---------------------------------------
            BOOK OF BIOC III
---------------------------------------
as international dialing.  We will also take a look at the telephone numbering
plan.
===============================
=North American Numbering Plan=
===============================
In North America, the telephone numbering plan is as follows:
     A) A 3 digit Numbering Plan Area (NPA) code, [ie, Area code]
     B) A 7 digit telephone # consisting of a 3 digit central
        office (CO) code plus a 4 digit station number.
These 10 digits are called the network address or destination code.  It is in
the format of:
        Area Code   Telephone #
        ---------   -----------
           N*X        NXX-XXXX
   Where:  N = A digit from 2-9
           * = The digit 0 or 1
           X = A digit 0-9
Area Codes:
-----------
Check your telephone book or the separate listing of area codes found on
many BBS's.  Here are the special area codes (SAC's):
     510 - TWX (USA)
     610 - TWX (Canada)
     700 - New service
     710 - TWX (USA)
     800 - WATS
     810 - TWX (USA)
     900 - Dial-it Services
     910 - TWX (USA)
The other area codes never cross state lines, therefore each state must have
at least one exclusive NPA code.  When a community is split by a state line,
the CO #'S are often interchangeable (ie, you can dial the same # from 2
different area codes).
TWX:
TWX (Telex II) consists of 5 teletypewriter area codes.  They are owned by
Western Union.  These SAC'S may only be reached via other TWX machines.  These
run at 110 baud.  Besides the TWX #'s, these machines are routed to normal
telephone #'s.  TWX machines always respond with an answerback. For
example: WU's FYI TWX # is (910) 988-5956, the corresponding real number to
this is (201) 279-5956.  The answerback for this service is "WU FYI MAWA."
If you don't want to buy a TWX machine, you can still send TWX messages using
Easylink [800/325-4112 - see TUC'S and my article entitled "Hacking Western
Union's Easylink"]
700:
At the time of this writing, the 700 exchange does not yet exist.  AT&T
plans to use it soon though.  They plan to make it a type of fancy call
forwarding service.  It will be targeted towards salesmen on the run.
To understand how it works, I'll explain it with an example.  Let's say
Joe Q. Salespig works for AT&T Security and he is on the run chasing a phreak
around the country who royally screwed up an important Cosmos system.  Let's
say that Joe's 700 # is (700) 382-5968. Every time Joe goes to a new hotel, he
dials a special 700 #, enters a code, and the # where he is staying.  Now, if
his boss received some important info, all he would do is dial (700) 382-5968
and it would ring wherever Joe last programmed it to.  Neat, huh?
800:
This SAC is one of my favorites since it allows for toll-free calls.
Inward WATS (INWATS):  Inward Wide-Area Telecommunications service is the 800
#'S that we are all familiar with.  800 #'S are set up in service areas or
bands.  There are 6 of these.  Band 6 is the largest and you can call a band
6 # from anywhere in the US except the state where the call is terminated
(this is why most companies have one 800 # for the country and then another
for just one state).  Band 5 includes the 48 contiguous states.  All the way
down to band 1 which includes only the states contiguous to that one.
Therefore, less people can reach a band 1 INWATS # than a band 6 #.
Intrastate INWATS #'s (ie, you can call it from only 1 state) always have a 2
as the last digit in the exchange (ie, 800-NX2-XXXX).  The NXX on 800 #'s
represent the area where the business is located.  For example, a # beginning
with 800-431 would terminate at a NY co.
800 #'s always end up in a Hunt series in a Co.  This means that it tries the
first # allocated to the company for their 800 lines; if this is busy it
will then try the next #, etc.  You must have a minimum of two lines per
each 800 #.  For example: Travelnet uses a Hunt series - if you dial (800)
521-8400, it will first try the # associated with 8400; if it is busy it
will be billed by
the # of hours of calls that are made to their #.
Outwats (Outward WATS):  OUTWATS are for making outgoing calls only.  Large
companies use OUTWATS since they receive bulk-rate discounts.  Since
Outwats # cannot have incoming calls, they are in the format of:
     (800) *XX-XXXX
Where * is the digit 0 or 1 which cannot be dialed unless you box the
call.  The *XX identifies the type of service and the areas that the company
can call.
Remember:
       INWATS + OUTWATS = WATS Extender
       (See part I)
900:
This dial-it SAC is a nationwide dial-it service.  It is used for taking
television polls and other stuff.  The first minute currently costs an
outrageous 50 cents and each additional minute costs 35 cents.  Bell takes in
a lot of revenue this way.
Dial (900) 555-1212 to find out what is currently on the service.
CO Codes:
---------
These identify the switching office where the call is to be routed.
The following CO codes are reserved nationwide:
     555 - Directory Assistance
     844 - Time    ] These are now in
     936 - Weather ] the 976 exchange
     950 - Future services
     958 - Plant Test
     959 - Plant Test
     970 - Plant Test (temporary)
     976 - Dial-it services
Also, the 3 digit ANI & Ringback #'S are regarded as plant test and are thus
reserved.  These numbers vary from area to area.
950:
[Also see part I]
Here are the services that are currently on the 950 exchange:
     1000 - SPC
     1022 - MCI Execunet
     1033 - US Telephone
     1044 - ALLNET
     1066 - LEXITEL
     1088 - SBS Skyline
These SCC'S (Specialized common carriers) are free from Fortresses!
Plant Tests:
These include ANI, Ringback, and other various tests.
976:
Dial 976-1000 to see what is currently on the service.  Also, many BBS'S have
a listing of these #'s.
N11 Codes:
----------
Bell is trying to phase some of these out, but they still exist in many areas.
     011 - International Dialing Prefix
     211 - Coin Refund Operator
     411 - Directory Assistance
     611 - Repair Service
     811 - Business Office
     911 - Emergency
=======================
=International Dialing=
=======================
With International Dialing, the world has been divided into 9 numbering zones.
To make an international call, you must dial:
    Int. Prefix + Country code + Nat. #
In North America, the international dialing prefix is 011 for station-to-
station calls and 01 for operator-serviced calls.  IDDD stands for
International Direct Distance Dialing.
The country code, which varies from 1 to 3 digits, always has the world
numbering zone as the first digit.  For example, the country code for the
United Kingdom is 44, thus it is in world numbering zone 4.
Some boards may contain a complete listing of other country codes, but
here are a few:
     1 - North America (US, Canada, etc.)
    20 - Egypt
   258 - Mozambique
    34 - Spain
    49 - Germany
    52 - Mexico (Southern Portion)
    61 - Australia
     7 - USSR
    81 - Japan
    98 - Iran
If you call from an area other than North America, the format is generally
the same.  For example, let's say you wanted to call the White House from
Switzerland.  First you would dial 00 (the Swiss International Dialing
Prefix), then 1 (the US country code), followed by 202-456-1414 (the national
# for the White House).
Also, country code 87 is required for maritime mobile service, ie, calling
ships:
     871 - Marisat (Atlantic)
     872 - Marisat (Pacific)
     873 - Marisat (Indian)
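The numbering rules above (N*X area codes, NXX CO codes, the SAC, reserved CO and N11 lists, and the 011/01 international prefixes) can be applied to dialed-digit records, for instance when sorting call-detail logs by service type.  The following is an added example, not part of the original file; the function name classify() and the dialed strings in the usage note are constructed, and it assumes dialing from North America with only the country codes listed in this article.

```python
import re

# Tables transcribed from the lists in this article (1984-era plan).
SAC = {"510": "TWX (USA)", "610": "TWX (Canada)", "700": "New service",
       "710": "TWX (USA)", "800": "WATS", "810": "TWX (USA)",
       "900": "Dial-it Services", "910": "TWX (USA)"}
RESERVED_CO = {"555": "Directory Assistance", "844": "Time", "936": "Weather",
               "950": "Future services", "958": "Plant Test",
               "959": "Plant Test", "970": "Plant Test (temporary)",
               "976": "Dial-it services"}
N11 = {"211": "Coin Refund Operator", "411": "Directory Assistance",
       "611": "Repair Service", "811": "Business Office", "911": "Emergency"}
COUNTRY = {"1": "North America", "20": "Egypt", "258": "Mozambique",
           "34": "Spain", "44": "United Kingdom", "49": "Germany",
           "52": "Mexico", "61": "Australia", "7": "USSR", "81": "Japan",
           "98": "Iran", "871": "Marisat (Atlantic)",
           "872": "Marisat (Pacific)", "873": "Marisat (Indian)"}

NPA_RE = re.compile(r"[2-9][01][0-9]")   # N*X: N = 2-9, * = 0 or 1, X = 0-9
CO_RE = re.compile(r"[2-9][0-9]{2}")     # NXX


def classify(dialed):
    """Classify a dialed string (hypothetical helper); returns a dict."""
    d = re.sub(r"[^0-9]", "", dialed)    # drop spaces, dashes, parentheses
    # International: 011 = station-to-station, 01 = operator-serviced.
    if d.startswith("01"):
        direct = d.startswith("011")
        rest = d[3:] if direct else d[2:]
        # Country codes are 1 to 3 digits: take the longest listed prefix.
        known = [rest[:n] for n in (3, 2, 1) if rest[:n] in COUNTRY]
        cc = known[0] if known else None
        return {"kind": "international",
                "handling": "station-to-station" if direct
                            else "operator-serviced",
                "country_code": cc, "country": COUNTRY.get(cc),
                # The first digit of the country code is the world zone.
                "zone": int(rest[0]) if rest else None,
                "national": rest[len(cc):] if cc else rest}
    if len(d) == 3 and d in N11:
        return {"kind": "n11", "service": N11[d]}
    if len(d) == 7:
        npa, co, station = None, d[:3], d[3:]
    elif len(d) == 10:
        npa, co, station = d[:3], d[3:6], d[6:]
    else:
        return {"kind": "invalid", "reason": "expected 3, 7 or 10 digits"}
    if npa is not None and not NPA_RE.fullmatch(npa):
        return {"kind": "invalid", "reason": "area code is not N*X"}
    result = {"kind": "nanp", "npa": npa, "co": co, "station": station,
              "sac": SAC.get(npa), "service": RESERVED_CO.get(co)}
    if npa == "800" and co[0] in "01":
        # (800) *XX-XXXX is the OUTWATS format: outgoing-only, not dialable.
        result["service"] = "OUTWATS"
        return result
    if not CO_RE.fullmatch(co):
        return {"kind": "invalid", "reason": "CO code is not NXX"}
    if npa == "800" and co[2] == "2":
        result["service"] = "Intrastate INWATS"   # 800-NX2-XXXX
    return result
```

classify("(910) 988-5956") labels the WU FYI number as a TWX SAC, and classify("011 44 20 0000 0000") (constructed) reports country code 44 in world zone 4.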
International Switching:
In North America, there are currently 7 no. 4 ESS's that perform the duty of
ISC (International Switching Centers).  All international calls dialed from
numbering zone 1 will be routed through one of these "Gateway cities."  They
are:
     182 -  WHITE PLAINS, NY
     183 -  NEW YORK, NY
     184 -  PITTSBURGH, PA
     185 -  ORLANDO, FL
     186 -  OAKLAND, CA
     187 -  DENVER, CO
     188 -  NEW YORK, NY
system called CCITT.  It is an international standard for signaling.
 ------------------------------------------------------------------------------
*> Title:   Agent Biocs [File 4]
*> Date:    4/1/88
*> Time:    7:05 pm

******BIOC Agent 003's course in*******
*                                     *
*     ==========================      *
*     =BASIC TELECOMMUNICATIONS=      *
*     ==========================      *
*               PART IV               *
***************************************
PREFACE:
--------
Part IV will deal with the various types of operators, office hierarchy,
& switching equipment.
OPERATORS:
----------
There are many types of operators in The Network and the more common ones
will be discussed.
TSPS Operator:
The TSPS (Traffic Service Position System) Operator is probably the bitch
(or bastard for the phemale liberationists) that most of us are used to having
to deal with.
Here are her responsibilities:
1) Obtaining billing information for Calling Card or 3rd number calls.
2) Identifying called customer on person-to-person calls.
3) Obtaining acceptance of charges on collect calls.
4) Identifying calling numbers.  This only happens when the calling # is not
automatically recorded by CAMA (Centralized Automatic Message
Accounting) & forwarded from the local office.  This could be caused by
equipment failures or if the office is not equipped for CAMA (most are).
  <I once had an equipment failure happen to me & the TSPS operator came
on and said, "What # are you calling FROM?"  Out of curiosity, I gave her
the # to my CO, she thanked me & then I was connected to a conversation that
appeared to be between a frameman & his wife.  Then it started ringing the
party I originally wanted to call & everyone phreaked out (excuse the pun).
I immediately dropped this dual line conference!>
You shouldn't mess with the TSPS operator since she KNOWS where you are
calling from.  She also knows whether or not you are at a fortress fone & she
can trace calls quite readily.  Out of all the operators, she is one of the
MOST DANGEROUS.
INWARD Operator:
This operator assists your local TSPS ("O") operator in connecting calls.
She will never question a call as long as the call is within HER SERVICE AREA.
She can only be reached via other operators or by a Blue Box.  From a BB,
you would dial KP+NPA+121+ST for the INWARD operator that will help you
connect any calls within that NPA area only. (Blue Boxing will be discussed in
a future part of BASIC TELCOM)
DIRECTORY ASSISTANCE Operator:
This is the operator that you are connected to when you dial:  411 or
NPA-555-1212.  She does not readily know where you are calling from.  She
does not have access to unlisted #'s, but she does know if an unlisted #
exists for a certain listing.
There is also a directory assistance for deaf people who use Teletypewriters.
If your modem can transfer BAUDOT (the Apple Cat can), then you can call her
up and have an interesting conversation with her.  The # is:  800-855-1155.
She uses the standard Telex abbreviations such as GA for Go Ahead.
They tend to be nicer & will talk longer than your regular operators.
Also, they are more vulnerable to being talked out of information through
the process of "social engineering" as Cheshire Catalyst would put it.
Other operators have access to their own DA by dialing KP+NPA+131+ST (MF).
This is a little out of the scope of this tutorial, but many telco's are
now charging for calls to dir. asst. You can beat this by:
(1) count how many calls you make to directory assistance in a billing
period.  Go to a fortress fone & dial DA.  When the operator comes on, give
her a name that you know has an unlisted # or ask for a town that isn't
in the NPA.  She will then ask for your # so she can credit the call to you.
Give her your home #; she doesn't know that you are making a free call from
the fortress.  Just make sure that you don't credit yourself for more calls
than you actually made or you might have a few problems!
(2) If you have a BAUDOT terminal, use the 800 #; it's free & there is one #
for all requests.
C/NA Operators:
C/NA operators are operators that do exactly the opposite of what directory
assistance operators are for.  See part II, for more info on C/NA & #'s.  In my
experiences, these operators know more than the DA op's do & they are more
susceptible to "social engineering."  It is possible to bullshit a C/NA operator
for the NON-PUB DA # (ie, you give them the name & they give you the unlisted
#).  This is due to the fact that they assume you are a phellow company
employee.
INTERCEPT Operator:
The intercept operator is the one that you are connected to when there are not
enough recordings available to tell you that the # has been disconnected or
changed.  She usually says, "What # you callin'?" with a foreign accent.  This
is the lowest operator lifeform.  Even though they don't know where you are
calling from, it is a waste of your time to try to verbally abuse them
since they usually understand very little English.
OTHER Operators:
And then there are the:  Mobile, Ship-to-Shore, Conference, Marine
Verify, "Leave Word & Call Back," Route & Rate (KP+NPA+141+ST), & other special
operators who have one purpose or another in the Network.
Problems with an Operator?  Ask to speak to their supervisor...Which is
the equivalent of the Madame in a whorehouse (if you will excuse the
analogy).
By the way, some CO's that will allow you to dial a 1 or 0 as the 4th digit,
will also allow you to call special operators without a blue box.  This is
very rare though!  For example, 212-121-1111 will get you a NY Inward
Operator.
==================
=OFFICE HIERARCHY=
==================
Every switching office in North America (the NPA system), is assigned
an office name & class.  There are five classes of offices numbered 1 through
5.  Your CO is most likely a class 5 or end office. All Long-Distance (Toll)
calls are switched by a toll office which can be a class 4, 3, 2, or 1
office.  There is also a 4X office called an intermediate point.  The 4X
office is a digital one that can have an unattended exchange attached to it
(known as a Remote Switching Unit-RSU).
The following chart will list the Office #, name, & how many of those
offices existed in North America in 1981.
Class       Name       Abb  # Existing
----- ---------------- --- ------------
  1   Regional Center  RC         12
  2   Sectional Center SC         67
  3   Primary Center   PC        230
  4   Toll Center      TC      1,300
  4P  Toll Point       TP
  4X  Intermediate Pt  IP
  5   End Office       EO     19,000
  R   RSU              RSU
When connecting a call from one party to another, the switching equipment
usually tries to find the shortest route between the Class 5 end office of
the caller & the Class 5 end office of the called party.  If no inter-office
trunks exist between the 2 parties, it will then move up to the next highest
office for servicing (Class 4).  If the Class 4 office cannot handle the call
by sending it to another Class 4 or 5 office, it will be sent to the next
office in the hierarchy (3).  The switching equipment first uses the
high-usage interoffice trunk groups, if they are busy it then goes to the final
trunk groups on the next highest level. If the call cannot be connected then,
you will probably get a re-order signal (120 IPM busy signal).  At this
time, the guys at Network Operations are probably shitting in their pants
and trying to avoid the dreaded Network Dreadlock (as seen on TV!).
It is also interesting to note that 9 connections in tandem is called
ring-around-the rosy and it has never occurred in telephone history.  This
would cause an endless loop connection. [A neat way to really screw-up the
Network]
The 10 regional centers in the US & the 2 in Canada are all interconnected.
They form the foundation of the entire telephone network.  Since there are
only 12 of them, they are listed below:
Class 1 Regional Office Location    NPA
----------------------------------  ---
Dallas 4 ESS                        214
Wayne, PA                           215
Denver 4T                           303
Regina No.2 SP1-4W   [Canada]       306
St. Louis 4T                        314
Rockdale, GA                        404
Pittsburgh 4E                       412
Montreal No.1 4AETS  [Canada]       504
Norwich, NY                         607
San Bernardino, CA
Norway, IL                          815
White Plains 4T, NY                 914
The following diagram demonstrates how the various offices may be connected:
      ^----------^----------^ Regional
     _|_        _|_        _|_Offices
~~~~~|1| <----> |1| <----> |1|~~~~~
     ---        ---        ---
                 |             Others\/
-^-------^-------^------^---------^
_|_     _|_     _|_    _|__      _|_
|2|     |3|     |4|    |4P|      |5|
---     ---     ---    -^^-      ---
 |       |       |       |
 ^----^  |     ^----^    |
_|_  _|_ |   __|_  _|_   |
|3|  |4| |   |4X|  |5|   ^-----^
---  -^- |   ----  ---  _|__  _|_
      ^  |              |4X|  |5|
    __|_ | 0            ----  ---
    |5R| |-------------^
    -^^-      /--------|---------\
     _|_      _|_     _|_      _|__
     |R|      |4|     |5|      |5R|
     ---      ---     ---      ----
NOTE:  The preceding diagram used certain lower case characters
       that may not be viewed as I intended them if you are not
       using a lower case terminal.
=====================
=SWITCHING EQUIPMENT=
=====================
In the Network, there are 3 major types of switching equipment.  They are known
as:  Step, Crossbar, & ESS.
STEP-BY-STEP (SxS)
The Step-By-Step, a/k/a the Strowger switch or two-motion switch, was
invented in 1889 by an undertaker named Almon Strowger.  He invented this
mechanical switching equipment because he felt that the biased operator was
routing all requests for an 'undertaker' to her husband's business.
Bell started using this system in 1918 & as of 1978, over 53% of the Bell
exchanges used this method of switching.
Step-by-Step switching is controlled directly by the dial pulses which move
a series of switches (called the switch train) in order.  When you first pick
up the fone under SxS, a linefinder acknowledges the request (sooner or
later) by sending a dial tone.  If you then dialed 1234, the equipment would
first find an idle selector switch.  It would then move vertically 1 pulse, it
would then move horizontally to find a free second selector, it would then
move 2 vertical pulses, step horizontally to find the next selector,
etc.  Thus the first switch in the train takes no digits, the second
switch takes 1 digit, the third switch takes 1 digit, & the last switch in the
train (called the connector) takes the last 2 digits & connects your calls.
A normal (10,000 line) exchange requires 4 digits (0000-9999) to
connect a local call & thus it takes 4 switches to connect every call
(linefinder, 1st & 2nd selectors, & the connector).
While it was the first, SxS sucks for the following reasons:
[1] The switches often become jammed thus the calls often become blocked.
[2] You can't use DTMF (Dual-Tone Multi-Frequency a/k/a Touch-Tone)
directly. It is possible that the Telco may have installed a conversion kit but
then the calls will go through just as slow as pulse, anyway!
[3] They use a lot of electricity & mechanical maintenance. (bad from Telco
point of view)
[4] Everything is hardwired.
They can still hook up pen registers & other shit on the line so it is not
exactly a phreak haven.
You can identify SxS offices by:
(1) Lack of DTMF or pulsing digits after dialing DTMF.
(2) If you go near the CO, it will sound like a typewriter testing factory.
(3) Lack of speed calling, call forwarding, & other customer services.
(4) Fortress fones that want your money first (as opposed to dial tone
first ones).
The preceding don't necessarily imply that you have SxS but they surely give
evidence that it might be.  Also, if any of the above characteristics exist,
it certainly isn't ESS!  Also, SxS have pretty much been eradicated from large
metropolitan areas such as NYC (212).
CROSSBAR:
There are 3 major types of Crossbar systems called:  No. 1 Crossbar (1XB),
No. 4 Crossbar (4XB), & No. 5 Crossbar (5XB).  5XB has been the primary end
office switch of Bell since the 60's and thus it is in wide-use.
Crossbar uses a common control switching method.  When there is an
incoming call, a stored program determines its route through the
switching matrix.
In Crossbar, the basic operation principle is that a horizontal &
a vertical line are energized in a matrix known as the crosspoint matrix.
The point where these 2 lines meet in the matrix is the connection.
+===+
=ESS=
+===+
                   Electronic Switching System (ESS)
   The Phreak's Nightmare Come True (or Orwell's Prophecy as 2600 puts it)
ESS is Bell's move towards the Airstrip One society depicted in Orwell's 1984.
With ESS, EVERY single digit that you dial is recorded--even if it is a
mistake.  They know who you call, when you call, how long you talked for, &
probably what you talked about (in some cases).  ESS can (and is) also
programmed to print out #'s of people who make excessive calls to 800 #'s or
directory assistance.  This is called the "800 Exceptional Calling Report."
ESS could also be programmed to print out logs of who calls certain #'s--like
a bookie, a known communist, a BBS, etc.  The thing to remember with ESS is that
it is a series of programs working together.  These programs can be very
easily changed to do whatever they want it to do.  One phreak whom I know has
some ESS source code listing which is incredibly complex (as well as
documented--Gracias Dios).  This system makes the job of Bell Security, the
FBI, NSA, & other organizations that like to invade privacy incredibly easy.
With ESS, tracing is done in microseconds (Eine Augenblick) & the
results are printed at the console of a Bell Gestapo officer.  ESS will also
pick up any "foreign" tones on the line such as 2600 Hz!
Bell predicts that the country will become totally ESS by the 1990's.
You can identify ESS by the following which are usually ESS functions:
[1] Dialing 911 for help.
[2] Dial-Tone-First fortresses.
[3] Custom Calling Services such as: Call Forwarding, Speed Dialing, &
    Call Waiting.  (Ask your business office if you can get these.)
[4] ANI (Automatic Number Identification) on LD calls.
Phreaking does not come to a complete halt under ESS though--just be very
careful, though!!!
Due to the fact that ESS sends a computer generated "artificial ring,"
where the voice is not connected directly to the called party's line
until he picks up, Black Boxes & Infinity Transmitters will not work!
 NOTE:  Another interesting way to find out what type of equipment you
       are on is to raid the trash can of your local CO--this art will
       be discussed in a separate article soon.
Coming Soon:
In part V, we will start to take a look at telephone electronics.
Further Reading:
For more information on the above topics, I suggest the following:
Notes on the Network, AT&T, 1980.
Understanding Telephone Electronics, Texas Instruments, 1983.
And subscriptions to:
TAP, Room 603, 147 W 42 St, New York, NY 10036.  Subscriptions are $10/year.
Back issues are $0.75.  The current issue is #90 (Jan/Feb 1984)
2600, Box 752, Middle Island, NY 11953. Subscriptions are $10/year.  Back
issues are $1 each.  The current issue is #4 (April 1984).
They are both excellent sources of all sorts of information (primarily
phreaking/hacking).
NOTE:  For the most part, I have assumed that you have read my previous
3 courses in the BASIC TELCOM series.
Hasta Luego,
*****BIOC
*=$=*Agent
*****003
April 13, 1984 {The Year of Big Brother}
-------------------------------------------------------------------------------