____________________________________________________________________________



                               End Of Intro/TOC

                                    Issue #4

The LOD/H Technical Journal, Issue #4: File 02 of 10





                          The AT&T BILLDATS Collector

                                  Written by:

                                   Rogue Fed



==============================================================================





NOTES: This article will hopefully give you a better understanding of how

the billing process occurs. BILLDATS is just one part of the billing picture.

Before I began working for the government, I was a Telco employee and thus,

the information within this article has been learned through experience.

Unfortunately, I was only employed for a few months (including training on

BILLDATS) and am still learning more about the many systems that a telco uses.

There are however, a couple of lists that were compiled and slightly modified

from what little reference material I could smuggle out and my notes from the

training class. This article does require a cursory knowledge of telco and

computer operations (ie. switching, SCCS, UNIX).





INTRODUCTION -

==============



BILLDATS - BILLing DATa System



BILLDATS can be explained in a nutshell by the acronym listed above. If it's

one thing telecommunications providers do well, it's creating acronyms.

Basically, BILLDATS collects billing information (that's why they call it a

Collector) from AMATs (Automatic Message Accounting Transmitters). The AMATs

are situated in or close to switching offices and are connected to BILLDATS

either through dedicated or dial-up lines. BILLDATS can be considered as

the "middleman" in the billing process. The system collects, validates, and

adds identification information regarding origination and destination. This

is then transferred to tape (or transmitted directly) to the RPC (Regional

Processing Center) or the RAO (Revenue Accounting Office). The RPC/RAO

actually processes the billing information. Typically the BILLDATS system is

located in the same or adjoining building (but can be across town) to

the RPC/RAO.



BILLDATS is similar to many other phone company systems (ie. SCCS) as it uses

a combination of software. The software base is UNIX and the BILLDATS Generic


program runs on it. The hardware used is an AT&T 3B20 (this is what 5ESS

switches use).



Some of the more interesting features BILLDATS possesses are:



*        Can be accessed via dialup (always a plus).

*        Runs under UNIX (another plus).

*        Interface with SCCS (yet another plus).

*        Can store about 12 million calls for the first two disks and about

         8 million calls for each additional disk. A total of 6 (675 MB) disks

         can be used.

*        Inserts the sensor type and ID and recording office type and ID onto

         every AMA record that it collects.

*        Capable of collecting information from nearly 600 AMATs.



To better understand how/why you get a bill after making long distance phone

calls, I have delineated the steps involved.



You call Hacker X and tell him all about the latest busts that have occurred,

he exclaims "Oh Shit!" hangs up on you and throws all his hacking information

into the fireplace. The actual call is referred to as a call event. As each

event happens (upon termination of the call) the event is recorded by the

switch. This information is then sent via an AMA Transmitter which formats the

information and then sends it to BILLDATS (commonly called a "Host

Collector"). BILLDATS then provides the information to the RAO/RPC. The

billing computer is located at the RAO/RPC. Do not confuse the actual billing

system with BILLDATS! The billing computer:



*   Contains customer records

*   Credit ratings (in some telcos)

*   Totals and prints the bill

*   Generates messages when customers do not pay (ie. last chance and

    temporary termination of service)



When the billing period is over, (typically 25-30 days), many events (it

depends on how many calls you have made) have accumulated. A bill is then

generated and mailed to you.





COLLECTION -

============



BILLDATS collects information in two ways:



1.       AMATs

2.       Users



AMAT input

----------



BILLDATS collects data from the AMAT either directly from the switch, or from

a front end which performs some processing on the data before giving it to

BILLDATS. The data I am talking about here is usually AMA billing information.

The information is in the usual AMA format (see Phantom Phreaker's article in

the LOD/H Technical Journal, Issue #3 on AMA for formats and other info). As

I said earlier, the recording office and sensor types and IDs have to be

added by BILLDATS. The other information that is transmitted is usually

maintenance data.



The data that is transferred between BILLDATS and an AMAT is accomplished

over either dedicated or dialup lines using the BX.25 protocol. This protocol

has been adopted by the telecommunications industry as a whole. It is

basically a modified version of X.25.



User input

----------



This is simply sysadmin and sysop information.





INSERTED INFORMATION -

======================



Once the information is collected, additional data (mentioned earlier)

must be inserted. The information that BILLDATS inserts into the AMA records

it receives depends on whether the AMAT is a single or multi-switch AMAT.

Either way, the data is passed through the DEP. The DEP is a module which

is part of the LHS (Link Handler Subsystem) that actually inserts the

additional data. It also performs other functions which are rather

uninteresting to the hacker. The LHS manages the x-mission of all the

collected information. This is either through dedicated or dialup lines. The

LHS is responsible for:



*   Logging of statistics as related to the performance of links.

*   Polling of remote switches for maintenance and billing information.

*   Passing information to the DEP in which additional information is

    inserted.

*   Storing billing information.

*   Other boring stuff.





AMATS -

=======



Basically an AMAT is a front end to the switch. The AMAT:



*   Gets AMA information from the switch.

*   Formats and processes the information.

*   Transmits it to BILLDATS.

*   An AMAT can also store information for up to 1 week.



The following is a list of switches and their related AMAT equipment that

BILLDATS obtains billing information from:



1A ESS: This is usually connected to a 3B APS (Attached Processor System) or

        BILLDATS AMAT.

2ESS:   This is connected to an IBM Series 1 AMAT.

2BESS:  Connected to a BILLDATS AMAT.

4ESS:   Connects to 3B APS.

5ESS:   Direct connection.

TSPS 3B:Direct connection.

DMS-10: Connects to IBM Series 1 AMAT.



There are other AMATs/Switches but they must be compatible with the BILLDATS

interface.





ACCESSING BILLDATS -

====================



Even though a system is UNIX based, that doesn't mean that it is a piece of

cake to get into. Surprisingly (when you think about the average Intelligence

Quotient of telco personnel) but not surprisingly (when you consider that the

information contained on the system is BILLING information--the life blood of

the phone company) BILLDATS is a little more secure than your average telco

system, except for the fact the all login IDs are 5 lower case characters or

less. BILLDATS can usually be identified by:



bcxxxx 3bunix SV_R2+



where:



bc = B(ILLDATS) C(ollector).

xxxx = The node suffix. This is entered when the current Generic is installed.

3bunix = This simply indicates that UNIX is running on an AT&T 3Bxx system.

SV_R2+ = Software Version.



The good news is that there is a default username when the system is

installed. The bad news is that upon logon, the system forces you to choose a

password. The default username is not passworded initially. The added security

feature is simply that the system forces all usernames to have passwords. If

it doesn't have an associated password, the system will give you the message:



"Your password has expired. Choose a new one"



A 6-8 character password must then be entered. After this you will be asked

to enter the terminal type. The ones provided are AT&T terminals (615, 4425,

and 5420 models). Once entered a welcome message will probably be displayed:



"Welcome to the South Western Bell BILLDATS Collector"

"Generic 3, Issue 1"

"Tuesday 01 Aug 1989 12:44:44 PM"



dallas>



The BILLDATS prompt was displayed "dallas>" where dallas is the node name.



There are 3 privilege levels within BILLDATS:



1.       Administrator

2.       Operator

3.       UUCP



*   Administrator privs are basically root privs.

*   An account with Operator privs can still do about anything an Admin can do

    except make data base changes.

*   UUCP privs are the lowest and allow file transfer.





Commands

--------



Just like SCCS, UNIX commands can be entered while using BILLDATS. The format

is:



dallas>run-unx:$unix cmd;



All unix commands must be preceded by "run-unx:" and end with a semicolon ";".

The semicolon is the command terminator character (just like Carriage Return).



BILLDATS isn't exactly user friendly, but it does have on-line help. There are

a number of ways that it can be obtained:



dallas> help-?;  or  help-??;  or  ?-help;  or  ??-help;



If you want specific help:



dallas> help-(command name);



I can list commands forever, but between UNIX (commands every hacker should

be familiar with) and help (any moron can use it), you can figure out which

ones are important.





Error Messages

--------------



Just like SCCS, BILLDATS has some rather cryptic error messages. There are

thousands of error messages, once you know a little about the format they

are easier to understand. When a mistake is made, something similar to

the following will appear:



UI0029      (attempted command) is not a valid input string.



  ^                   ^- error message information

  |

  |--  This is the subsystem and error message number



The following is a brief description of subsystem abbreviations:



BD: BILLDATS system utilities. Errors associated with the use of utility

    programs will be displayed.

DB: Data Base manager. These messages are generated when accessing or

    attempting to access the various Data Bases (explained later) within

    BILLDATS.

DM: Disk Manager. Basically, information pertaining to the system disk(s).

EA: Error and Alarm. As the name implies, system errors and alarms.

LH: Link Handler. Messages related to data link activity, either between

    BILLDATS and the AMAT or BILLDATS and the RAO/RPC.

SC: Scheduler. The scheduler is BILLDATS' version of the UNIX cron daemon.

    BILLDATS uses cron to schedule things like when to access remote systems.

TW: Tape Writer. Messages related to storing billing information on tapes

    which will then be transported to the RAO/RPC.

UI: User Interface. This was used in the above example. Displays syntax,

    range or status errors when entering commands.

DL: Direct Link. Instead of BILLDATS information being written to tape, a

    direct link to the RPC/RAO mainframe (the actual billing system computer)

    can be accomplished. This is usually done when BILLDATS is located far

    away from the RPC/RAO office as there is always some risk involved in

    transporting tapes, and that risk increases the farther away the two

    offices are. Another neat thing about Direct Link is that the billing data

    can be sent across a LAN (Local Area Network) also. Obviously this incurs

    some concerns regarding security, but from what I have heard and seen,

    AT&T and the BOC's typically choose to ignore the security of their

    systems which suits me just fine. The Direct Link is an optional BILLDATS

    feature and if it is in use, messages related to its operation are

    displayed with the DL prefix.





BILLDATS DATA BASES -

=====================



The databases contain all kinds of useful information such as usernames,

switch types, scheduled polling times, etc.



The AMAT Data Base contains:



*   Type of switch

*   Sensor type and identification

*   AMAT phone number

*   Channel and port number/group

*   Other boring information



The Port Data Base contains:



*   Communications information (like L-Dialers on UNIX Sys. V)

*   Channel and port information

*   Other boring information



The Collector Data Base contains:



*   Collector office ID

*   Version number of the Data Base

*   Number and speed of any remote terminals

*   When reports are scheduled for output

*   Other boring information





CONCLUSION -

============



If you are not technically oriented, I hope this article helped you understand

how you get your bill. I assumed that you would skip over the commands for

using BILLDATS and similar information.




If you are technically oriented, I hope I not only helped you understand more

about the billing process, but also increased your awareness of how detailed

the whole process is. And if you do happen to stumble onto a BILLDATS system,

you have been pointed in the right direction as far as using it correctly is

concerned.



I tried to leave out all the boring details, but some may have slipped by me.

I reserved the right to omit specific details and instructions regarding any

alteration or deletion of calls/charges for my own use/abuse.



The Rogue Federal Agent