulated wave carrying the information is then transmitted to a distant station where it is decoded and the information is extracted from the signal.

Properties of Digital Signals

Unlike analog signals, digital signals do not occur in nature. Digital signals are an invention of mankind. They were created as a method of coding information. An early example of digital signals is the Morse Code.

Digital signals have discrete, non-continuous values. Digital signals have only two states:

    Type of Signal    State
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Light switch      On                  Off
    Voltage           Voltage Level 1     Voltage Level 2
                      (-2 volts)          (+2 volts)
    Morse             Short beat          Long beat

Computers and humans cannot communicate directly with ea