The Phone Punx Network Presents
--Phone Punx Magazine--
----Issue two----
"This Issue is dedicated in Loving Memory of 1-800-487-9240"
August 07, 1999
Last Updated: August 07, 1999


~Intro by Mohawk

~Targeted Long-Distance Dialing on a Siemens 9006 Switch by Biterror

~Countermeasures Revisited by Seuss

~Poor Man's CLLI Locator by Mohawk

~Datu's: the tool of the New Age Phreak by MMX

~SASS Test Number Access by Lineside

~Intro to Paging Networks and POCSAG/FLEX interception by Black Axe

~Satellite Systems: Reception by Black Axe

~The elusive Project Angel by Mohawk

~Zine writing suggestions by Phone Punx Staff

~Cyberpunk Culture by Mohawk


.....The Staff of Phone Punx Magazine.....

Mohawk..................Editor in chief

Seuss ......................Editor/Head tech. writer

Lineside...................Staff writer

Black Axe...............Staff writer

MMX......................Staff writer

Bit Error..............Staff writer

.....Magazine Information.....

All information is protected by the 1st amendment. However, this information should not be used in any other way except education. Our purpose is to provoke thought and we might even entertain you, if you're good. Nothing in this issue has been tested and we do not guarantee that it will work. We cannot ensure your safety both legally and physically and what the hell, mentally if you try anything in this issue.

-Release Dates
Phone Punx Magazine is released about every 4 months, however there is no set release date. Issues can come out a day or a year after the last one but we will try to stick to around 3 to 4 months.

-Writers Wanted
We are always looking for more writers. If you want an article published or if you would like to become a regular writer, send us an email. We would really like to concentrate on phreaking and large phreaking projects. That is why the release date for new issues is 3 to 4 months, instead of 2 months like the OCPP. However, not all articles have to be related to phreaking. We are experimenting with some new sections that will cater to our audience with topics other then phreaking. If you feel that you have an article that would be of interest to phreaks but it is about hacking, cyberpunk-culture, etc, let us know and we will evaluate each article on an individual basis. We are also looking for ways to compensate our writers for their time and effort in writing articles. We will add a link to your webpage but we may also start a page where we will post a banner or two of your choice. Any other suggestions are also welcome.

-Distribution Sites
Help us spread the magazine to a wider audience by becoming a distro site. All you have to do is keep the issues on your website with a link to them somewhere. Not only will this help us reach more people, but our readers will have another place to get the zine if something happens to the site. We need people to distribute the zine and past issues of the OCPP. A list of distro sites is available on the "About PPN" page.

-Network Links
The Phone Punx Network is more than just one webpage. We hope to span several webpages that will encompass member websites and distro sites. To get a network link you must be a staff writer or be involved with the PPN in another way and have a website that is related to phreaking in some way or another. If you can't do that, become a distro site and provide a link back to us. You will also have to add a Phone Punx Network graphic that links back to the site.

-Issue Updates
Issue updates will occur when they are warranted. To make sure you always have the freshest issue of PPM, check the "last updated" date on the top of the issue. It is important that you always have the latest issue because we do screw up often and we are always fixing our mistakes. To be notified of updates of the issues, join the phone punx newsletter.

-Phone Punx Newsletter
To stay up to date with the latest in the Phone Punx Network, sign up for the Newsletter. You will be notified of the release of new issues, updates to past issues, and other PPN news. All email addresses are kept confidential. Just send an email to letting us know you'd like to subscribe. If you would like anything announced or whatever to be added in there, feel free to send it to us.

lease update your OCPP links. Change the name to Phone Punx Network and the URL to, if you have a link to us on your page, let us know and we'll link you back.

We will print your letters. If you would like to make a comment, ask a question, or whatever, send them in and we will publish them. If you don't want your letter published, just let us know. All email address will not be published unless you tell us otherwise.

-Contact info
Our email address is To subscribe to the mailing list send an email to

Copyright info is located at the end of the issue

by Mohawk

This should be considered the first "real" issue. The last issue was a mix of new articles and articles that were going to be published in OCPP. The articles in this issues are some of the best we've ever published. I'm really proud of everyone involved with not just the zine, but the network as a whole. Things have really progressed since last issue. I will no longer be providing updates to the network, the page, etc. in the intro section of the zine. That way, years from now, you don't have to read about pointless news that happened so long ago. News about the website, additions to the network, etc. will be on the News page only from now on. However, I will still talk about changes within the zine itself.

Speaking of which, we've got some new writers for this issue. Black Axe, Bit Error, and MMX all have some great articles in this issue. I'm really happy with the staff we have now. We also have some more new writers that should debut next issue. Of course, if you would like to join the staff, feel free to email me. The network itself will continue to grow with some big things coming up soon thanks to X-Logik. The next issue should be out in about 3 or 4 months. It looks like were gonna try to stick to a quarterly release date but that's just an estimate. We're still getting some loose ends together here and things will only continue to improve. There are still people out there that don't know were still alive.


Targeted Long-Distance Dialing on a Siemens 9006 Switch
by Biterror

This information is for information purposes only. I am not responsible for abuse of the info herein.

With phone systems becoming more and more advanced and companies relying on them to perform increasingly advanced tasks, there are often holes in these systems that can be accessed by the enterprising among us. These holes are often the result of sloppy or misinformed switch programming and may be utilized without tone generators or account codes. Specifically, this file deals with an often-overlooked aspect of programming in the Siemens 9006 office PBX.

The Situation:
Making free calls through a PBX is nothing new. However, the strategy in the past has been to find a local company with a phreakable PBX, hack it, and acquire a dial tone to make long distance calls. This is, of course, illegal and usually results in increased security measures by that company. Why not use 800 numbers to call the city you want to reach and, through a little cleverness on your part, achieve local (long distance to you) phone access that way?

It's easy, it works, and it's totally legal. I have successfully used this plan to call friends near a large metro area for over a year. In that time, no changes have been made to the programming of the switch I am dialing and no Bell agents have knocked on my door. I know that the company's switch I am using is a Siemens 9006 with Phonemail SE so the keystrokes that follow are for that setup. Mileage will vary on other PBXs.

A Note on Tie Trunks:
Geographically dispersed offices of a company have to have a way to communicate with each other. They could just pick up their phones and dial each other long distance, but then the long distance charges would be outrageous. There is an easier, cheaper way to talk to each other: tie trunks.

Tie trunks are usually T-1 lines leased from a local dialtone provider that connect offices together (say an office in Mobile, AL with company HQ in New Orleans). These trunks allow someone in Mobile to dial a 4 digit extension and reach someone in the New Orleans office, instead of having to dial on the 10 digit long distance plan.

Aside from saving money, it's just more convenient to dial long distance as if you were calling someone in the next cubicle. Keeping this in mind, let's try to make some calls.

For example's sake, let's say you want to call your girlfriend who lives in Slidell, LA. The only problem is, you reside in Knob Lick, KY. And since you man the Knob Lick KFC drive through for a living, you don't exactly have wads of bills to drop on phone charges. The first thing you need to do is have your girlfriend whip out a Slidell phone book and find a small to medium-sized company that has an 800 number. Don't pick some huge company like Sprint or Fujitsu, because they won't be using a Siemens 9006 PBX. If she can't find a number in Slidell, check the New Orleans phone book (this example assumes that Slidell is a local call from New Orleans). The Internet is also a good place to look for 800 numbers. Also try to find out if this company has branch offices and where they are located.

Once you find the main toll free number for the company, dial it (after business hours if possible) and wait for the auto attendant to answer. When the attendant asks you to press a key if you know your party's extension, press that key. Or if you prefer, and if the switch menus offer it, you can spell an employees last name and be transferred to their extension. We just want to reach an extension, it doesn't matter whose it is.

You must now enter an extension. If you decide to spell an employee name, go for the obvious Smith and Jones, or you could be there all damn night. Dialing an extension by number is also trial and error. Look at the company's local telephone number and use the last four digits of that number as a basis for guesses. For example, if the local number of the company is 555-8000, try extensions in the 8100's, 8200's, 8300's, etc. Extension numbers may be arbitrary and can have any DID number.

Once you have a working extension, you will be transferred to someone's voicemail. You may be connected on the local company PBX, or you may have transferred to another identical PBX on the corporate tie trunks. You'll know more when you try your outside call. You can listen to the voicemail message you just dialed or bypass it with the proper button. When the voicemail beeps for you to begin your message, hit the * (star) key followed by the # (pound) key. This brings you back to the attendant, but now you should be one level deeper in the 9006's menu tree. The attendant should read you a grocery list of options that you may choose from. When she (or he) tells you the keys to hit to transfer to another extension, do it. Now you dial your girlfriend's extension, preceded by a 9 (to access outside lines) and followed by a # (to let the switch know you have finished inputting the number you want to transfer to.) Hit # again to allow the switch to dial out. It's that easy! Provided you are still on the local switch, your call should go through.

If the Siemens switch you dialed is on a tie trunk and the extension you dialed rings someone at a branch office in say, Mobile, AL, then your call is not likely to go through. Unless of course the idiot switch programmer did not exclude long distance transfers in his dial plan. Then you can transfer to any number anywhere from that extension, but that is not likely. It may not even allow local calls on a transfer, only four digit extensions. If that's the case, you are SOL and will have to find another company to try. I never said this would be easy, but it is a great way to make calls to targeted cities with little expense to either party. The Siemens switch may possibly be running a third party software program called Telemate.

Telemate's sole purpose is to record incoming and outgoing digits which it saves to a file or outputs to a printer. It's mostly for accounting purposes, to see which employees are screwing around and which are actually making legit calls. Your phone number travels the whole way with your call and can be recorded. Calling from a payphone is still your best bet.


Countermeasures Revisited
by Seuss

The most prevalent information on telephone counter-surveillance has been floating around for at least 15 years. Short the pair at the demark and measure resistance. Open the pair at the demark and measure the resistance. Abnormally high or low resistances indicate a phone tap. Forrest Ranger wrote about it in text files, M.L. Shannon and Paul Brookes included it in their books, and an untold number of phone phreaks have employed this technique. Despite its popularity, this technique has its shortcomings: it fails to detect devices installed in the outside plant, split pairs are undetected and transmitters built into the phone are not tested for.

What you'll need:
- Access to a local DATU.
- A multimeter with high impedance scales (several meters that measure into the giga-ohm range are available) and a capacitance meter. - An induction probe.
- A frequency counter or near field detector.
- Something that makes continuous noise, like a tape player.
- Ancillary tools (screwdrivers, a can wrench, etc.)

First, call the Phone Company to ask about your line's readiness for ISDN or DSL. High-speed services demand a line with no loading coils and a minimum amount (less than 2500 ft.) of bridged taps. Either will cause inaccurate measurements.

Begin by taking the phone off hook and turning on your tape player (to turn on voice activated transmitters). Now give your phone a pass with your near field detector or frequency counter. Transmitters in the phone will hopefully be picked up at this point. (Note: some speakerphones are prone to normal RF leakage)

Next measure the capacitance of the line, dividing the value by .83 (the average mutual capacitance for a mile of phone line). This is roughly the length of your line. Write it down, you'll need it later. Remember that .83 is an average value, which can range from .76 to .90 depending on line conditions. To get a more accurate measurement you can fine tune your figure by comparing capacitance measurements on a section of plant cable of a known length, or use a TDR.

Disconnect all the phones from the line you want to test. Go to your demark and disconnect your pair on the customer access side. Short the pair and measure the resistance of the line from the farthest jack with the meter set to its lowest scale. Reverse the polarity of the meter and measure again. If either resistance is more than a few ohms, it would suggest a series device wired into the line somewhere on your property. Now return to your demark, open the pair, and cover the ends in electrical tape. Measure the resistance of the pair with the meter set to its highest scale. A less than infinite resistance would suggest a device wired in parallel to your line.

Testing in the outside plant should be conducted from the telco side of the demark point in order to avoid measurement error from the station protector circuit. Call that DATU and short the pair, then measure the resistance of the line. Compare the value you got for your line's length with the figures below:

Wire Gauge Loaded Pair Unloaded Pair
26ga 84.33 83.33
24ga 52.89 51.89
22ga 33.72 32.39
19ga 17.43 16.10

Note: 5ESS switches incorporate a 'test bus' that will add about 500 ohms to the shorted pair.

These figures will vary with temperature, splices, wet sections, and a host of other reasons. Large deviancies could (but don't necessarily) suggest something wired in series with the line. This measurement may be supplemented by either a resistance to ground measurement of both sides of the pair and a capacitance balance test, or a voltage measurement. A resistive imbalance of more than 10 ohms or a noticeable drop in off-hook voltage calls for further inspection.

To test for parallel devices in the outside plant, open the line with the DATU and repeat the parallel test as described above.

Testing for telephone hook-switch compromises requires an induction probe. Reconnect your pair at the demark and plug all your phones back in. Turn your tape player back on and put it near your phone. Now probe all the lines coming through your demark point. If you hear the tape player through the probe, your phone's hook-switch has been compromised.

Checking for splits on your line requires an induction probe and access to a plant wiring cabinet. Add a tone to either lead of your pair with the DATU. Probe all the conductors in the binder pair, listening for the trace tone. If you hear the tone on more than two leads (the ones connected to the line you're checking) your line has been split. This can be either a bad splicing job, or someone intentionally hooking a pair up to your line.

If any of the above tests suggests that there is something on your line, remember that there are plenty of innocent reasons a test could turn up positive, so a detailed physical search is in order. Disassembling the phone in question and comparing the innards to a schematic would be a wise idea at this point. Take the covers off your phone jacks, dig around in your demark point, peek inside wiring cabinets if you can, and so on. There are some places that are likely out of your reach, but keep in mind that they're likely out of reach to many wiretappers as well.

Seuss maintains the alt.phreaking FAQ


Poor Man's CLLI Locator
by Mohawk

A lot of people are interested in finding buildings with switches in them. Most these people are in the telecommunications, Cable, or some other professional industry. And anyone else, who does, is probably a phreak. This mostly involves Central Offices for reasons such as trashing and breaking into bell vans to steal that treasured Bell hardhat. Any building that has a switch is assigned a CLLI code. Whatever your motivation for finding a switching center, it isn't easy to do for free, until now however. This article will explain what CLLI is and how to locate most switching centers for free.

CLLI is an abbreviation for Common Language Location Identifier. Bell Labs invented Common Language in the 70's. It's purpose was to track all AT&T network components with a consistent coding system. After the break up of AT&T in 1984, Bellcore (now Telcordia) took over ownership of Common Language information products. It was then expanded to cover more then just AT&T network components.

The CLLI code is an 11-character code equipment designation which is coded as follows: Characters 1 through 4 represent the Exchange or Locality, 5 and 6 the State, 7 and 8 the location code within the exchange, 9 through 11 represent the unique equipment type. Sometimes a CLLI code will be represented by 6 normal characters followed by 5 X's. This is a MXC or Miscellaneous Exchange Carrier which usually denotes a switch that handles paging, cellular, PCS, or some other new technology.

CLLI locations are important to the telephone and cable industry for various reasons that will effect how they set up their business and how they serve their customers. To figure out the locations of these CLLI's they use software that uses a CLLI database to determine the location, exchange, NXX's served, LATA, Feature group, etc. The one that we will be discussing is CO Finder and a demo version can be downloaded at

The demo uses an outdated database and has limited features. However, it is still very useful. Two CLLI's can be displayed at the same time so you can compare them and figure out the air-mile distance between them. You can also get the Vertical and Horizontal Coordinates. These are based upon a 1/10 mile grid from a reference point on a U.S. map. These coordinates are converted from Latitude and Longitude and are referenced in tariffs as the official means by which to calculate the interoffice mileage between CLLI codes. This doesn't really do you any good to figure out where the switching center is. The full versions of CO Finder and other CLLI Locator programs have options that give you the address of the switching centers. However, these programs are very expensive. CO Finder is currently going for $100.00 and the updates are even more expensive. However, other CLLI locators are way more expensive then that.

To find a switching center for free open up CO Finder and find a CLLI that you want. If you want to find the CLLI code that serves your local area select your NPA, for example 212. Now click on NXX and type in your NXX, (ex. 209). The CLLI NYCMNYBW21T should pop up with all it's related info. Now to find the exact street location of that switching center, go to and click on "online maps". Instead of entering in an address, scroll down to "Telephone Area Code Search" Now enter in your NPA and NXX. A map will come up with a redstar on it. You didn't specify an address or other location, just a phone number so the red star on the map denotes the exact location of the switching center that serves the NXX you typed in. You can then get driving directions to it and even figure out if there are any Denny's Restaurants along the way within a certain mile radius that you specify.

One drawback to MapQuest is that it can't locate MXC's. To do this, open up the MXC you want to find in one window. Then open up a regular CLLI that can plot on MapQuest. You should use the closest one to the MXC. Click on the miles button between the two windows to calculate the exact air-mile distance. Now open up a map, preferably the phonebook map because they have a really small scale. Using a compass open it up to the distance between the two offices. Try to estimate the exact location of the CLLI you got from MapQuest and then draw a circle. In or around the circle is where you should find the MXC.

The really interesting thing about all this, is that if a terrorist wanted to find the location of a switch to bomb, they could do so anonymously and free. Not only can you find all the switches in a town, but this method will also allow you to locate switches on military bases. It's kinda scary what kind of information is available to people for free over the Internet. Hell, if we were at war with a country, they could have all of our communications mapped out for free.

To compensate for the old database, keep the phonebook handy so you can see what new NXX's have been added to a certain exchange. You can use mapquest to figure out what office serves the new NXX's in your area. If you can't find an NXX listed in CO Finder, type it into Map Quest and see where it points you too. Remember to adjust for NPAs as they existed in January of 1998. For a list of other CLLI locators visit the alt.phreaking FAQ at These programs aren't the greatest though. CO Finder is your best bet. Telecordia will soon release a demo of "Locate It" and we will test that out when it is released. This is still a new idea we are exploring so please email us with your findings.


DATUs - The Tool of the New Age Phreak

Major Note #1: All of the first four paragraphs are adapted/condensed from the administration manual. But be honest with yourself before criticizing me for "stealing" this article. When was the last time "YOU" called Harris and SE'd it out of them? Huh? Didn't think so bitch.

The Harris Direct Access Test Unit Remote Terminal extends the field technician's testing capabilities of subscriber lines through the non-metallic environment of a pair gain system. Typical pair gain systems include SLC-96, SLC-Series 5, etc. The system has three major components (see Figure 1); the Direct Access Test Unit (DATU), the Pair Gain Applique II (PGA II), and the remotely located Metallic Access Unit (MAU).

Direct Access Test Unit - Remote Terminal

The DATU-RT is a printed circuit card that provides microprocessor control of line preparation functions, voice prompted menus and status reports to the technician . It allows technicians to access and perform specific loop conditioning and tone generating functions on any working subscriber line to prepare the line for use with field test equipment. The card is installed in the Metallic Facility Terminal (MFT) bay and connected to the Central Office switch.

Pair Gain Applique II
BR> The PGA II is a printed circuit card that extends the DATU-RT capabilities into the pair gain environment and serves as the interface between the DATU-RT and the switch's Pair Gain Test Controller (PGTC). It determines the status of the PGTC and its metallic DC test pair, provides carrier channel signaling and transmission test results, and controls the DATU-RT's access to the MAU. The card is installed in the MFT frame and connected to the switch.

Metallic Access Unit
BR> The MAU provides the standard DATU-RT line conditioning functions as directed by the DATU-RT. It eliminates the need for metallic bypass pairs from the switch to the remotely located pair gain terminal. The enclosure is installed inside the cabinet housing the pair gain equipment. One DATU-RT and one PGA II, working together in the same switch, may serve a maximum of 212 separate MAU locations. The RT system provides the technicians the ability to perform a series of line preparation functions to subscriber lines. These functions are established and maintained by authorized personnel.

[Now, onto my part of the article]
NOTE #2: I refusing to speak about administrator mode for three reasons:
1) If you accidentally screw something up, the DATU probably won't work.
2) You don't own any DATU that you're using (nor do you have permission),
and therefore committing a crime by accessing one. 3) I think that if I talk about things like changing the NTT Busy Test,
you will do something naughty. VERY naughty.

To access the DATU, dial the telephone number assigned to the DATU. Upon connection, you will hear a 440hz "dial tone" indicating that the DATU has answered and is ready for password entry. Dial the password of the DATU, which is defaulted for technicians at 1111. If the first digit of the password is not entered within seven seconds after the DATU answers, it will release the line. Upon entering a successful password, another DATU dial tone is heard, prompting you to dial the seven-digit subscriber line number (in other words, the number you want to test). Occasionally, something will be wrong at the CO, the DATU will say "Error, bad no-test trunk" and a pulsating 440hz tone will be heard. If you ever get this, than you probably are accessing a DATU at either a CO where someone is asleep at their desk, or in a remote office. I have yet to get this error at a heavily manned CO. You also won't be able to run tests if you get this message. Anyway, after the DATU prompts you to dial the subscriber line number, a few things can happen. If you dialed a number not served by that DATU, you will get the message: "INVALID PREFIX." and another DATU dial tone. Upon dialing a correct number, if the line is idle, the DATU accesses the line and you will hear "Connected to, ddd-dddd. OK. Audio Monitor." You can then select a line conditioning function anytime after the voice message begins, including the 10 seconds of audio monitor before the menu is presented. If the line is busy, the DATU will say "Connected to ddd-dddd. Busy line. Audio Monitor." The busy line will then be monitored for 10 seconds. It should be said at this point that all audio traffic is unintelligible. After the 10 seconds of audio monitor, the DATU will send two 614hz tones in rapid succession to indicate the end of the monitor period. Features that would be disruptive to a call in progress are not available if the DATU-RT detects a busy line condition. These functions include "High-level Tone", "Open Subscriber Line", and "Short Subscriber Line".

Functions of the DATU

Anyway, after learning the status of the line, the functions are presented in a menu format. Main Menu functions are announced as follows:

A quick description of each of the functions:
1 - Announce Main Menu
2 - Audio Monitor
Provides a way to verify that the busy test was correct. Traffic on the line is audible but unintelligible. Audio Monitor is automatically disabled at regular intervals to insure that the DATU-RT is able to detect DTMF tones in the event an exceptionally strong audio signal is present. This occurs at regular six-second intervals and is of approximately two seconds duration.
3 - Short to Ground
The "Short to Ground" function is used to connect the Tip, Ring or both leads to Ground potential. If only a single lead (Tip or Ring) is selected, the opposite lead is unterminated.
4 - High Level Tone
This function places 577-Hz high-level (+22 dBm) interrupted tone bursts on the Tip lead, Ring lead or both. If a single lead is selected, the opposite lead is grounded. This function is typically used for the purpose of conductor or pair identification.
5 - Low Level Tone
This function places 577-Hz low-level (-12 dBm) interrupted tone bursts on both the Tip and Ring leads. Because the tone signal is longitudinal, use of this function does not disrupt traffic on a busy line. Tone bursts can be heard only on a telephone instrument connected between Tip or Ring and Ground. This function is typically used for the purpose of conductor or pair identification on a busy subscriber line.
6 - Open Subscriber Line
The "Open Subscriber Line" function removes Battery and Ground potentials from the subscriber's Tip and Ring leads.
7 - Short Subscriber Line
The "Short Subscriber Line" function provides an electrical short across the subscriber's Tip and Ring leads.
* - Hold Functions (Keep Test After Disconnect)
The "Hold Test" feature provides a means by which a line condition asserted by the DATU-RT is maintained for a specified time interval after disconnecting from the DATU-RT. The duration of the Hold Test interval is entered through the telephone keypad and is specified in minutes. Any interval may be entered, however, the DATU-RT will not maintain a line condition longer than the Access Timeout interval. The programmed function is automatically cancelled by the DATU-RT when the specified time interval or, if of a shorter duration, the Access Timeout interval has elapsed.

[At this point, it should be noted that upon setting up a DATU, the administrator determines the Access Timeout Interval, which is basically a timer to say "goodbye" once you've lounged too long on the DATU. By default, the Access Timeout is 10 minutes. Also, after hitting *, the DATU will prompt you with either "DIAL NUMBER OF MINUTES" or "DIAL 2 DIGITS FOR NUMBER OF MINUTES". With respect to single digit entries, "0" is interpreted as 10 minutes. Also, after you use this function, the DATU will expect you to be finished and will say "PLEASE HANG UP."]

# - New Subscriber Line
This function releases the currently-held subscriber line so that another subscriber line may be accessed.

Before moving on, there is one other function that is worth mentioning.

9 - Permanent Signal Release
The "Permanent Signal Release" function causes the removal of Battery and Ground potentials from a permanent signal line served by a step-by-step switch. This function is typically used to clear a busy condition resulting from a line fault so that normal line tests may be performed. After pressing "9" on the keypad, the DATU responds with "PERMANENT SIGNAL RELEASE." After executing the required sequence of operations, the DATU tests the subscriber line to determine whether the busy condition has been cleared. The result of this test is then announced as either "OK" if the line is idle or "BUSY LINE" if the line is busy. This function is not available unless specifically enabled by the DATU administrator. Unless enabled, any attempt to use this function results in the message "ERROR - PERMANENT SIGNAL RELEASE DISABLED." Permanent Signal Release will function only on a line that the DATU has identified as busy. An attempt to use this function on an idle line results in the message "ERROR - IDLE LINE"

Single Line Access

Moving right along... If you should find yourself "testing" the line that you're calling the DATU with, you will realize that you can't test that line, since you're using it to call the DATU. An interesting predicament. The DATU is prepared as always to handle your problem. By dialing "*" before the subscriber line number, the DATU will wait until you hang up, and "then" test the line. Pretty simple, eh? Oh yes, and for those who wonder why there is no "audio monitor" during single line access: after you select the test function, the DATU will ask you for the "number of minutes". The testing doesn't start until one minute after you hang up.

Sadly, the actual Administrator's Guide went into great detail on the use of each feature of the DATU more than three times by the end of it. Stupid corporate products.

Conditioning of Carrier System Lines

NOTE: Unless you have a fairly basic grasp of the way pair gain systems operate, I would suggest skipping this section.

After dialing the subscriber line number, if the line is on a pair gain system, the DATU announces, ACCESSING and repeats the subscriber telephone number entered. The DATU announces the state of the subscriber line/NTT with one of the following voice messages:

PAIR GAIN LINE, PROCESSING. - if the line is idle and is a pair gain line.

BUSY LINE - if the line is busy.

If the selected line is busy, the DATU cannot determine whether the line is served by a carrier system. It is, therefore, not possible for the DATU to activate the Pair Gain Test Controller (PGTC) and metallically connect the DC Bypass pair at the RT to the subscriber line. Without this metallic connection, the DATU cannot condition the line. In this case, only the "Audio Monitor" and "Low-Level Tone" functions are available to the user. Because it's signal is longitudinal, the Low-Level Tone function is generally not effective when used on a busy carrier system line. If the line is idle, the DATU attempts to activate the Pair Gain Test Controller (PGTC). The PGTC, in turn, tests the carrier channel and communicates the results to the DATU. These operations require additional time and may result in a delay of up to 30 seconds. After successfully completing these steps, the RT system identifies the carrier channel as follows:

SINGLE-PARTY LINE - if a single-party channel unit is detected.
MULTI-PARTY LINE - if a multi-party channel unit is detected.
COIN LINE - if a coin channel unit is detected.

If the DATU is unable to activate the PGTC or the PGTC encounters a problem in testing the carrier channel, the DATU issues one of the following voice messages:

BYPASS PAIR BUSY OR PGTC FAILURE - the DC Bypass pair is in use, all PGTC test circuits are busy or the PGTC cannot complete carrier system connections.

PAIR GAIN SYSTEM ALARM - the carrier system serving the selected line is in a major alarm condition.

CHANNEL NOT AVAILABLE - channel test results were not provided by the PGTC.

BAD CHANNEL - channel tests failed - possible bad channel unit.

After a failure in carrier channel tests or in activating the PGTC, the DATU remains in Menu Item Selection mode so that the central office personnel may more easily determine the problem. If one of the above error messages is heard, however, the DATU is probably not connected to the line to be tested. Therefore, line conditioning commands will be accepted and confirmed by the DATU but the condition may not necessarily exist on the line anytime after one of the above error messages is heard.

Remote Terminal (RT) Access

After the DATU has successfully accessed the subscriber line and acquired channel test results, the DATU will say "PLEASE ENTER PAIR GAIN SYSTEM ID. DIAL STAR TO END." Enter Pair Gain System ID using telephone keypad. To condition line from Central Office using the bypass pair, enter "0*". Use the following section (Alphanumeric Pair Gain System ID Entry) if Pair Gain System ID includes alphabetic or punctuation characters. If selected, the bypass pair must be in place between the host element of the DATU at the Central Office and the RT.

Alphanumeric Pair Gain System ID Entry

This section describes the method by which alphabetical letters may be entered using a standard 12-key DTMF keypad.
a. Enter any leading numbers that are part of the Pair Gain System ID in the normal manner.
b. Enter "**". This key sequence places the RT system in a special mode in which alpha and certain other non-numeric characters may be entered as a series of two-digit key codes.
c. The first key depression simply identifies the key on which the desired character is stamped or printed. Press the key on which the character appears. For example, if character is "A", "B", or "C," press the "2" key.
d. The second key depression identifies a single character from the group (typically three letters) selected with the first keystroke. The character is identified by it's position on the key. To select the first, press "1". If the desired letter is the second of the three, press "2". Press "3" if the desired letter is the third of the group.
e. Repeat steps "c" and "d" for each alpha character in the Pair Gain System ID. When the last character has been entered, enter "**" just as previously done in step "b". This restores the "numeric entry" mode. Special two-key sequences are assigned to the letters "Q", "Z" and certain punctuation characters. The table below outlines these.
f. Enter any trailing numbers that are part of the Pair Gain System ID.
g. Any combination of letters and numbers may be entered in this manner.
Repeat the appropriate steps as necessary.
h. Enter a single star (*) to complete the Pair Gain System ID entry.
i. After the Pair Gain System ID has been successfully entered, the DATU
will say "PLEASE ENTER PAIR NUMBER. DIAL STAR TO END." Enter the pair number for the subscriber's line using the telephone keypad.
j. The DATU provides verification of the Pair Gain System ID entry with a voice message. If a valid ID was entered, the DATU announces "ACCESS" followed by the ID previously entered. If the Pair Gain System ID is not valid or if the bypass pair was selected, the DATU announces "USE BYPASS PAIR".

Two-Key Sequences-Non-Numeric Keypad
2nd Key 1 2 3 4 5
1st key
1 Space Period comma hypen slash
2 A B C
3 D E F
4 G H I
5 J K L
6 M N O
7 P R S Q
8 T U V
9 W X Y Z

Some Words About Male Voiced DATUs

At this point, I should mention at least something about those DATUs with an
incredibly sexy male voice. These are an "extreme" rarity at the date of writing.
In fact, in a list of over 200 DATUs that I have, I only know of one that still
works. Upon speaking to the man at Harris who actually developed the DATU, he said,
"It's so old, you could blow dust off it." However, since it is still in use, I will
soon be writing some words about it. Please note that if you find a DATU-I in use,
that I would love to be told, as I would like to get a recording of the administrator
menu for it.

Last Remarks (for this issue)

To begin my ending, I would like to say to anyone who thinks "hey, cool,
I'll DATU an AOL access number and make it busy," is not only lame and stupid, but
also factually wrong. The NTT can't access hunt lines, and you may inadvertently set
off an audible alarm at your CO by doing so. Oh yes, and the "LO SLEEVE" LED of the
DATU will go on when you try. Next issue, I will go into the wild and crazy world of
the test interface for non standard offices. Following that, well, I'll see what I
can dig up for you. Perhaps something about (dare I say)... Administrator mode?

Physical and Electrical Specifications

(directly copied from administration manual)

Physical Dimensions
Length: 8.0 inches
Width: 7.5 inches
Height: 2.0 inches
Weight: 1.7 pounds

Battery Input Requirement (measured with respect to CO ground):
* -46 to -54 volts DC
* 600 mA maximum
* 2 volts peak-to-peak noise maximum from CO
Access Line Interface (Ground Start)

1. Tip and Ring Parameters in Off-Hook Mode:
* Meets FCC Part 68 requirements
* Resistance is 120 - 280 ohms at 20 to 80 mA
* Minimum DC current required is 20 mA
* Typical AC impedance, at 1 kHz, is 640 ohms

2. Tip and Ring Parameters in On-Hook Mode:
* Meets FCC Part 68 requirements
* Minimum ring detect level is 65 volts AC rms
* Uninterrupted pre-trip ring duration is 300 ms
* Ringer equivalence is 0.5B

3. Secondary Dial Tone:
* Secondary dial tone is provided upon ring trip, password
entry, and new subscriber line selection
* Dial tone is silenced when a digit is dialed or when the DATU-RT times out
* Dial tone level is -16 dBm +/-3 dBm
* Dial tone frequency is 440 Hz +/-8 Hz
* Harmonic distortion is less than 10%

4. DTMF Dial Decoding:
* Each incoming dual-tone signal is translated into one of the 12 character sets shown in Table 6-1
* Frequency deviations of up to +/-2.5% are accepted and all deviations greater than +/-3.5% are rejected
* DTMF tones greater than 50 ms are accepted
* Interdigit timing is greater than 40 ms and less than seven seconds are accepted
* Signal strength per frequency of -20 to 0 dBm are accepted

5. Voice Message Output:
* Average voice level is -13 dBm
* Voice frequency range is 200 to 3,000 Hz

No Test Trunk Interface
1. Tip and Ring Parameters in Idle Mode:
* Resistance is greater than 20M ohms
2. Tip and Ring Parameters in Active Mode:
* Resistance is 100 to 180 ohms at 20 - 90 mA
* Maximum DC current is 90 mA
* Typical AC impedance, at 1 kHz, is 660 ohms
3. MF Output Parameters:
* Each outgoing dual-tone sinusoidal signal is translated from one of the 12 character sets shown in Table 6-1
* Frequency deviation is less than +/-2%
* Signal strength per frequency is -5 to -15 dBm
* Digit duration is 70 ms
* Interdigital pause is 70 ms
4. Dial Pulse Addressing Parameters:
* Percent break is 60%
* Repetition rate is 10 pulses per second
* Interdigital time is 1,000 ms
5. Sleeve Current Parameters:
* Low current mode is 7 to 10 mA into 120 ohm sleeve
* High current mode is 50 to 70 mA into 120 ohm sleeve
* Maximum external sleeve loop resistance is 700 ohms

Test Function Parameters
1. Open test is greater than 20M ohms
2. Tip and ring shorted is less than 2 ohms
3. Tone Test:
* Frequency is 577 Hz
* Frequency error is less than +/-3%
4. Low-Level Tone Test:
* Typical signal strength, measured tip-to-ground or ring-to-ground:
* At the CO is -12 dBm +/-3 dBm
* At 18,000 cable feet from the CO is -19 dBm
5. High Level Tone Test (Differential):
* Tip-to-ring signal strength is +22 dBm +/-3 dBm
* Tip-to-ground or ring-to-ground signal strength is +17 dBm +/-3 dBm.

Tables and Other Assorted References

Table 6-1. DTMF and MF Decoding

Frequency Groups

Character DTMF MF
Set Low High Low High
1 697 1209 700 900
2 (ABC) 697 1336 700 1100
3 (DEF) 697 1477 900 1100
4 (GHI) 770 1209 700 1300
5 (JKL) 770 1336 900 1300
6 (MNO) 770 1477 1100 1300
7 (PRS) 852 1209 700 1500
8 (TUV) 852 1336 900 1500
9 (WXY) 852 1477 1100 1500
* 941 1209
0 941 1336 1300 1500
# 941 1477
KP 1100 1700
ST 1500 1700

Acronyms That You Are Too Stupid To Know

DATU - Direct Access Test Unit
HILARY - Guess :)
PGA - Pair Gain Applique
PGTC - Pair Gain Test Controller
RT - Remote Terminal
SLC - Subscriber Line Carrier (a pair gain system)

Index of Supplemental Files

figure1.gifDATU System Application Diagram
figure2-1.gif Connections for All Systems (Except: 5 ESS With Integrated SLC Only, DMS-10 and DMS-100)
figure2-2.gifSystem Connections for 5 ESS With Integrated SLC’s Only
figure2-3.gif DMS-100 MDF Connections
figure2-4.gif DATU-RT Card Pin Locations
table2-1.gif List of NTT Circuit Numbers
table2-2.gif LED Functions (kinda useless, but good info for SEing)
table4-1.gif DATU Line Access Main Menu

440hz.wav 440hz. The DATU dial tone.
614hz.wav Two beeps heard after initial audio monitor period ends.
badntt.wav A rare recording of a DATU reading a "Bad No Test Trunk." Thank you god, for creating the Greenwood Lake CO.
menu.wav The Main Menu.
prgain.wav DATU RT working through a SLC-96 and finding a multi party line. Listen carefully to hear Digital Matrix telling me that I should "go outside and get him some cake". Don't ask why.

*To get these files, go to the Phone Punx Files page:


SASS Test Number Access
by Lineside

SASS test numbers can be interesting to find and play with. If you've
ever heard of DATU's (Direct Access Test Unit) or have played with one, you'd
find that SASS numbers are very similar to them. (If you want to know more
about DATU's, read MMX's article in this issue.)

For comparison, here are the test functions of a DATU:

-Audio Monitor (busy, idle line, intercept)
-Short ring to ground (tip open)
-Ring Ground
-Short tip to ground (ring open)
-High level tone on tip and ring
-High level tone on ring (tip grounded)
-High level tone on tip (ring grounded)
-Low level tone
-Open line
-Short line
-Permanent signal release
(taken from NPA DATU text)

When calling a SASS number, instead of having to directly enter a security
code it will first of all respond with an ANAC (meaning it gives you the number you
are calling from.) It will do so twice. The time during the second ANAC is when you
enter your 4-digit security code (BellSouth seems to love using 1111 and 1122 for a
lot of their stuff, including their SASS and DATU). After doing so, you get to the menu.

The menu consists of the following functions and tests which you select using different DTMF keys:

4- Busy line verification (for deluxe call waiting/ memory call)
5- A DTMF keypad test
6- Number identification
7- Ringback test
8- Transmission measurement tests:

1- Single tone: choose between 03(304Hz) and 32 (3204Hz)
3- Three tone slope (400Hz,1004Hz, 2804Hz)
5- Quiet termination
6- Milliwatt tone
7- Tone sweep: choose start and end tone between 03(304Hz) to 32 (3204Hz). For a full tone sweep you enter *
8- Number identification sweep: 1200HZ- 2200HZ (for caller id)
9- Data sweep (900Hz- 2800Hz)
0- 10 tone slope (304Hz- 3204Hz)
*- return to main menu

Instead of forcing a disconnect with ## as you would with a DATU, after using the SASS you can just hangup.

SASS functions such as the ANAC, ringback and DTMF test (for finding out those stored #'s in butt-sets???) can be pretty useful. As for finding SASS numbers in your area, the telco may or may not have a designated or often used prefix.

In my area the DATU and SASS numbers seem to be pretty mixed up and spread out while regular test numbers such as ANAC usually share their prefix with lots of other interesting telco numbers. Again, this could be different in your area.

If you have any questions, especially if you are in the south-east area, please contact me with any questions or comments.

Visit Lineside's Telecom Site:


An Intro to Paging Networks and POCSAG/FLEX interception
by Black Axe

Pagers are very, very common nowadays. Coverage is widespread and cheap, and the technology is accepted and understood by most. Ever wonder, though, what happens on these paging networks? Ever wonder what kind of traffic comes across those pager frequencies? Ever listen to your scanner on a pager frequency in frustration, hearing the data stream across that you just can't interpret? Want to tap your radio, get a decoding program, and see what you've been missing?

Before I begin, let's cover just exactly how those precious few digits make it from the caller's keypad to the display of the pager in question (or, perhaps, your monitor). Let's look at this in the perspective of a drug dealer with a pager (Joe), and a confused old lady paging him (Ethel).

First, Ethel picks up her phone, and dials Joe's pager number (555-1234). Ethel hears the message "type in your phone # and hit #, so she complies and enters 555-6969#, and then hangs up.

Here's where the fun starts. This is all dependent on the coverage area of the pager. The paging company receives the page from Ethel, and looks up the capcode of the pager it is to be sent to. A capcode is somewhat akin to an ESN on a cellphone; it identifies each specific pager on a given frequency. The paging company will then send the data up to a satellite (usually), where it is rebroadcasted to all towers that serve that particular paging network. Remember last year, when everyone's pagers stopped working for a few days? It was the satellite that we are now discussing that went out of orbit. The paging towers then transmit the page in all locations that Joe's pager is serviceable in. In this case, let's say that Joe's pager has a coverage area that consists of a chunk of the East Coast, going from Boston down to Washington DC, and out to Philadelphia. The page intended for Joe is transmitted all throughout that region. Since a pager is a one-way device, the network has no idea as to where the pager is, what it's doing, etc., so it just transmits each page all over the coverage area, every time. "So?", you may say, "what's that do for me?" Well, it means two different things: first, that pagers can be cloned with no fear of detection, because the network just sends out the pages, and any pager with that code on that frequency will beep and receive the data. Second, it means that one can monitor pagers that are not based in their area. Based on the example of Joe's pager, Joe might have bought his pager in New York City. He also could live there. However, because the data is transmitted all over the coverage area, monitoring systems in Boston, Washington DC, and Philadelphia could all intercept Joe's pages in real time. Many paging customers are unaware of their paging coverage areas, and usually do not denote the NPA (area code) from which the page is being received. This can cause problems for the monitoring individual, who must always remember that 7-digit pages shown on the decoder display are not necessarily for their own NPA.

The Pager Decoding Setup

Paging networks aren't encrypted. They all transmit data in the clear, generally in one of two formats. The older format is POCSAG; which stands for Post Office Code Standards Advisory Group. POCSAG is easily identified by two separate tones, and then a burst of data. POCSAG is fairly easy to decode. FLEX, on the other hand, is a bit more difficult, but not impossible. FLEX signals have only a single tone preceding the data burst. Here's how to take those annoying signals out of your scanner and onto your monitor. You will need:

1. A scanner or other receiver with a discriminator output. Info on this mod is available on the net and it's fairly easy to perform. This will enable you to get a clean audio signal out of the scanner, as opposed to the amplified crap out of the speaker or headphone jack.

2. A computer.

3. You will need a Soundblaster compatible soundcard. This will let you snag POCSAG traffic. Or, you can build a data slicer and decode FLEX traffic too. Or you can be lazy and buy one from Texas 2-Way for about $80 or so. The Soundblaster method will obviously tie up your computer decoding pages. Using the slicer will let you run decoders on an old DOS box and will let you use your better computer for more important stuff.

4. Antennas, cabling, etc. You will need an RCA cable (preferably shielded) to take the discriminator output either into the soundcard or into the slicer. If using a slicer, you will also need the cable to connect your slicer to your computer. As far as antennas go, pager signals are VERY strong, so you won't need much of an antenna, I generally use a rubber ducky with a right angle adapter, attached right to the back of the radio, works fine. The signals are so damned strong that you might even be able to get away with a paper clip shoved into the antenna jack.

Hook all of this stuff together, it should be obvious as to how it is assembled. Tune yourself a nice, strong (they're all strong, really) paging signal. Where are they? Well, the vast majority of numeric pagers are crystalled between 929 and 932mHz; try there. Or if you want to try decoding some alphanumeric pagers, try 158.1mHz. Now, what about software, you say? That is where things start to get kinda hairy. See, Motorola developed most of this stuff, and holds licenses to it. Any software that decodes POCSAG is some sort of copyright violation or something or other, hell, I don't know. So one day, the morons at Mot decided that they didn't want that software floating around. So they looked up everyone who had copies posted on the Web and told em that if they didn't knock it off, it was court time. The threatened webmasters removed the offending copies, fearing a lawsuit from the well-heeled Motorola with their gangs of lawyers. Ouch. After this, our good friends from the United States Secret Service arrested Bill Cheek and Keith Knipschild for messing around with decoding hardware and software - the SS appeared to want to make data slicers illegal. Of course, these arrests were ridiculous, but nobody wanted to get busted, so the vast majority of resources on American websites disappeared. Checking around English or German sites may yield some interesting results.

Now you're ready. Fire up the software. Get that receiver on a nice, hot frequency. Look at all of the pages streaming across the network. Give it a few hours. Getting bored yet? Okay, now that you have a functional decoding setup, let's make use of it. Know someone's pager that you want to monitor? Here's how to snag em. First you need the frequency; it's usually inscribed on the back of the pager. Also, you can try to determine what paging company they use and then social engineer the freq out of the company. also has a search function where you can locate all of the paging transmitters (and freqs) in your area, listed by who owns em. Not bad. So you have the frequency, now what? Well, wait until you have to actually talk to this person. Get your setup cranking on the frequency that this person's pager is using. Now, page him. Pay close attention to the data coming across the network. See your phone number there? See the capcode that your phone number is addressed to? That's it. Some better decoding programs have provisions to log every single page to a certain capcode to a logfile, this is a good thing. Get a data slicer, set everything up on a dedicated 486, and have fun gathering data.


Satellite Systems: Reception
by Black Axe

Ever look up at the sky, and wonder what's up there? Ever watch someone's satellite TV and wonder, "gee, maybe if I turned the dial and swung the dish around a bit, I could see what else is up there.."? Hopefully, this article can help inform the reader about the most common and easily intercepted forms of satellite communication.

Before we begin, there are a few important concepts, that we must cover. If you know anything about satellites, this part should bore you. All satellites orbit the earth. Some of those satellites orbiting the earth are put into such an orbit that they appear motionless to an earth-based station; in layman's terms, they don't go anywhere. These types of satellites are referred to as geosynchronous. Other satellites will orbit the earth. Because they move in perspective to the earth-based observer, that observer must keep track of where exactly the satellite is at any given time (usually for purposes of antenna calibration). Keplerian Elements, readily available for most (non-spy) satellites, can be entered into a variety of different freeware, shareware, and commercial programs to track the satellites. Some programs can even orient your antennas or dishes for you, to get the best possible signal as the satellite moves across the horizon.

These topics having been covered, let us delve deeper into what our dishes and antennas can fish out of the cosmos.

-Amateur Radio Satellites

One of the easiest types of signals to receive from space is from amateur (Ham) satellites. Most amateur satellites use uplinks and downlinks in the VHF and UHF bands, making antenna requirements easy to fulfill. Most of the time, a properly oriented telescoping whip is all that is needed. Operating modes vary; CW (Morse code) is often used. Other operating modes include SSB (Single Sideband), various digital modes, and FM voice (specifically, the AO-29 satellite). The interesting part about amateur satellites is that not only does one have the ability to listen in, but also the ability to use these satellites for their own communications. Some digital satellites even house entire BBS systems.


One can also communicate with the Russian space station, MIR, and (at certain times) the American Space Shuttle (SAREX). Cosmonauts aboard the space station MIR operate voice and a packet (digital) system onboard in the 144-mHz amateur band. The American Space Shuttle's SAREX (Space Amateur Radio Experiment) is a more clandestine operation, consisting of a handheld radio and a window-mounted antenna. FM voice is used on a number of different frequencies in the 144mHz band. Amateur radio operators are EXTREMELY competitive in making a SAREX contact, usually just for the nice postcard (QSL) that NASA sends.


Now we delve into more of a "grey area" of satellite monitoring. The Inmarsat system consists of four geosynchronous satellites serving the entire surface of the Earth with satellite telephone service. Ridiculously expensive, Inmarsat service is generally only used by well-funded people and organizations. Some Inmarsat traffic is digital. However, there is still an abundance of voice traffic to be intercepted. Transmission mode is companded FM, meaning that signal strength varies with the noise level (used to conserve power consumption); set your squelch accordingly. To intercept Inmarsat traffic, a receiver capable of covering 1500mHz is required, along with a dish and a directional antenna (Yagi). Orient the Yagi (tuned for the band) towards the dish, and affix it to the dish's LNB. Find the satellites in the sky (this will be left as an exercise for the reader); tune the receiver to 1537mHz to find a constant signal transmitted by the satellites. Modulation mode is Narrow FM; steps of 25kHz. Have a tape recorder ready; you never know what you'll hear.


TVRO stands for TeleVision Receive Only. Basically, it is what is known as satellite TV. Although many pay services are common nowadays, it is still possible to intercept a great deal of analog video traffic from TVRO satellites. Basically, what is required is a TV (of course), a satellite receiver, a dish with an LNB (Low Noise Block converter), and rotors to spin the dish around. What's out there, you say? Of course, there's regular network TV, and many other less-common broadcast services. By far, the most interesting part of TVRO is "wild feeds", that is, live video being transmitted from various locations to broadcast studios. For example, during the conflict at Waco, there were four live and uncensored feeds coming out of Waco, 24 hours a day. You'll get to see all the blood and guts that are edited out of the network broadcast, along with reporters you'll recognize very well bitching before a broadcast, smoking a quick cigarette, etc. The world of TVRO is vast and ready for exploration.


The elusive Project Angel
by Mohawk

I first talked about Project Angel in OCPP Issue 3. I was really interested in this revolutionary technology that planned to totally bypass Bell's switches and offer better service at a cheaper price. Not only would this make local competition interesting but this had some very unique implications for the phreaking scene. How would this change the phreaking scene? I couldn't wait for the consumer rollout to see all the new phreaking exploits that were spawned from Project Angel. Two years after Issue 3, I'm still waiting and information about what happened to Project Angel is very scarce. Some of you are probably hearing about this for the first time. This is probably the most complete article you'll find on this topic. There so many different stories as to what's going on it's hard to separate fact from fiction. I had to piece this story together with facts that are spread out in various mediums over a period of several years. If you have any new information, I screwed up on something, or left something out, please email me.

I've been researching project angel for about three years now and it first came into the public eye in early 1997. However, this technology has been in the works for most of the 90's. In early 1993, McCaw Cellular Communications tested a technology known internally as "Project Dino". This wireless local loop technology eventually turned into Project Angel. AT&T bought out McCaw later that year and it becomes part of AT&T's Wireless Services. At the end of 1994 AT&T bid on 10-MHz wireless licenses in FCC auctions. For about an entire year things got quiet again. In early 1996 AT&T sought local telephone certification in all 50 states after the Telecommunications Act of 1996. The ironic thing here is that AT&T is seeking to break into the local telephone monopoly that's held by the baby bells who were all once part of AT&T's telecommunications monopoly that was broken up in 1984. And to do that they have to come up with a new technology.

On February 25th 1997, John Walters reveals Project Angel to the world at the NARUC gathering (see OCPP 3 for his speech). News releases detail how this new technology will work. Central Offices will be replaced be Digital Switching Systems that are outfitted with fiber optic cable. Blocks of 2000 homes are grouped together and share one antenna. Each house will have a pizzabox sized radio transceiver box on the roof that will connect it with the DSS by converting voice and data transmission into digital information and sending it through the air over the 10-MHz radio spectrum to an antenna and then on to the DSS. Each home will get four phonelines and one 128 kb/s data line. AT&T claims that this new technology will provide quality and security at a cheap price. Beta testing is announced for Chicago in the summer of 97 and a full consumer roll out in 1999. The media has a frenzy with all this information and some people predict the end of CO's if everything goes right. This sounds really cool huh? Four phone lines, a fast data connection, a cool new technology to play with, and cheaper then the typical babybell service. Things looked like they were gonna get very interesting.

Flash forward two years later. What the hell happened? It's almost impossible to find any news coverage as to the updates on angel. I'm not gonna bore you with corporate details about who went where but it's important to keep in mind that AT&T juggled around executives for the past couple years and each time a new person comes and go's the emphasis of the company shifts. The Chicago beta test didn't begin until December of 1997, months after it was supposed to take place. This was kept under raps by AT&T for the most part and for good reason. It turns out that the big beta test that would determine the public's opinion of Project Angel was only given out to a few customers (between 5 and 10, an exact number wasn't determined). However, AT&T did say that it was pleased with the Chicago test and the some of the people working on it wore shirts that said "we deliver" which was in reference to the boxes on the houses looking like pizza boxes. A lot of people in the industry saw this as a failure due to the lack of information about the Chicago trial.

In early 1998 AT&T acquired Teleport Communications and most people thought that this signaled the end of Project Angel because Teleport was a local telephone company and this would give AT&T all they needed for local competition. AT&T announced that PA was alive and that it isn't dead and that Teleport would assist with the project. However, at the same time Project Angel shifted from a "Babybell monopoly killer" to just one of the options that AT&T can use to enter the local market. Many people left the project because they felt that they needed to get out why they could. I talked to several people who were involved with the project and they said that the cost of a roll out alone was far higher then originally expected and it was not profitable and therefore had no future. Cost has been an issue since John Walters speech. It was ordered that the cost must be drastically reduced.

For a while, the was just no news on Angel but in May 1999 things were looking up again for this ill-fated technology. The company announced that it would begin testing in Dallas Texas and that it has been testing it out with employees for months. The tests would be free to certain customers and then it will be tested with paying customers this summer. The company reduced it costs from $1149 per customer to $750 still short of the under $500 target that most analysts see as the minimum competitive price. At the same time, AT&T announced that is has started voice over cable service with paying customers in Fremont, California.

And that brings us to now and is spurs the question, What's the future of Project Angel? I just don't see Project Angel becoming this huge thing that just shuts down CO's across the US. AT&T's main emphasis has been on cable and they will most likely use Angel or a version of it to reach it's customers where cable can't. I've heard some rumors that a similar technology is being developed by other companies for the US and Asia. Companies are looking into merging cable, phone, and internet access and becoming your one stop shop for these services. If Angel becomes part of this convergence or just gets filed under the spoke to soon pile remains to be seen. Of course, we'll bring you updates when and IF they come.


Zine Writing Suggestions
by the Phone Punx Staff

Remember a few years ago when having your own group was the k-rad thing to do? How about when your own domain was a sign that you were 31337? Well the new underground status symbol appears to be having your own h/p zine. Sit down, shoot your mouth off, insert some info from a coffee stained printout you found at the CO and you're ready to rock. Simple, no? After watching a host of start-up zines start up and then fall on their faces, the staff here at Phone Punx has decided to lay a little of our hard-earned zine production wisdom out for all of you considering your own publication.

Don't even THINK of releasing your first issue until you have enough material for your first 3 issues. There are few things more sad than seeing a new zine release one issue and then cop out.

Don't try and run the whole thing yourself. We have 2 editors and a handful of stupidly hard working writers who still struggle to meet deadlines.

Proof-read all issues. They call you an 'editor' for a reason.

Spellcheck!!! Nothing looks worse than glaring typos.

Don't include IRC logs. We don't care how cleverly you tormented that poor bastard on #rock. Same goes for prank call logs.

Ask yourself: do you think your readers REALLY care what you thought of a con or what you did there? And if you do put some con reviews and the like in an issue, don't make it the ENTIRE issue.

Keep the fancy graphics to a minimum. Most zine readers aren't astounded by your command of Photoshop nor do they have cable modems to download your graphics with.

Try and act like an adult. A lot of curse words, 31337 spelling, etc. just make you look childish and people will take you less seriously.

We've all seen that same damn list of telco acronyms. Don't publish it again.

Are you planning on including a schematic in your zine? Include it as a graphic, not an ASCII. Circuit diagrams get all kinds of screwed up when they're put up in ASCII pictures.

Sacrifice release dates for completeness. Having an intro and 2 articles every month is nothing compared to a quarterly with lots of good info in it.

Set up a mailing list for readers and a separate one for your staff. Keep your readers informed with releases of new issues and other updates. As for the staff list, keeping them informed as to what's going on will make them feel more involved and in return you'll get a better product. Also, you and your staff can kick ideas back and forth and learn a thing or two from each other.

If you reprint a manual make sure you label it as such. Plagiarizing a manual and passing it off as yours won't really impress people. You'll look pretty damn stupid and even more so when somebody asks you to elaborate on something you "wrote" and you have no clue what you're talking about.

Think long and hard about printing numbers. The fastest way to kill a number is to print it where anyone with an Internet connection can get the number and abuse the hell out of it.

If you want to write an editorial don't just bitch about something. Provide reasons for your opinion and how to fix the problem.

Don't publish an enemies list. Prank calls to random people only amuse the simple minded.

If you post archives of old textfiles, try not to make a huge list of them. A handful of GOOD files, along with a few comments on why you selected them is a better idea.

Be prepared to go the distance. Most people quit zines because of a lack of readership/support and because they can't handle everything else that goes along with writing a quality zine. There is a lot to deal with when writing a zine. If your zine does become the new authority of the H/P zine, are you prepared to handle that responsibility? Also, you shouldn't expect everyone to just worship you from the start. There are so many zines that come and go within an issue or two that not too many people really care. You might have to release several issues before anyone notices you. Now I know your thinking, "what about zine XXXXX that got really huge from issue 1 and they really sucked". Well you have to look at who is backing them. Some zines are backed by groups that have a well known reputation and have a loyal fan base. If a higher up from that group proclaims that some crappy zine is the best thing ever, then so it will be without a second thought. Of course there are a few zines that are good right from the start, but they are far and few.

Last and probably most important, ask yourself why you're doing this in the first place. Most of us with PPM do this because we feel what we are doing is both needed and wanted. In my opinion, writing a zine for just the hell of it, to be k-rad, or just because it's the cool thing to do at the moment is just wrong. However, writing for a zine to get chics is totally acceptable.


Cyberpunk Culture
by Mohawk

I have changed the Cyber Culture section to the Cyberpunk culture section. This will also take the place of the news section. There are plenty of places these days to get the latest news on hackers and Net issues. So I am going to cover various issues that interest and effect those involved in the H/P community. My main focus is going to be on issues that aren't really talked about. Because of this, I'm gonna be playing the Devil's Advocate with some of these issues so that way it sparks your interest and gets you thinking.

-Cyber Speak Candy

It was bound to happen, Computer-related candy. Made by Necco (, they are floppy disk shaped candy that have computer sayings like "Let's Chat", "Email Me", and my reason for writing this article, "Cyber Punk". Cool huh? They're similar to candy hearts that they sell for Valentines day. Candy for nerds and hackers. Kick ass. Actually no. You know those candy wafers that no one ever eats and they just sit in the store for years on end? Well that's what there made out of. They taste pretty bad. They should of at least made them taste like Valentine's Day hearts, they taste a little better. But you should get them though. You could tile your wall with crazy computer sayings. The box is kinda cool looking too. Let's hope the next kind of computer-related candy that comes out actually tastes good.

-Review of "Pirates of Silicon Valley"

The made for TV movie "Pirates of Silicon Valley" recently debuted on TNT to some great reviews. The movie which is based on a true story follows the story of Bill Gates, founder of Microsoft and Steve Jobs, founder of Apple Computer and how they started out. Their lives parallel and they eventually cross paths. This is one of the first movies about computers that doesn't involve dramatic plots about hackers or the government. And the surprising fact is that it is a very good movie. Who ever though that a movie about a couple nerds starting computer companies and screwing people over would make a good movie without any crazy plot twists? I love the movie, just can't watch it enough. However, not everyone in the H/P community shares my opinion. I saw a lot of negative comments about the movies, saying that the movie wasn't true and that they don't like Gates to begin with, etc. First of all, this was "based on a true story", it's not a documentary. The producers took dramatic license on various points in the story. This is where they take a story and change things to make it more dramatic. The general public is gonna get bored out of their mind watching a documentary about Apple and Microsoft. These people should win an award for making the movie interesting. You should also try to put aside your opinions about Jobs and Gates and just enjoy the movie. If it bothers you that much, pretend like it's a complete fiction and just try to enjoy it. Hopefully we'll see more movies about computer-related stories.

- 7-11: the 24-hour hacker target

Next month the roll out for 7-11's technological make over will be finished. They are just one of the latest stores joining the move to get computerized. 7-11 is the largest convenience-store chain but each store only makes a little over a million a year. Because of this information technology has never been a major concern but computer costs are down and the move will increase sales in the long run.

The new system will improve inventory management, sales data, and it position with suppliers. The system includes new software and hardware for each stores checkout counter and back office. At the checkout counter they'll have a scanner and touch screen driver system running DOS on NCR Corps. 7450 and 7453 PC cash registers. Clerk will use wireless handhelds to receive guidance about what product belongs where and it will also aid in ordering products. In the back office, applications for data reporting and analysis, pricing, accounting, and other store functions on Windows NT. The servers which are connected via ISDN are 233-MHz Intel Pentium II machines also from NCR.

At the corporate headquarters, they run a massive Oracle Corp. data warehouse on Hewlett-Packard Unix Servers. I don't know what kind of security they run but it's probably something like disabling certain functions. That's usually the norm in small stores running NT. All of this technology present a huge target for hackers. Many hackers work at convenience stores some time in their hacking lives and employees are often left alone in the store. The store managers are usually clueless about computers and they probably won't consider hacker employees. Add that in with the fact that a majority of computer attacks come from disgruntled employees and convenience stores are full of them. Also, the newly released Back Orifice 2000 adds one more security issue in the mix. All together, this presents a prime opportunity for hackers to really screw up 7-11. With over 95,000 stores I expect we'll be hearing about some interesting 7-11 computer hacks.

-Review of ZDTV's Defcon Coverage

ZDTV, the 24-hour computer channel advertised extensive coverage of DefCon for more then a week before the start of the con. I didn't go to DefCon so I though I'd get to see what was goin on. They local news and CNN usually has poor coverage where the bash hackers for thirty seconds. My Internet connection sucks so I couldn't watch it over the net. Well I watched ZDTV all weekend, waiting for that Defcon coverage they advertised so much. I told a lot of people about it and they too were waiting. They barely even mentioned DefCon until late Sunday. Then they had a five part story about Defcon throughout the week and Silicon Spin also talked about it. However, most of their coverage was focused on just BO2K. They should of showed more of the con and everything that went on. They did show a small part of spot the fed and they interviewed a couple people such as Dildog, Wels Pond, Count Zero, and Gail Thackery. The way they did it though, it seemed that BO2K was the whole thing. They should of had a best of DefCon show or something similar to demystify the con to the general public. I was kinda pissed that they advertised coverage all weekend starting on Friday and they barely said anything until Sunday. I try to be a nice guy and not judge people by their looks but I saw a couple nasty people at DefCon from the coverage they do show. Ok, so not everyone is the coolest looking person in the world, I understand but I wonder if some of you people even own a friggin mirror. I'm talking about straight out of "Revenge of the Nerds". Stop having your mother dress you. Anyway, sorry about that. Someone has to do it.

Despite all of this, ZDTV is still a great channel. Hell, there the only computer channel, that I get anyway, and I hope they learn how to handle things better in the future. One thing I like is that they let both sides talk, they let the hackers give their side, and they let the people against it give theirs. However, I have to take issue with hackers and the media. The message needs to get out more that not all hackers are evil and that were as diverse as any other culture. If anyone reading this ever gets on camera, try to slip that in there somewhere. In my opinion, getting this message out should be top priority and not a program but maybe that's just me.

-Free Internet Access & it's problems

It seems that everything will eventually wind up being free as long as you sit through advertisements to get at it. The latest free service is Internet Access. However, this brings about a range of issues.

Alta Vista will start offering free net access starting in September. All they ask in return is that you view ads and enter information about yourself. They can then sell that information to direct marketers. When something like this happens with the Internet, more companies will come out with their own free access. Banks and department stores will be the one of the first companies to join the bandwagon. Of course their ads will be geared towards them. They'll be handing out free CD based login software at the stores when you buy something. They will also be able to track what websites you visit and for how long.

While this may seem like a good idea to some, there are just so many issues that this raises. Cost is a major factor. How are they going to handle the insane amount of people? It turns out that they still don't really know. Remember when AOL switched to $20 a month for unlimited use? It was crazy. You were lucky if you could even get a busy signal. All the calls practically shut down a switch by me. A Bell tech I talked to said He never saw anything like it in his life. If it's even halfway decent access, a lot of people will want to use it even if it's just for screwing around.

Some people will also be concerned with privacy. I've heard this concern about other free services. If you're that freaked out about it, then don't do anything "sensitive" when your on it.

Another major concern is hackers. This is take anywhere, anonymous access. We've all free had access through one way or another, whether it be the library or hacking into someone's account. However, the difference with this is it "could" be completely untraceable. How will they know if you enter in the wrong information? Having someone enter in a credit card would cut down on this but you that would be strange since it's free. Besides, this would cut out a lot of people. I haven't heard a thing about security with free net access. Since it hasn't been raised yet, it's probably not a big concern to Alta Vista. Therefore, they probably have no security measures. Spammers would also have a field day with this. They'll have to come up with a way to verify your information.

Another issue is how will a flood of new people effect the net. Other ISPs will have to lower their prices and improve service to stay competitive. Could certain websites handle so much extra traffic? We've seen plenty of examples in the past of websites shutting down because they couldn't handle everyone.

There are other issues that could be raised but the main concern with you should be security issues. There going to have a hard time keeping up with the cost of all the people that want the service so I doubt that they spent more then 5 cents on security. Besides, I doubt anyone would use this service for anything bad anyway.



We will print your letters. If you would like to make a comment, ask a question, or whatever, send them in and we will publish them. If you don't want your letter published, just let us know. All email address will not be published unless you tell us otherwise.

From JD

Hey ,
I was just on your interesting and eye opening web site and I was wondering if you have any information on spanish phone lines or could put me in touch with someone who would know about them,
thanx in advance

>Try to get in touch with phreaks in the UK and Germany, they might have info on the rest of Europe.

From: Mark

hi there.what is the best newsgroup to find out about phreaks,cards, emulators etc, etc???
many thanks

>Well the best NG for phreaking is alt.phreaking of course. However, keep cards, emulators, etc. out of there. You'll have to find that info elsewhere.

From: Spcbytch


>Hooked on Phonics, get it, please. If you want boxes try a search engine. There is so much more to phreaking then just boxes, I suggest you forget about them. At least explore the other areas of phreaking. There is so much out there but everyone is concerned with boxes that stopped working years ago.

From: hevnsnit

Hey, I am holding a Who's got the worlds best beige contest going, and I was wondering if I could get a link to it, or any kind of other help with it.. Basically I just want to spread the word..

>Done, mentioned in the newsletter and right here. If anyone has anything else like this that they'd like to promote, feel free to send it over.

From: Port Error

Hey whatz up, im a local NJ phreaker/hacker, i'm from south jersey, cherry hill area, thats all ill say, i'm pretty happy to see...someone has taken charge of the NJ h/p peeps...I was just wondering if yah would exept any articals i have written about certain systems i have worked w/ and certain hardware like cisco routers. I can just say one thing from experience, if yah ever go beige boxin, were gloves, and never ever ever, put your finger on the metal part of the aligator clips when yah hook it up to a TNI or get zaped...haha....but that was when i was learnin, but anywayz, i gtg, email me back w/ some information, thanxs

>You could send us your articles, but please word them better then you did your letter. We haven't taken charge of any "peeps". I use to get them around Easter time but I would just chuck em. I'm not much of a marshmallow person. We don't have much to do with NJ anymore really. Most of us don't even live there. Touching metal while hooking it up to another piece of metal that is hooked up to electricity is never a good idea.

From: Mercury Gear

A few questions for the OCPP:
A: Do u need anyone to write? Seems like a pretty cool mag.
B: Different parts of Jersey, eh? Got any members located in the
Woodbury (Glassboro Township) area? We need phreaks here! There are aprroximately 1.5 (besides myself) that I know of.Mmm, that's it.later

>We could always use more writers. We have a great staff now but the more writers we have, the more faster we could crank out issues. We're not really NJ based anymore, that was the OCPP. We're spread out all over the US.


Copyright 1999 Phone Punx Network. Feel free to distribute this issue however, do not modify this file in any way. All issues are free and are not allowed to be sold in any form. If you are selling issues you can only charge what it cost to reproduce them. Keep the information free. All works are owned by the PPN and/or the authors of the article. If you feel that you own the copyright to a work printed in this issue and have not given the permission of the author to republish it, please email us.