The newsletter of the Society for the Freedom of Information (SFI) ======================================= T H E N E W F O N E E X P R E S S ======================================= Electronic Edition ------------------------------------------------------------------------------ The publisher, SFI, distribution site(s), and authors contributing to the NFX are protected by the Bill of Rights in the U.S. Constitution, which specifically permits freedom of speech and freedom of the press. We accept article submissions of nearly any sort, about hack/phreak/anarchy/gov't/etc. The printed edition of the newsletter may be available soon. The info will appear here as soon as possible. To be quite honest, the printed version looks a hell of a lot better; but as of now, only the members of SFI receive it. ------------------------------------------------------------------------------ Highlights for Issue #1/Jun 1991 -------------------------------- Signaling System 7 Special Issue * Dialup List (see ref on page 2 top) * Reference of Recent Telco Terms (see ref on page 2 middle) * Signaling System 7 Updates (see ref on page 3 middle) * SUPPLEMENT: Known areas with Signaling System 7 * Caller ID .. What does it mean to you? (see ref on page 4 top) * The State of Surveillance (see ref on page 4 middle) * Trend Watcher (see ref on page 5) * Editorial (see ref on page 5 middle) National Dialup Table (updated 05/18/91) Phone Number Owned by Status Descript ------------------------------------------------------------------------------- (800) 369-3100 MCI Dangerous 6N/7N (800) 753-9900 ? ? (new) 7N (800) 657-9600 Access Billing 7N (800) 635-1167 ? (SDN?) ? (new) 6N (800) 327-9488 ITT/Metro Safe/? 13I (800) 950-0070 ? ? 6N (800) 433-4778 ? (SDN) ? 10N (800) 225-5946 ? (SDN) ? 10N (800) 833-2808 ? (SDN) ? 10N (800) 321-0264 ? (SDN) ? 10N (800) 426-6565 ? (SDN) ? 10N (800) 882-4913 ? (SDN) ? 10N (800) 553-7149 ? (SDN) ? 10N (800) 284-8277 ? ? 7N (800) 228-4512 ? ? 7I (800) 476-3636 ? (Sprint?) Uncer., watch it 6N ------------------------------------------------------------------------------- * Notes on the above table: Description format is this standard: , i.e. 7I is a dialup that is ACN+7 digits. 6N is 6 digits+ACN. SDN is a type of system. It is suspected AT&T, however some of these dialups may be owned by other LD companies. The regional 950-XXXX dialups have been left out; they differ from LATA to LATA (roughly an area code), and often the codes on them are regional. However, a few of them are 950-1407, 950-0511, 950-1011, etc. 1407 seems to be reliable in CA. I don't really recommend the use of 950s in particular - I will probably have a table of 950s coming out in the future. Several people have had good results with 800-635-1167. By the way, any changes/additions/alerts are accepted. Contact me or call the SFI VMB. PLEASE do not post any codes/etc on this box, just vague updates. Thanks. Telco Term Reference I strongly recommend you review this list before reading the article on Signaling System 7. These are by far not all of them, just essential ones needed to deal with the article below. SS7 - Signaling System 7. See article. Note: You need the DMS switch to run SS7. CCS - Common Channel Signaling. Basically, sending call information across the same line as voice. A major part of SS7. CO - Central Office. The building(s) in your city that house the local switching equipment. Your telephone line is connected to one. RBOC - Regional Bell Operating Company. The seven companies that AT&T was split up in the early '80s. Also known as RHCs, or Regional Holding Companies. ONA - Open Network Architecture. A plan to open the telephone network up to ESPs, who will provide services beyond basic switching. Such services might be cable TV, fast computer data channels, etc. See ISDN, ESP, SS7. ESP - Enhanced Service Provider. See ONA definition. The ESPs, who will provide services such as computer linkups and cable TV when ONA is implemented, are frustrated at the limitations of the RBOCs' ONA plans. Some ESPs are the major long-distance companies. PSC - Public Service Commission. The bureaucrats who set tariffs and decide on exactly what your local Telco can do. CLASS - Custom Local Area Signaling Services. Part of the RBOC's SS7 plans, these services, for example, include Caller ID, automatic call return and call blocking. LATA - Local Access Transport Area. Roughly synonymous with area codes. Your LATA is defined by where you can call locally without having to call long-distance. In certain areas, like the Northeast, this may comprise three to four area codes. Call Control Options - Services such as call trace and call blocking that do not need to be run using SS7. They can be utilized on 5ESS switches. DMS - Digital Multiplex Switch. One of the most advanced phone company switches on the market, this switch is necessary for SS7. It is produced by Northern Telecom. ISDN - Integrated Services Digital Network. A critical part of ONA, this is basically a plan to provide optical fiber interconnects to households. It will allow much more than just a telephone conversation; it will also allow (among other things) cable TV signals and SS7 communications. >< Signaling System Seven Update Once again, your intrepid editor is back with the current compilation of information regarding Signaling System Seven, or SS7. If you haven't heard about SS7 recently, or at all, here's your chance to catch up. First, the technical notes: SS7 is an international high-speed telecommunications network signaling standard publicly announced in 1988. It is a protocol for digital communication between COs, ESPs and telephone subscribers. It is made up of four basic levels: the bottom three (Signaling Data Link Functions, Signaling Link Functions, and Signaling Network Functions) control the message transfer part, and the top layer (Signaling Connection Control) controls additional services. The message transfer part controls the network itself, which is packet-switched. It handles all call control functions, and enables COs and ESPs to transparently switch the call internally. For example, if AT&T's SS7 software had been working properly, the network crash on 15 Jan 1990 would probably have had negligible effects. The network would have been able to route the call around the malfunctioning switch while it reset. The signaling connection control part supports other services that may be provided; such as call forwarding, caller ID, call trace, etc. This layer is the one that will be utilized by the ESPs when ONA is implemented; the message transfer part is controlled by the RBOCs. The architecture of SS7 will bring the telecommunications network into tomorrow, and coupled with broadband ISDN and ONA, is the network of the future. However, this will also insure that the RBOCs have a major part in this future. Not to mention the fact that this will put the RBOCs in control of everything that comes down the cable. Now, what SS7 really means: Signaling System Seven will basically allow the phone company to route your call information from point to point until your final destination. In other words, in 1991 (in most regions), if you wanted to make sure a system didn't trace you back, you could call through a few diverters, PABXs, etc. However, when SS7 is installed throughout the nation, your call information will be routed from diverter to PABX to system instead of stopping at the first diverter. Us common people can buy this feature too -- see "Caller ID - What does it mean to me?" below. >< Areas with SS7 as of 04/17/91 ------------------------------------------------------------------------------- All of New Jersey United & NJ Bell Las Vegas, Nevada Centel Northeast Virginia Bell Atlantic? Washington, D.C. Bell Atlantic? Austin, Texas Southwestern Bell Kentucky (unknown where) GTE Olathe, Kansas Southwestern Bell ------------------------------------------------------------------------------- As with all our tables, any additions/corrections? Let us know. Caller ID ... what does it mean to me? Caller ID is probably the most anticipated and feared part of Signaling System 7. This service, only available in SS7 areas (see above table), keeps track of the last 10 numbers that called and the time and date they did so. Example: Let's say you are in an SS7 area. You call a friend with a Caller ID device (generally costing about $40). Between the first and second ring, they have your number. It's as easy as that. The problem is, when SS7 goes nationwide, ANY system you hack/phreak/phuck/whatever pegs you within 5 seconds of your call. I can hear you say, "What about diverters, and stuff like that?" Well, for one thing, there won't BE too many diverters left after this goes worldwide. The second thing is that if the system is serious enough about getting your number, it can pick the call information straight up off layer 4 of the call -- in other words, your call information, instead of stopping stone cold at the diverter, was passed from node to node up to your intended system. Cute, eh? .. but only if you're BEHIND the trigger. So, what can be done about it? Well, I am told that PSCs around the nation have been requiring that your local RBOC provide per-call blocking of Caller ID whenever they decide to go install SS7. This is good: You dial something like *67 and then the number, and the information is blocked. However, the Telco still gets the call info (but then again, they always have..). Also, you hardware people out there, I suggest you work on finding out more about Caller ID - and figure out where in the bandwidth this info is... sigh.. >< The State of Surveillance (part one of a series) I figured it was about time for an update on government and private surveillance techniques and what you can do about them. First, we'll start off with ways to spy, if you will. The all-time favorite technique seems to be tapping the telephone in some way - whether it be from wiring your phone for an infinity transmitter, wiring your junction box, induction tapping your wires, or taps at the local CO, the phone line is one of the most commonly tapped items. An infinity transmitter, aka a harmonica bug, has to be installed inside your phone. It works by intercepting all calls into the house and looking for a tone around the first ring. It then uses the microphone on the handset to pick up what's going on inside the house, while the phone is on the hook. What the person would do is call your house, and while the phone is ringing, he would send a tone down through the line. You wouldn't hear that first ring because the bug traps it, and he could listen to anything going on in the house. The way to check for one of these is to either open up your phone or to call a tone sweep, available in most areas. At a certain frequency, the bug would kick in and your phone would start either ringing or making strange noises. Another popular technique is wiring junction boxes, aka pedestals or cans. This is the large, 6 foot green box with the Bell logo on it with 1000 connections inside, or the small, 3 or 4 foot green box with the Bell logo on it with 7 through 60 connections. These boxes contain rows of wire pairs. Your adversary could open one of these up, find your wire pair with an ANI, and hook up some sort of recording device or jumper cable to it. In effect, it is like picking up an extension outside the building. The way to detect it is to either look for a marked impedance drop on your phone, notice that people sound softer, or go outside and find your pedestal and examine it. The perennial inductance tap is a relatively secure tap - unless you catch your 'bugger' outside near your phone wires doing strange things, it's undetectable. Basically, a coil of wire and an amplifier are hooked together and brought near your telephone wires somewhere -- he doesn't have to splice them. Through the principles of electric induction, he can hear everything said on that line. As I said, this bug is very hard to detect. And finally, perhaps the hardest bug to detect at all: the telephone CO bug. If the Feds are really serious about tapping you, they won't hook up crude-as-hell wiretaps -- they'll go to your local central office and monitor your line from there. It is virtually undetectable if done right; if done wrong, you have no way of proving they did it... The next installment will cover non-telephone audio bugs. >< Trend Watcher This column will cover small interesting bits of information and trends that either I or any of you notice. Have any? Let me know. AT&T makes money selling 5ESS switches to other countries. MCI 800 ANI network pegs your number in under one minute in xESS areas. 18-Gigahertz transmission is now economically feasible; radio waves at that frequency act like light. In a vote of 5-0, the FCC approves an independently-developed stage of ONA to the dismay of the Baby Bells, opening up the fiber network to ESPs of all kinds. Las Vegas telephone network is the most advanced in the nation. In 1989, the FCC busted 144 pirate radio station operators, both medium-wave and shortwave, and charged a total of $347,000 in fines. >< Editorial "Too much to say, and not enough space to say it in" Well, you're almost at the end of our first issue. Do you like it? Can you write better articles? (Which won't be hard, considering I wrote all of them in this issue..) By all means, send them to me. An article on IBM Phonemail? Or maybe a doc on how the gov't is really putting one over on us this time? I'll take it. You know how to get in touch with me... A slower way to do so is to use the VMB, at 301-771-1151 box #140. You might have to press the pound key first, I don't remember. But in any case, don't put anything illegal on the SFI box, like codes, etc - just news and messages to me. By the way, if you stumble upon a small bit of news that's important, call it and leave it there.. The reason that our first issue is on Signaling System Seven is because this will be one of the most important phone company developments since the invention of the ESS switch. Read the set of articles that are on it and maybe you will understand why. Loss of privacy and profiteering of the phone networks just so Domino's Pizza can route a call from a WATS number to the closest Domino's location nearest you so you don't have to go through the mental and physical anguish of looking it up in the telephone book. Brighten up, men, this is progress at work! In any case, what I can leave you with are these thoughts: support the Electronic Frontier Foundation, the Free Software Foundation, the League for Programming Freedom, and any organization that supports open thought. Fight the secret policies and projects of a dishonest government that perpetuates hypocrisy, and keep looking over your shoulder for Big Brother. ><