



                ===== Phrack Magazine presents Phrack 16 =====

                  ===== File 1 of 12 : Phrack 16 Intro =====



        Greetings, and welcome to Phrack #16, we are a bit late, but bigger

        then ever. I think you will find this issue very interesting.

        Enjoy and have Phun



        Elric of Imrryr - Editor





Contents this issue:



16.1  Phrack 16 Intro by Elric of Imrryr                        2K

16.2  BELLCORE Information by The Mad Phone-Man                11K

16.3  A Hacker's Guide to Primos:  Part 1 by Cosmos Kid        11K

16.4  Hacking GTN by The Kurgan                                 7K

16.5  Credit Card Laws Laws by Tom Brokow                       7K

16.6  Tapping Telephone Lines by Agent Steal                    9K

16.7  Reading Trans-Union Credit Reports by The Disk Jockey     6K



Phrack World News:



16.8  The Story Of the West German Hackers by Shooting Shark    3K

16.9  The Mad Phone-Man and the Gestapo by The Mad Phone-Man    2K

16.10 Flight of the Mad Phone-Man by The Mad Phone-Man          2K

16.11 Shadow Hawk Busted Again by Shooting Shark                2K

16.12 Coin Box Thief Wanted by The $muggler                     2K







Submission to Phrack may be sent to the following BBSes:



Unlimited Reality       313-489-0747 Phrack

The Free World          301-668-7657 Phrack Inc. (*)

The Executive Inn       915-581-5145 Phrack

Lunatic Labs UnLtd.     415-278-7421 Phrack      (*)

House of the Rising Sun 401-789-1809 Phrack





* You will get the quickest reply from these systems.





                ===== Phrack Magazine presents Phrack 16 =====

                           ===== File 2 of 12 =====



--------------------------------------------------------------------

BELLCORE Information          by The Mad Phone-man

--------------------------------------------------------------------



So, you've broken  into the  big phone box on the wall, and are looking at a

bunch of tags with numbers and letters on them. Which one is the modem line?

Which one is the 1-800 WATS line?  Which one is the Alarm line? Bell has a

specific set of codes that enable you to identify what you're looking at.

These are the same codes the installer gets from the wire center to enable him

to set  up the line, test it, and make  sure it  matches the  customers order.

Here are some extracts from the Bellcore book.



First lets take a hypothetical line number I'm familiar with:

     64FDDV 123456

-------------------------------------------------------------

The serial number format:



        Prefix +  service code + modifier +   serial number +

digits:  1,2         3,4           5,6       7,8,9,10,11,12    continued

-------------------------------------------------------------------------



         Suffix    +  CO assigning circuit number +   segment

digits:  13,14,15            16,17,18,19              20,21,22

-------------------------------------------------------------------------



The important shit is in the 3rd thru 6th digit.



SERVICE CODES    Intra or Inter LATA Block 1-26

-------------

AA- Packet analog access line

AB- Packet switch trunk

AD- Attendant

AF- Commercial audio fulltime

AI- Automatic identified outward dialing

AL- Alternate services

AM- Packet, off-network access line

AN- Announcement service

AO- International/Overseas audio (full time)

AP- Commercial audio (part time)

AT- International/Overseas audio (part time)

AU- Autoscript

BA- Protective alarm (CD)

BL- Bell & lights

BS- Siren control

CA- SSN Access

CB- OCC Audio facilities

CC- OCC Digital facility-medium speed

CE- SSN Station line

CF- OCC Special facility

CG- OCC Telegraph facility

CH- OCC Digital facility high-speed

CI- Concentrator Identifier trunk

CJ- OCC Control facility

CK- OCC Overseas connecting facility wide-band

CL- Centrex CO line

CM- OCC Video facility

CN- SSN Network trunk

CO- OCC Overseas connecting facility

CP- Concentrator identifier signaling link

CR- OCC Backup facility

CS- Channel service

CT- SSN Tie trunk

CV- OCC Voice grade facility

CW- OCC Wire pair facility

CZ- OCC Access facility

DA- Digital data off-net extension

DB- HSSDS 1.5 mb/s access line

DF- HSSDS 1.5 mb/s hub to hub

DG- HSSDS 1.5 mb/s hub to earth station

DH- Digital service

DI- Direct-in dial

DJ- Digit trunk

DK- Data link

DL- Dictation line

DO- Direct-out dial

DP- Digital data-2 4 kb/s

DQ- Digital data-4 8 kb/s

DR- Digital data-9.6 kb/s

DW- Digital data-56  kb/s

DY- Digital service (under 1 mb/s)

EA- Switched access

EB- ENFIA II end office trunk

EC- ENFIA II tandem trunk

EE- Combined access

EF- Entrance facility-voice grade

EG- Type #2 Telegraph

EL- Emergency reporting line

EM- Emergency reporting center trunk

EN- Exchange network access facility

EP- Entrance facility-program grade

EQ- Equipment only-(network only) assignment

ES- Extension service-voice grade

ET- Entrance facility-telegraph grade

EU- Extension service-telegraph grade

EV- Enhanced Emergency reporting trunk

EW- Off network MTS/WATS equivalent service

FD- Private line-data

FG- Group-supergroup spectrum

FR- Fire dispatch

FT- Foreign exchange trunk

FW- Wideband channel

FV- Voice grade facility

FX- Foreign exchange

HP- Non-DDS Digital data 2.4 kb/s

HQ- Non-DDS Digital data 4.8 kb/s

HR- Non-DDS Digital data 9.6 kb/s

HW- Non-DDS Digital data 56  kb/s

IT- Intertandem tie trunk

LA- Local area data channel

LL- Long distance terminal line

LS- Local service

LT- Long distance terminal trunk

MA- Cellular access trunk 2-way

MT- Wired music

NA- CSACC link (EPSCS)

NC- CNCC link (EPSCS)

ND- Network data line

OI- Off premises intercommunication station line

ON- Off network access line

OP- Off premises extension

OS- Off premises PBX station line

PA- Protective alarm (AC)

PC- Switched digital-access line

PG- Paging

PL- Private line-voice

PM- Protective monitoring

PR- Protective relaying-voice grade

PS- MSC constructed spare facility

PV- Protective relaying-telegraph grade

PW- Protective relaying-signal grade

PX- PBX station line

PZ- MSC constructed circuit

QU- Packet asynchronous access line

QS- Packet synchronous access line

RA- Remote attendant

RT- Radio landline

SA- Satellite trunk

SG- Control/Remote metering signal grade

SL- Secretarial line

SM- Sampling

SN- Special access termination

SQ- Equipment only-customer premises

SS- Dataphone select-a-station

TA- Tandem tie-trunk

TC- Control/Remote metering-telegraph grade

TF- Telephoto/Facsimile

TK- Local PBX trunk

TL- Non-tandem tie trunk

TR- Turret or automatic call distributor (ACD) trunk

TT- Teletypewriter channel

TU- Turret or automatic call distributor (ACD) line

TX- Dedicated facility

VF- Commercial television (full time)

VH- Commercial television (part time)

VM- Control/Remote metering-voice grade

VO- International overseas television

VR- Non-commercial television (7003,7004)

WC- Special 800 surface trunk

WD- Special WATS trunk (OUT)

WI- 800 surface trunk

WO- WATS line (OUT)

WS- WATS trunk (OUT)

WX- 800 service line

WY- WATS trunk (2-way)

WZ- WATS line (2-way)

ZA- Alarm circuits

ZC- Call and talk circuits

ZE- Emergency patching circuits

ZF- Order circuits, facility

ZM- Measurement and recording circuits

ZP- Test circuit, plant service center

ZQ- Quality and management circuits

ZS- Switching, control and transfer circuits

ZT- Test circuits, central office

ZV- Order circuits, service



SERVICE CODES FOR LATA ACCESS

---------------------------------------------------

HC- High capacity 1.544 mb/ps

HD- High capacity 3.152 mb/ps

HE- High capacity 6.312 mb/ps

HF- High capacity 6.312

HG- High capacity 274.176 mb/s

HS- High capacity subrate

LB- Voice-non switched line

LC- Voice-switched line

LD- Voice-switched trunk

LE- Voice and tone-radio landline

LF- Data low-speed

LG- Basic data

LH- Voice and data-PSN access trunk

LJ- Voice and data SSN access

LK- Voice and data-SSN-intermachine trunk

LN- Data extension, voice grade data facility

LP- Telephoto/Facsimile

LQ- Voice grade customized

LR- Protection relay-voice grade

LZ- Dedicated facility

MQ- Metallic customized

NQ- Telegraph customized

NT- Protection alarm-metallic

NU- Protection alarm

NV- Protective relaying/Telegraph grade

NW- Telegraph grade facility-75 baud

NY- Telegraph grade facility- 150 baud

PE- Program audio, 200-3500 hz

PF- Program audio, 100-5000 hz

PJ- Program audio, 50-8000 hz

PK- Program audio, 50-15000 hz

PQ- Program grade customized

SB- Switched access-standard

SD- Switched access-improved

SE- Special access WATS-access-std

SF- Special access WATS access line improved

SJ- Limited switched access line

TQ- Television grade customized

TV- TV Channel one way 15khz audio

TW- TV Channel one way 5khz audio

WB- Wideband digital, 19.2 kb/s

WE- Wideband digital, 50 kb/s

WF- Wideband digital, 230.4 kb/s

WH- Wideband digital, 56 kb/s

WJ- Wideband analog, 60-108 khz

WL- Wideband analog 312-552 khz

WN- Wideband analog 10hz-20 khz

WP- Wideband analog, 29-44 khz

WR- Wideband analog 564-3064 khz

XA- Dedicated digital, 2.4 kb/s

XB- Dedicated digital, 4.8 kb/s

XG- Dedicated digital, 9.6 kb/s

XH- Dedicated digital 56. kb/s







Now the last two positions of real importance, 5 & 6 translate thusly:



Modifier Character Position 5

------------------------------



INTRASTATE            INTERSTATE

-------------------------------------

   A                      B           Alternate data & non data

-------------------------------------

   C                                  Customer controlled service

-------------------------------------

   D                      E           Data

-------------------------------------

   N                      L           Non-data operation

-------------------------------------

   P                                  Only offered under intra restructured

                                      private line (RPL) tariff

-------------------------------------

   S                      T           Simultaneous data & non-data

-------------------------------------

   F                                  Interexchange carriers is less than 50%

-------------------------------------

                          G           Interstate carrier is more than 50%

                                      usage

==============================================================================



MODIFIER CHARACTER POSITION 6

--------------------------------------------------------------



  TYPE OF SERVICE        Intra LATA

--------------------------------------

ALL EXCEPT US GOVT       US GOVERNMENT

--------------------------------------

       T                   M          Circuit is BOC customer to BOC customer

                                      all facilities are TELCO provided

--------------------------------------

       C                   P          Circuit is BOC/BOC and part of

                                      facilities or equipment is telco

                                      provided

--------------------------------------

       A                   J          Circuit is BOC/BOC all electrically

                                      connected equip is customer provided

--------------------------------------

       L                   F          Circuit terminates at interexchange

                                      carrier customers location

--------------------------------------

       Z                              Official company service

--------------------------------------

                          Interlata

       S                   S          Circuit terminates at interexchange

                                      carriers point of term (POT)

--------------------------------------

       V                   V          Circuit terminates at an interface of a

                                      radio common carrier (RCC)

--------------------------------------

       Z                              Official company service

--------------------------------------



                           Corridor

       Y                   X          Corridor circuit

--------------------------------------

                           International

       K                   H          Circuit has at least 2 terminations in

                                      different countries

--------------------------------------

                           Interexchange carrier

       Y                   X          Transport circuit between interexchange

                                      carrier terminals.

----------------------------------------



So 64FDDV would be a private line data circuit terminating at a  radiocommon

carrier.  Other examples can be decoded likewise.



Enjoy this information as much as I've had finding it.



    -= The Mad Phone-man =-





                ===== Phrack Magazine presents Phrack 16 =====

                           ===== File 3 of 12 =====



==========================================

====       Cosmos Kid Presents...     ====

====   A Hacker's Guide To:  PRIMOS   ====

====              Part I              ====

====     (c) 1987 by Cosmos Kid       ====

==========================================



Author's Note:

--------------

This file is the first of two files dealing with PRIMOS and its operations.

The next file will be in circulation soon so be sure to check it out at any

good BBS.





Preface:

--------

This file is written in a form to teach beginners as well as experienced

Primos users about the system. It is written primarily for beginners however.

PRIMOS, contrary to popular belief can be a very powerful system if used

correctly.  I have  outlined some  VERY BASIC  commands and  their use in this

file along with some extra commands, not so BASIC.





Logging On To A PRIMOS:

-----------------------

A PRIMOS system is best recognized by its unusual prompts. These are: 'OK',

and 'ER!'.  Once connected, these are not the prompts you get.  The System

should identify itself with a login such as:



Primenet V2.3

-or-

Primecom Network



The  system then  expects some  input from  you,preferably:  LOGIN.  You will

then be asked to enter  your user  identification and  password as  a security

measure.  The login onto a PRIMOS is as follows:



CONNECT

Primenet V 2.3 (system)

LOGIN<CR>      (you)

User id?       (system)

AA1234         (you)

Password?      (system)

KILLME         (you)

OK,            (system)





Preceding the OK, will be the systems opening message.  Note that if you fail

to type login once connected, most other commands are ignored and the system

responds with:



Please Login

ER!





Logging Off Of A PRIMOS:

------------------------

If at any time you get bored with Primos, just type 'LOGOFF' to leave the

system.  Some systems have a TIMEOUT feature implemented meaning that if you

fail to type anything for the specified amount of time the system will

automatically log you out, telling you something like:



Maximum Inactive Time Limit Exceeded





System Prompts:

---------------

As stated previously, the prompts 'ER!' and 'OK,' are used on Primos. The

'OK,' denotes that last command was executed properly and it is now waiting

for your next command. The 'ER!' prompt denotes that you made an error in

typing  your last  command.  This  prompt is  usually  preceded  by  an  error

message.





Special Characters:

-------------------

Some terminals have certain characteristics that are built in to the terminal.

key



CONTROL-H

Deletes the last character typed.





Other Special Characters:

-------------------------

RETURN:  The return key signals PRIMOS that you have completed typing a

         command and that you are ready for PRIMOS to process the command.



BREAK/CONTROL-P:  Stops whatever is currently being processed in memory and

                  will return PRIMOS to your control.  To restart a process,

                  type:

                  START (abbreviated with S).



CONTROL-S:  Stops the scrolling of the output on your terminal for viewing.



CONTROL-Q:  Resumes the output scrolling on your terminal for inspection.



SEMICOLON ';':  The logical end of line character.  The semicolon is used to

                enter more than one command on one line.



Getting Help:

-------------

You can get on-line information about the available PRIMOS commands by using

the 'HELP' command.  The HELP system is keyword driven.  That is, all

information is stored under keywords that indicate the content of the help

files.  This is similar to VAX.  Entering the single command 'HELP' will enter

the HELP sub-system and will display an informative page of text.  The next

page displayed will provide you with a list of topics and their keywords.

These topics include such items as PRIME, RAP, MAIL, and DOC.  If you entered

the MAIL keyword, you would be given information concerning the mail sub-

system available to users on P simply enter PRIME to obtain information on all

PRIMOS commands.  You could then enter COPY to obtain information on that

specific topic.





Files And Directories:

----------------------

The name of a file or sub-directory may have up to 32 characters.  The

filename may contain any of the following characters, with the only

restriction being that the first character of the filename may not be a digit.

Please note that BLANK spaces are NOT allowed ANYWHERE:



A-Z .....alphabet

0-9 .....numeric digits

&   .....ampersand

#   .....pound sign

$   .....dollar sign

-   .....dash/minus sign

*   .....asterisk/star

.   .....period/dot

/   .....slash/divide sign





Naming Conventions:

-------------------

There are very few restrictions on the name that you may give a file.

However, you should note that many of the compilers (language processors) and

commands on the PRIME will make certain assumptions if you follow certain

guidelines. File name suffixes help to identify the file contents with regard

to the language the source code was written in and the contents of the file.

For instance, if you wrote a PL/1 program and named the file containing the

source code 'PROG1.PL1' (SEGmented loader) would take the binary file, link

all the binary libraries that you specify and produce a file named

'PROG1.SEG', which would contain the binary code necessary to execute the

program.  Some common filename suffixes are:  F77, PAS, COBOL, PL1G, BASIC,

FTN, CC, SPIT (source  files).  These all  denote  separate languages  and get

into more advanced programming on PRIMOS.  (e.g. FTN=Fortran).



BIN=the binary code produced by the compiler

LIST=the program listing produced by the compiler

SEG=the linked binary code produced by SEG



Some files which do not use standard suffixes may instead use the filename

prefixes to identify the contents of the file.  Some common filename prefixes

are:



B  Binary code produced by the compiler

L  source program Listing

C  Command files

$  Temporary work files (e.g. T$0000)

#  Seg files





Commands For File Handling:

----------------------------

PRIMOS has several commands to control and access files and file contents.

These commands can be used to list the contents of files and directories, and

to copy, add, delete, edit, and print the contents of files.  The capitalized

letters of each are deleted.  A LIST must be enclosed in parenthesis.



Close arg        ....Closes the file specified by 'arg'.  'Arg' could also be

                 a list of PRIMOS file unit numbers, or the word 'ALL' which

                 closes all open files and units.



LIMITS           ....Displays information about the login account, including

                 information about resources allocated and used, grantor, and

                 expiration date.



Edit Access      ....Edits the Access rights for the named directories and

                 files.



CName arg1 arg2  ....Changes the Name of 'arg1' to 'arg2'.  The arguments can

                 be files or directories.



LD               ....The List Directory command has several arguments that

                 allow for controlled listing format and selection of entries.



Attach arg       ....allows you to Attach to the directory 'arg' with the

                 access rights specified in the directory Access Control List.



DOWN <arg>       ....allows you to go 'DOWN into' a sub-ufd (directory).  You

                 can specify which one of several sub-ufds to descend into

                 with the optional 'arg'.



UP <arg>         ....allows you to go 'UP into' a higher ufd (directory).  You

                 can specify which one of several to climb into with the

                 optional 'arg'.



WHERE            ....Displays what the current directory attach point is and

                 your access rights.



CREATE arg       ....CREATES a new sub-directory as specified by 'arg'.



COPY arg1 arg2   ....COPIES the file or directory specified by 'arg1' into a

                 file by the same name specified by 'arg2'.  Both 'arg1' and

                 'arg2' can be filename with the SPOOL command, whose format

                 is:



SPOOL filename -AT destination

                 where filename is the name of the file you want printed, and

                 destination is the name of the printer where you want the

                 file printed.  For example if you want the file 'HACK.FTN'

                 printed at the destination 'LIB' type:



SPOOL HACK.FTN -AT LIB



PRIMOS then gives you some information telling you that the file named was

SPOOLed and the length of the file in PRIMOS records. To see the entries in

the SPOOL queue, type:



SPOOL -LIST



PRIMOS then lists out all the files waiting to be printed on the printers on

your login system. Also included in this information will be the filename of

the files waiting to print, the login account name of the user who SPOOLed the

file, the time that the file was SPOOLed, the size of the file in PRIMOS

records, and the printer name where the file is to print.





Changing The Password Of An Account:

------------------------------------

If you wish to change the password to your newly acquired account you must use

the 'CPW' command (Change PassWord).  To do this enter the current password on

the command line followed by RETURN.  PRIMOS will then prompt you for your

desired NEW password and then ask you to confirm your NEW password.  To change

your password of 'JOE' to 'SCHMOE' then type:



OK,             (system)

CPW JOE         (you)

New Password?   (system)



You can save a copy of your terminal session by using the COMO (COMmand

Output) command.  When you type:



COMO filename



Everything which is typed or displayed on your terminal is saved (recorded)

into the filename  on the command line (filename).  If a file by the same name

exists, then that file will be REPLACED with NO WARNING GIVEN!  When you have

finished doing whatever it was you wanted a hardcopy of, you type:



COMO -End



which will stop recording your session and will close the COMO file. You can

now print the COMO file using the SPOOL command as stated earlier.



Conclusion:

-----------

This  concludes  this  first  file on PRIMOS.  Please  remember this  file  is

written primarily for beginners, and some of  the text may have seemed BORING!

However, this filewaswrittenin  a verbose fashion to FULLYINTRODUCEPRIMOS

to beginners.  Part II will deal with more the several languages on PRIMOS and

some other commands.





Author's Endnote:

-----------------

I would like to thank the following people for the help in writing this file:



AMADEUS (an oldie who is LONG GONE!)

The University Of Kentucky

State University Of New York (SUNY) Primenet



And countless others.....



Questions, threats, or suggestions to direct towards me, I can be found on any

of the following:



The Freeworld ][.........301-668-7657

Digital Logic............305-395-6906

The Executive Inn........915-581-5146

OSUNY BBS................914-725-4060



        -=*< Cosmos Kid >*=-



========================================





                ===== Phrack Magazine presents Phrack 16 =====

                           ===== File 4 of 12 =====





Hacking the Global Telecommunications Network

Researched and written by:  The Kurgan

Compiled on 10/5/87





Network Procedure Differences



The Global Telecommunications Network (GTN) is Citibanks's international data

network, which allows Citicorp customers and personnel to access Citibank's

worldwide computerized services.



Two different sign on procedures exist: Type A and Type B.  All users, except

some  in  the U.S., must use Type B.  (U.S. users: the number  you dial into

and  the  Welcome  Banner  you  receive  determine  what  sign-on procedure to

follow.)  Welcome banners are as follows:



TYPE A:

WELCOME TO CITIBANK. PLEASE SIGN ON.

XXXXXXXX



@

PASSWORD =



@



TYPE B:

PLEASE ENTER YOUR ID:-1->

PLEASE ENTER YOUR PASSWORD:-2->



CITICORP (CITY NAME). KEY GHELP FOR HELP.

  XXX.XXX

 PLEASE SELECT SERVICE REQUIRED.-3->





Type A User Commands



User commands are either instructions or information you send to the network

for it to follow.  The commands available are listed below.



User Action:  Purpose:



@ (CR)   To put you in command mode (mode in which you can put

         your currently active service on hold and ask the network

         for information, or log-off the service).  (NOTE: This

         symbol also serves as the network prompt; see Type A

         messages.)



BYE (CR)  To leave service from command mode.



Continue (CR)  To return to application from command mode (off hold)



D (CR)                  To leave service from command mode.



ID                      To be recognized as a user by the network (beginning of

                        sign on procedure), type ID, then a space and your

                        assigned network ID.  (Usually 5 or 6 characters long)



Status (CR)             To see a listing of network address (only from @

                        prompt).  You need this address when "reporting a

                        problem."



Type A messages



The network displays a variety of messages on your screen which either require

a user command or provide you with information.



Screen shows:  Explanation:



@   Network prompt -- request for Network ID.



BAD PASSWORD  Network does not except your password.



<address> BUSY          The address is busy, try back later.





WELCOME TO CITIBANK.    Network welcome banner.  Second line provides address

PLEASE SIGN ON.         # to be used when reporting "problems."

XXX.XXX



<address> ILLEGAL       You typed in an address that doesn't exist.



<address> CONNECTED     Your connection has been established.



DISCONNECTED            Your connect has been disconnected.



NOT CONNECTED           You're not connected to any service at the time.



NUI REQUIRED            Enter your network user ID.



PASSWORD =              Request for your assigned password.



STILL CONNECTED         You are still connected to the service you were using.



?                       Network doesn't understand your entry.





Type B User Commands and Messages



Since the Type B procedure is used with GTN dial-ups, it requires fewer

commands to control the network.  There is only 1 Type B command.  Break plus

(CR) allows you to retain connection to one service, and connect with another.





Screen Shows:  Explanation:



CITICORP (CITY NAME).   Network Welcome banner.  Type in service address.

 PLEASE SELECT SERVICE



COM   Connection made.



DER   The port is closed out of order, or no open routes are

      available.



DISCONNECTED  You have disconnected from the service and the network.



ERR   Error in service selected.



INV   Error in system.



MOM   Wait, the connection is being made.



NA    Not authorized for this service.



NC    Circuits busy, try again.



NP    Check service address.



OCC   Service busy, try again.





Sign-on Procedures:



  There are two types of sign on procedures.  Type A and Type B.





Type A:



To log onto a system with type A logon procedure, the easiest way is through

Telenet.  Dial your local Telenet port.  When you receive the "@" prompt, type

in the Type-A service address (found later in the article) then follow the

instructions from there on.



  Type-B:

    Dial the your GTN telephone #, then hit return twice.  You will then see:



"PLEASE ENTER YOUR ID:-1->"



Type in a network ID number and hit return.



    You will then see



"PLEASE ENTER YOUR PASSWORD:-2->"



     Type in Network Password and hit return.



    Finally you will see the "CITICORP (city name)" welcome banner, and it

will ask you to select the service you wish to log onto.  Type the address and

hit return.  (A list of addresses will be provided later)



Trouble Shooting:



    If you should run into any problems, the Citicorp personnel will gladly

help their "employees" with any questions.  Just pretend you work for Citibank

and they will give you a lot.  This has been tried and tested.  Many times,

when you attempt to log on to a system and you make a mistake with the

password, the system will give you a number to call for help.  Call it and

tell them that you forgot your pass or something.  It usually works, since

they don't expect people to be lying to them.  If you have any questions about

the network itself, call 305-975-5223.  It is the Technical Operations Center

(TOC) in Pompano, Florida.



Dial-Ups:



    The following list of dial-ups is for North America.  I have a list of

others, but I don't think that they would be required by anyone.  Remember:

Dial-ups require Type-B log-on procedure.  Type-A is available on systems

accessible through Telenet.



Canada Toronto       416-947-2992     (1200 Baud V.22 Modem Standard)

U.S.A. Los Angeles   213-629-4025     (300/1200 Baud U.S.A. Modem Standard)

       Jersey City   201-798-8500

       New York City 212-269-1274

                     212-809-1164



Service Addresses:



     The following is a VERY short list of just some of the 100's of service

addresses.  In a later issue I will publish a complete list.



Application Name:   Type-A  Type-B



CITIADVICE    2240001600 CADV

CITIBANKING ATHENS   2240004000 :30

CITIBANKING PARIS   2240003300 :33

CITIBANKING TOKYO   2240008100      :81

CITICASH MANAGER

  INTERNATIONAL 1 (NAFG CORP)  2240001200      CCM1

  INTERNATIONAL 7 (DFI/WELLS FARGO) 2240013700 CCM7

COMPMARK ON-LINE   2240002000      CS4

ECONOMIC WEEK ON-LINE   2240011100      FAME1

INFOPOOL/INFOTEXT   2240003800      IP



EXAMPLE OF LOGON PROCEDURE:



THE FOLLOWING IS THE BUFFERED TEXT OF A LOG-ON TO CITIBANKING PARIS THROUGH

TELENET.







CONNECT 1200

TELENET

216 13.41



TERMINAL=VT100



@2240003300



223 90331E CONNECTED



ENTER TYPE NUMBER OR RETURN



TYPE B IS BEEHIVE DM20

TYPE 1 IS DEC VT100

TYPE A IS DEC VT100 ADV VIDEO

TYPE 5 IS DEC VT52

TYPE C IS CIFER 2684

TYPE 3 IS LSI ADM 3A

TYPE L IS LSI ADM 31

TYPE I IS IBM 3101

TYPE H IS HP 2621

TYPE P IS PERKIN ELMER 1200

TYPE K IS PRINTER KEYBOARD

TYPE M IS MAI BASIC 4

TYPE T IS TELEVIDEO 9XX

TYPE V IS VOLKER CRAIG 4404

TYPE S IS SORD MICRO WITH CBMP

RELEASE BSC9.5 - 06JUN85

FOR 300 BAUD KEY ! AND CARRIAGE RETURN

CONFIG.     K1.1-I11H-R-C-B128

ENTER TYPE NUMBER OR RETURN K



CONNECTED TO CITIBANK PARIS - CBP1 ,PORT 5



Have fun with this info, and remember, technology will rule in the end.





                ===== Phrack Magazine presents Phrack 16 =====

                           ===== File 5 of 12 =====



----------------------------------------------------------------------------

|                  The Laws Governing Credit Card Fraud                    |

|                                                                          |

|                        Written by Tom Brokaw                             |

|                         September 19, 1987                               |

|                                                                          |

|                       Written exclusively for:                           |

|                          Phrack Magazine                                 |

|                                                                          |

----------------------------------------------------------------------------

                (A Tom Brokaw/Disk Jockey Law File Production)





Introduction:

------------



     In this article, I will try to explain the laws concerning the illegal

use of credit cards.  Explained will be the Michigan legislative view on the

misuse and definition of credit cards.





Definition:

----------



     Well, Michigan Law section 157, defines a credit card as  "Any instrument

or device which is sold, issued or otherwise distributed by a business

organization identified thereon for obtaining goods, property, services or

anything of value."  A credit card holder is defined as: 1) "The person or

organization who requests a credit card and to whom or for whose benefit a

credit card is subsequently issued" or  2) "The person or organization to whom

a credit  card was  issued and  who uses a credit card whether the issuance of

the credit card was requested or not."  In other words, if the company or

individual is issued a card, once using it, they automatically agree to all

the laws and conditions that bind it.





Stealing, Removing, Retaining or Concealment:

--------------------------------------------



     Michigan Law states, that it is illegal to "steal, knowingly take or

remove a credit card from a card holder." It also states that it is wrongful

to "conceal a credit card  without the consent of the card holder."  Notice

that it doesn't say anything about carbons  or numbers acquired from BBSes,

but I think that it could be considered part of the laws governing the access

of a persons account without the knowledge of the cardholder, as described

above.





Possession with Intent to Circulate or Sell

-------------------------------------------



     The law states that it is illegal to possess or have under one's control,

or receive a credit card if his  intent is to circulate or sell the card.  It

is also illegal to deliver, circulate or sell a credit card, knowing that such

a possession, control or receipt without the cardholders consent, shall be

guilty of a FELONY.  Notice again, they say nothing about possession of

carbons or numbers directly.  It also does not clearly state what circulation

or possession is, so we can only stipulate.  All it says is that possession of

a card (material plastic) is illegal.





Fraud, forgery, material alteration, counterfeiting.

----------------------------------------------------



     However, it might not be clearly illegal to possess a carbon or CC

number.  It IS illegal to defraud  a credit card holder.   Michigan law states

that any person who, with intent to defraud, forge, materially alter or

counterfeit a credit card, shall be guilty of a felony.





Revoked or cancelled card, use with intent to defraud.

------------------------------------------------------



    This states that "Any person who knowingly and with intent to defraud for

the purpose of obtaining goods, property or services or anything of value on a

credit card which has been revoked or cancelled or reported stolen by the

issuer or issuee, has been notified of the cancellation by registered or

certified mail or by another personal service shall be fined not more than

$1,000 and not imprisoned not more than a year, or both.  However, it does not

clearly say if it is a felony or misdemeanor or civil infraction.  My guess is

that it would be dependant on the amount and means that you used and received

when  you  defraud  the  company.   Usually,  if  it is  under  $100,  it is a

misdemeanor  but if it is over $100, it is a felony.  I guess they figure that

you should know these things.





The People of The State of Michigan vs. Anderson     (possession)

------------------------------------------------



     On April 4, 1980, H. Anderson attempted to purchase a pair of pants at

Danny's Fashion Shops, in the Detroit area.  He went up to the cashier to pay

for the pants and the cashier asked him if he had permission to use the credit

card.  He said "No, I won it last night in a card game".  The guy said that I

could purchase $50 dollars worth of goods to pay back the debt.  At the same

time, he presumed the card to be a valid one and not stolen.  Well, as it

turned out it was stolen but he had no knowledge of this.  Later, he went to

court and pleased guilty of attempted possession of a credit card of another

with intent or circulate or sell the same.  At the guilty hearings, Mr.

Anderson stated that the credit card that he attempted to use had been

acquired by him in payment of a gambling debt and assumed that the person was

the owner. The trial court accepted his plea of guilty.  At the sentencing,

Mr. Anderson, denied that he had any criminal intent.  Anderson appealed the

decision stating that the court had erred by accepting his plea of guilty on

the basis of insufficient factual data.  Therefore, the trial court should not

have convicted him of attempted possession and reversed the charges.





The People of the State of Michigan vs. Willie Dockery

------------------------------------------------------



     On June 23, 1977, Willie Dockery attempted to purchase gas at a Sears gas

station  by  using  a  stolen  credit  card. The  attendant noticed  that his

driver's license  picture was  pasted on  and  notified  the police.   Dockery

stated that he had found the credit  card and the license at an intersection,

in the city of Flint.  He admitted that  he knowingly used the credit card and

driver's license without the consent of the owner but he said that he only had

purchased  gasoline  on  the  card.  It  turns  out  that  the credit card and

driver's  license was  stolen from a man, whose grocery store had been robbed.

Dockery said  that he  had no knowledge of the robbery and previous charges on

the cardwhich totalled$1,373.21.  He admitted that he did paste his picture

on the driver's license.  Butagain the court screws up, they receive evidence

that the defendant had a record of felonies dating back to when he was sixteen

and then assumed that  he was guilty on  the basis of his prior offenses.  The

judge later said that  the present  sentence could  not stand in this court so

the case was referred to another court.





Conclusion

----------



     I hope that I have given you a better understanding about the law, that

considers the illegal aspects of using credit cards.  All this information was

taken from The Michigan Compiled Laws Annotated Volume 754.157a-s and from The

Michigan Appeals Report.



In my next file I will talk about the laws concerning Check Fraud.





                                             -Tom Brokaw





                ===== Phrack Magazine presents Phrack 16 =====

                           ===== File 6 of 12 =====



******************************************************************************

*                                                                            *

*                         Tapping Telephone Lines                            *

*                                                                            *

*                              Voice or Data                                 *

*                                                                            *

*                       For Phun, Money, and Passwords                       *

*                                                                            *

*                   Or How to Go to Jail for a Long Time.                    *

*                                                                            *

******************************************************************************



Written by Agent Steal 08/87





  Included in this file is...



      * Equipment needed



      * Where to buy it



      * How to connect it



      * How to read recorded data





  But wait!!  There's more!!



      * How I found a Tymnet node



      * How I got in







*************

THE EQUIPMENT

*************



    First  thing you  need  is  an  audio  tape  recorder.   What you  will be

recording, whether  it be  voice or  data, will  be in an analog audio format.

>From now  on, most references  will be  towards data recording.  Most standard

cassette recorders will work  just fine.  However,  you are limited  to 1 hour

recording time  per side.   This can  present a problem in some situations.  A

reel to reel can also be used.  The limitations here are size and availability

of A.C.  Also, some  reel to  reels lack  a remote  jack that will be used to

start  and stop  the recorder  while the  line is being  used.   This  may not

present  a problem.   More later.  The two  types of recorders I would advise

staying away from (for data) are the micro cassette recorders and the standard

cassette recorders that have been modified for 8 to 10 hour record time.  The

speed  of these  units is too unstable.  The next item you need, oddly enough,

is  sold by  Radio Shack  under the  name "Telephone  recording control"  part

# 43-236 $24.95.  See page 153 of the 1987 Radio Shack catalog.







*****************

HOW TO CONNECT IT

*****************



  The Telephone recording control (TRC) has 3 wires coming out of it.



  #1 Telco wire with modular jack.  Cut this and replace with alligator clips.



  #2 Audio wire with miniature phone jack (not telephone).  This plugs

     into the microphone level input jack of the tape recorder.



  #3 Audio wire with sub miniature phone jack.  This plugs into the "REM"

     or remote control jack of the tape recorder.



    Now all you need to do is find the telephone line, connect the alligator

clips, turn the recorder on, and come back later.  Whenever the line goes off

hook, the recorder starts.  It's that simple.







****************

READING THE DATA

****************



    This is the tricky part.  Different modems and different software respond

differently but there are basics.  The modem should be connected as usual to

the telco line and computer.  Now connect the speaker output of the tape

player directly to the telephone line.  Pick up the phone and dial the high

side of a loop so your line doesn't make a lot of noise and garble up your

data.  Now, command your modem into the answer mode and press play.  The tape

should be lined up at the beginning of the recorded phone call, naturally, so

you can see the login.  Only one side of the transmission between the host and

terminal can be monitored at a time.  Going to the originate mode you will see

what the host transmitted.  This will include the echoes of the terminal. Of

course the password will be echoed as ####### for example, but going to the

answer mode will display exactly what the terminal typed.  You'll understand

when you see it.  A couple of problems you might run into will be hum and

garbage characters on the screen.  Try connecting the speaker output to the

microphone of the hand set in your phone.  Use a 1 to 1 coupling transformer

between the tape player input and the TRC audio output.  These problems are

usually caused when using A.C. powered equipment.  The common ground of this

equipment interferes with the telco ground which is D.C. based.



    I was a little reluctant to write this file because I have been

unsuccessful in reading any of the 1200 baud data I have recorded.  I have

spoke with engineers and techs.  Even one of the engineers who designs modems.

All of them agree that it IS possible, but can't tell me why I am unable to do

this.  I believe that the problems is in my cheap ass modem.  One tech told me

I needed a modem with phase equalization circuitry which is found in most

expensive 2400 baud modems.  Well one of these days I'll find $500 lying on

the street and I'll have nothing better to spend it on!  Ha!  Actually, I have

a plan and that's another file.....



    I should point out one way of reading 1200 baud data.  This should work in

theory, however, I have not attempted it.



    Any fully Hayes compatible modem has a command that shuts off the carrier

and allows you to monitor the phone line.  The command is ATS10.  You would

then type either answer or originate depending on who you wanted to monitor.

It would be possible to write a program that records the first 300 or so

characters then writes it to disk, thus allowing unattended operation.



**************

HOW CRAZY I AM

**************



  PASSWORDS GALORE!!!!



    After numerous calls to several Bell offices, I found the one that handled

Tymnet's account.  Here's a rough transcript:



Op:  Pacific Bell priority customer order dept.  How may I help you?

Me:  Good Morning, this is Mr. Miller with Tymnet Inc.  We're interested in

     adding some service to our x town location.

Op:  I'll be happy to help you Mr. Miller.

Me:  I need to know how many lines we have coming in on our rotary and if we

     have extra pairs on our trunk.  We are considering adding ten additional

     lines on that rotary and maybe some FX service.

Op:  Ok....What's the number this is referenced to?

Me:  xxx-xxx-xxxx (local node #)

Op:  Hold on a min....Ok bla, bla, bla.



    Well you get the idea.  Anyway, after asking her a few more unimportant

questions I asked her for the address.  No problem, she didn't even hesitate.

Of course this could have been avoided if the CN/A in my area would give out

addresses, but they don't, just listings.  Dressed in my best telco outfit,

Pac*Bell baseball cap, tool belt and  test set, I was out the door.  There it

was, just  an office  building, even  had  a  computer  store  in  it.   After

exploring the building for awhile, I found it.  A large steel door with a push

button lock.  Back to the phone.  After finding the  number where  the service

techs were I called it and talked to the tech manager.



Mgr:  Hello this is Joe Moron.

Me:   Hi this is Mr. Miller (I like that name) with Pacific Bell.  I'm down

      here at your x town node and we're having problems locating a gas leak

      in one of our Trunks.  I believe our trunk terminates pressurization in

      your room.

Mgr:  I'm not sure...

Me:   Well could you have someone meet me down here or give me the entry code?

Mgr:  Sure the code is 1234.

Me:   Thanks, I'll let you know if there's any trouble.





    So, I ran home, got my VCR (stereo), and picked up another TRC from Trash

Shack.  I connected  the VCR to  the first  two incoming  lines on the rotary.

One went  to each channel (left,right).  Since the volume of calls is almost

consistent, it wasn't necessary to stop the recorder between calls.  I just

let it run.  I would come back the next day to change the tape.  The VCR was

placed under the floor in case a tech happened to come by for maintenance.

These nodes are little computer rooms with air conditioners and raised floors.

The modems and packet switching equipment are all rack mounted behind glass.

Also, most of the nodes are unmanned.  What did I get?  Well a lot of the

logins were 1200, so I never found out what they were.  Still have 'em on tape

though!  Also a large portion of traffic on both Tymnet and Telenet is those

little credit card verification machines calling up Visa or Amex.  The

transaction takes about 30 secs and there are 100's on my tapes.  The rest is

as follows:



   Easylink          CompuServe        Quantumlink       3Mmail

   PeopleLink        Homebanking       USPS              Chrysler parts order

   Yamaha            Ford              Dow Jones



    And a few other misc. systems of little interest.  I'm sure if I was

persistent, I'd get something a little more interesting.  I spent several

months trying to figure out my 1200 baud problem.  When I went back down there

the code had been changed.  Why?  Well I didn't want to find out.  I was out

of there!  I had told a couple of people who I later found could not be

trusted.  Oh well.  Better safe than sorry.





**************************************



    Well, if you need to reach me,try my VMS at 415-338-7000 box 8130.  But no

telling how long that will last.  And of course there's always P-80 systems at

304-744-2253.  Probably be there forever.  Thanks Scan Man, whoever you are.

Also read my file on telco local loop wiring.  It will help you understand how

to find the line you are looking for.  It should be called Telcowiring.Txt



          <<< AGENT STEAL >>>





                ===== Phrack Magazine presents Phrack 16 =====

                           ===== File 7 of 12 =====



------------------------------------------------------------------------

-                          The Disk Jockey                             -

-                             presents:                                -

-                                                                      -

-                     Reading Trans-Union Reports:                     -

-                       A lesson in terms used                         -

-                        (A 2af presentation)                          -

------------------------------------------------------------------------



This file is dedicated to all the phreaks/hacks that were busted in the summer

of 1987, perhaps one of the most crippling summers ever for us.



Preface:

-------

     Trans-Union is a credit service much like CBI, TRW or Chilton, but offers

more competitive rates, and is being used more and more by many credit

checking agencies.



Logging in:

----------

     Call one of the Trans Union dial-ups at 300,E,7,1, Half Duplex. Such a

dial-up is 314-XXX-XXXX.  After connecting, hit Ctrl-S.  The system will echo

back a 'GO ' and then awaits you to begin the procedure of entering the

account and  password, then  mode, i.e.:  S F1111,111,H,T.   The system  will

then  tell  you  what  database  you  are  logged  on  to,  which  is   mostly

insignificant  for your use.  To  then pull  a  report,  you  would  type  the

following:  P JONES,JIM* 2600,STREET,CHICAGO,IL,60604** <Ctrl-S>.   The name

is  Jim Jones, 2600 is his street address, street is the  street name, Chicago

is the city, IL is the state, 60604 is the zip.



The Report:

----------

     The report will come out, and will look rather odd, with all types of

notation.  An example of a Visa card would be:



SUB NAME/ACCT#   SUB#     OPEND  HICR DTRP/TERM BAL/MAX.DEL PAY.PAT   MOP



CITIBANK         B453411  3/87  $1000   9/87A    $0         12111     R01

4128XXXXXXXXX             $1500         5/87     $120





Ok, Citibank is the issuing bank.  B453411 is their subscriber code.  3/87 is

when the account was opened.  HICR is the most that has been spent on that

card.  9/87 is when the report was last updated (usually monthly if active).

$1000 is the credit line.  $0 is the current balance.  12111 is the payment

pattern, where 1=pays in 30 days and 2=pays in 60 days. R01 means that it is a

"Revolving" account, meaning that he can make payments rather than pay the

entire bill at once.  4128-etc is his account number (card number).  $1500 is

his credit line.  5/87 is when he was late on a payment last.  $120 is the

amount that he was late with.



Here is a list of terms that will help you identify and understand the reports

better:



ECOA Inquiry and Account Designators

------------------------------------

I Individual account for sole use of applicant

C Joint spousal contractual liability

A Authorized user of shared account

P Participant in use of account that is neither C nor A

S Co-signer, not spouse

M Maker primarily liable for account, co-signer involved

T Relationship with account terminated

U Undesignated

N Non-Applicant spouse inquiry



Remarks and FCBA Dispute Codes

------------------------------

AJP Adjustment pending

BKL Bankruptcy loss

CCA Consumer counseling account

CLA Placed for collection

CLO Closed to further purchases

CTS Contact Subscriber

DIS Dispute following resolution

DRP Dispute resolution pending

FCL Foreclosure

MOV Moved, left no forwarding address

ND  No dispute

PRL Profit and loss write-off

RFN Account refinanced

RLD Repossession, paid by dealer

RLP Repossession, proceeds applied towards debt

RPO Repossession

RRE Repossession, redeemed

RS  Dispute resolved

RVD Returned voluntarily, paid by dealer

RVN Returned voluntarily

RVP Returned voluntarily, proceeds go towards debt

RVR Returned voluntarily, redeemed

SET Settled for less than full balance

STL Plate (card) stolen or lost

TRF Transferred to another office



Type of Account

---------------

O Open account (30 or 90 days)

R Revolving or option account (open-end)

I Installment (fixed number of payments)

M Mortgage

C Check credit (line of credit at a bank)



Usual Manner of Payment

-----------------------

00 Too new to rate; approved, but not used or not rated

01 Pays (or paid) within 30 days of billing, pays accounts as agreed

02 Pays in more than 30 days, but not more than 60 days

03 Pays in more than 60 days, but not more than 90 days

04 Pays in more than 90 days, but not more than 120 days

05 Pays in 120 days or more

07 Makes payments under wage earner plan or similar arrangement

08 Repossession

8A Voluntary repossession

8D Legal repossession

8R Redeemed repossession

09 Bad debt; placed for collection; suit; judgement; skip

9B Placed for collection

UR Unrated

UC Unclassified



Kinds of Business Classification

-------------------------------

A Automotive

B Banks

C Clothing

D Department and variety

F Finance

G Groceries

H Home furnishings

I Insurance

J Jewelry and cameras

K Contractors

L Lumber, building materials

M Medical and related health

N National credit card

O Oil and national credit card

P Personal services other than medical

Q Mail order houses

R Real estate and public accommodations

S Sporting goods

T Farm and garden supplies

U Utilities and fuel

V Government

W Wholesale

X Advertising

Y Collection services

Z Miscellaneous



Type of Installment Loan

------------------------

AF Appliance/Furniture

AP Airplane

AU Automobile

BT Boat

CA Camper

CL Credit line

CM Co-maker

CO Consolidation

EQ Equipment

FH FHA contract loan

FS Finance statement

HI Home improvement

IN Insurance

LE Leases

MB Mobile home

MC Miscellaneous

MT Motor home

PI Property improvement plan

PL Personal loan

RE Real estate

ST Student loan

SV Savings bond, stock, etc.

US Unsecured

VA Veteran loan



Date Codes

----------

A Automated, most current information available

C Closed date

F Repossessed/Written off

M Further updates stopped

P Paid

R Reported data

S Date of last sale

V Verified date



Employment Verification Indicator

---------------------------------

D Declined verification

I Indirect

N No record

R Reported, but not verified

S Slow answering

T Terminated

V Verified

X No reply





Hope  this helps.  Anyone  that has used  Trans-Union will  surely  appreciate

this, as the result codes are sometimes hard to decipher.



                                                     -The Disk Jockey





                      #### PHRACK PRESENTS ISSUE 16 ####

                   ^*^*^*^Phrack World News, Part 1^*^*^*^

                            **** File 8 of 12 ****





>From the 9/16 San Francisco Chronicle, page A19:



GERMAN HACKERS BREAK INTO NASA NETWORK (excerpted)



Bonn

        A group of West German computer hobbyists broke into an international

computer network of the National Aeronautics and Space Administration and

rummaged freely among the data for at least three months before they were

discovered, computer enthusiasts and network users said yesterday.



        An organization in Hamburg called the Chaos Computer Club, which

claimed to be speaking for an anonymous group that broke into the network,

said the illicit users managed to install a "Trojan horse," and gain entry

into 135 computers on the European network.



        A "Trojan  Horse" is a  term for  a  permanent  program  that  enables

amateur computer enthusiasts  [as opposed  to professionals?], or "hackers,"

to use a password to bypass  all the security  procedures of a system and gain

access to all the data in a target computer.



[Actually, this type of program is a 'back door' or a 'trap door.' The group

may very well have *used* a Trojan horse to enable them to create the back

door, but it probably wasn't a Trojan horse per se.  A Trojan horse is a

program that does something illicit and unknown to the user in addition to its

expected task.  See Phrack xx-x, "Unix Trojan Horses," for info on how to

create a Trojan horse which in turn creates a trap door into someone's

account.]



        The NASA network that was broken into is called the Space Physics

Analysis Network [ooh!] and is chiefly designed to provide authorized

scientists and organizations with access to NASA data.  The security system in

the network was supplied by an American company, the Digital Equipment Corp.

[Probably DECNET.  Serves them right.]  Users said the network is widely used

by scientists in the United States, Britain, West Germany, Japan and five

other countries and does not carry classified information.



        A Chaos club spokesman, Wau Holland, denied that any data had been

changed.  This, he said, went against "hacker ethics."



        West German television reports said that computer piracy carries a

penalty of three years in prison in West Germany.  The government has not said

what it plans to do.



        The Chaos club clearly views its break-in as a major coup.  Holland,

reached by telephone in Hamburg, said it was "the most successful running of a

Trojan horse" to his knowledge, and the club sent a lengthy telex message to

news organizations.



        It said the "Trojan horse" was spotted by a user in August, and the

infiltrating group then decided to go public because "they feared that they

had entered the dangerous field of industry espionage, economic crime, East-

West conflict...and the legitimate security interests of high-tech

institutions."



        The weekly magazine Stern carried an interview with several anonymous

hobbyists who showed how they gained access to the network.  One described his

excitement when for the first time he saw on his screen, "Welcome to the NASA

headquarters VAX installation."



        According to Chaos, the hobbyists discovered a gap in the Digital VAX

systems 4.4 and 4.5 and used it to install their "Trojan Horse."



[Excerpted and Typed by Shooting Shark.  Comments by same.]





                      #### PHRACK PRESENTS ISSUE 16 ####

                   ^*^*^*^Phrack World News, Part 2^*^*^*^

                            **** File 9 of 12 ****



[Ed's Note:  CertainThings in the article have been blanked (XXXXX) at the

request of the author]



                The Story of the Feds on XXXXXXX BBS

                By The Mad Phone Man



        Returninghome one afternoon with a friend, I knew something wasn't

right when I walked into the computer room.  I see a "Newuser" on the board...

and the language he's using is... well "Intimidating"...



"I want you all to know I'm with the OCC task force and we know who you are...

we are going to have a little get-together and 'talk' to you all."



     Hmmm... a loser?... I go into chat mode... "Hey dude, what's up?" I ask.

"Your number asshole" he says.... Well, fine way to log on to a board if I do

say.... "Hey, you know I talked to you and I know who you are.." "Oh

yeah...Who am I?." he hesitates and says... "Well uh.. you used to work for

Sprint didn't you?"

   I say, "No, you've got me confused with someone else I think, I'm a junior

in high school."

        "Ohyeah?.. You got some pretty big words for a high school kid," he

says....

        "Well, in case you didn't know, they teach English as a major these

days...."

        He says... "Do you really want to know which LD company I'm with?"

        I say "NO, but if it will make you happy, tell me."

        He  says  MCI.  (Whew! I  don't use  them)... "Well you're  outta luck

asshole, I pay for my calls, and I don't use MCI."  He's dumbfounded.

        I wish him the worst as  he asks  me to  leave his rather  threatening

post up on my board and we hang up on him.



        Now, I'm half paralyzed... hmmm.... Check his info-form... he left a

number in 303... Denver.... I grab the phone and call it.. It's the Stromberg

Telephone company... Bingo.. I've got him.

        I search my user files and come up with a user called "Cocheese" from

there, and I voice validated him, and he said he worked for a small telco

called Stromberg... I'm onto him now.

        Later in the week, I'm in a telco office in a nearby major city, I

happen  to  see a book,  marked "Confidential  Employee  Numbers for AT&T."  I

thumb thru and lo and behold, an R.F. Stromberg works at  an office of AT&T in

Denver, and I can't cross  reference him to  an office. (A sure sign he's in

security).  Well, not to be out-done by this loser... I dial up NCIC and check

for a group search for  a driver's licence for him... Bingo.  Licence number,

cars he owns, his SS  number, and a cross reference of the licence files finds

his wife, two kids and a boat registered to him.

        I've never called him back, but If I do have any trouble with him, I'm

gonna pay a little visit to Colorado....





                      #### PHRACK PRESENTS ISSUE 16 ####

                   ^*^*^*^Phrack World News, Part 3^*^*^*^

                           **** File 10 of 12 ****





 [Ed's Note:  Certain names have been change in the article to protect the

 author]



      The Flight of The Mad Phone-Man's BBS to a Friendly Foreign Country





        Using my knowledge that the pigs grab your computer when they bust

you,I got real worried about  losing a BIG investment I've got in my IBM. I

decide  there's a  better way.... Move it!  But where? Where's safe  from the

PhBI?  Well  in the old days, to escape the draft, you went to Canada, why not

expatriate my board....  Well the  costs of  a line  are very  high, let's see

what's available elsewhere.

        One afternoon, I'm working at a local hospital,(one I do telecom work

for) and I  ask the  comm mgr  if they  have any links to Canada?  He says why

yes, we have  an inter-medical link over  a 23ghz microwave into the city just

across the border. I ask to  see the equipment.  WOW!  My dreams  come true,

it's a D4 bank (Rockwell) and it's only got 4 channel cards in it. Now, being

a "nice" guy, I offer to  do maintenance  on this equipment if he would let me

put up another channel...he agrees.  The plot thickens.

        I've got a satellite office for a business near the hospital on the

other side, I quickly call up good ole Bell Canada, and have them run a 2 wire

line from the equipment room to my office. Now the only thing to get is a

couple of cards to plug into the MUX to put me on the air.

        A 2 wire E&M card goes for bout $319, and I'd need two.  Ilook around

the state, and find one bad one in Rochester.... I'm on my way that afternoon

via motorcycle.  The card  is mine,  and the  only thing I can find wrong is a

bad  voltage regulator. I stop by  the Rockwell office in  suburban Rochester

and exchange  the card, while I'm there, I buy a second one (Yeah, on my card)

and drive home.... by 9pm that night the circuit is up, and we are on the air.

        Results- Very good line, no noise, can be converted with another card

for a  modest fee  if I want  the bandwidth.  So that's the  story of how the

board went to a "friendly foreign country."





         The Mad Phone-Man





                      #### PHRACK PRESENTS ISSUE 16 ####

                   ^*^*^*^Phrack World News, Part 4^*^*^*^

                           **** File 11 of 12 ****





Shadow Hawk Busted Again

========================



        As many of you know, Shadow Hawk (a/k/a Shadow Hawk 1) had his home

searched by agents of the FBI, Secret Service, and the Defense Criminal

Investigative Services and had some of his property confiscated by them on

September 4th.  We're not going to reprint the Washington Post article as it's

available through other sources.  Instead, a summary:



        In early July, SH bought an AT&T 3B1 ("Unix PC") with a 67MB drive for

a dirt-cheap $525.  He got Sys V 3.5 for another $200 but was dissatisfied

with much of the software they gave him (e.g. they gave him uucp version 1.1).



        When he was tagged by the feds, he had been downloading software (in

the form of C sources) from various AT&T systems.  According to reports, these

included the Bell Labs installations at Naperville, Illinois and Murray Hill,

New Jersey.  Prosecutors said he also gained entry to (and downloaded software

from) AT&T systems at a NATO installation in Burlington, North Carolina and

Robins AFB in Georgia.  AT&T claims he stole $1 million worth of software.

Some of it was unreleased software taken from the Bell Labs systems that was

given hypothetical price tags by Bell Labs spokespersons.  Agents took his

3B1, two Atari STs he had in his room, and several diskettes.



        SH is 17 and apparently will be treated as a minor.  At the time of

this writing, he will either be subject to federal prosecution for 'computer

theft' or will be subject to prosecution only by the State of Illinois.



        SH's lawyer,  Karen Plant, was quoted as saying that SH "categorically

denies doing anything that he should not have been doing" and that he "had

absolutely no sinister motives in terms of stealing property."  As we said, he

was just collecting software for his new Unix PC.  When I talked to Ms. Plant

on September 25th, she told me that she had no idea if or when the U.S.

Attorney would prosecute. Karen Plant can be  reached at (312) 263-1355.  Her

address is 134 North LaSalle, #306, Chicago, Illinois.





---------



On July 9th SH wrote:



        So you see, I'm screwed. Oh yeah, even worse! In my infinite (wisdom

|| stupidity, take your pick 8-)) I set up a local AT&T owned 7300 to call me

up and send me their uucp files (my uucp works ok for receive) and guess what.

I don't think I've to elaborate further on THAT one... (holding my breath, so

to type)

                                (_>Sh<_



---





                      #### PHRACK PRESENTS ISSUE 16 ####

                   ^*^*^*^Phrack World News, Part 5^*^*^*^

                           **** File 12 of 12 ****





         "Phone Companies Across U.S. Want Coins Box Thief's Number"

                  From the Tribune - Thursday, Nov. 5, 1987





 SAN FRANCISCO  -  Seven  telephone  companies  across  the country, including

   Pacific Bell, are so frazzled  by a coin box thief that they are offering a

   reward of $25,000 to catch him.



 He's very clever, telephone officials say,  and is the only known suspect  in

   the country  that is  able to  pick the  locks on  coin boxes  in telephone

   booths with relative ease.



 He is believed responsible for stealing hundreds of thousands of dollars from

   coin boxes in the Bay Area and Sacramento this year.



 The  suspect  has  been  identified  by  authorities  as  James Clark, 47, of

   Pennisula,  Ohio,  a  machinist  and  tool-and-die  maker,  who is believed

   responsible for coin box thefts in 24 other states.



 Other companies  sharing in  the reward  are Ohio  Bell, Southern Bell, South

   Carolina Bell,  South Central  Bell, Southwestern  Bell, Bell  Telephone of

   Pennsylvania and U.S. West.



 Clark  allegedly  hit  pay  phones  that  are  near  freeways and other major

   thoroughfares.  Clark, described  as  5  feet  9 inches tall, with shoulder

   length brown hair and gold-rimmed glasses, is reported to be driving a  new

   Chevrolet Astro van painted a dark metallic blue.



 He was recently in Arizona but is believed to be back in California.



 Written by a Tribune Staff Writer





 Typed by the $muggler



.

