---------------------------------------
           BOOK OF BIOC III
---------------------------------------

as international dialing. We will also take a look at the telephone numbering plan.

===============================
=North American Numbering Plan=
===============================

In North America, the telephone numbering plan is as follows:

A) A 3 digit Numbering Plan Area (NPA) code, [ie, Area code]
B) A 7 digit telephone # consisting of a 3 digit central office (CO) code plus a 4 digit station number.

These 10 digits are called the network address or destination code. It is in the format of:

Area Code   Telephone #
---------   -----------
   N*X        NXX-XXXX

Where: N = A digit from 2-9
       * = The digit 0 or 1
       X = A digit 0-9

Area Codes:
-----------
Check your telephone book or the separate listing of area codes found on many BBS's. Here are the special area codes (SAC's):

510 - TWX (USA)
610 - TWX (Canada)
700 - New service
710 - TWX (USA)
800 - WATS
810 - TWX (USA)
900 - Dial-it Services
910 - TWX (USA)

The other area codes never cross state lines, therefore each state must have at least one exclusive NPA code. When a community is split by a state line, the CO #'s are often interchangeable (ie, you can dial the same # from 2 different area codes).

TWX:

TWX (Telex II) consists of 5 teletypewriter area codes. They are owned by Western Union. These SAC's may only be reached via other TWX machines. These run at 110 baud. Besides the TWX #'s, these machines are routed to normal telephone #'s. TWX machines always respond with an answerback. For example: WU's FYI TWX # is (910) 988-5956, the corresponding real number to this is (201) 279-5956. The answerback for this service is "WU FYI MAWA." If you don't want to buy a TWX machine, you can still send TWX messages using Easylink [800/325-4112 - see TUC'S and my article entitled "Hacking Western Union's Easylink"]

700:

At the time of this writing, the 700 exchange does not yet exist. AT&T plans to use it soon though.
They plan to make it a type of fancy call forwarding service. It will be targeted towards salesmen on the run. To understand how it works, I'll explain it with an example. Let's say Joe Q. Salespig works for AT&T Security and he is on the run chasing a phreak around the country who royally screwed up an important Cosmos system. Let's say that Joe's 700 # is (700) 382-5968. Every time Joe goes to a new hotel, he dials a special 700 #, enters a code, and the # where he is staying. Now, if his boss received some important info, all he would do is dial (700) 382-5968 and it would ring wherever Joe last programmed it to. Neat, huh?

800:

This SAC is one of my favorites since it allows for toll-free calls.

Inward WATS (INWATS):

Inward Wide-Area Telecommunications service is the 800 #'s that we are all familiar with. 800 #'s are set up in service areas or bands. There are 6 of these. Band 6 is the largest and you can call a band 6 # from anywhere in the US except the state where the call is terminated (this is why most companies have one 800 # for the country and then another for just one state). Band 5 includes the 48 contiguous states. All the way down to band 1 which includes only the states contiguous to that one. Therefore, fewer people can reach a band 1 INWATS # than a band 6 #.

Intrastate INWATS #'s (ie, you can call it from only 1 state) always have a 2 as the last digit in the exchange (ie, 800-NX2-XXXX). The NXX on 800 #'s represents the area where the business is located. For example, a # beginning with 800-431 would terminate at a NY CO.

800 #'s always end up in a Hunt series in a CO. This means that it tries the first # allocated to the company for their 800 lines; if this is busy it will then try the next #, etc. You must have a minimum of two lines per each 800 #.
For example: Travelnet uses a Hunt series - if you dial (800) 521-8400, it will first try the # associated with 8400; if it is busy it will be billed by the # of hours of calls that are made to their #.

Outwats (Outward WATS):

OUTWATS are for making outgoing calls only. Large companies use OUTWATS since they receive bulk-rate discounts. Since Outwats #'s cannot have incoming calls, they are in the format of:

(800) *XX-XXXX

Where * is the digit 0 or 1 which cannot be dialed unless you box the call. The *XX identifies the type of service and the areas that the company can call.

Remember: INWATS + OUTWATS = WATS Extender (See part I)

900:

This dial-it SAC is a nationwide dial-it service. It is used for taking television polls and other stuff. The first minute currently costs an outrageous 50 cents and each additional minute costs 35 cents. Bell takes in a lot of revenue this way. Dial (900) 555-1212 to find out what is currently on the service.

CO Codes:
---------
These identify the switching office where the call is to be routed. The following CO codes are reserved nationwide:

555 - Directory Assistance
844 - Time     ] These are now in
936 - Weather  ] the 976 exchange
950 - Future services
958 - Plant Test
959 - Plant Test
970 - Plant Test (temporary)
976 - Dial-it services

Also, the 3 digit ANI & Ringback #'s are regarded as plant test and are thus reserved. These numbers vary from area to area.

950: [Also see part I]

Here are the services that are currently on the 950 exchange:

1000 - SPC
1022 - MCI Execunet
1033 - US Telephone
1044 - ALLNET
1066 - LEXITEL
1088 - SBS Skyline

These SCC's (Specialized common carriers) are free from Fortresses!

Plant Tests:

These include ANI, Ringback, and other various tests.

976:

Dial 976-1000 to see what is currently on the service. Also, many BBS's have a listing of these #'s.

N11 Codes:
----------
Bell is trying to phase some of these out, but they still exist in many areas.
011 - International Dialing Prefix
211 - Coin Refund Operator
411 - Directory Assistance
611 - Repair Service
811 - Business Office
911 - Emergency

=======================
=International Dialing=
=======================

With International Dialing, the world has been divided into 9 numbering zones. To make an international call, you must dial:

Int. Prefix + Country code + Nat. #

In North America, the international dialing prefix is 011 for station-to-station calls and 01 for operator-serviced calls. IDDD stands for International Direct Distance Dialing.

The country code, which varies from 1 to 3 digits, always has the world numbering zone as the first digit. For example, the country code for the United Kingdom is 44, thus it is in world numbering zone 4. Some boards may contain a complete listing of other country codes, but here are a few:

1   - North America (US, Canada, etc.)
20  - Egypt
258 - Mozambique
34  - Spain
49  - Germany
52  - Mexico (Southern Portion)
61  - Australia
7   - USSR
81  - Japan
98  - Iran

If you call from an area other than North America, the format is generally the same. For example, let's say you wanted to call the White House from Switzerland. First you would dial 00 (the Swiss International Dialing Prefix), then 1 (the US country code), followed by 202-456-1414 (the national # for the White House).

Also, country code 87 is required for maritime mobile service, ie, calling ships:

871 - Marisat (Atlantic)
872 - Marisat (Pacific)
873 - Marisat (Indian)

International Switching:

In North America, there are currently 7 No. 4 ESS's that perform the duty of ISC (International Switching Centers). All international calls dialed from numbering zone 1 will be routed through one of these "Gateway cities." They are:

182 - WHITE PLAINS, NY
183 - NEW YORK, NY
184 - PITTSBURGH, PA
185 - ORLANDO, FL
186 - OAKLAND, CA
187 - DENVER, CO
188 - NEW YORK, NY

system called CCITT. It is an international standard for signaling.
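Added example (not part of the original file and not the author's code): the numbering rules of Part III written as a Python classifier that a PBX administrator could run over call records to spot dial-it and international calls. The review policy in flag_calls, the function names, and the national number used in the UK sample are assumptions made for illustration.

```python
import re

# Tables transcribed from the lists in this file (a 1984 snapshot, not current data).
SPECIAL_AREA_CODES = {"510": "TWX (USA)", "610": "TWX (Canada)", "700": "New service",
                      "710": "TWX (USA)", "800": "WATS", "810": "TWX (USA)",
                      "900": "Dial-it Services", "910": "TWX (USA)"}
RESERVED_CO_CODES = {"555": "Directory Assistance", "844": "Time", "936": "Weather",
                     "950": "Future services", "958": "Plant Test", "959": "Plant Test",
                     "970": "Plant Test (temporary)", "976": "Dial-it services"}
N11_CODES = {"211": "Coin Refund Operator", "411": "Directory Assistance",
             "611": "Repair Service", "811": "Business Office", "911": "Emergency"}
COUNTRY_CODES = {"1": "North America", "20": "Egypt", "258": "Mozambique", "34": "Spain",
                 "44": "United Kingdom", "49": "Germany", "52": "Mexico",
                 "61": "Australia", "7": "USSR", "81": "Japan", "98": "Iran",
                 "871": "Marisat (Atlantic)", "872": "Marisat (Pacific)",
                 "873": "Marisat (Indian)"}

AREA_CODE = r"[2-9][01][0-9]"               # N*X
CO_AND_STATION = r"[2-9][0-9]{2}[0-9]{4}"   # NXX-XXXX
TEN_DIGIT = re.compile(rf"^({AREA_CODE})({CO_AND_STATION})$")
SEVEN_DIGIT = re.compile(rf"^{CO_AND_STATION}$")

def _international(rest, handling):
    """Split off the country code: 1 to 3 digits, longest listed match wins."""
    for length in (3, 2, 1):
        code = rest[:length]
        if len(rest) > length and code in COUNTRY_CODES:
            return {"kind": "international", "handling": handling, "zone": code[0],
                    "country_code": code, "country": COUNTRY_CODES[code],
                    "national": rest[length:]}
    # Country code not in the table: the zone is still the first digit.
    return {"kind": "international", "handling": handling, "zone": rest[:1] or None,
            "country_code": None, "country": None, "national": None}

def classify(dialed):
    """Classify a dialed string as it would be keyed in North America."""
    digits = re.sub(r"\D", "", dialed)
    if digits in N11_CODES:
        return {"kind": "n11", "service": N11_CODES[digits]}
    # 011 = station-to-station, 01 = operator-serviced; test the longer prefix first.
    if digits.startswith("011"):
        return _international(digits[3:], "station-to-station")
    if digits.startswith("01"):
        return _international(digits[2:], "operator-serviced")
    m = TEN_DIGIT.match(digits)
    if m:
        npa, co = m.group(1), m.group(2)[:3]
        return {"kind": "nanp", "npa": npa, "co": co, "station": digits[6:],
                "special_area": SPECIAL_AREA_CODES.get(npa),
                "reserved_co": RESERVED_CO_CODES.get(co)}
    if SEVEN_DIGIT.match(digits):
        co = digits[:3]
        return {"kind": "local", "co": co, "station": digits[3:],
                "reserved_co": RESERVED_CO_CODES.get(co)}
    return {"kind": "invalid", "digits": digits}

def flag_calls(calls):
    """Hypothetical review policy: keep international, 900 and 976 dial-it calls."""
    kinds = [(n, classify(n)) for n in calls]
    return [n for n, c in kinds if c["kind"] == "international"
            or c.get("npa") == "900" or c.get("co") == "976"]

# Constructed call-record sample; most numbers are the ones quoted in this file.
SAMPLE_CALLS = ["411", "(900) 555-1212", "976-1000", "(800) 521-8400",
                "011 44 1234 5678", "(910) 988-5956", "(800) 055-1234"]
```

The last sample has the OUTWATS shape (800) *XX-XXXX and is classified as invalid, because a CO code beginning with 0 or 1 does not fit the NXX pattern a subscriber can dial.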
------------------------------------------------------------------------------
*> Title: Agent Biocs [File 4]
*> Date: 4/1/88
*> Time: 7:05 pm

******BIOC Agent 003's course in*******
*                                     *
*     ==========================      *
*     =BASIC TELECOMMUNICATIONS=      *
*     ==========================      *
*               PART IV               *
***************************************

PREFACE:
--------
Part IV will deal with the various types of operators, office hierarchy, & switching equipment.

OPERATORS:
----------
There are many types of operators in The Network and the more common ones will be discussed.

TSPS Operator:

The TSPS (Traffic Service Position System) Operator is probably the bitch (or bastard for the phemale liberationists) that most of us are used to having to deal with. Here are her responsibilities:

1) Obtaining billing information for Calling Card or 3rd number calls.
2) Identifying called customer on person-to-person calls.
3) Obtaining acceptance of charges on collect calls.
4) Identifying calling numbers. This only happens when the calling # is not automatically recorded by CAMA (Centralized Automatic Message Accounting) & forwarded from the local office. This could be caused by equipment failures or if the office is not equipped for CAMA (most are).

You shouldn't mess with the TSPS operator since she KNOWS where you are calling from. She also knows whether or not you are at a fortress fone & she can trace calls quite readily. Out of all the operators, she is one of the MOST DANGEROUS.

INWARD Operator:

This operator assists your local TSPS ("O") operator in connecting calls. She will never question a call as long as the call is within HER SERVICE AREA. She can only be reached via other operators or by a Blue Box. From a BB, you would dial KP+NPA+121+ST for the INWARD operator that will help you connect any calls within that NPA area only.
(Blue Boxing will be discussed in a future part of BASIC TELCOM)

DIRECTORY ASSISTANCE Operator:

This is the operator that you are connected to when you dial 411 or NPA-555-1212. She does not readily know where you are calling from. She does not have access to unlisted #'s, but she does know if an unlisted # exists for a certain listing.

There is also a directory assistance for deaf people who use Teletypewriters. If your modem can transfer BAUDOT (the Apple Cat can), then you can call her up and have an interesting conversation with her. The # is: 800-855-1155. She uses the standard Telex abbreviations such as GA for Go Ahead. They tend to be nicer & will talk longer than your regular operators. Also, they are more vulnerable to being talked out of information through the process of "social engineering" as Cheshire Catalyst would put it.

Other operators have access to their own DA by dialing KP+NPA+131+ST (MF).

This is a little out of the scope of this tutorial, but many telco's are now charging for calls to dir. asst. You can beat this by:

(1) Count how many calls you make to directory assistance in a billing period. Go to a fortress fone & dial DA. When the operator comes on, give her a name that you know has an unlisted # or ask for a town that isn't in the NPA. She will then ask for your # so she can credit the call to you. Give her your home #; she doesn't know that you are making a free call from the fortress. Just make sure that you don't credit yourself for more calls than you actually made or you might have a few problems!
(2) If you have a BAUDOT terminal, use the 800 #; it's free & there is one # for all requests.

C/NA Operators:

C/NA operators are operators that do exactly the opposite of what directory assistance operators are for. See part II for more info on C/NA & #'s. In my experiences, these operators know more than the DA op's do & they are more susceptible to "social engineering."
It is possible to bullshit a C/NA operator for the NON-PUB DA # (ie, you give them the name & they give you the unlisted #). This is due to the fact that they assume you are a phellow company employee.

INTERCEPT Operator:

The intercept operator is the one that you are connected to when there are not enough recordings available to tell you that the # has been disconnected or changed. She usually says, "What # you callin'?" with a foreign accent. This is the lowest operator lifeform. Even though they don't know where you are calling from, it is a waste of your time to try to verbally abuse them since they usually understand very little English.

OTHER Operators:

And then there are the: Mobile, Ship-to-Shore, Conference, Marine Verify, "Leave Word & Call Back," Route & Rate (KP+NPA+141+ST), & other special operators who have one purpose or another in the Network.

Problems with an Operator? Ask to speak to their supervisor...Which is the equivalent of the Madame in a whorehouse (if you will excuse the analogy).

By the way, some CO's that will allow you to dial a 1 or 0 as the 4th digit will also allow you to call special operators without a blue box. This is very rare though! For example, 212-121-1111 will get you a NY Inward Operator.

==================
=OFFICE HIERARCHY=
==================

Every switching office in North America (the NPA system) is assigned an office name & class. There are five classes of offices numbered 1 through 5. Your CO is most likely a class 5 or end office. All Long-Distance (Toll) calls are switched by a toll office which can be a class 4, 3, 2, or 1 office. There is also a 4X office called an intermediate point. The 4X office is a digital one that can have an unattended exchange attached to it (known as a Remote Switching Unit-RSU).

The following chart will list the Office #, name, & how many of those offices existed in North America in 1981.
Class  Name              Abb  # Existing
-----  ----------------  ---  ------------
1      Regional Center   RC   12
2      Sectional Center  SC   67
3      Primary Center    PC   230
4      Toll Center       TC   1,300
4P     Toll Point        TP
4X     Intermediate Pt   IP
5      End Office        EO   19,000
R      RSU               RSU

When connecting a call from one party to another, the switching equipment usually tries to find the shortest route between the Class 5 end office of the caller & the Class 5 end office of the called party. If no inter-office trunks exist between the 2 parties, it will then move up to the next highest office for servicing (Class 4). If the Class 4 office cannot handle the call by sending it to another Class 4 or 5 office, it will be sent to the next office in the hierarchy (3). The switching equipment first uses the high-usage interoffice trunk groups; if they are busy it then goes to the final trunk groups on the next highest level. If the call cannot be connected then, you will probably get a re-order (120 IPM busy signal) signal. At this time, the guys at Network Operations are probably shitting in their pants and trying to avoid the dreaded Network Dreadlock (as seen on TV!).

It is also interesting to note that 9 connections in tandem is called ring-around-the-rosy and it has never occurred in telephone history. This would cause an endless loop connection. [A neat way to really screw-up the Network]

The 10 regional centers in the US & the 2 in Canada are all interconnected. They form the foundation of the entire telephone network. Since there are only 12 of them, they are listed below:

Class 1 Regional Office Location    NPA
----------------------------------  ---
Dallas 4 ESS                        214
Wayne, PA                           215
Denver 4T !0                        303
Regina No.2 SP1-4W [Canada]         306
St. Louis 4T                        314
Rockdale, GA                        404
Pittsburgh 4E                       412
Montreal No.1 4AETS [Canada]        504
Norwich, NY                         607
San Bernardino, CA
Norway, IL                          815
White Plains 4T, NY                 914

The following diagram demonstrates how the various offices may be connected:

[Diagram: the Class 1 Regional Offices linked to one another and to "Others", with Class 2, 3, 4, 4P, 4X, 5, 5R, and R offices connected beneath them. The character layout of the original drawing is lost.]

NOTE: The preceding diagram used certain lower case characters that may not be viewed as I intended them if you are not using a lower case terminal.

=====================
=SWITCHING EQUIPMENT=
=====================

In the Network, there are 3 major types of switching equipment. They are known as: Step, Crossbar, & ESS.

STEP-BY-STEP (SxS)

The Step-By-Step, a/k/a the Strowger switch or two-motion switch, was invented in 1889 by an undertaker named Almon Strowger. He invented this mechanical switching equipment because he felt that the biased operator was routing all requests for an 'undertaker' to her husband's business.

Bell started using this system in 1918 & as of 1978, over 53% of the Bell exchanges used this method of switching. Step-by-Step switching is controlled directly by the dial pulses which move a series of switches (called the switch train) in order. When you first pick up the fone under SxS, a linefinder acknowledges the request (sooner or later) by sending a dial tone. If you then dialed 1234, the equipment would first find an idle selector switch. It would then move vertically 1 pulse, it would then move horizontally to find a free second selector, it would then move 2 vertical pulses, step horizontally to find the next selector, etc.
Thus the first switch in the train takes no digits, the second switch takes 1 digit, the third switch takes 1 digit, & the last switch in the train (called the connector) takes the last 2 digits & connects your calls. A normal (10,000 line) exchange requires 4 digits (0000-9999) to connect a local call & thus it takes 4 switches to connect every call (linefinder, 1st & 2nd selectors, & the connector).

While it was the first, SxS sucks for the following reasons:

[1] The switches often become jammed, thus the calls often become blocked.
[2] You can't use DTMF (Dual-Tone Multi-Frequency a/k/a Touch-Tone) directly. It is possible that the Telco may have installed a conversion kit but then the calls will go through just as slow as pulse, anyway!
[3] They use a lot of electricity & mechanical maintenance. (bad from Telco point of view)
[4] Everything is hardwired.

They can still hook up pen registers & other shit on the line so it is not exactly a phreak haven.

You can identify SxS offices by:

(1) Lack of DTMF or pulsing digits after dialing DTMF.
(2) If you go near the CO, it will sound like a typewriter testing factory.
(3) Lack of speed calling, call forwarding, & other customer services.
(4) Fortress fones that want your money first (as opposed to dial tone first ones).

The preceding don't necessarily imply that you have SxS but they surely give evidence that it might be. Also, if any of the above characteristics exist, it certainly isn't ESS! Also, SxS have pretty much been eradicated from large metropolitan areas such as NYC (212).

CROSSBAR:

There are 3 major types of Crossbar systems called: No. 1 Crossbar (1XB), No. 4 Crossbar (4XB), & No. 5 Crossbar (5XB). 5XB has been the primary end office switch of Bell since the 60's and thus it is in wide use. Crossbar uses a common control switching method. When there is an incoming call, a stored program determines its route through the switching matrix.
In Crossbar, the basic operation principle is that a horizontal & a vertical line are energized in a matrix known as the crosspoint matrix. The point where these 2 lines meet in the matrix is the connection.

+===+
=ESS=
+===+

Electronic Switching System (ESS)
The Phreak's Nightmare Come True
(or Orwell's Prophecy as 2600 puts it)

ESS is Bell's move towards the Airstrip One society depicted in Orwell's 1984. With ESS, EVERY single digit that you dial is recorded--even if it is a mistake. They know who you call, when you call, how long you talked for, & probably what you talked about (in some cases). ESS can (and is) also programmed to print out #'s of people who make excessive calls to 800 #'s or directory assistance. This is called the "800 Exceptional Calling Report." ESS could also be programmed to print out logs of who calls certain #'s--like a bookie, a known communist, a BBS, etc.

The thing to remember with ESS is that it is a series of programs working together. These programs can be very easily changed to do whatever they want it to do. One phreak whom I know has some ESS source code listing which is incredibly complex (as well as documented--Gracias Dios).

This system makes the job of Bell Security, the FBI, NSA, & other organizations that like to invade privacy incredibly easy. With ESS, tracing is done in microseconds (Eine Augenblick) & the results are printed at the console of a Bell Gestapo officer. ESS will also pick up any "foreign" tones on the line such as 2600 Hz!

Bell predicts that the country will become totally ESS by the 1990's. You can identify ESS by the following which are usually ESS functions:

[1] Dialing 911 for help.
[2] Dial-Tone-First fortresses.
[3] Custom Calling Services such as: Call Forwarding, Speed Dialing, & Call Waiting. (Ask your business office if you can get these.)
[4] ANI (Automatic Number Identification) on LD calls.

Phreaking does not come to a complete halt under ESS though--just be very careful, though!!!
Due to the fact that ESS sends a computer generated "artificial ring," where the voice is not connected directly to the called party's line until he picks up, Black Boxes & Infinity Transmitters will not work!

NOTE: Another interesting way to find out what type of equipment you are on is to raid the trash can of your local CO--this art will be discussed in a separate article soon.

Coming Soon:

In part V, we will start to take a look at telephone electronics.

Further Reading:

For more information on the above topics, I suggest the following:

Notes on the Network, AT&T, 1980.
Understanding Telephone Electronics, Texas Instruments, 1983.

And subscriptions to:

TAP, Room 603, 147 W 42 St, New York, NY 10036. Subscriptions are $10/year. Back issues are $0.75. The current issue is #90 (Jan/Feb 1984).
2600, Box 752, Middle Island, NY 11953. Subscriptions are $10/year. Back issues are $1 each. The current issue is #4 (April 1984).

They are both excellent sources of all sorts of information (primarily phreaking/hacking).

NOTE: For the most part, I have assumed that you have read my previous 3 courses in the BASIC TELCOM series.

Hasta Luego,

*****BIOC
*=$=*Agent
*****003

April 13, 1984 {The Year of Big Brother}
-------------------------------------------------------------------------------