PRISM - Is Not What You Think (Illustrated)

I wanted to write this post because it seems that the media is doing a great job at confusing people on what PRISM really is. I will be using some of the information from the Mark Klein testimony to Congress, who was a former Master Technician for ATT.

Let me start by saying that PRISM, while it may be the name of the program the NSA decided on, actually stems from a very important technical accomplishment in using a prism to split a light source into multiple components. This is very important, because it is the foundation behind the technology that enables the NSA and others to do what they do. The science behind beam splitting is not new, but the incorporation into telecommunications is fairly recent and is the backbone of the entire Internet as it exists today, providing the fast access we all typically enjoy.

Here is a simple diagram of how a beam splitter works, with a single input and multiple out:



What we keep hearing about on the news with regard to the PRISM program is that it relates to the "big" Internet companies. This is only partially true. Those companies have very specific writing in their contracts and terms that states that their property is private and unauthorized access will prosecuted. This includes Federal agencies. This is why they MUST get a warrant before they are allowed to ACCESS the data that physically belongs to these companies and is stored on their servers. But the reason these big companies deny that the NSA has direct access to their servers is because it is TRUE, they (the NSA or Feds) do NOT have access directly to their servers. And they don't need it, here is why:

One 60-page document, identified as coming from "AT&T Labs Connectivity & Net Services" and authored by the labs' consultant Mathew F. Casamassima, is titled Study Group 3, LGX/Splitter Wiring, San Francisco and dated 12/10/02. (See sample PDF 1-4.) This document addresses the special problem of trying to spy on fiber-optic circuits. Unlike copper wire circuits which emit electromagnetic fields that can be tapped into without disturbing the circuits, fiber-optic circuits do not "leak" their light signals. In order to monitor such communications, one has to physically cut into the fiber somehow and divert a portion of the light signal to see the information.

This problem is solved with "splitters" which literally split off a percentage of the light signal so it can be examined. This is the purpose of the special cabinet referred to above: Circuits are connected into it, the light signal is split into two signals, one of which is diverted to the "secret room." The cabinet is totally unnecessary for the circuit to perform -- in fact it introduces problems since the signal level is reduced by the splitter -- its only purpose is to enable a third party to examine the data flowing between sender and recipient on the internet.

All of that data has to flow through what is called a data exchange point, which usually belongs to the massive telecommunications companies like ATT, MCI, etc. It is in these locations that the NSA has strategically placed equipment, with huge racks of optical splitters to copy all internet traffic that passes through them. This is an unfathomable amount of data, and there is no way that they can sift through it all easily, not even with supercomputers, so they look for very specific things to focus on. This is the other half of the PRISM name, which focuses in on only those "interesting" bits of information that match certain patterns, similar to how a prism focuses light.

And to illustrate:



In reality, there is no real "agreement" with the big internet companies like Google or Facebook. Basically, if the NSA or the Feds approach them with a warrant, they turn over whatever they are being asked for. It would take too long for the NSA to sift through all of the data that they have collected because there is just too much "noise" mixed in with the other traffic, and more importantly, because most web mail and other types of transmissions are SSL encrypted, which makes it many times harder to identify. Instead, they try to look for the key identifiers in the traffic, narrow it down to a specific place, such as an email that was sent through Google, and then get a warrant with "probable cause" to request that Google provide them with every piece of data that they want on that individual since Google owns the private encryption key used, which is what they actually need the warrant for. Only Google can decrypt their secure traffic.

According to a year 2007 company press release, the latest version of NarusInsight Intercept Suite (NIS) is "the industry's only network traffic intelligence system that supports real-time precision targeting, capturing and reconstruction of webmail traffic... including Google Gmail, MSN Hotmail and Yahoo! Mail".[11] However, currently most webmail traffic can be HTTPS encrypted, so the content of messages can only be monitored with the consent of service providers.

Take your typical net connection, which is usually 1.5-10 Megabits per/sec. The exchange points are handling on average 500 Gigabits per/sec to 1.5 Terabits per/sec, and this just one exchange point. There are dozens in the US, hundreds around the world. We are not the only ones with Government tapping the data exchange points, other countries do the same. There is also no way the NSA (or anyone else) can keep up with all of that traffic, so they have to depend on things that get "flagged" for a person, usually an NSA analyst, to look at. If they determine that there is something contextually significant, they will escalate it and that's where the warrant process comes in. At that point, the warrant is procedural, because they already have captured all of your data and can examine however much of it they have the time and computer processing power to do, which is a lot. It still takes a significant amount of time, and this is usually why they will go directly to the company that has all of the data.

So how exactly do they identify the "flagged" data? Using a product from a company called Narus that does deep packet inspection. (DPI) This is a well-known technique in computer forensics and fraud detection / analysis:

"The (Narus) STA Platform consists of stand-alone traffic analyzers that collect network and customer usage information in real time directly from the message.... These analyzers sit on the message pipe into the ISP (internet service provider) cloud rather than tap into each router or ISP device" (Telecommunications magazine, April 2000). A Narus press release (1 Dec., 1999) also boasts that its Semantic Traffic Analysis (STA) technology "captures comprehensive customer usage data ... and transforms it into actionable information.... (It) is the only technology that provides complete visibility for all internet applications."

Who is Narus owned by? BOEING! And who helped fund them? JP Morgan Partners! Is it starting to come together yet?

Don't let the media spin this! The real issue is them capturing ALL traffic. PRISM is more than just the program, it's the tribute to the technology that allows them to spy on us all.

~Namaste

Didn't have enough room for sources...

Source

Source

Source

Source

Source

Source

~Namaste

Then why even bother getting a warrant....

Narus partners:

Giza Systems is the number one systems integrator in Egypt and the Middle East, providing a wide range of industry specific technology solutions in the telecom, utilities, oil and gas, and manufacturing industries.

www.gizasystems.com...

SecureTech (ST) is one of the leading and renowned information and communication technology (ICT) service providers in the UAE. Equipped with skilled resources and state-of-the-art infrastructure, SecureTech provides clients with robust, cost-effective, and secure IT solutions.

www.securetech.ae...


www.narus.com...

Originally posted by WaterBottle
Then why even bother getting a warrant....

You must have missed the explanation for the warrant...

The NSA can't decrypt all of the secure / SSL traffic that they have. They can see the bits that are unencrypted. They inspect that traffic for "signs" of behavior that should be flagged. However, if all of your email is sent over SSL, it could take them days, weeks even months to decrypt all of your email. Same with chats or instant messages. The warrants are because they are not allowed to have the super duper secret encryption key that Google, or Facebook, or whoever uses, to encrypt their traffic, so they issue the warrant to bypass that problem and just get the decrypted data from the company.

I hope that makes sense.

~Namaste

reply to post by SonOfTheLawOfOne


Excellent post!
I would like to add that there is a discrepancy with what you are saying though...

The Prism leaked information shows instruction to gather data from the example you provide - direct monitoring of real time data flow - and collation with data on the systems of the companies listed as being a part of the program.

Basically, the NSA can use the method of communication monitoring you have shown to log all the surfing you do and all the data you send and collect, but there is a secondary system which agents can tap into to gather data directly from the servers of those corporations.

The slide was released by the Guardian showing instruction to use both systems (cable interception of traffic and collation with the largest corporations in the system).

So, if you're just looking at a site like ATS, they can monitor all of this through cable. But if you're using Google, they can watch you online through that cable data and access what you're doing on Google from their services as a secondary source, perhaps to verify the traffic or information, or to more easily see what it is that you are doing there.

That's how I understand it from the information in the leaked presentation documents.

That YouTube is pretty specific. During the protests in Egypt people were organizing by Internet. The "Deep Packet" sits on routers and filters traffic in order to point out specific individuals that are inciting or fomenting insurrection.

reply to post by Rocker2013


Thank you for the feedback. I can tell you from first-hand experience, that they do not have access directly to the servers around the clock, any time they want. They have to have a warrant to get access to the servers or directly to the data within an organization.

The way it works is that they get the warrant, and the company has a certain amount of time to "comply". What compliance means has a lot of definitions. If you look through the documents, the compliance can be either direct access to the servers through a VPN (virtual private network), RDP (remote desktop protocol for Windows machines), or even physical print outs of the information requested. In some cases, the company may make an entire copy of a database or a server and isolate it in a separate part of the network that grants exclusive access to the NSA or Feds. To avoid giving out their private encryption keys, the will also sometimes decrypt the data, and re-encrypt it using a temporary encryption key that they can give to the Feds or NSA without compromising everyone else's data.

Keep in mind, what you've seen online and in the media is just a fraction of the capabilities that they really have. When they tell you they have access to the servers, it's to steer your attention towards them spying on "only 13 big companies" rather than the entire Internet, which is what they are really doing.

~Namaste

This is true. A friend of mine has worked on the wiring at a PRISM facility. They basically spliced into the internet at data hubs, based on what I heard. I never thought about the name before!

My telecom experience goes back to 1974 when 1200 baud modems were the state of the art at the time.

Every digital switch in the telecommunications network has backdoor microcode gathering data.

Every fiber optic cable has additional "unused" communications channels in excess of its' stated bandwidth - I'm referring to big "OC" pipes. Fifteen years ago I had a conversation with Bell Labs regarding bandwidth enhancement and splitting using multi-spectrum laser multiplexing (at the time all laser-fiber optics were single spectrum).

Every communications satellite has back channel communications processors.

Every piece of telecommunications equipment has statistical and procedural intercepts for analyzing network traffic for performance and troubleshooting - NOT for listening and surveillance, but for managing the network resources.

Bottom line is that all of these things have existed for years and there are NO controls (other than physical access) to keep these feature from being used for surveillance and other purposes for which they were not originally intended. All of these things pre-date the internet by decades.

ganjoa

reply to post by ganjoa


Thank you for the additional details.

I have a few friends in the business who have confirmed the same thing, but have always expressed that they are for troubleshooting and maintenance. It seems as though our spying friends have found more nefarious purposes for them.

~Namaste

Originally posted by SonOfTheLawOfOne
reply to post by Rocker2013

 

Thank you for the feedback. I can tell you from first-hand experience, that they do not have access directly to the servers around the clock, any time they want. They have to have a warrant to get access to the servers or directly to the data within an organization.

The way it works is that they get the warrant, and the company has a certain amount of time to "comply". What compliance means has a lot of definitions. If you look through the documents, the compliance can be either direct access to the servers through a VPN (virtual private network), RDP (remote desktop protocol for Windows machines), or even physical print outs of the information requested. In some cases, the company may make an entire copy of a database or a server and isolate it in a separate part of the network that grants exclusive access to the NSA or Feds. To avoid giving out their private encryption keys, the will also sometimes decrypt the data, and re-encrypt it using a temporary encryption key that they can give to the Feds or NSA without compromising everyone else's data.

Keep in mind, what you've seen online and in the media is just a fraction of the capabilities that they really have. When they tell you they have access to the servers, it's to steer your attention towards them spying on "only 13 big companies" rather than the entire Internet, which is what they are really doing.

~Namaste

Im confused.
Are you saying Edward Snowden was lieing when he said they do not need warrants to access your information?
I under stand the information is encrypted and that your saying they need encryption keys to access the information. But Edward Snowden said he could personally search a data base and look at any ones information even listen to their phone calls live. Data is encrypted, you say it can take weeks for them to decrypt it but hes saying he can listen in on your live phone and chat conversations.

You have allot more knowledge on the subject then I do. Do you know how they trace this information back to a certain individual. Edward Snowden made it seem as if you could search a name and all of their activity could be seen. How do they link the information to that person? Ip addresses and mac addresses?

William Binney said every one should leave a message for the NSA in your emails and post.
I wonder who is choose to be monitored. Is every one connected to this site monitored? It would seem like a offal lot of people to monitor and a big waist of time considering that the majority of people that use this site dont pose a real threat to the Govt at least individually. Just in case....

Mr./Ms. NSA person I understand the meaning behind your intentions. Does monitoring us really make us safer? After all you are a human being with emotional ties, it seems the system can be abused. You might piss off the wrong person, and they might use the data base to manipulate your life. Are we really safer?

reply to post by Infi8nity

Im confused. Are you saying Edward Snowden was lieing when he said they do not need warrants to access your information? I under stand the information is encrypted and that your saying they need encryption keys to access the information. But Edward Snowden said he could personally search a data base and look at any ones information even listen to their phone calls live. Data is encrypted, you say it can take weeks for them to decrypt it but hes saying he can listen in on your live phone and chat conversations.

You have allot more knowledge on the subject then I do. Do you know how they trace this information back to a certain individual. Edward Snowden made it seem as if you could search a name and all of their activity could be seen. How do they link the information to that person? Ip addresses and mac addresses?

He is partially correct. Any traffic that is not explicitly encrypted is fair game and can be inspected or listened in on in a real-time fashion. So they do not need warrants for that. But let's say the only non-secure data you send over the Internet is text messages from your phone? (not encrypted) They can listen to those, and if one of those messages has the right words in it, it will get "flagged". Next, they start focusing on all of your Internet traffic and find that you are doing all email and everything else with SSL encrypted traffic. They can't just decrypt it, but sometimes they can, it depends on the level of encryption. But in most cases, it will take them too long, so they just get the warrant and ask the company that you're using for your email to decrypt it for them and provide them the unencrypted data.

Every single byte of information you send over the net is "packaged" up in TCP/IP stacks. In these stacks, there is routing information that tells where the packet originated from (IP address and MAC address) and where it is going to. That packet "hops" from router to router until it reaches the destination. All they have to do is look at that information to find you, and they can do it with incredible efficiency. With the right tools, you can fingerprint someone's traffic in about 10 seconds and find where they are in 15-30. And those are the laymen tools, not the ones the Government has developed.

~Namaste

Once NSA has all actual phone numbers stored, cannot they sync any specifically-designated numbers interactions (caller-receiver), when activated, with secret eavesdropping satellites to record and/or monitor complete number-to-number conversations in real time?

The ability of the NSA to extra-terrestrially hack directly into corporate cellular satellites is seldom discussed.

reply to post by IAMTAT


To answer your question - no, they don't have to use secret spy satellites for this - they've got back channels into all the commercial satellites as well as the major downlink receivers like COMSAT.

ganjoa

Originally posted by SonOfTheLawOfOne
reply to post by Infi8nity

 

Im confused. Are you saying Edward Snowden was lieing when he said they do not need warrants to access your information? I under stand the information is encrypted and that your saying they need encryption keys to access the information. But Edward Snowden said he could personally search a data base and look at any ones information even listen to their phone calls live. Data is encrypted, you say it can take weeks for them to decrypt it but hes saying he can listen in on your live phone and chat conversations.

You have allot more knowledge on the subject then I do. Do you know how they trace this information back to a certain individual. Edward Snowden made it seem as if you could search a name and all of their activity could be seen. How do they link the information to that person? Ip addresses and mac addresses?

He is partially correct. Any traffic that is not explicitly encrypted is fair game and can be inspected or listened in on in a real-time fashion. So they do not need warrants for that. But let's say the only non-secure data you send over the Internet is text messages from your phone? (not encrypted) They can listen to those, and if one of those messages has the right words in it, it will get "flagged". Next, they start focusing on all of your Internet traffic and find that you are doing all email and everything else with SSL encrypted traffic. They can't just decrypt it, but sometimes they can, it depends on the level of encryption. But in most cases, it will take them too long, so they just get the warrant and ask the company that you're using for your email to decrypt it for them and provide them the unencrypted data.

Every single byte of information you send over the net is "packaged" up in TCP/IP stacks. In these stacks, there is routing information that tells where the packet originated from (IP address and MAC address) and where it is going to. That packet "hops" from router to router until it reaches the destination. All they have to do is look at that information to find you, and they can do it with incredible efficiency. With the right tools, you can fingerprint someone's traffic in about 10 seconds and find where they are in 15-30. And those are the laymen tools, not the ones the Government has developed.

~Namaste

Ok now i understand. I was under the impression that the data was encrypted from the start. So we are back to rout one, it is just as bad as the media says it is because the majority of people dont encrypt their data. Would it be possible for the service provided to encrypt data so that these organizations have to get a warrants to check out the information? This could not be done from the service providers location right? Maybe a computer provided by the service provider just to encrypt data for every day users.
I would think ISP could make a good chunk of change offering encryption's for every day people.
But then again would the Govt even allow ISP to provide a service like that.


"if your doing nothing wrong you have nothing to hide"
The majority of the people on this site would disagree with that statement.
Would the whistle have been blown if the system was not being abused?
If it was being used only to save lifes and the peoples interest why would any one want to expose it when they agreed to use the system in the first place.
But then again we need to be constantly reminded that we do have rights.

reply to post by SonOfTheLawOfOne


Nice breakdown. S&F

reply to post by Infi8nity

Would it be possible for the service provided to encrypt data so that these organizations have to get a warrants to check out the information? This could not be done from the service providers location right? Maybe a computer provided by the service provider just to encrypt data for every day users. I would think ISP could make a good chunk of change offering encryption's for every day people. But then again would the Govt even allow ISP to provide a service like that.

This is actually a really good suggestion! Shhhhh.... The ISPs could encrypt all of your traffic for you, but you'd still have it open to viewing as it transmits to the ISPs central office. However, if you built it in to the routers so that all traffic was sent from your home using encryption, that would definitely make it very very hard on them as it stands today.

Good idea! I'm sure the Feds would put that down like a rabid dog knowing how hard it would make things for them, but it's still a good idea nonetheless. Someone will surely capitalize on it.

~Namaste

Originally posted by EA006
reply to post by SonOfTheLawOfOne

 

Nice breakdown. S&F

Thank you! I hope others will find it as informative and that we can start fixing the problems we're facing.

~Namaste

reply to post by ganjoa
FOR YOUR ENJOYMENT very old school.I read your post and this reminded me of you.


/-/ Phreak Dictionary /-/

Here you will find some of the basic but necessary terms that should be
known by any phreak who wants to be respected at all.

Phreak : 1. The action of using mischevious and mostly illegal
ways in order to not pay for some sort of tele-
communications bill, order, transfer, or other service.
It often involves usage of highly illegal boxes and
machines in order to defeat the security that is set
up to avoid this sort of happening. [fr'eaking]. v.

2. A person who uses the above methods of destruction and
chaos in order to make a better life for all. A true
phreaker will not not go against his fellows or narc
on people who have ragged on him or do anything
termed to be dishonorable to phreaks. [fr'eek]. n.

3. A certain code or dialup useful in the action of
being a phreak. (Example: "I hacked a new metro
phreak last night.")

Switching System: 1. There are 3 main switching systems currently employed
in the US, and a few other systems will be mentioned
as background.

A) SxS: This system was invented in 1918 and was
employed in over half of the country until 1978. It
is a very basic system that is a general waste of
energy and hard work on the linesman. A good way to
identify this is that it requires a coin in the phone
booth before it will give you a dial tone, or that no
call waiting, call forwarding, or any other such
service is available. Stands for: Step by Step

B) XB: This switching system was first employed in 1978
in order to take care of most of the faults of SxS
switching. Not only is it more efficient, but it
also can support different services in various forms.
XB1 is Crossbar Version 1. That is very limited and
is hard to distinguish from SxS except by direct view
of the wiring involved. Next up was XB4, Crossbar
Version 4. With this system, some of the basic things
like DTMF that were not available with SxS can be
accomplished. For the final stroke of XB, XB5 was
created. This is a service that can allow DTMF plus
most 800 type services (which were not always
available.) Stands for: Crossbar.

C) ESS: A nightmare in telecom. In vivid color, ESS is
a pretty bad thing to have to stand up to. It is
quite simple to identify. Dialing 911 for emergencies,
and ANI [see ANI below] are the most common facets of
the dread system. ESS has the capability to list in a
person's caller log what number was called, how long
the call took, and even the status of the conversation
(modem or otherwise.) Since ESS has been employed,
which has been very recently, it has gone through
many kinds of revisions. The latest system to date is
ESS 11a, that is employed in Washington D.C. for
security reasons. ESS is truly trouble for any
phreak, because it is 'smarter' than the other
systems. For instance, if on your caller log they saw
50 calls to 1-800-421-9438, they would be able to do
a CN/A [see Loopholes below] on your number and
determine whether you are subscribed to that service
or not. This makes most calls a hazard, because
although 800 numbers appear to be free, they are
recorded on your caller log and then right before you
receive your bill it deletes the billings for them.
But before that the are open to inspection, which is
one reason why extended use of any code is dangerous
under ESS. Some of the boxes [see Boxing below] are
unable to function in ESS. It is generally a menace
to the true phreak. Stands For: Electronic Switching
System. Because they could appear on a filter
somewhere or maybe it is just nice to know them
anyways.

A) SSS: Strowger Switching System. First
non-operator system available.

B) WES: Western Electronics Switching. Used about 40
years ago with some minor places out west.

Boxing: 1) The use of personally designed boxes that emit or
cancel electronical impulses that allow simpler
acting while phreaking. Through the use of separate
boxes, you can accomplish most feats possible with
or without the control of an operator.

2) Some boxes and their functions are listed below.
Ones marked with '*' indicate that they are not
operatable in ESS.

*Black Box: Makes it seem to the phone company that
the phone was never picked up.
Blue Box : Emits a 2600hz tone that allows you to do
such things as stack a trunk line, kick
the operator off line, and others.
Red Box : Simulates the noise of a quarter, nickel,
or dime being dropped into a payphone.
Cheese Box : Turns your home phone into a pay phone to
throw off traces (a red box is usually
needed in order to call out.)
*Clear Box : Gives you a dial tone on some of the old
SxS payphones without putting in a coin.
Beige Box : A simpler produced linesman's handset that
allows you to tap into phone lines and
extract by eavesdropping, or crossing
wires, etc.
Purple Box : Makes all calls made out from your house
seem to be local calls.

ANI [ANI]: 1) Automatic Number Identification. A service
available on ESS that allows a phone service [see
Dialups below] to record the number that any certain
code was dialed from along with the number that was
called and print both of these on the customer bill.
950 dialups [see Dialups below] are all designed
just to use ANI. Some of the services do not have
the proper equipment to read the ANI impulses yet,
but it is impossible to see which is which without
being busted or not busted first.

Dialups [dy'l'ups]: 1) Any local or 800 extended outlet that allows instant
access to any service such as MCI, Sprint, or AT&T
that from there can be used by handpicking or using
a program to reveal other peoples codes which can
then be used moderately until they find out about
it and you must switch to another code (preferrably
before they find out about it.)

2) Dialups are extremely common on both senses. Some
dialups reveal the company that operates them as
soon as you hear the tone. Others are much harder
and some you may never be able to identify. A small
list of dialups:

1-800-421-9438 (5 digit codes)
1-800-547-6754 (6 digit codes)
1-800-345-0008 (6 digit codes)
1-800-734-3478 (6 digit codes)
1-800-222-2255 (5 digit codes)

3) Codes: Codes are very easily accessed procedures
when you call a dialup. They will give you some sort
of tone. If the tone does not end in 3 seconds,
then punch in the code and immediately following the
code, the number you are dialing but strike the
'1' in the beginning out first. If the tone does
end, then punch in the code when the tone ends.
Then, it will give you another tone. Punch in the
number you are dialing, or a '9'. If you punch in
a '9' and the tone stops, then you messed up a
little. If you punch in a tone and the tone
continues, then simply dial then number you are
calling without the '1'.

4) All codes are not universal. The only type that I
know of that is truly universal is Metrophone.
Almost every major city has a local Metro dialup
(for Philadelphia, (215)351-0100/0126) and since the
codes are universal, almost every phreak has used
them once or twice. They do not employ ANI in any
outlets that I know of, so feel free to check
through your books and call 555-1212 or, as a more
devious manor, subscribe yourself. Then, never use
your own code. That way, if they check up on you due
to your caller log, they can usually find out that
you are subscribed. Not only that but you could set
a phreak hacker around that area and just let it
hack away, since they usually group them, and, as a
bonus, you will have their local dialup.

5) 950's. They seem like a perfectly cool phreakers
dream. They are free from your house, from payphones,
from everywhere, and they host all of the major long
distance companies (950)1044 , 950)1077
, 950-1088 , 950-1033 .) Well, they aren't. They were designed for
ANI. That is the point, end of discussion.

A phreak dictionary. If you remember all of the things contained on
that fileup there, you may have a better chance of doing whatever it is you
do. This next section is maybe a little more interesting...

Blue Box Plans:
---------------

These are some blue box plans, but first, be warned, there have been
2600hz tone detectors out on operator trunk lines since XB4. The idea behind
it is to use a 2600hz tone for a few very naughty functions that can really
make your day lighten up. But first, here are the plans, or the heart of the
file:

700 : 1 : 2 : 4 : 7 : 11 :
900 : + : 3 : 5 : 8 : 12 :
1100 : + : + : 6 : 9 : KP :
1300 : + : + : + : 10 : KP2 :
1500 : + : + : + : + : ST :
: 700 : 900 :1100 :1300 :1500 :

Stop! Before you diehard users start piecing those little tone tidbits
together, there is a simpler method. If you have an Apple-Cat with a
program like Cat's Meow IV, then you can generate the necessary tones, the
2600hz tone, the KP tone, the KP2 tone, and the ST tone through the dial
section. So if you have that I will assume you can boot it up and it works,
and I'll do you the favor of telling you and the other users what to do with
the blue box now that you have somehow constructed it. The connection to an
operator is one of the most well known and used ways of having fun with your
blue box. You simply dial a TSPS (Traffic Service Positioning Station, or
the operator you get when you dial '0') and blow a 2600hz tone through the
line. Watch out! Do not dial this direct! After you have done that, it is
quite simple to have fun with it. Blow a KP tone to start a call, a ST tone
to stop it, and a 2600hz tone to hang up. Once you have connected to it,
here are some fun numbers to call with it:

0-700-456-1000 Teleconference (free, because you are the operator!)
(Area code)-101 Toll Switching
(Area code)-121 Local Operator (hehe)
(Area code)-131 Information
(Area code)-141 Rate & Route
(Area code)-181 Coin Refund Operator
(Area code)-11511 Conference operator (when you dial 800-544-6363)

Well, those were the tone matrix controllers for the blue box and some
other helpful stuff to help you to start out with. But those are only the
functions with the operator. There are other k-fun things you can do with it.

More advanced Blue Box Stuff:

Oops. Small mistake up there. I forgot tone lengths. Um, you blow a
tone pair out for up to 1/10 of a second with another 1/10 second for silence
between the digits. KP tones should be sent for 2/10 of a second. One way to
confuse the 2600hz traps is to send pink noise over the channel (for all of
you that have decent BSR equalizers, there is major pink noise in there.)

Using the operator functions is the use of the 'inward' trunk line.
Thatis working it from the inside. From the 'outward' trunk, you can do such
things as make emergency breakthrough calls, tap into lines, busy all of the
lines in any trunk (called 'stacking'), enable or disable the TSPS's, and
for some 4a systems you can even re-route calls to anywhere.

All right. The one thing that every complete phreak guide should be
without is blue box plans, since they were once a vital part of phreaking.
Another thing that every complete file needs is a complete listing of all of
the 800 numbers around so you can have some more Fu7nC
/-/ 800 Dialup Listings /-/

1-800-345-0008 (6) 1-800-547-6754 (6)
1-800-245-4890 (4) 1-800-327-9136 (4)
1-800-526-5305 (8) 1-800-858-9000 (3)
1-800-437-9895 (7) 1-800-245-7508 (5)
1-800-343-1844 (4) 1-800-322-1415 (6)
1-800-437-3478 (6) 1-800-325-7222 (6)

All right, set Cat Hacker 1.0 on those numbers and have a # of a
day. That is enough with 800 codes, by the time this gets around to you I
dunno what state those codes will be in, but try them all out anyways and
see what you get. On some 800 services now, they have an operator who will
answer and ask you for your code, and then your name. Some will switch back
and forth between voice and tone verification, you can never be quite sure
which you will be upagainst.

Armed with this knowledge you should be having a pretty good time
phreaking now. But class isn't over yet, there are still a couple important
rules that you should know. If you hear continual clicking on the line, then
you should assume that an operator is messing with something, maybe even
listening in on you. It is a good idea to call someone back when the phone
starts doing that. If you were using a code, use a different code and/or
service to call him back.

A good way to detect if a code has gone bad or not is to listen when
the number has been dialed. If the code is bad you will probably hear the
phone ringing more clearly and more quickly than if you were using a
different code. If someone answers voice to it then you can immediately
assume that it is an operative for whatever company you are using. The famed
'311311' code for Metro is one of those. You would have to be quite stupid
to actually respond, because whoever you ask for the operator will always
say 'He's not in right now, can I have him call you back?' and then they
will ask for your name and phone number. Some of the more sophisticated
companies will actually give you a carrier on a line that is supposed to
give you a carrier and then just have garbage flow across the screen like it
would with a bad connection. That is a feeble effort to make you think that
the code is still working and maybe get you to dial someone's voice, a good
test for the carrier trick is to dial anumber that will give you a carrier
that you have never dialed with that code before, that will allow you to
determine whether the code is good or not. For our next section, a lighter
look at some of the things that a phreak should not be without. A vocabulary.
A few months ago, it was a quite strange world for the modem people out
there. But now, a phreaker's vocabulary is essential if you wanna make a
good impression on people when you post what you know about certain subjects.

/-/ Vocabulary /-/

- Do not misspell except certain exceptions:

phone -> fone
freak -> phreak

- Never substitute 'z's for 's's. (i.e. codez -> codes)

- Never leave many characters after a post (i.e. Hey Dudes!#!@#@!#!@)

- NEVER use the 'k' prefix (k-kool, k-rad, k-whatever)

- Do not abbreviate. (I got lotsa wares w/ docs)

- Never substitute '0' for 'o' (r0dent, l0zer).

- Forget about ye old upper case, it looks ruggyish.

All right, that was to relieve the tension of what is being drilled
into your minds at the moment. Now, however, back to the teaching course.
Here are somethings you should know about phones and billings for phones,
etc.

LATA: Local Access Transference Area. Some people who live in large
cities or areas may be plagued by this problem. For instance, let's say you
live in the 215 area code under the 542 prefix (Ambler, Fort Washington). If
you went to dial in a basic Metro code from that area, for instance,
351-0100, that might not be counted under unlimited local calling because it
is out of your LATA. For some LATA's, you have to dial a '1' without the
area code before you can dial the phone number. That could prove a hassle
for us all if you didn't realize you would be billed for that sort of call.
In that way, sometimes, it is better to be safe than sorry and phreak.

The Caller Log: In ESS regions, for every household around, the phone
company has something on you called a Caller Log. This shows every single
number that you dialed, and things can be arranged so it showed every number
that was calling to you. That's one main disadvantage of ESS, it is mostly
computerized so a number scan could be done like that quite easily. Using a
dialup is an easy way to screw that, and is something worth remembering.
Anyways, with the caller log, they check up and see what you dialed. Hmm...
you dialed 15 different 800 numbers that month. Soon they find that you are
subscribed to none of those companies. But that is not the only thing. Most
people would imagine "But wait! 800 numbers don't show up on my phone
bill!". To those people, it is a nice thought, but 800 numbers are picked up
on the caller log until right before they are sent off to you. So they can
check right up on you before they send it away and can note the fact that
you #ed up slightly and called one too many 800 lines.

Right now, after all of that, you should have a pretty good idea of how
to grow up as a good phreak. Follow these guidelines, don't show off, and
don't take unnecessary risks when phreaking or hacking.