=======================================
T H E   N E W   F O N E   E X P R E S S
=======================================
The newsletter of the Society for the Freedom of Information (SFI)
Electronic Edition
---------------------------------------------------------------------------
The publisher, SFI, distribution site(s), and authors contributing to the NFX are protected by the Bill of Rights in the U.S. Constitution, which specifically protects freedom of speech and freedom of the press. The information provided in this magazine is for informational purposes only, and the publisher, SFI, distribution site(s) and authors are not responsible for any problems resulting from the use of this information. Nor is SFI responsible for consequences resulting from authors' actions. This disclaimer is retroactive to all previous issues of the NFX.

We accept article submissions of nearly any sort, about hack/phreak/anarchy/gov't/nets/etc. We will also send the author a free printed issue for each article written. The printed edition of the newsletter is finally available for $24 (U.S.) per year, until we find a cheaper way to reproduce it on paper. Articles may also be submitted to this address. Send mail to the New Fone Express, Box 639, 15405 Michigan Rd., Woodbridge, VA 22191.
---------------------------------------------------------------------------
Highlights for Issue #3/August 1991
===================================
 * Phones Take Lunch Break ... typed by Silicon Avalanche, edited (see article #1)
 * SUPPLEMENT: What Happened?
 * A Pick Tutorial pt.2 ... by Silicon Avalanche (see article #2)
 * State of Surveillance pt.3 ... by the Cavalier (see article #3)
 * Altair Wireless LANs ... by the Cavalier (see article #4)
 * Corrections ... edited (see article #5)
 * Editorial and Bell IS News ... by the Cavalier (see article #6)
------------------------------------------------------------------------------
------------------------------------------------------------------------------
Phones Take Lunch Break

... Computer Failure Disables Pa. Phones ...
... Outage Linked to Problem That Hit Here ...
... by Cindy Skrzycki and Evelyn Richards ...
... Washington Post Staff Writers ...

Telephone service in Pittsburgh and other parts of Pennsylvania was paralyzed yesterday (7/1/91) by the same sort of massive computer software failure that knocked phones out in the Washington area only four days ago (6/29/91).

The outage in Pittsburgh interfered with service to about 1 million customers, or about one-third of the state, beginning just after 11 a.m. Service was restored by 5:15 p.m. Later yesterday (7/1/91), service was disrupted for several minutes in San Francisco, which telephone company officials attributed to the same problem.

The failures in Pennsylvania happened just as Bell Atlantic Corp., the parent company of both Chesapeake & Potomac Telephone Cos. and Bell of Pennsylvania, was trying to reach some conclusion on the cause of the disruption in Washington, which was probably the most massive collapse in local phone service ever.

The Pennsylvania problem was the third major disruption to hit a metropolitan area in less than a week. Last Wednesday, Los Angeles lost phone service for much of the same time that some 6.3 million lines were out in four states served by C&P.

Each of the problems, which have telecommunications experts scrambling for explanations, is linked to the same type of computer switch and software that allows phone companies to offer sophisticated services such as Caller ID. The switch and software are manufactured by DSC Communications Corp. of Plano Tex., (214)519-3000, the largest supplier of such equipment.
The rash of software-related disruptions confirms the predictions of many telecommunications experts that outages will recur because of the complexity of the new technology.

Customers in Pennsylvania, as in Washington, found when the outage hit that they had difficulty calling across town and making toll calls to nearby exchanges. Dessi Plutis, who lives in Pittsburgh, ran up against the problem when she tried to make a call across town. "The line was busy, busy, busy," Plutis said. "I assumed they took the phone off the hook."

What really was happening was a near replication of a major software glitch that hit in the Washington area last Wednesday around the same time of day. In that case, a complex computer switching system called Signaling System 7 broke down in Baltimore and quickly affected three other computer switches that route and set up calls for the Washington area. The computers went into overload and shut down after reacting to a flood of maintenance messages in the system. These messages tell computers in the telephone network that some congestion, real or imagined, or some other problem is being experienced. The flood of these messages prevents other calls from going through.

In Pennsylvania, an overload of maintenance messages between two Signaling System 7 computers also seems to be the culprit. "When it overloaded, it backed up to the other one," said Eric Rabe, spokesman for Bell of Pennsylvania.

What experts find most intriguing is the fact that all of the problems seem to be traceable to the software supplied by DSC. The company recently completed shipment on its hundredth Signaling System 7 switch and counts among its major customers the regional telephone companies and long-distance carriers such as MCI Communications Corp. and US Sprint Communications Co. A spokesman for DSC said Signaling System 7 is "the leading product in the industry. It has run flawlessly for a number of years. We still don't know that it isn't."
The spokesman said the computer did what it was supposed to do - shut down when it's overloaded. He said approximately 200 people are working "around the clock" to prevent a recurrence of the outages, and phone companies have been sensitized for what conditions to watch for, as well as how to isolate, stabilize and restore service. "We know the symptoms. We don't know the cause," the DSC spokesman said.

The outages on the Eastern seaboard present a major image and reliability problem for Bell Atlantic. All told, the company has had major problems in five of the seven states it serves in the last week. "Obviously, [the breakdown] doesn't help us, but... I hope we've built up a lot of years of understanding that quality is the name of the game," said Anton J. Campanella, president of Bell Atlantic. "We are not going to rest until we find the answer to this one."

Bell Atlantic said it is working closely with DSC and that the switch manufacturer has provided software "patches" to prevent the problem from recurring by shutting down maintenance messages. But the company clearly is worried that some element of Signaling System 7 may somehow be inherently flawed. "My tummy gets upset when a manufacturer delivers a product that doesn't work correctly," said Campanella, though he stressed that the problem hasn't been identified. He also said that a virus is not being ruled out since all of the occurrences in the Bell Atlantic network seemed to start around the same time of day. The company has been in contact with the FBI to follow up on that possibility.

Pacific Bell, whose problems began on June 10, also has been in close touch with DSC. "We were entirely unhappy with what happened June 10," said Sue Galloway, regional switching manager for Pacific Bell's Southern California network operations. "Even though analysis was going on, we were concerned and we wanted to send a very clear message."
The company was so concerned that Pacific Bell called in DSC's chairman to meet with top telephone officials in northern California, a Pacific Bell official said. In San Francisco, a computer began spitting out congestion messages about 11 a.m. Pacific time. Traffic was rerouted and service was restored.

The outage in Pennsylvania also caused officials at C&P to rethink an announcement yesterday about how customers in the Washington region might be compensated for their troubles last Wednesday. "It may be premature to make any kind of announcement," said Michael Daley, spokesman for C&P in the District. "We'll talk about what we can do for customers when we get over the hurdles of these phone outages."

... Staff writer John Burgess contributed to this report ...
... Courtesy of Silicon Avalanche of SFI ...
... from The Washington Post, July 2, 1991, pgs. D1 and D4. ...

><
------------------------------------------------------------------------------
------------------------------------------------------------------------------
What Happened?

As far as we could guess, the common denominator in all these cases was a switch that was processing a large number of calls. SS7 lets a congested switch hand traffic off to other switches, and the switch tried to do so; what it actually sent was a flood of overload (maintenance) messages. The second switch, swamped by those messages, overloaded in turn and started doing the same thing, and the condition cascaded through the local network of CCS7-connected switches until the entire SS7-capable network was locked up. DSC Communications eventually turned out to be the culprit: another bug in the SS7 software, which DSC wrote. We've been told that this is not exactly what happened with the AT&T network crash on Jan. 15, 1990, however: apparently AT&T writes its own STP (signaling transfer point, the module that lets switches run SS7) software. We would venture a guess that DSC is a vendor of STPs, and a popular one at that.
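The cascade sketched above, as an added example rather than anything from DSC, Bell Atlantic or the Post: a toy Python model of a full mesh of signaling nodes, each with a bounded message queue. The node names, capacities, thresholds and the size of the call burst that triggers it are all made up; the one thing the model takes from the article is the vendor "patch", throttling maintenance messages at the receiving node.

```python
"""Toy model of a maintenance-message cascade between signaling nodes.

Constructed example, not DSC's or Bell Atlantic's software.  Four nodes in a
full mesh each queue the messages they receive.  A node whose queue passes a
limit shuts down and bounces everything it could not handle back to its
neighbours as congestion (maintenance) notices, which cost the receiver as
much work as a call.  Without a cap on inbound maintenance traffic the
bounced backlog pushes the neighbours over the same limit; with the cap the
burst stays local.
"""

# Constructed topology and parameters (not the real Bell Atlantic network).
NODES = ("STP-A", "STP-B", "STP-C", "STP-D")
CAPACITY = 100        # messages a healthy node can serve per tick
QUEUE_LIMIT = 300     # backlog at which a node declares overload and shuts down
DOWN_TICKS = 3        # ticks a node stays down after overloading
CALLS_PER_TICK = 60   # normal offered load per node, comfortably under CAPACITY
BURST = 1000          # extra calls that hit STP-A at tick 0 (the trigger)


def run(cap_maintenance, ticks=40, maint_limit=10):
    """Simulate the mesh for `ticks` rounds.

    cap_maintenance=True models the patch: a node accepts at most
    maint_limit maintenance notices per tick and drops the rest.  Returns
    the nodes that ever shut down and the total messages served."""
    backlog = {n: 0 for n in NODES}
    down_until = {n: -1 for n in NODES}     # first tick at which a down node may return
    inbound_maint = {n: 0 for n in NODES}   # maintenance notices arriving this tick
    ever_down = set()
    served_total = 0

    for t in range(ticks):
        next_maint = {n: 0 for n in NODES}
        for n in NODES:
            maint = inbound_maint[n]
            if cap_maintenance:
                maint = min(maint, maint_limit)   # the patch: discard the excess
            backlog[n] += CALLS_PER_TICK + maint
            if t == 0 and n == "STP-A":
                backlog[n] += BURST

            if t < down_until[n] or backlog[n] > QUEUE_LIMIT:
                # Still down, or newly overloaded: serve nothing and bounce
                # the whole queue to every neighbour as a congestion notice.
                if t >= down_until[n]:
                    down_until[n] = t + DOWN_TICKS
                    ever_down.add(n)
                for m in NODES:
                    if m != n:
                        next_maint[m] += backlog[n]
                backlog[n] = 0
                continue

            served = min(backlog[n], CAPACITY)
            backlog[n] -= served
            served_total += served
        inbound_maint = next_maint

    return {"nodes_ever_down": sorted(ever_down), "messages_served": served_total}


if __name__ == "__main__":
    for patched in (False, True):
        print("maintenance cap" if patched else "no cap", run(patched))
```

Run it and compare the two lines. With no cap the burst at STP-A takes all four nodes down by the second tick and they stay down, because each node's bounced backlog keeps the others over the limit; with the cap only STP-A goes down, and it comes back after DOWN_TICKS. The model leaves out everything that made the real incident hard (routing, timers, the actual message formats); its point is only that a congestion notice which costs the receiver as much as a call is a positive feedback loop.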
><
------------------------------------------------------------------------------
------------------------------------------------------------------------------
A Pick Tutorial

A Pick Tutorial - Courtesy of Silicon Avalanche of SFI
Installment #2

TICKLE, TICKLE...

Well, by now you should have some means of getting in and out of some account on a Pick system, whether it be the TUTOR account, or some other system account. The best place to be is at what is called TCL (pronounced "tickle"), short for 'T'erminal 'C'ommand 'L'evel. This is the main command level, Pick's version of Direct Mode. If you're not there, and you're at a menu or some other place, try "Q", "X", and other such options, to see which of them may work. Try sending a BREAK, or Control-C; this should take you to either the Pick/Basic Debugger or the System Debugger. If this is the case, you should be taken to a prompt similar to:

    I502          or          274.263
    *                         !

At the prompt, enter END and hopefully you'll be at TCL. Worst case, you'll be back at the menu you just left. If this is the case, find the way to logoff, and find a new account to use. You've hit a dead end on this one.

WHAT CAN I DO NOW?
Command             Function & Output
-----------------------------------------------------------------------------
LISTFILES           Lists the files available from the account you're in
WHO                 Tells you what account and port # you're logged onto
LISTU               Lists the other users on the system and the accounts
                    they're logged onto
TIME                Gives the system time
DATE                Gives the system date
LIST GAMES          On many systems, lists a file of games to play
LOGON               Log another port onto a specified account
LOGOFF              Log another port off
LOGTO acct          Change accounts from the current one to 'acct'
-----------------------------------------------------------------------------
More Interesting Commands:

LIST ONLY SYSTEM                  Lists all valid accounts on the system
LIST ONLY SYSTEM WITH *A7 = ""    Lists all valid accounts on the system that
                                  have NO PASSWORD (attribute 7 of an account's
                                  SYSTEM item is its password)
CHARGE-TO acctname                Makes the system record think you are logged
                                  onto another account (acctname). Confusing to
                                  explain, but a good thing to do if you're
                                  hacking..
-----------------------------------------------------------------------------
** The PICK Glossary has been dropped from this installment of A Pick Tutorial in the name of brevity. It will be printed in a later installment. **
-----------------------------------------------------------------------------

HOW DO I MAKE MY OWN ACCOUNT?

By using the following process, you will create a system-level account that has the same privileges as SYSPROG, the master account on the system. From the TCL prompt, type

    ED SYSTEM acctname

where acctname is the name of the account that you want to create to use for access at a later date. The system will respond with something like:

    NEW ITEM
    TOP
    .

and the cursor will be positioned to the right of the '.'. Now type I and the computer will respond with

    001+

and will await entry of the lines of information. Type the following EXACTLY AS IT IS WRITTEN, one line per attribute:

    Q
    SYSPROG
    .
    .
    .
    .
    .
    SYS2
    L
    10
    F
    RU99/.//
    FI

What you have written is a Q-pointer (a synonym item) whose target is SYSPROG: logging onto the new name is logging onto the master account, and attribute 7, the password, has been left empty. Now you will be back at the TCL prompt. Your account is now created.
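The flip side of that recipe, added here and not part of the tutorial or of any Pick release: a short Python audit that reads SYSTEM items the way a suspicious system administrator would, and reports exactly this kind of account. Attribute positions (1 = item type, 2 = the account a Q-pointer resolves to, 7 = password, 8 = privilege level) are taken from the ED session and the *A7 query above; the SAMPLE_SYSTEM items and the filler in their remaining attributes are constructed, and real SYSTEM layouts vary between Pick implementations.

```python
"""Audit a Pick SYSTEM file for passwordless accounts and Q-pointers that
alias a privileged account.  Added example, not part of any Pick release."""

AM = "\xfe"               # Pick attribute mark: separates the attributes of an item
PRIVILEGED = {"SYSPROG"}  # accounts a Q-pointer must never silently alias

# Constructed sample (not a dump of a real machine).  Attribute positions
# follow the tutorial: 1 = item type ("D" real account, "Q" synonym pointer),
# 2 = target of a Q-pointer, 7 = password, 8 = privilege level.  The other
# attributes are filler.
SAMPLE_SYSTEM = {
    "SYSPROG": AM.join(["D", "1", "29", "1", "", "", "X7G2K", "SYS2", "L"]),
    "TUTOR":   AM.join(["D", "30", "11", "1", "", "", "", "SYS0", "L"]),
    "PAYROLL": AM.join(["D", "41", "29", "1", "", "", "P9QZ1", "SYS1", "L"]),
    # the tutorial's recipe: a Q-pointer to SYSPROG with no password
    "MAINT":   AM.join(["Q", "SYSPROG", "", "", "", "", "", "SYS2", "L",
                        "10", "F", "RU99/.//"]),
}


def attribute(raw_item, n):
    """Return attribute n (1-based, as Pick counts them) of a raw item, or ""
    when the item is too short to have one."""
    parts = raw_item.split(AM)
    return parts[n - 1] if n <= len(parts) else ""


def audit_system(system, allowed_synonyms=frozenset()):
    """Return (account, finding) pairs for every suspicious SYSTEM item.

    allowed_synonyms names Q-pointers to privileged accounts that are known
    and sanctioned; any other item aliasing SYSPROG is reported, as is any
    account item whose password attribute is empty."""
    findings = []
    for name, raw in sorted(system.items()):
        kind = attribute(raw, 1)
        if kind not in ("D", "Q"):
            continue                          # not an account item
        if kind == "Q":
            target = attribute(raw, 2)
            if target in PRIVILEGED and name not in allowed_synonyms:
                findings.append((name, f"Q-pointer to {target}: logging on here "
                                       f"is logging on as {target}"))
        if attribute(raw, 7) == "":
            findings.append((name, "no password (attribute 7 is empty)"))
    return findings


if __name__ == "__main__":
    for account, finding in audit_system(SAMPLE_SYSTEM):
        print(f"{account:<10} {finding}")
```

On the sample this reports MAINT twice (the SYSPROG alias and the missing password) and TUTOR once; SYSPROG and PAYROLL are clean. Passing allowed_synonyms={"MAINT"} keeps the password finding and drops the alias one, which is the shape of check worth running on a schedule: the tutorial's own closing remark is that an account like this is only ever noticed by someone who looks at the SYSTEM file.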
Type LOGTO acctname where acctname is the name of the account you just made, and you will be in your new account. If you want to put a password on your new account, type PASSWORD and you'll be prompted for the account name and password you wish to use. Enter this information, and when prompted for the next account name, hit return and you'll be back at the TCL prompt. Passwords can be any length, comprised of virtually any characters, including control codes, as stated in installment #1 of the Pick Tutorial.

WHAT NOW?

Play around in your new account, see what things do, take as much time as you like. The system does not record logon/logoff or on-line times for this account, because it was not created to track such things. Since this is the case, the only way that your account will be noticed is if someone looks at the SYSTEM file to see all the accounts on the system.

WHAT'S NEXT?

The next installment of The Pick Tutorial will contain information on a simple Pick Virus, and other methods of wreaking havoc on the system. (For the benevolent ones of you, this will still be useful information.)

><
------------------------------------------------------------------------------
------------------------------------------------------------------------------
State of Surveillance pt.3

This third installment covers video bugs. First off, we'll start with the video camera. Since walking around pointing shoulder-held video cameras at people tends to be somewhat obvious, companies have made cameras that are the size of matchboxes, being somewhere around an inch and a half square. This is, of course, without power supply or tape. A neat trick for observing people in rooms is to run a fiber optic cable through a lens or two to the camera, and to run the other end through a pinhole in the wall. In this way, the light from the room will enter the fiber optic cable and be recorded on the other end by a camera, conveniently out of sight on the other side of the wall.
I've also been told about a fake car antenna that has a similar pinhole and fiber optic assembly leading down to a camera and transmitter under the antenna. The antenna rotates and sends a video image to a briefcase with a receiver and a TV screen. It's supposedly used for stakeouts. Through fiber optics, one can mount the actual camera almost anywhere.

Another type of 'video bug,' in a way, is night-vision. There are two major commercial approaches to night vision: infrared and image amplification. Infrared vision can be accomplished in one of two ways: active or passive.

Active infrared vision consists of an infrared flashlight and a camera or goggles that are sensitive to infrared light. The subjects never know they're being watched, unless they have an infrared-sensitive device. The best way to detect if you are being watched by an active infrared camera is to buy an infrared detector card used for testing remote controls, such as Radio Shack sells for $6.95. Assuming this will be done in the dark, the card should fluoresce when hit by strong infrared light.

Passive infrared vision is a little bit more tricky. This type of vision doesn't depend on an infrared light source; therefore, it is a lot harder to detect. This system detects the differences in the amount of heat given off by objects and translates it into a video image. As a side benefit, these systems can be so sensitive that they can detect a handprint up to five minutes after the subject has left, simply because of the heat difference. Passive infrared can't be detected by the above-mentioned card.

Image amplification is a technique used for amplifying the amount of visible light incident on the goggles and turning it into a video image. Along with passive infrared vision, image amplification is another technique the United States military uses. As a matter of fact, image amplification was used extensively in the so-called 'Desert Storm conflict,' by forward scouts who needed to see in the dark.
Another meaning of 'video bug' can be applied to TEMPEST equipment, or what is sometimes called Van Eck phreaking. Video screens, computers, and 'intelligent' keyboards (like those found on IBM/IBM compatibles) all send out immense amounts of what most people regard as RF interference. However, with the proper equipment, these signals can be picked up and read from as far as one kilometer away. The defense against this, of course, is to shield your computer from this type of emission. A few years ago, GRiD Inc. (now part of Tandy) sold some TEMPEST-shielded computer equipment to the Government, so you may wish to contact them.

The next installment will cover miscellaneous other counter-surveillance and personal-protection type items, and will supposedly be the last.

><
------------------------------------------------------------------------------
------------------------------------------------------------------------------
Altair Wireless LANs

The Altair wireless LAN system (or the Altair Wireless In-Building Network, or WIN for short, as Motorola likes to say) is probably the most technologically advanced wireless LAN system on the market. The major difference between the Altair network and other competing wireless products is that the Altair uses the 18-GHz DTS band to transmit, allowing speeds as fast as 15 Mbps. Since Ethernet's top speed is 10 Mbps, the Altair WIN should easily be able to handle the amount of communication. Also, since the DTS band is quite uncrowded, the LAN doesn't have to deal with as much interference as wireless LANs that operate in the UHF band. Since that band is also allocated to cellular phones, television, FM radio, and 'high-performance' walkie-talkies, they also need to use spread-spectrum transmission. Simply put, this type of transmission limits the throughput to 1.5 to 2 Mbps, far too slow for true Ethernet. Infrared LANs only work when the computers in general share a 'common ceiling,' quite literally.
Most infrared LANs consist of modules aimed at the ceiling. In this way, the light should bounce off the ceiling and down to another computer. This technology has serious problems when the surface in question is textured or non-flat in any way.

A typical Altair LAN consists of one Control Module, or CM, and one or more User Modules, or UMs, per microcell. One CM can have up to 32 Ethernet devices in a microcell, and each UM can be hooked up to a maximum of six Ethernet devices (i.e. workstations, printers, etc.).

Data security is exceptional, for three reasons. The first is the frequency at which the data is transmitted. The 18 GHz frequency area is extremely hard to pick up without large, high-priced, ultra-sensitive microwave detection equipment (a different class of gear from the receivers used to pick up monitor and computer emissions, which work far lower in the spectrum - see "State of Surveillance pt.3," elsewhere in the issue). Signals in this range of the spectrum act like light in that they partially reflect off surfaces, and like radio in that they penetrate non-structural walls (i.e. drywall, and walls that aren't thick concrete, etc.). Because the signal reflects, multipath distortion (similar to that experienced with 'ghosting' on a TV set) would effectively scramble the signals beyond recognition. Not to mention, since the maximum output power is 25 mW, this equipment would have to be positioned very close to the microcell itself. For this reason, one can have another Altair microcell operating independently as close as 200 feet away.

A second reason is that the network automatically scrambles data sent between the CMs and UMs. Each UM has a specific scrambling code, similar to an address. This 16-bit code can have one of 65,536 possible values, and is in addition to the slot-assigned 10-bit 1024-combination code, which is changed every time data is sent between modules.
The third reason is that the network supervisor can enter a list of 12-digit UM Ethernet addresses from all of the UMs that are supposed to be in the network. The CM will then ignore any UM whose registration number is not on the list. The UM can then neither transmit nor receive data, since both operations must be verified by the CM by a slot assignment before they take place.

The protocol used is a variant on the 'slotted Aloha' protocol: for every transaction, the UM requests a transmission slot from the CM. When the CM has verified that the UM should exist on the network, the CM executes the request, scrambling per both the 10-bit conversation code and the 16-bit UM ID code. The actual transmission protocol is built into a VLSI ASIC chip, which uses four-level frequency-shift keying (two bits per symbol, so the symbol rate is half the bit rate; the same idea lets 2400 and 9600 bps modems signal at only 600 and 2400 baud) and handles miscellaneous network functions. Since the network is packet-switched, it also handles CRC checksums and CSMA functions, providing a bit error rate of 10^-8 (according to Motorola). The ICs that actually transmit and receive the information are five GaAs (gallium arsenide) chips, hooked up to a six-sector antenna. At the beginning of each transmission, the system sweeps through each combination of antennae for transmission and reception, 36 in all. Each antenna occupies a 60-degree arc, so when an obstacle is placed in the path of a transmission the system automatically reconfigures the antenna network for a better path.

The system's operating frequencies are the 18.820-18.870 GHz band and the 19.160-19.210 GHz band, both licensed from the FCC under the DTS (Digital Termination Service) designation and well into the microwave range.

The Altair WIN will most probably be the wireless LAN technology of the '90s. Using the Altair system, a business can have a microcell on each floor, with the CMs connected through an Ethernet backbone.
The over-the-air side is locked down tightly enough that it would be a lot easier to try to hack into the wired LAN itself, and businesses will appreciate this. One caveat a security engineer would add: the scrambling described above is keyed by a 16-bit module code and a 10-bit slot code, about 67 million combinations in all, and scrambling of that kind hides the data stream from a casual receiver but is not encryption; anything that must stay confidential should be protected above the link layer as well. For more information, contact Motorola's Altair division.

><
------------------------------------------------------------------------------
------------------------------------------------------------------------------
Corrections

Silicon Avalanche's handle IS Silicon Avalanche, not "Silicon Lightning" as misprinted in NFX #2.

><
------------------------------------------------------------------------------
------------------------------------------------------------------------------
Editorial

Right before we went to press, it was just announced that the Baby Bell RBOCs have just been allowed to enter the information services business, under pressure from the Dept. of Justice and the FCC. Judge Greene (the judge presiding over the breakup of AT&T in 1982) made the ruling apparently against his will, but he did leave a block of time to allow appeals.

Well here we are at the end of the third issue... By the way, sorry about putting the above piece of news in the editorial, but I couldn't find anywhere else to...

There is now a way to subscribe to the New Fone Express, or to send articles, if you want - see the header. Also, to download the NFX, there is now an account on Secret Society (see the header on this one, too).. And by the way, no, I'm not the sysop -- the sysop is Grim, and he's been a great help in getting the NFX out. [Thanks!]

This one is a little smaller than #2.. we didn't get in that many articles this time around, but that's probably because it's July... I barely even had time to do much either, but I think this one is still better than the first. I'm saving up a lot of the information for a big Trendwatch column for NFX #4.. I didn't have too much this time around, so I figured it would be better to put it all in a combined one.
During a trip to Canada, it was somewhat amusing to visit the Bell Canada building in Toronto -- they were so proud of their Northern Telecom SL-1 switch, they had it on display behind plexiglas in the lobby!.. A little farther out, we ran into more party lines than we knew what to do with, and we promptly kicked ourselves for not bringing some sort of.. tone-generating device, that's it!... Oh well..

BTW, Dr. Logic -- I haven't forgotten you, I'll get back to you ASAP if I haven't already by the time you see this..

And I think that will just about wrap this issue up. Until next time.

><