Copy Link
Add to Bookmark
Report
The Legion of Doom Technical Journal 05
The LOD Technical Journal: File #1 of 12
Volume 1, Issue 5 Released: June 18, 1993.
LOD TECHNICAL JOURNAL
---------------------
The Legion of Doom will long be remembered in the computer
underground as an innovative and pioneering force, that
consistently raised the collective level of knowledge and
provided many answers to questions ranging from the workings
of the telephone system to the structure of computer operating
systems.
5. At all times relevant herein, the Legion of Doom (LOD) was a closely
knit group of computer hackers involved in:
a. Disrupting telecommunications by entering
computerized telephone switches and changing the
routing on the circuits of the computerized
switches.
b. Stealing proprietary computer source code and
information from companies and individuals that
owned the code and information.
c. Stealing and modifying credit information on
individuals maintained in credit bureau computers.
d. Fraudulently obtaining money and property from
companies by altering the computerized information
used by the companies.
e. Disseminating information with respect to their
methods of attacking computers to other computer
hackers in an effort to avoid the focus of law
enforcement agencies and telecommunication security
experts.
- Indictment laid down by a US District Court
It wasn't the crimes they were committing, but the danger,
the potential hazard, the sheer technical power LoD had
accumulated, that had made the situation untenable.
- Bruce Sterling in The Hacker Crackdown
Its been over THREE whole years since we last put out a TJ! May, 20th 1990 to
be exact.
The LOD TJ, will publish any acceptable and original articles, technical
explanations, schematics or other files that deal with computer
security/insecurity, telecommunications, data networks, physical security,
credit, law enforcement, privacy, cryptology, restricted information,
editorial commentary and other topics. To submit an article for publication
simply send it to us. Freelance writers are always sought after to provide
original articles for the TJ. Bigger is better as far as this Journal goes.
The more information, the more instruction and the more people can benefit
from it.
The LOD also seeks qualified members to fill its ranks. You must possess a
strong desire to both learn and teach. Those with an eleeet attitude need not
apply. LOD's former membership was a list of some of the brightest and most
capable individuals in the underground - names like Mark Tabas, The Mentor,
The Prophet and others. Take advantage of your opportunity to join the ranks
of the world's greatest underground group. Apply today.
What is particularly needed right now is someone in the publishing business
to publish all the TJ's on hard copy and make them available for mass sale.
Not just another "hacker book company" mind you, but one that will be able to
place the TJ in your common book store. As this will both give us legitimacy
and make it available to the average person and not just those with modems or
net.access. We expect to receive no profit from this so there is an added
bonus to any potential publishers. If you are a publisher or can get us in
contact with one that can undertake this, by all means contact us.
Reach us at:
Internet Email: tdc@zooid.guild.org
Mail:
LOD
P.O. Box 104
4700 Keele St.
North York, ON
M3J-1P3
Voice: +1-416-609-7017
The Legion of Doom is back to...
o Provide free education for the public in data and telecom networks,
operating systems and other aspects of technology. Through both our
Technical Journal and our new Legion of Doom Technical School.
o Turn hacking back into its former glory of technical understanding away
from its c0de abusing state today.
o Publish a high-quality Technical Journal available to all who are
interested completely free of charge.
o Give fellow hackers an organized group of similar minded individuals to
communicate and learn with.
Please be advised that we are still getting "back on our feet". So look for
much better journals and other things to come from us in the future. It will
take at least a couple years to get the Legion back to its former glory so
don't expect things to happen instantly. Hopefully these journals can come
out every couple of months, instead of our previous year odd gaps between
releases. But as finding and writing suitable articles is very difficult it
may be sometime before the next issue comes out. If this does happen, don't
assume we're dead. More journals will come out, it is only a question of
when.
For one reason or another the LOD has always been surrounded by an atmosphere
of mis-information, confusion and downright lies. Everyone has heard the
expression "don't believe everything you hear". This is especially true with
anything concerning the LOD. As a general rule if you didn't hear it in this
TJ, chances are its untrue or incorrect.
This TJ may be freely distributed on either hard or soft copy forms as long
as it has not been altered.
-----------------------------------------------------------------------------
TABLE OF CONTENTS:
Name of article or file Author Size
-----------------------------------------------------------------------------
01 Introduction to the LOD Technical Journal Staff 03K
and Table Of Contents for Volume 1, Issue 5
02 The Legion of Doom Technical School: Staff 08K
1993-1994 Program Calendar
03 Index to the LOD Technical Journals: Staff 06K
Issues 1-5
04 Communications Technology Unequal Access 24K
05 DMS-100 Maintenance Unequal Access 14K
06 Operator Service Position System (OSPS) The Enforcer 12K
07 Testing Operations Provisioning Administration Mystik Freak 09K
System (TOPAS)
08 International Switching Systems Mystik Freak 30K
09 Hacking GANDALF XMUXs Deicide 12K
10 TEMPEST Technology Grady Ward 13K
11 Presidential Security Argon 14K
12 Network News & Notes Staff 63K
Total: 12 files 208K
-----------------------------------------------------------------------------
Hope you find this Journal to be of some use to you it took a good deal of
time to put together. Remember that the mind is like a parachute. It only
works when open. Stand back, open your mind and get ready for an influx!
(>-------------------------------------------------------------------------<)
The LOD Technical Journal: File #2 of 12
1993-1994 PROGRAM CALENDAR
L
e
g
i
o
n
of
D
o
o
m
TECHNICAL SCHOOL
Rather than just educating everyone informally in the ways of computer and
telephone security and understanding, the LOD has decided to go all the way
with it. No longer are we just a hacking group. The LOD is now offering
formal courses the way any other accredited Technical School, College of
Applied Arts or University does.
Several Reasons lay behind this bold new decision...
o Educate people in skills that can be applied to today's job market.
o Give a general understanding in computers/telecom.
o Offer unique courses that other institutions don't offer.
o Instead of people wrongly claiming to be a "hacker" they can now become
one.
o Offer all those interested a chance to enrol.
o And to provide them free of charge.
Due to limited resources only the three courses we felt to be the most
important are being offered. They will be conducted on a "correspondence"
basis. It operates as follows. If you are seriously interested in enroling in
these courses, send us Email or snail mail with the completed application
form at the end of this calendar. That includes your name, address, phone
number, Internet address if applicable and a brief outline of your
educational and occupational background. Don't worry though all applicants
are accepted. We would however advise everyone that previous experience with
a computer is recommended. If sending snail mail be sure to provide a 8X11
size SASE for us to reply to you in. A course outline including a list of
required readings and assignment due dates will be mailed back to you. In the
outline will be full bibliographic information on the books and soft copy
materials you'll need for the course. It will work just like any other course
does just without the exams and tests as it would be impossible to adjudicate
them. However, because of this and to maintain the integrity of the LOD
Technical School papers will be marked sternly at post-secondary standards.
After you submit your paper to us an LOD member will mark it and return it to
you via snail or email with comments and a grade attached.
Now for the best part... You can take these LOD courses as "Courses at
another institution". Meaning that yes, in addition to getting your degree,
included in it can be LOD courses! ALL educational institutions have
provisions for courses to be taken at other institutions. Its a fairly simple
procedure. You go to your Office of Student Programmes/department/guidance
centre etc. and obtain a form for "taking a course at another institution".
Attach the course descriptions from this file and gain permission from the
director of your faculty/department/program/etc. and then you are set.
Providing you pass our courses with a high enough grade your institution will
accept the courses as part of your degree requirements. If your institution
has no equivalent courses, they can become "electives". Since you are usually
required to take up to 3 elective courses to obtain a degree why not do
something you enjoy? After all its more exciting than taking Early Italian
Literature as your elective. There is no need to worry about our "legitimacy"
as long as you obtain permission to take the course through the proper
procedure. An institution does not need any kind of formal designation though
the Department/Ministry of Education to provide a course. We are just another
one of the millions of institutions throughout the world that offer training
or formal courses. These courses can also be used to place you in "Advanced
Standing" if you aren't at school now but decide to in the future. Or just
for the sake of expanding your horizons/mind/abilities etc.
Because we have no set semester schedule, courses start at the first of every
month and run for five months. Starting 1 November 1993. Take them at your
own convenience. A maximum of one course may be taken at a time.
Here are the descriptions to the first 3 LOD Technical School Courses: (Full
outlines will accompany your enrolment starting 1 November 1993)
------------CUT HERE---------------------------------------------------------
TEL3440 0.5 Credits Telephony
With the rise of sophisticated technology telephony is becoming much more
complex. The entire telephone network from customer premises equipment to
switching systems will be covered. Recent trends such as ISDN, BISDN, fiber
optics and data networking will also be studied.
CSC3450 0.5 Credits Computer Security
With the rise of computers, securing them against criminal or malicious use
has become vital. Surprisingly little attention has been devoted to it
leaving many systems wide open to abuse. Covered in this course will be the
security of LANs, networks and various operating systems. Cryptology will be
examined as well.
HCK4100 0.5 Credits Intro to Hacking
Despite all the attention hackers have received, there is only a small core
of no more than a few hundred people in the world that have the skills to
actually hack. Starting with the basics of hacking it will guide you into
more advanced intrusion techniques with the more popular operating systems.
This course may be taken based on your own abilities, so master hacker or
just plain novice it will fit you. PSNs, Internets, basic hacking on popular
operating systems such as unix and vax will be covered along with other
operating systems and nets depending on your time/prior abilities.
------------CUT HERE---------------------------------------------------------
Career Opportunities
After passing our courses you will be able to supplement your job skills for
finding employment in any sector of the economy - Business, Industry or
Government that deals with computers/telecom.
Remember these are FREE courses. They have a retail value of around US $1,250
each if taken at a high-quality University in the US. Take advantage of this
opportunity to learn something you enjoy doing for FREE. The Legion of Doom
believes in disseminating knowledge so is offering these courses as a public
service to the world. Finally they are well worth your time. They are done in
highly organized with carefully selected readings and assignments. It would
take years of self-study to achieve what you can with these courses in just
a few months. And because we don't spout out loads of useless and academic
theory, math and equations like most institutions you'll learn far more here.
Since these are "correspondence" courses you must have a high degree of self-
discipline and motivation. If you lack these qualities don't waste your time
or ours by attempting them. They will take at least several hours of week on
your part, so if you can't put aside such time don't bother with them.
If you would like to take these courses send the enclosed application form
(either in email or snail mail) to the Legion of Doom Technical School at:
Internet: tdc@zooid.guild.org
Mail: LOD
P.O. Box 104
4700 Keele St.
M3J-1P3
-------------CUT HERE--------------------------------------------------------
LOD Technical School Application Form
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
Note: The start date for these courses is 1 November, 1993. They are 5 months
in duration. Right now applications are only being taken for the 1 November
start date. You may take a maximum of one course at a time.
PERSONAL DATA
(If any of this is left blank, your application will be rejected)
Course you wish to sign up for:
Surname:
Given Name:
Daytime Phone Number (include NPA):
Office Phone Number w/Ext.:
Internet Email address (leave blank if none):
Address:
Apartment #:
City/Town:
State/Province:
Postal/Zip Code:
Country:
SUPPLEMENTARY DATA
Describe your computer related skills and experience:
-
-
What operating systems are you fluent in?
-
Briefly describe your educational background:
-
-
-
-
-
Your occupational background:
-
-
-
-
-
Do you have the self-discipline, dedication and time to apply yourself here?
-
-
Please include any other information that you feel we should be aware of, or
any questions you may have:
-
-
-
-
-
-
-
-
-------------CUT HERE--------------------------------------------------------
Send the completed form to us at one of the above addresses.
-----------------------------------------------------------------------------
The LOD Technical Journal: File #3 of 12
%%%%%%%%%%%%%%
Legion of Doom
Technical Journal Index
Issues 1-5
%%%%%%%%%%
Name of article or file Author Size
----------------------------------------------------------------------------
Issue: 1 Released: Jan. 1, 1987
01 Introduction to the LOD/H Technical Journal Staff 04K
and Table Of Contents for Volume 1, Issue 1
02 Custom Local Area Signalling Services (CLASS) The Videosmith 17K
03 Identifying and Defeating Physical Security and Lex Luthor 23K
Intrusion Detection Systems Part I: The Perimeter
04 The Traffic Service Position System (TSPS) The Marauder 23K
05 Hacking DEC's TOPS-20: Intro Blue Archer 19K
06 Building your own Blue Box (Includes Schematic) Jester Sluggo 16K
07 Intelligence and Interrogation Processes Master Of Impact 18K
08 The Outside Loop Distribution Plant: Part A Phucked Agent 04 25K
09 The Outside Loop Distribution Plant: Part B Phucked Agent 04 23K
10 LOH Telenet Directory: Update #4 (1-1-87) Part A LOH 25K
11 LOH Telenet Directory: Update #4 (1-1-87) Part B LOH 18K
12 Network News & Notes Staff 10K
Total: 12 files 223 K
Issue: 2 Released: Aug. 10, 1987
01 Introduction to the LOD/H Technical Journal 04K
and Table of Contents for Volume 1, Issue 2
02 The Networked Unix Solid State 17K
03 Step By Step (SXS) Switching System Notes Phantom Phreaker 12K
04 A Guide to the PRIMOS Operating System Carrier Culprit 25K
05 Identifying and Defeating Physical Security and Lex Luthor 30K
Intrusion Detection Systems Part II: The Exterior
06 A Discrete Unix Password Hacker Shooting Shark 09K
07 Hacking DEC's TOPS-20: Part II Blue Archer 25K
08 Hacking IBM's VM/CMS Operating System, Part A. Lex Luthor 26K
09 Hacking IBM's VM/CMS Operating System, Part B. Lex Luthor 25K
10 Network News & Notes Staff 07K
Total: 7 articles, 10 files 180 K
Issue: 3 Released: October 21, 1988
01 Introduction to the LOD/H Technical Journal Staff 02K
and Table Of Contents for Volume 1, Issue 3
02 Understanding Automatic Message Accounting Part A Phantom Phreaker 22K
03 Understanding Auotmatic Message Accounting Part B Phantom Phreaker 25K
04 Update file: Shooting Shark's UNIX password hacker Shooting Shark 03K
05 An Introduction to Teradyne's 4TEL System Doom Prophet 12K
06 A Cellular Automaton Encryption System The Mentor 29K
07 Hacking the IRIS Operating System The Leftist 13K
08 A Guide to Coin Control Systems Phase Jitter 08K
09 A UNIX password hacker from USENET ------------- 16K
10 Reprint News Article: 'LOD BUST MYTH' -------------- 13K
11 Network News & Notes The Mentor 30K
Total: 6 articles, 11 files 173 K
Issue: 4 Released: May 20, 1990
01 Introduction to the LOD/H Technical Journal Staff 04K
and Table Of Contents for Issue #4
02 The AT&T BILLDATS Collector System Rogue Fed 14K
03 The RADAR Guidebook Professor Falken 17K
04 Central Office Operations Agent Steal 32K
05 A Hackers Guide to UUCP The Mentor 27K
06 The History Of LOD/H Lex Luthor 12K
07 The Trasher's Handbook to BMOSS Spherical Abberation 11K
08 The LOD/H Telenet Directory Update #4 Part A Erik Bloodaxe 65K
09 The LOD/H Telenet Directory Update #4 Part B Erik Bloodaxe 43K
10 Network News and Notes Staff 38K
Total: 7 Articles 10 Files 263K
Issue: 5 Released: June 18, 1993
01 Introduction to the LOD Technical Journal Staff 03K
and Table of Contents for Volume 1, Issue #5
02 The Legion of Doom Technical School: Staff 08K
1993-1994 Program Calendar
03 Index to the LOD Technical Journals: Staff 06K
04 Communications Technology Unequal Access 24K
05 DMS-100 Maintenance Unequal Access 14K
06 Operator Service Position System (OSPS) The Enforcer 12K
07 Testing Operations Provisioning Administration Mystik Freak 09K
System (TOPAS)
08 International Switching Systems Mystik Freak 30K
09 Hacking GANDALF XMUXs Deicide 12K
10 TEMPEST Technology Grady Ward 13K
11 Presidential Security Argon 14K
12 Network News & Notes Staff 63K
Total: 8 Articles 12 files 208K
These journals may be found at ftp.eff.org in the pub/cud/lod directory and
on many other sites. Look for a full list in the next TJ. If your board or
site would like to carry these TJs to aid in distribution let us know.
----------------------------------------------------------------------------
The LOD Technical Journal: File #4 of 12
=--=--=--=--=--=--=--=--=
Communications Technology
(tm) Unequal Access
LOD
June 1993
The title of this article is that of communications technology. Not data
communications or telephony but communications. The two have for all
practical purposes become one in the same. Voice communications, wireless
communication services etc. are now being transmitted by digital means. What
was once a simple matter of drawing a line between the two is no more the
case.
This convergence together with new technologies radically changes the picture
of communications. Many former concepts and systems will be obsolete in a few
years.
To examine the future of communications i'll cover:
- ISDN and BISDN
- ATM
- SONET
- Service Net-2000
- Other developments
ISDN
=--=
A comprehensive description of ISDN would be to big to cram in here so a
brief definition and update on the status of ISDN will be given.
ISDN Defined
------------
ISDN is defined by the CCITT as:
...a network in general evolving from a telephony Integrated Digital Network
(IDN), that provides end-to-end digital connectivity to support a wide range
of services including voice and non-voice services, to which users have
access by a limited set of standard multi-purpose user network interfaces...
Basically ISDN is a network that carries voice and data over the same lines.
All services exist in digital form and can be switched by one network. Much
has been forecasted about how ISDN will change the world with interactive
television, home banking, employees conducting business at home, new services
etc. with AI systems controlling central databases.
Technically defined it provides a digital interface, usually with 2 channel
types - B channels for voice and data and D channels for signalling and
control. This gives a dedicated channel for the subscribers information and
one for control of the interface.
The fundamental building block of ISDN is its 64 kbps digital channels. With
two main interfaces - Basic Rate Interface (BRI) and Primary Rate Interface
(PRI). BRI handles small scale services such as subscriber lines and PRI
handles large scale services such as central databases. Each has both a D
channel and X number of B channels. BRI has 2B + D channels and PRI has 23B
+ D channels. Each B channel is 64 kbps and the D channel is 64 kbps for the
PRI and 16 kbps for the BRI. To plan for future increases 384 kbps has been
allotted to the H0 channel, 1336 kbps to the H11 channel and 1920 kbps to the
H12 channel.
Integration
-----------
ISDN will have one format, so various devices won't need their own dedicated
lines. One common interface will accommodate all applications. By having one
set of wires and protocols users won't need to bother with coaxial cables for
television, X.25 protocols for packet switched networks (PSNs), telex lines,
various leased lines etc.
Misconceptions
--------------
ISDN itself isn't going to provide anything. It is just the standard for
network interface. Anything new will depend upon the services offered on it.
The concept of digital switching is not a new one to begin with. Its been in
use since the mid 60's. The real "upheaval" with ISDN is that Ma Bell is no
longer going to provide just telephone calls but a whole range of services.
This list of services along with speed requirements and channel type was
taken from the IEEE.
Service Speed Required Channel
------- -------------- -------
Voice 8,16,32,64 kbps B
Alarms 10-100 bps D
Smoke
Fire
Police
Medical
Utility metering 0.1-1 kbps D
Energy Management 0.1-1 kbps D
Interactive information 4.8-64 kbps B
Electronic banking
Electronic yellow pages
Opinion polling
High quality audio ~300-700 kbps
Slow scan TV 56-64 kbps B
Compressed video ~30 Mbps
Compressed video conf. ~1.5 Mbps
Broadcast video ~100 Mbps
Switched video ~100 Mbps
Interactive video ~100 Mbps
Facsimile graphics 4.8-64 kbps B
CCS
---
Another vital part of ISDN is Common Channel Signalling (CCS). Which
separates signalling information from user data. Rather than being an older
form of in-band signalling where signals and data are on the same channel it
is out of band, where signals travel on different channels. This allows more
services and reduces circuit connection times. ISDN uses SS no.7 (SS7). The
initial version SS6 used analog trunks of 2400 bps, SS7 uses digital trunks
of 56/64 kbps.
Well, you've most likely asking yourself what this all means for our
underground activities. It will create a bonanza of new services and
opportunities all unified in one network. Just as data and voice
communications are merging so to will hacking, phreaking, cable fraud etc.
Because ISDN has yet to be implemented on a mass scale in North America its
not possible to say specifically how it may be abused. You should still be
prepared for its arrival by understanding its design and purpose though.
Many supplementary services have been approved for ISDN by the CCITT and more
are being approved right now:
Number Identification Services:
- Direct Dialing In (DDI)
- Multiple Subscriber Number (MSN) - Allows different numbers to ring at one
number.
- Calling Line Identification Presentation (CLIP) - (ANI)
- Calling Line Identification Restriction (CLIR) - blocks out an incoming
ISDN number.
- Connected Line Identification Presentation (CLOP)
- Connected Line Identification Restriction (COLR)
- Malicious Call Identification and Sub-Addressing (not yet defined by the
CCITT).
Call Offering Services:
- Call Transfer - Lets a call be transferred to a third party.
- Call Forwarding Busy (CFB)
- Call Forwarding No Reply (CFNR)
- Call Forwarding Unconditional (CFU)
- Call Deflection
Misc. Services:
- Private Numbering Plan
- Advice of Charge - Allows the caller to find out the cost of a call before,
during or after.
- Credit Card Calling and Reverse Charging
- User-to-User Signalling (UUS)
These supplementary services take advantage of SS7's full range of
capabilites.
ISDN Trials
-----------
Since ISDN provides the "digital pipe" and the subscriber selects services;
the network, circuits, trunks and customer premises equipment (CPE) are all
being tested. Most of the early ISDN trials were quite basic and were
intended only to prove the validity of ISDN concepts. The current status of
ISDN is with more complex testing and actual implementations. A brief summary
follows.
Location Organization Date Details
-------- ------------ ---- -------
Sweden Televerket/Ericsson 1981 Local network transmission
Wisconsin Wisconsin Bell/ 1985 Customer acceptance trials, mobile
Siemens unit
Munich/Berlin DBP/Various 1984 BIGFON, local wideband ISDN dist.
Tokyo NTT 1984 INS trial; 64/16/4/4, B/B/D/D access
Venice SIP/Ericsson 1984 I.412 access
London BT/Various 1985 IDA trial, commercial 64/8/8, B/B/D
access
Chicago Illinois Bell/AT&T 1986 I.412 access, fairly basic
Phoenix Mountain Bell/NT 1986 I.412, DMS-100, 3 customers
Phoenix Mountain Bell/GTE 1986 GTD5 EAX
Phoenix Mountain Bell/NEC 1986 Digital adjunct to 1A ESS
Portland PacBell/NT 1987 DMS-100, 32 kbps voice channels
Atlanta Southern Bell/AT&T 1987 5ESS
Boca Raton Southern Bell/ 1987 EWSD
Siemens
Ottawa Bell Canada/NT 1986 DMS-100, SS7 trials
Ottawa Bell Canada/NT 1987 DMS-100, basic and primary access
Belgium RTT/BTMC ? System 12, details unknown
Germany DBP/Siemens/SEL 1986 EWSD System 12, comprehensive
phased trials
France CNET 1987 E 10, MT25, "Renan" project
Florida Southern Bell/NT 1988 Fiber to home, POTS, ISDN, CATV
transport
US SWBT 1988 Internetwork 5ESS, DMS-100 and EWSD
US MCI 1989 Test with Meridian SL-1 and SL-100s
US Sprint 1990 All network switches support ISDN
US AT&T 1990 Complete conversion to SS7
US MCI 1990 Complete conversion to SS7
Australia Telecom Australia 1990 ISDN commercially available
Japan NTT 1990 ISDN in 200 cities
US SWBT 1991 Internetworking of SWBT and IECs,
ISDN and SS7
Brazil Telbras 1993 ISDN commercially available
UK BT 1993 PRI in place
Germany Deutsche Bundepost 1993 Nation wide ISDN, 3 million users
Telekom
Broadband ISDN (BISDN)
----------------------
Is designed to exploit ISDN's full broadband capabilities. With BISDN
everything from alarm monitoring to live action video broadcasts can be
handled. BISDN is designed to use optical transmissions and compress its data
up to 15 times by using more sophisticated terminal equipment. Thus BISDN can
handle video images which require refreshing 30 times a second and would
require transfer rates of 100 Mbps with no compression. Because of its
complexity BISDN will likely end up in commercial applications in the near
future.
Transfer Modes
--------------
In the design of BISDN standards either the synchronous transfer mode (STM)
or the asynchronous transfer mode (ATM) can be used. STM is the POTS way
using time division multiplexing. Synchronous multiplexing uses a clock to
assign windows for information to be transmitted, regardless of wether
transmission takes place at all. Asynchronous multiplexing does without a
clock to keep transmissions in place. ATM is virtually the same as this, with
faster routines. In ATM windows for transmission are opened when needed and
are not arbitrarily assigned. Information indicating the source is in each
header. ATM is the more common method being CCITT approved. STM is still
being debated as the use of highly accurate atomic clocks will ease
multiplexing digital bit streams coming from multiple locations.
ATM
=--
Is a method of cell oriented switching and multiplexing giving high-speed,
low error transmissions. Which combines the efficiency of packet technology
with the reliability of circuit switching. It is made up of fixed, 53
character cells. Every cell has 48 characters and a 5 character header to
keep track of its source. Incoming data is broken up into smaller uniform
cells by ATM equipment, transmitted and reassembled upon reception.
Since processing fixed sized cells is such a basic task, ATM is much faster
at packet switching than say X.25 is. Giving ATM the ability to deal with
such demanding applications as real-time video. ATM switches and transmits
all forms of communications - voice, data, narrow and broadband, continuous
and two-way dialogue traffic, in this uniform fashion. ATM transmits its data
over a "virtual channel" when in connectionless mode. A virtual channel is
the channel that connects points on the ATM network. A virtual connection
moves a set of virtual channels with the same path identifier over the
network. It has a cell header that consists of a virtual path and virtual
channel identifier. To allow private networks, crossconnects or virtual path
switches create a permanent link or virtual path between both ends of the
network. Virtual path switches don't need signalling as ATM switches do.
The adoption of a global ATM network will be at the earliest in 1995. Trials
with ATM are already underway. The move toward BISDN will require the
development of both this ATM network and crossconnects.
SONET
=--=-
The Synchronous Optical Network (SONET) is the ANSI standard for the
transmission of ATM frames on optical fiber networks. SONET vastly increases
potential transmission rates. It far surpasses today's DS3 speed and has an
OC-1 bandwith of 51.84 Mb/s. OC-48 is 2.5 Gb/s, the commercial version will
be much slower at OC-3 or 155 Mb/s.
In addition to providing greater data transfer rates it is a far more
intelligent network, transmitting control directives in its synchronous
stream. The subscriber's data is contained in the payload and the control
directives in the overhead. Overhead is made up of its section, line and path
components. Users can manipulate the network with messages placed in
overhead. The section overhead covers frame and error monitoring and controls
key equipment on the transmission line such as optical regenerators. Line
overhead monitors performance. Path overhead monitors errors and controls the
signalling between different points on the SONET network. SONET's synchronous
bit streams give very reliable transmissions and multiplexing.
SONET more or less integrates the functions of OA&M and as a result fewer
systems will be needed to perform them. What this means is fewer access ports
will be available to dial into.
SONET (and for that matter ISDN, BISDN, SS7 and ATM) are more complicated and
have a lot more to them than what's been presented here. Look for specialized
files on them and what they can do for you in upcoming journals.
Service Net-2000
=--=--=--=--=--=
Service Net-2000 is designed to use the capabilites of the 5ESS Switch to
provide a better public switched telephone network (PSTN). Improvements that
are required by the advent of more technically demanding services such as
HDTV, high speed data transmissions, speech recognition etc. These services
require faster and faster communications and higher bandwiths. Service
Net-2000, is designed to provide higher capacity switching and data networks
using SONET technology. The goal being to provide an effective universal
information service (UIS). In this Service Net-2000 is a kind of "follow up"
to ISDN.
Architecture
------------
SS7 is at the heard of this intelligent network. It provides 64 kb/s voice
transmissions and 1.54 mb/s (T1) data transmissions, when over fiber optic or
other high bandwith lines.
The need for Service Net-2000 is high, once you consider the oncoming rush of
optical transmissions measured in rates of gigabits/second. Nodes in Service
Net-2000 are also "intelligent" being "self-aware", adapting to net changes,
making corrections and self improving.
The main goal to Service Net-2000 architecture is to provide unification. It
combines basic functions such as switching, routing etc. with data
transmissions just as ISDN does. The end result being a decentralized CO
throughout the system. As individual functions disappear and are replaced by
this integrated system.
Service Node
------------
This integration is performed by the service node. Based on the 5ESS-2000
system (note that 5ESS is now 5ESS-2000 when used with Service Net-2000 and
broadband network services-2000 (BNS2000))
The "2000" group that forms this is based on SONET. Using flexible mapping
and frame switching rates at multiples of 51.84 mb/s are supported. The
"2000" group consists of the:
- Digital data multiplexer (DDM-2000)
- Digital access and cross-connect systems IV-2000 (DACS IV-2000)
- DACS III-2000 cross connect system
- DACScan-2000 controllers
- DACScan-2000 workstation
- FT-2000 lightware
The DACS IV-2000 is able to carry higher speed virtual tributary (VT)
channels and not just today's, slower asynchronous ones. Both DACS IV-2000
and DACS III-2000 can support non-SONET hookups too, making them quite
versatile. The DACS III-2000 differs from the IV-2000 in offering the
DS3/Synchronous Transmission Signal-1 (STS-1)
5ESS-2000
---------
As I mentioned before 5ESS-2000 combines BNS-2000 with the other members of
the "2000" group. This boosts the capacity of a 5ESS-2000 Switch to 250,000
lines on 64,000 trunks. Key to this is the improved switching module, the
SM-2000. It handles everything associated with a call and can even be used as
a stand alone remote office, in which case it's called a EXM-2000.
To enable high-speed interfaces, 5ESS-2000 uses digital networking units
(DNUs). All a DNU is, is a combination of a 5ESS Switch with say a DACS
switch. The DNU-IV is a derivative of the DACS IV-2000 and gives additional
high speed possibilities. Due to its high operating speed it can greatly
speed up CO operations that are slowed down by older copper wirings.
With the DNS-2000 cell switch, the broadband integrated services digital
network (BISDN) will be created. Point-to-point packet frame relays can be
provided even to those lacking T-1s. As well as offering switched
multimegabit data services (SMDS) with up to T3 capabilities. The cell switch
is made up of low speed port carriers running at 8 mb/s and high-speed
switching systems running in excess of 200 mb/s. BNS-2000 handles both frame
relays that require connections and SMDSs which don't.
Service Net-2000 has the ability to redirect calls between different areas
effortlessly. The service control point (SCP) provides the information for
the service circuit node based on call screening options, the date/time etc.
Allowing the 5ESS-2000 switch to offer a whole range of options such as call
waiting, forwarding, blocking etc.
Basically the idea behind Service Net-2000 is to add intelligence to the 5ESS
switching system and to drastically improve its speed and call handling
abilities. With the purpose of creating a more powerful UIS.
Other Developments
=--=--=--=--=--=--
Intelligent Network (IN)
------------------------
IN is just distributing AI throughout the network. A trend which pops up
numerous times throughout this issue of the journal with Expert Systems,
Service-Net 2000 etc. The idea behind IN is to have large and fast central
databases connected with the rest of the network with protocols such as X.25,
SS7 etc. IN allows global service to be introduced easier with good
flexibility.
IN is comprised of service switching points (SSPs) and service control points
(SCPs). SSP takes calls and sends them to an SCP. SCPs contain the databases
themselves such as calling card verification data.
Telecommunication Management Network (TMN)
------------------------------------------
TMN as the name implies manages the network. TMN performs OA&M on a CCITT
standardized structure.
Gigabit Testbeds
----------------
Are now being implemented for experimental purposes by DARPA, NSF and others.
Several are being conducted by the Corporation for National Research
Initiatives (NRI). They involve telcos, academic, commercial and government
researchers for the future National Research and Education Network (NREN)
Internet. NREN promises a good deal of services, such as real-time
transmission of high-speed data streams, huge automated electronic libraries
and Gb/s transmission rates taking us away from ascii into full motion video.
One experimental net is Vistanet with ATM and SONET capabilities and 622 Mb/s
speed. Another one is Aurora. Bellcore is providing an experimental Sunshine
switch and IBM a Planet Packet Transfer Mode (PTM). Unlike ATM, PTM packets
have no fixed size being as large as 2k. PTM is not a recognized standard but
may end up in commercial use, with ATM serving the network itself from the
CO.
NT is providing a SONET Digital Multiplex System (S/DMS) that takes up to 16
SONET inputs of 155 Mb/s and multiplexes them to 2.4 Gb/s for Casa a co-
operative venture of several organizations in California. The main component
of Casa is a high-performance parallel interface (Hippi) gateway for SONET.
A European group called RACE (R&D in advanced communications technologies in
Europe) is designing Integrated Broadband Communications (IBC) within a
BISDN. RACE is also working on Code-Division Multiple Access (CDMA), optical
networks, teleshopping, electronic funds transfer over a ATM BISDN, mobile
network architecture and the universal mobile telecommunications system
(UMTS).
The Future
----------
Compared to the last century of relatively stagnant copper wiring the impact
of higher bandwiths and optical technologies will - eventually - be
monumental. All of this does however depend on the introduction of optical
fibers. Because of the narrow-band copper wires that are the last link to the
subscriber, evolution to better technology is stunted (in the US at least).
The cost of overhauling these copper wires in the US with fiber ones is on
the order of 200 billion US. In other nations however, the use of fibers
linking residential homes is more than 50%. Fiber technology is however,
constantly growing and its price dropping.
As an aside to all this, look at what's been done in the last 10 years of
communications compared to the last 100 years. We are constantly lessening
the doubling time of communications technology. In the next 3 years we will
equal the last 10 years of progress. Soon it will drop down to a year and
then to a matter of months. Since International standards take 15 + years to
work out bureaucracy may become an impediment.
---------------------------------------------------------------------------
Sources
IEEE 0018-9235/93
Telecommunications Journal April 1993
Various books and articles on ISDN
---------------------------------------------------------------------------
The LOD Technical Journal: File #5 of 12
=/=/=/=/=/=/=/=/=/=/=/=/=/=/=
Maintenance
for DMS-100
Written by -
-/- Unequal Access -/-
.Introduction
In order to maintain Northern Telecom's (NT) DMS-100 Digital Switch an
advanced menu driven man-machine interface (MMI) is used. It is comprised of
a Visual Display Unit (VDU) which is part of the Maintenance and
Administrative Position (MAP) interface. I'm going to outline how it deals
with maintenance, alarms, and administration. A quick example of how it
handles line and trunk trouble reports and the addition of a new subscriber
will be given.
.Maintenance and Administrative Position (MAP)
Hardware
The MAP is the primary interface between the technician and the DMS-100
family of switches. The main hardware components of the MAP are:
1. Visual Display Unit (VDU) - the MAP terminal
2. Alarm Panel - sends an alarm to the VDU.
3. Communications Module - (telephone) to speak with the subscriber voice
4. Test jacks
.Remote MAP
Since all line and trunk test equipment is an integral part of the DMS-100,
no loss in accuracy results when the MAP is remote. Every switch has its own
dialup as well. Meaning this is not a theoretical file, you will be able to
dial up DMS-100 and perform switch maintenance!
Maintenance
A sophisticated MMI through the MAP terminal is used, to allow a technician
to maintain the switch and keep informed of switch operations. Maintenance of
a DMS-100 digital switch is made up of:
1. Manually requested maintenance
2. Scheduled maintenance
3. Automatic maintenance after the detection of faults
Alarms
The system maintains alarms for the more critical areas of the switch, ie.
the central controller. A real-time display of the alarms gives the
technician constant status reports.
Administration
A Table Editor allows the technician to add new lines or trunks. A Service
Order facility allows features such as hunt groups and Multiple Address
Directory Numbers (MADN) to be added.
.Maintenance
A common use of line maintenance is in resolving a customer type trouble
report. The technician selects the Line Test Position (LTP) option and the
selected line is flagged for action by an identifier (ie. directory number,
physical location number). The line status information, ie. line state and
terminating director number is constantly sent to the MAP terminal by
DMS-100.
A functional test of the subscriber's dedicated line card is invoked by
DIAGNose. Test equipment measures performance of the line card and reports
deviations from defined levels. Here is what a LTP with line diagnostic
results appears as on the terminal:
CC CMC IOD Net PM CCS LNS Trks Ext
FDIAG 10 GC
M "C"
LTP POST DELQ BUSYQ PREFIX
0 Quit-
2 Post-
3 LCC PPTY RNG ... LEN ... DN STAFS LTA TE RESULT
4 LTPMAN IBN PSET HOST 02 1 12 30 772 5016 IDL
5 Busy-
6 RTS-
7 Diagn- HOLD1 722 7861 IDL
8 TstRing HOLD2 722 7862 CPB7227782
9 Almstat- HOLD3 722 7861 IDL D
10 CktLoc Diagn
11 Hold
12 NextH- LEN HOST 01 1 12 30 DN 7225016
13 NextP- DIAGNOSTIC RESULT Card diagnostic OK
14 IBNCON ACTION REQUIRED:None
15 CSDDS CARD TYPE 6X21AA
16 LTPLTA
17 LCO-
18 Prefix-
F
Time XX:XX
Legend: The first line CC CMC... represents the various maintenance
subsystem headers.
The second line FDIAG 10GC represents a minor alarm condition for
line facility diagnostics and a critical alarm condition for 10 trunk
groups.
Alarm status is given in the third line.
Scheduled Line Testing
Full testing of a subscriber loop may be performed using MAP's Line Test
Position Line Test Access (LTPLTA). Internal line test equipment (LTU) in DMS
will be physically connected to a subscriber loop with the Metallic Test
Access Bus (MTA). Here's what the results of a manually requested line
insulation test appear as:
CC CMC IOD Net PM CCS LNS Trks Ext
Clk #0 1 LGC 2 GC 2Crit
M M CR C "C" "C"
LTPLTA POST DELQ BUSYQ PREFIX
0 Quit-
2 Post- LCC PPTY RNG ... LEN ... DN STAFS LTA TE RESULT
3 MonLTA-
4 TalkLTA- 1FR HOST 00 27 621 1234 IDL
5 Orig-
6 Lnst-
7 Vdc-
8 Vac-
9 Res-
10 Cap- LnTST
11 Hold TEST OK
12 NextH- RES CAP VAC VDC
13 NextP-
14 LTA TIP 999..K 0.05OUF 0 0
15 BalNet
16 Coin- RING 999..K 0.05OUF 0
17 Ring-
18 DgtTst TIP TO RING 999..K 0.57OUF
GAT2
Time XX:XX
Using this command the source of a fault and whether its on the subscriber
end or not can be determined. This test is usually run during off-peak hours,
using MAP's Automatic Line Test (ALT) and the Automatic Line Insulation Test
(ALIT).
System Line Initiated Line Testing
When call processing detects faulty lines they are automatically scheduled to
be diagnosed in queue. The outcome is given to MAP, and a record is printed
in an office log.
Trunk Maintenance
Executes checking, testing, monitoring, status monitoring and verifying
functions to make sure trunks are working right. It also provides a means of
quick troubleshooting when a trunk problem occurs, using the telescoping
process to pinpoint the problem location. An example of a Centralized
Automatic Message Accounting 2-Way (CAMA2W) Trunk is given here:
CC CMC IOD Net PM CCS LNS Trks Ext
10 GC
"C"
TTP
0 Quit- POST DELQ BUSYQ DIG
2 Post- TTP 5
3 Seize- CKT TYPE PM NO. COM LANG STASR DOT TE RESULT
4 2WY DP MF TMB 424 CAMA2W 1 IDL
5 Bsy-
6 RST-
7 Tst-
8
9
10 CktLoc Tst
11 Hold TEST OK
12 Next- + TRK107 DEC02 14:41:31 8700 PASS CKT CAMA2W 1
13 Rls
14 Ckt-
15 Tms1Vf-
16 StkSdr-
17 Pads-
18 Level-
C
Time XX:XX
A technician can choose to conduct trunk testing manually from the Trunk Test
Position (TTP) or automatically from the Automatic Trunk Testing (ATT) level
of the MAP.
.Alarms
Are reported at three levels according to their degree of urgency. In order
of urgency they are Critical, Major and Minor. Alarm thresholds are defined
by an administrator. ie. the percentage of a trunk group that is out of
service before a minor alarm is sent. Audible and visible indicators can be
used locally, in another part of the building or in a remote monitoring
center.
.Administration
The Table Editor
Consists of a set of commands that will create or change data. The tables and
Table editor is part of the DMS-100's database software. Control is done at
the MAP.
An example of a new trunk addition to an existing trunk group would be:
>table trkmem /* TABLE Trunk Member
TABLE TRKMEM:
>add otdp1 1 /*Outgoing Trunk Digit Pulse
/*Element 1
SGRP:
>0 /*Subgroup Number
PMTYPE /*Peripheral Module Type
>tm 8 /*Trunk Module Type 8
TMNO: /*Trunk Module Number
>0
TMCKTNO: /*Trunk Module Circuit Number
>8
TUPLE TO BE ADDED:
OTDP 1 0 TM8 0 8
ENTER Y TO CONFIRM, N TO REJECT OR E TO EDIT
>y
TUPLE ADDED
(input MUST be in lower case)
RANGE will give you a list of legal and advised inputs:
>range
1 CLLI COMMON_LANGUAGE_NAME
2 EXTRKNUM EXTERNAL_TRUNK_NAME
3 SGRP TRUNK_SUBGROUP_NUMBER
4 MEMVAR MEM_VAR_AREA
LOGICAL TUPLE TYPE: L_TRUNK_MEMBER
>range 3
3 SGRP TRUNK_SUBGROUP_NUMBER
TYPE TRUNK_SUBGROUP_NUMBER {0 TO 1}
Service Orders
Are used to:
- add/remove subscriber service from lines
- add/remove services such as touchtone
- change Line Equipment Numbers (LEN) or the Directory Numbers (DN) of lines
Here's an example of how you can setup a New Single Party Flat Rate (1FR)
with options. In this case the new line will be POTS with touchtone (referred
to as dgt). The new line is part of line treatment group 1. The phone number
or directory number is 555-1212. The line equipment number is 10 1 12 26
(frame 10, unit 1, drawer 14, card 26)
Input in prompt mode:
>SERVORD
SO:
>new
SONUMBER: NOW 85 12 02 AM
> /* Directory Number
>5551212
LCC: /* Line Class Code
1fr /* Single Party Flat Rate
LTG: /* Line Treatment Group
>1
LEN: /* Line Equipment Number
>10 1 14 26 /* Frame 10, unit 1, drawer 14, card 26
OPTION: /* Subscriber Option
>dgt /* Digitone Dialing
OPTION:
>$
COMMAND AS ENTERED
NEW NOW 85 12 02 AM 5551212 1FR 1 10 1 14 26 DGT $ ENTER Y TO CONFIRM, N TO
REJECT OR E TO EDIT
>y
Input in no-prompt mode:
>new $ 5551212 1fr 1 10 1 14 26 dgt $
COMMAND AS ENTERED
NEW NOW 85... etc.
>y
Here is another example of how to install a new Electronic Business Set (EBS)
with DN 800-555-1212 and LEN 2 0 1. The option Special Billing (SPB) is used
with special billing DN 555-0000.
Input in prompt mode:
>SO:
>new
SONUMBER: NOW 85 12 02 AM
>
DN_OR_LEN: /* DN or LEN
>5551212
LCC: /* Line Class Code
>pset /* Proprietary Set (EBS)
GROUP /* Customer Group
>custname
SUBGRP: /* Sub Group
>4
NCOS: /* Network Class of Service
>10
SNPA: /* Subscriber Numbering Plan Area
>800
KEY: /* Key Number of EBS
>1
RINGING: /* Audible ringing?
>y
LEN:
> 2 0 1
OPTKEY: /* Option on key
>1 /* EBS key number
OPTION:
>spb /* Special Billing
SPBDN: /* Special Billing Directory Number
>5550000
OPTKEY:
>$
That is the maintenance interface of DMS-100. If you are under the system, or
any other DMSs for that matter go searching for its dialup number. As you can
tell, there is no end to the things you can configure with it. Such as giving
yourself "special billing" or no billing whatsoever. You can also edit
numbers in different NPAs so a dialup in another NPA would suffice.
----------------------------------------------------------------------------
The LOD Technical Journal: File #6 of 12
Operator Service Position System
(OSPS)
By The Enforcer
Introduction
-*-*-*-*-*-*
OSPS is a replacement for the Traffic Service Position System (TSPS). For a
description of the TSPS console see The Marauder's article in the LOD
Technical Journal Number One, File Four. The main difference between the two
is that OSPS can be integrated with the 5ESS Switch itself whereas TSPS was
only stand alone. OSPS uses the full capabilites of 5ESS and ISDN to provide
more services. OSPS also allows for a high degree of automation and by using
standard 5ESS configurations, maint. is simplified.
Remote Capabilites
-*-*-*-*-*-*-*-*-*
By using 5ESS, OSPS takes advantage of its remote capabilites. OSPS can be
used to perform any traditional operator functions and just 1 OSPS switch can
handle up to 128 operator teams. This enables operators to be located at one
centralized location where thousands of operators work. (To picture this,
remember that MCI commercial with all the operators in that giant room) Huge
operator centres can be located at great distances from their host areas.
Conceivably, one huge OSPS centre could serve the entire nation. OSPS can
either be made a component of a 5ESS Switch and handle various services or a
single switch dealing with only toll or local calls. Control can be
transferred from one OSPS to another. If there is low demand, a system crash
or other emergency control can be passed on to another secure OSPS. This
process is called interflow. One usage is during off-peak hours, when usage
goes down for an OSPS centre to close down, and switch everything to another
center. OSPS can use any number of signalling systems, with different
languages or country specific requirements.
Architecture
-*-*-*-*-*-*
Operator terminals communicate with switches using ISDN paths. This is done
by connecting to positioning switch modules (PSMs). PSMs are simply the
switching modules (SMs) found on 5ESS. There are numerous other SMs that use
analog and digital trunks to perform a variety of services. SMs can be
installed remotely in which case they are remote switching modules (RSMs) or
optically remote switching modules (ORMs).
Operator terminals allow operators to regulate calls and transfer data on a
ISDN. Basic rate interface (BRI) is an integrated services line unit (ISLU)
that connects up to the PSM.
There are four main operator terminals - video display terminal (VDT) for
toll assistance, basic services terminal (BST) for listing services, combined
services terminal (CST) for both of these functions and intelligent
communication workstation (ICW) for International traffic assistance. Knowing
these terminals can come in handy when you are dealing with an operator, if
you can't get an answer ask to know which terminal they are looking at.
OSPS is automated as much as possible. Digital service units (DSUs) on the
SMs provide digital automations when required such as requesting you to
insert more red box tones (uh, coins) to continue your call.
The architecture behind OSPS is based on the call processing architecture of
5ESS, and simply copies many of its functions. To originate and terminate
OSPS the originating terminal process (OTP) and terminating terminal process
(TTP) are used. The OTP is started when a trunk is seized, usually in the
initiation of a toll call, and decides where to place the calls such as to
automated billing etc. OTP also monitors the calls as its in progress and
conducts billing. Should OTP move the call to an operator, it will label it
as one of 128 possible conditions based on the dialled number and trunk
group. TTP is started when the call goes out from the switch on outgoing
trunks to enable signalling.
Automatic Call Distribution (ACD)
-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-
ACD controls incoming calls to operator teams, placing them in queues if
needed and directs the call depending on its condition to the right operator.
At the OSPS centre, there are 128 teams, 1 for each condition. If there are
no available operators ACD will place the call in one for four queue
conditions. The first is ringing, the next two are announcements and the
fourth is an announcement followed by a hanging-up of the caller. The ACD
constantly has the status for every operator. The three conditions are made
busy, busy and available. Made busy is an otherwise available operator that
isn't ready to receive calls. If an operator team services more than one call
type, and if one call type is queued the call with the highest "delay ratio"
(the expected wait time) will get the next available operator. Supporting
teams, up to 8 of which back up the principle teams act as a "reserve" if the
principle ones are busy. Subject to the condition that a queue is backed up
higher than the "outflow threshold" and the supporting team doesn't have a
queue past the threshold either. The position terminal process (PTP) logs
operator status by looking at operator inputs, calls, etc. PTP will then
route the call to the operator, place it in a queue or route it to another
operator.
PTP
-*-
PTP has four models:
virtual terminal (VT) - Takes keystroke inputs, checks them to see if they
are legal commands and passes them on.
feature model (FM) - Handles the status of the operator, if an operator logs
in, it will indicate that the operator is now available.
near model (NM) - Processes the operator inputs.
call coordination model (CC) - Handles coordination between PTP and other
operations. For example signalling between PTP and OTP/TTP.
Here is how AT&T describes a typical event:
. A seizure is detected on an incoming trunk, and an OTP is created.
. Signalling information, such as dialled digits and the back number, is
collected and analyzed; the need for an operator is recognized.
. Call type is determined from the dialled digits and incoming trunk group to
classify this as an OSPS call of type 1. The ACD administrator has assigned
type 1 calls with serving team A as the principal team and serving team B as
the supporting team.
. The OTP sends a message to the ACD requesting an operator. This message
identified the call as type 1 and obtains other call information.
. The ACD determines that calls of type 1 are being queued.
. The call is queued, and the expected delay is calculated. By comparing the
expected delay with administratively specified delay thresholds, the ACD
determines whether a delay announcement should be provided to the caller. .
A message is sent to the OTP with this information.
. The OTP first connects the delay announcement, then provides audible ring
to the caller.
. At this point, an operator from serving team B becomes available, and the
call of interest has migrated to the head of call type 1 queue. The ACD
determines that no calls are waiting in any of the principal queues for team
B, and further determines that the next call in the call type 1 queue is
eligible to be intraflowed to team B. The ACD informs the OTP to send the
call to the available operator from team B by sending a message to the PTP in
the PSM. It then marks that position as busy with a call.
. The PTP, via the CC model, establishes the voice path between the caller
and the operator and sends appropriate display messages to the operator
terminal, via the VT model, to provide the initial call seizure information.
. The customer requests a collect call from the operator who depresses the
collect key and enters the number to be called. Messages are sent from the
operator terminal to the PTP to relay the information. The VT model processes
each incoming message and forwards the message to the near model. The near
model marks the call as collect and initiates the connection to the forward
party via a new CC model. This results in creation of a TTP and appropriate
interswitch signalling to ring the forward party.
. After the forward party answers, the operator secures agreement for the
collect billing and releases the call from the position via the position
release key. This keystroke is first processed by VT and passed on to the
near model. The PTP notifies the OTP of the collect billing arrangements. The
talking path
s are reconfigured to eliminate the operator position. The two
parties on the call are now speaking directly without an operator on the
call.
. The operator terminal screen is cleared by VT. The FM reports its status
back to the ACD as available to handle another call.
. At the conclusion of the call, a billing record is made by the OTP.
Automation and Efficiency
-*-*-*-*-*-*-*-*-*-*-*-*-
OSPS is designed to be as automated as is possible. It is supposed to make as
little use of human operators as can be gotten away with. When you think
about it that's the result of OSPS - human operators are becoming less and
less needed. If it wouldn't be for all the potential uproar, they'd get rid
of all human operators entirely. They are regarded as a horribly expensive
way to handle calls. OSPS allows operators comfy little terminals and pulls
them out of situations where they are needed as soon as they aren't required.
For example after obtaining a number for collect billing, the rest of the
process - voice acceptance can be automated.
Many services in the past that were separate are now combined under OSPS. For
example toll and directory assistance operators had to be kept available in
large numbers to handle call surges. Meaning toll assistance can be queued
up, while directory assistance has available operators. Now with CST, an
operator can handle both services.
Data Communications
-*-*-*-*-*-*-*-*-*-
ISDN is used to transfer data in OSPS. External systems can also be reached
for such purposes as directory assistance information. Three layers are
involved in OSPS operator-switch exchanges:
layer 1 - the physical layer - Gives synchronous data transmission from the
terminal to the ISLU.
layer 2 - the link layer - Provides point-to-point exchanges between the
terminal and PSM.
layer 3 - the packet layer - Is the layer 3 protocol of X.25. It's a resident
virtual circuit for exchanges between the terminals and the SM's processor.
Which can be used in switch virtual circuit connections to external
databases.
Databases
-*-*-*-*-
OSPS uses databases during most calls. To do such functions as check the
validity of calling card accounts to prevent cancelled cards from being used.
Millions of database queries take place every 24 hours. Because of the
immense size of these databases, they can't all fit in 5ESS. So external
databases are used.
Common channel interoffice signalling (CCIS) links OSPS with external data.
To link with external computers CC7 is used. Data is returned to OSPS from
nodes on CCS such as the line info database (LIDB) or billing validation
application (BVA). These two nodes handles your Bell's validation of all
collect, third number and calling cards.
The X.25 protocol is also used to connect OSPS with other databases. Each
database has an ISDN directory number. So one can scan out the addresses and
access them on the public PSNs. Since your RBOC doesn't want people messing
around with their BILLING databases, they are put in a closed user group
(CUG).
---------------------------------------------------------------------------
The LOD Technical Journal: File #7 of 12
(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)
Testing Operations Provisioning Administration System
(TOPAS)
LOD - Mystik Freak - LOD
(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)
In order to perform Operations, Administration and Maintenance (OA&M) on
switched circuit and facility networks the TOPAS operating system (OS) has
been developed. From the "core" of TOPAS the Transport Maintenance
Administration System (TMAS) was designed to assist in running the Facility
Maintenance and Administration Center (FMAC).
As the telephone network became more and more advanced the conduction of OA&M
became increasingly difficult. What's brought about this sophistication has
been the later versions of electromechanical switching systems, ISDN etc. In
order to keep up Artificial Intelligence (AI) ideas are being used as a basis
for TOPAS-ES. TOPAS-ES is designed as an Expert System (ES) replacement for
TOPAS to handle switch circuit operations. TOPAS-ES performs this circuit
maintenance using its AI to find and report on network difficulties.
Network Maintenance
In the current 5ESS Switch maintenance is performed by TOPAS and the remote
measurement system (RMS-D3). Under 4ESS circuit maintenance system 1 (CMS-1)
is used. The purpose of RMS-DX is to allow testing on circuits terminating on
switches. The network is monitored as the transmission passes through the
XESS Switch, the multiplexer (MUX) and the line terminating equipment (LTE).
TOPAS and CMS-2 continually monitor the network's status and look for
deviations from normal operations and then print up trouble reports. Because
so many reported problems are transient or falsely reported as a problem,
further testing is done to determine real or "hard" problems. Through such
procedures as performing tests on one of more than a million scan points or
attempting to receive from one or two ends of the circuit.
TOPAS uses two different machines with their own databases when processing:
Equipment Interface Tier (EIT) and the Network Support Tier (NST).
EIT - An EIT contains a database that has physical information about a
Network Element (NE) machines.
NST - NST's databases are not interested in NE machines or in physical
properties and instead uses mathematical models. Even radical network changes
will have only minimal effects. Thus the combination of say fiber and copper
wiring on the same circuit or the merging of voice and data communications
has no great effect. NST can handle everything from basic trunking to complex
multipoint circuits.
Both EIT and NST use Common Languages to communicate with each other. NST
will for example query NST about specific equipment, while EIT would query
NST about network changes. Since EIT and NST are both in the TOPAS core
interactions are quite simple.
TMAS
TMAS followed TOPAS and in its design, developers reused almost half of
TOPAS's core. Since TOPAS and TMAS speak a common language cooperation
between the two is possible. Many report procedures are identical such as the
DS-1 facility alarms.
FMAC
TMAS is designed to run with the FMAC. By providing updated route databases,
alarm monitoring, detection of network faults etc. TMAS also helps
administrate by issuing trouble tickets, switch logs and sending out this
data to other personnel from the FMAC.
Expert Systems (ES)
An ES is a system where the program and the knowledge used in decision making
are kept apart. The program contains a set of rules, containing what action
should be undertook depending on the situation. This is often referred to as
a "shell" that controls the activities of its host system (think of the UNIX
shell).
ESs in Networks
The maintenance of complex networks is an ideal application for an ES. By
having the equivalent of the most capable repair mind on each switch. As all
the ESs are using a common knowledge base that has everything known about the
problem and the most effective way to solve it. Several other ESs have
predated TOPAS-ES such as ACE, NEMESYS and GTE's COMPASS. As any technical
worker will attest to, network operations are particularly troublesome as the
call carrying capacity must be maximized while trying to minimize the
congestion that results when traffic exceeds the call capacity of the
switching and transmission system.
TOPAS-ES
TOPAS-ES, is as the name indicates, is an ES version of TOPAS. It works with
both TOPAS and CMS-1 in the 4ESS and 5ESS environment. TOPAS-ES has a UNIX
routine for each of its three subsystems - knowledge base and inference
engine, communication and systems interface and user interface. The inference
engine used in TOPAS-ES is "forward chaining" or data driven as it is guided
available data to fit prestated conditions to obtain an answer. If it used
backward chaining, it would search for data to obtain an answer. Forward
chaining is a more effective route to take when data is available and answers
to a question (using backward chaining) are unneeded or to slow. Generally,
forward chaining in network maintenance is preferred. For example, data
indicating that Joe Phreaker is blowing 2600 tones is of more use than
attempting to answer a question of "Where are all the foreign tones on the
circuit originating from?" To keep up with its immense chores of network
monitoring, testing and issuing trouble reports, gathering data and figuring
out answers TOPAS-ES runs each of its subsystems at the same time, working in
"real time" with the network.
Distributed AI (DAI)
DAI is where multiple processes which normally act independently, co-operate
which one another. TOPAS-ES uses DAI to station one TOPAS-ES at one end of
the circuit and another on the other end or at the CO. This enables more
computing power to be levied at pinpointing the problem and makes for a
faster, more reliable system. TOPAS-ES can assume either a director or
responder mode. If TOPAS-ES is analyzing a faulty circuit it can request or
enlist another TOPAS-ES and place it in the responder mode to assist it.
Expert System Trouble Analyzer (ESTA)
This is one of TOPAS-ES's subsystems and performs the main operations of:
trouble ticket analysis and chronic history analysis (CHA).
Trouble ticket analysis: Since few problems reported by TOPAS-ES are genuine
ones that require attention, ESTA narrows down the hard from the transient
problems. ESTA determines this mostly by ordering TOPAS-ES to wait and
perform further monitoring.
CHA: This exposes faults after repeated transient trouble indications. If the
problem persists for longer than X amount of time, with over Y indications of
trouble it will be labelled chronic. CHA is designed to pick up on problems
that have been passed off as transients and ignored. For example a problem
may exist during peak hours but will be passed off as a transient when
monitored during off-peak hours.
Expert System Trouble Sectionalizer (ESTS)
Once ESTA has determined a trouble to be hard it will pass along a "trouble
ticket" indicating such information as its duration, current condition and
whether its chronic or not.
When ESTS has been handed a hard trouble it will "sectionalize" the indicated
area on the circuit. This is done by having technicians at each end examine
points on the circuit and performing other tests. ESTS is based on the best
sectionalization techniques, being an ES. An ESTS sectionalization strategy
would work like this: 2600 tones are being heard on the network, circuits are
all in normal condition, 2600s are not in internal use and have been labelled
as unauthorized, foreign sounds so ESTS would deduce that someone is trying
to bluebox.
ESTS has a wide list of strategies to try depending on the situation. The
most likely to succeed strategies will be attempted first and if this fails
all of its strategies will be tried in order of success probability. Once the
fault has been pinpointed the relevant repair crew/station will be notified
along with a description of the fault.
---------------------------------------------------------------------------
The LOD Technical Journal: File #8 of 12
International Switching Systems
by Mystik Freak
LOD - LOD
One of the goals behind phreaking has always been to delve into the deepest
fathoms of the phone system. Since the barriers of expensive international
calling are meaningless to the phreak, the exploration of various telephone
systems is possible.
This file will investigate some of the switching systems you are likely to
encounter around the world. In other words non-ESS/DMS using nations outside
the United States. Nothing has ever been said about these systems in "the
underground" and what little information that exists publicly is skimpy, hard
to find, badly translated or not translated at all and very outdated.
The foundation of any telephone network is in its switching system so a whole
new universe of different switching systems is out there waiting for you. ESS
does get boring after a while and there is nothing really novel about if,
after all nearly everyone lives under it and there isn't that much to
discover about it. So branch out internationally to seek new telephone
networks and boldly go where no phreak has gone before!
I won't spoil the thrill of hearing new tones and discovering new things by
giving out all the juicy things you're liable to find, instead this is going
to be a broad based overview of 7 switching systems:
Sweden - AXE 10
France - E 12
United Kingdom - DSS
Netherlands - PRX-D
Germany - EWS-D
Italy - PROETEO
Japan - NEAX 61
There are far more than just these systems out there as shown by this chart
of systems indicates:
System Country Type
~~~~~~ ~~~~~~~ ~~~~
AFDT1 Italy local/tandem
AXE 10 Sweden local/toll
D 1210 US local
DCO US local/toll
DMS 10 Canada/US local
DMS 100 Canada/US local/toll
DMS 200 Canada/US toll
DMS 250 US tandem
DMS 300 Canada tandem
DS 1 Japan tandem
DSC US local
DSS 1210 US local/toll/operator
DTN 1 Italy (Sudan) tandem
DTS US tandem
DTS 1 Japan toll
DTS 2 Japan local
DTS 500 Netherlands tandem
DX 100 Finland local/tandem
DX 200 Finland local
EWS-D Germany local/toll
E10 France local/tandem
E10 B France local
E10 S France local
E12 France toll
FETEX 150 Japan local
FOCUS 5 US local
GTD 5 EAX US local/toll
HDX 10 Japan local
IFS Switzerland local
ITS 4/IMA2 US toll
ITS 4/5 US local/toll
ITS 5A US local
I2000 Yugoslavia local
LCS 4/5 US local
MSU US local
MT 20/25/35 France local/toll
NEAX 61 Japan/US local/toll/operator
No. 3 EAX US toll
No. 4 ESS US toll
No. 5 ESS US local
PROTEO Italy local/toll
PRX-D Netherlands local/toll
SPC 2 India local
SX8 France local
SX 2000 Canada local
SYSTEM 12 (1210) US local/toll/operator
SYSTEM 12 (1240) Belgium/UK/Germany local
TDDSS 1/2 China tandem
TN 5 Italy tandem
TROPICO Brazil local
TSS 5 US local
UT 10/3 Italy local
UXD 5 UK local
1220/PCM-5 Belgium/France tandem
Sweden - AXE-10 (+46)
~~~~~~~~~~~~~~~~
The Swedish AXE 10, was developed by Ericsson and in addition to being found
in Sweden itself is also being used by over 30 countries.
AXE 10 performs most of the basic functions of international switching, local
tandems and offices, national transit etc. It covers everywhere from isolated
rural areas with only a few hundred subscribers all the way up to huge
transit exchanges of a million subscribers.
AXE 10 has 3 main susbsystems:
SSS - Subscriber and group (GSS) switching
TSS - Trunk signalling and (TCS) traffic control
CHS - Charging, OMS and Maintenance
Other optional subsystems are:
SUS - Subscriber faciltites (OPS) operator functions
MTS - Mobile subscriber functions
Functions that share the same purpose are allotted to one subsystem. A
function block is a group of similar functions within the subsystem. For
example the subsystem SSS has a function block called the time switch (TS).
Hardware
AXE 10 is a digital switching system. Interconnections between subsystems are
called "internal digital trunks". To give an example of AXE 10's hardware
consider the SSS subsystem.
SSS is divided up into lots containing up to 2048 subscribers, up to 128 of
these subscribers will then form a line switch module (LSM). Each subscriber
has an individual line circuit (LIC) connecting them to the LSM. The LSMs
themselves are interconnected by a TS bus (TSB). Each module has a TS that
performs switching for the subscriber the TSB and a junctor terminal circuit
(JTC).
Traffic within subsystems is handled by internal diagnostic links. If the LSM
lacks an internal digital link the call is carried by a TSB to another
module. Because SSS uses TSS and TSBs the network runs smoothly as a balance
is kept between the subscriber nodes and the internal digital links in use.
Subscriber information can be kept either centrally or remotely. TS 16 in a
PCM is used to control a remote exchange. If the SSS is remotely located an
exchange terminal circuit (ETC) is used. The PCM will then signal between the
remote SSS and the ETC. The signalling is controlled by a signalling terminal
(ST) on the SSS and ETC ends of the circuit.
The trunk signalling system (TSS) interfaces external signals into the AXE 10
signalling scheme.
One of the benefits to AXE is that any signalling scheme can be interfaced
without impacting on other subsystems. Thus AXE is highly adaptable to
network conditions.
In cases where analogue lines are connected by either incoming trunk (IT) and
outgoing trunk (OT) circuits conversion to digital takes place. Tone
signalling is conducted by code receivers (CRD) or code senders (CSD).
France - E 12 (+47)
~~~~~~~~~~~~~
CIT-Alcatel and Telic (CIT-ALCATEL) developed the E 12 system bases on the
earlier E 10 system to handle the functions of:
- international gateway
- inter-city transit
- medium to large urban area transit
- subscriber line switching
Capacity
The capacity of E 12 depends on call duration, signalling etc. The maximum
capacity is currently 1536 digital PCM systems of the 30 + 2 type equalling
over 40,000 circuits. Processing up to 110 calls a second.
Architecture
E 12 is based on the architecture of its predecessor - E 10B. The three main
components are:
- subscriber and circuit connection units
- the central switching system and common control
- computerized supervisory and maintenance centre (CTI)
The CTI is the second control level supervises several exchanges and handles:
- line circuit management
- traffic load data logging
- maintenance and alarms
- billing
Three subassemblies allow speech transmission. The TST switching network, the
subscriber connection units (URA) and the circuit connection units (URM).
System Control
Is made up of three levels:
- a processing level in the line and circuit connection units, where
subscriber circuits are controlled
- central common switching control
- CTI
First Level Control
Is conducted by:
- 2 markers (MQ)
- 2 translators (TR)
- 2 incurred fee metering units (TX)
- 2-6 multiregisters
All of these units are related to a single switch and communicate on a bus
LM.
MQ - interfaces common control to the central switch and subscriber and
circuit connection units
MR - receives and retransmits information and adjudicates the opening and
closing of connections.
TR - stores subscriber and circuit data
TX - free metering units
OC - control interface unit connects the CTI to other subassemblies.
Subscriber Connection Unit
Because traffic is concentrated on a small number of digital PCM systems, the
subscriber connection unit is needed to provide analog to digital
conversation. It also handles remote subscribers. The unit connects thousands
of lines to a central TS on PCM channels.
Software
switching programs - perform loop status sensing, condition detection,
connection and disconnection, switch identification. maintenance subscriber
status memories etc.
monitoring programs - monitor the core of CSE, test and fault tracing
routines etc.
All programs are written in Assembly.
Functions
E 12 provides:
- CCS7
- traffic observation
- automatic fault tracing
- remote fault tracing
- service grade measurement
- operator assistance position
- automatic call back etc.
Organization
E 12 is organized into three areas:
- the switching network which handles signalling channels and
incoming/outgoing multiplexes
- the signalling units which handle channel allocation, CMF, CCS, DTF etc.
- a main SPC computer
All of which are connected to connection units (see the subscriber connection
unit).
Programs
The main programs used are:
- program execution system, interfaces with the rest of the systems program
- exchange interface IOP (SEST)
- data interface IOP (SESI)
- signalling processor (SIG)
- common programs (PCO) for data
- call processor (TAP)
Service Management Unit (GES) does man/machine transactions, routing tables
and prefixes, signalling type allocations, traffic observation and logs
traffic data.
Fault Recovery System (DEF) will reconfigure after a detection of a system
failure, providing efficient recovery.
Tracing and fault isolation (TED) will isolate a fault down to the PCB level
and carry out CRCs for fault prevention.
Digital Switching Subsystem (DSS) - United Kingdom (+44)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
DSS was created by the British Post Office (BPO) to serve as the nations
first digital switch.
Subsystems
DSS uses specific hardware and software functions to interface subsystems.
The main DSS interfaces are located at the following subsystems:
- call processing system (CPS)
- maintenance control subsystem (MCS)
- analogue line termination system (ALTS)
- network synchronization system (NSS)
- management statistics subsystem (MSS)
The main connecting interface in DSS is a 2048 kbit/s, 32 channel multiplex.
Which is used for example to connect the switchblock and auxiliary units.
Trunking
DSS is capable of handling international switching centres of up to 20,000
erlangs and over 400 switch requests a second. To meet this the switch must
be multistage. The DSS switchblock has identical originating and terminating
circuits. A four-wire multiplex has a transit and receive pair on both ends
of the circuit. So information on the busy/free state of both is available
from one.
To achieve spatial routing which is necessary for two channels to be
connected, DSS uses integrated circuit multiplexers (encoders).
DSS's time dividing in trunking allows single switches to carry large amounts
of traffic. The drawback to this is that should a fault occur on this switch,
thousands of calls could be disrupted. To ease this risk, synchronous
duplication of the TST setup with data comparison and parity checking is
done.
Subsystem Functions
- digital line termination unit (DLT) interfaces the four-wire, 32 time-slot
2048 kbit/s multiplexers with the switchblock
- the TS transfers input time slots to output times slots
- space switch (SS) is an integrated circuit set for devices that connect
links with the trunk
- alarm monitor unit (AMU) - relieves the main cpu's load by handling alarm
data
- primary waveform generator (PWFG) is the clock with DSS is based on. By
sending 8 Khz tone start signals and 2048 Khz bit streams, operations are
directed
- local synchronization utility (LSU) uses incoming PCM links for timing and
maintains the frequency of its oscillators using phase locked loop techniques
- input/output buffer (IOB) stores messages from the software to the CLU
The Time Switch
Buffers the time reception with the time allocated from cross-office
switching with the space switch and the actual time of transmission. It also
does alarm interfacing between monitoring equipment and trunking. The TS is
composed of:
- speech stores (including DLT interfaces and store refining registers)
- control stores
- alarm interface unit (AIU) (including DLT and AMU interfaces)
- TS racks - a complete send and receive switch within DSS. The two TSs are
used in trunking are in 1 rack with 32 DLT units.
- space switch - a set of buffer and crosspoint units. Using the 2048 Khz
clock, the transmission of traffic is done on the TS interface buffer.
Hardware
The processor utility (PU) IOB is interfaced with the CCU by the PSS IOB. The
IOB communicates with the following:
- command field - ordering operations such as measure, trace, opening or the
removing of TSs.
- address fields - set network termination numbers (NTNs) that define TSs,
circuits etc.
- message identity field
- cross office slot field - makes sure that traces don't duplicate their
efforts by setting the points to start from during fault location.
AMU
AMU handles DSS's specific functions such as the collection and persistence
checking of status info and diagnostic hardware. AMU interfaces to the PU and
thus advises the DSS maintenance software on fault areas. AMU receives time
and fault switchblock indicators from DLT using AIU in the TS. Persistence
checks are done to label the alarm as hard or transient.
DLT
DLT conducts the line associated functions of monitoring, installation etc.
DLT also performs switch-related operations. Several are for simple backup
duplications of such functions as trunking and switch fault detections.
DLT Related Functions
The line processor encodes or decodes HDB3 signals and recovers the received
clock. The clock is recovered by using a ringing circuit. The clock
synchronizes the switching centre by providing a network frequency reference.
DLT will identify remote alarm information if the distant alarm bit (usually
bit 3 in channel 0 of odd frames) shows a problem. DSS will, using AMU
instruct MCS to locate the fault. An alarm indications signal (AIS) shows a
transmission equipment failure by tossing out a load of "1s" in the frame.
Line errors can be detected locally if HDB3 input goes or if synchronization
is off. If this occurs MCS is informed and DSS transmits a distant alarm unit
signal.
Switch-related DLT functions are usually involved in duplicated trunking,
fault location or switching channel 0 spare-bits.
The most interesting function is fault location. DLT works with maintenance
software to locate and diagnose switchblock faults. By using path checks or
loop backs, results are sent via AIU to DLT.
Paths are tested using check patterns at both ends of a trunk. They can be
sent in and monitored on any channel after switching. Registers are used to
store the check patterns and they are controlled by the "central office".
Or the DLT will "loop back" its transmit channels to the receive input of
trunking. Loop back is sometimes combined with a path check. By changing the
switch connections a closed loop can be implemented throughout the trunk.
Closed loops are very effective in determining hard faults from transient
ones.
Netherlands - PRX-D (+31)
~~~~~~~~~~~~~~~~~~~
The Processor Controlled Exchange-Digital (PRX-D) builds upon the PRX system
with digital-time division multiplexing (TDM) and with other enhancements.
PRX-D was developed by Philips Telecommunication as an intelligent SPC
system.
The three main areas of PRXs are:
- the switching network (SWN)
- central control complex (CCC)
- operator services (OPS)
Two different versions of trunk lines are used. An analog version - PRX-A has
six linked stages and reed-relay crosspoints of two or four wires or a
digital version of the TST type. Local or remote usage is possible by sending
traffic to the trunks.
The CCC has two types of telecom processors (TCP) to deal with different size
exchanges. TCP 18 covers small-medium exchanges and TCP 36 medium-large
exchanges using multiprocessing with synchronized pairs.
OPS is controlled by a mini-processor called TCP 7. OPS deals with OA&M and
AMA.
Architecture
PRX-D is made of two layers:
- the main layer with the CCC, TCP XX and the control channel processor
terminals (CPT), connecting this layer to the control channel (CCH)
- another layer of SWN modules and the sub-channel controller (SCC)
The digital switching network (DSWN) passes voice and data traffic on 64
kbit/s, 32 channel PCMs. The PSWN has block terminals (TER) which interface
to other circuits and allow services and signals to be interconnected by a
digital trunk link network (DTN).
DTN
DTN is a one-way only transmission on a 4 wire connection. The highway-to-
group (HGD) and group-to-highway multiplexer (GHM) are 16 inlet ports in 4 X
4 groups. A highway switch (HWS) is a group of up to 128 X 128 highways whose
crosspoints can switch from one highway to the next under the control of a
highway switch address generator (HSA). A highway-to-group demultiplexer
(HGD) does the opposite of the GHM.
A digital trunk-line block (DTB) carries a single highway and is controlled
by a DTB marker (DTM). DTN utilizes 7 varieties of customized low current-
mode logic (CCL) ICs.
CCL
The central clock (CCL) is made up of the synchronized mode clock generators
(CLG), the clock measuring unit (CMU) and sometimes a clock reference unit
(CRU). The DTN is sent timing information on 4096 Khz sine waves and 8 Khz
alignment pulses.
Terminals
The 4 main TERs are:
- interfacing analog circuits (ACT)
- subscriber lines
- digital circuits (DLT)
- signalling and services (SST)
- ACT has a peripheral module controller (AMC), a power supply unit (PSU) and
possibly a DTN interface board (DIB). The DIB performs the transmission of
timing signals and assigns time slots.
- SST handles 2048 kbit/s groups by using DTN for signalling ie. MFC,
keytones etc. for services such as voice response systems.
Software
The operational program for TCP 18 is made up of:
- master control program (MCP)
- call processing
- error management
- configuration management
The MCP handles the central control unit (CCU), I/O operations and other
misc. services.
Communication between the main control unit (MCU) and the PMC is done by
transport handlers such as the digital trunk marker (DTM), analog circuit
terminal (ACT), digital circuit terminal (DCT) and the signalling and service
terminal (SST).
Call Handling
One part of the Telephony Operating System (TOS) is call processing modules.
Which distribute calls to an open CCU depending on network conditions. If a
secondary control unit (SCU) is available it will receive the calls. If
niether is available then the MCU will receive them.
Error Maintenance
Error detecting hardware does diagnostics such as checking parity, comparing
timeout circuits etc. By using hardware to perform tests, checking is done
every time the hardware runs and processing time needn't be wasted running
testprograms. When the hardware equipment itself needs testing, testprograms
are then used.
Germany - EWS-D (+49)
~~~~~~~~~~~~~~~
Manufactured by Siemens Telecom, EWS-D is a complete digital switching
system, capable of serving from 200 lines to 60,000 trunks.
Architecture
Subscriber line terminations and interchange trunks are used with trunk/line
groups (LTGs) where digital tone generators and digit receivers are located.
A TS performs connections inside of the LTG. Digital switching connects the
groups to a central processor (CP). Functions carried out by the CP include
overall switching, data storage and remote operation of the system.
Here's a quick example of how a call would be processed under EWS-D:
- the group processor (GP) sense that the phone is off-hook and gives the
caller a tone generator and a digit receiver on the LTG using the group
switch (GS).
- the GP sends the service requested and the dialled digits to the CP.
- CP checks the callers COS, locates a path and informs GP of the caller
- the callee's GP finishes the connection with its LTG, sends a ringing and
places the callee off-hook.
LTG
Signals from an analog subscriber's line are converted into PCM signals on
the line circuit. Up to four interexchange trunk terminations comprise one
module. Four modules make up one highway and up to 128 interexchange trunks
can be on one LTG. A basic subscriber line circuit interfaces with any
signalling system. Notable functions of the subscriber line circuit are the
50/16 kHz call charge meters on the subscriber's premises, access circuitry
for testing and paystation signalling.
The PCM 30 transmission system has its synchronization, signalling channel
and alarm signal on one module. 2.048 Mbit/s highways are connected to the
GS. For a connection to the central network, 4 2.048's become one 8.192
Mbit/s signal. Because the network is duplicated, the identical modules can
easily be used for testing.
Tones such as MFC frequencies are generated digitally on a LTG and sent to
the GS. One change here can effect the entire network.
Central Switching Network
By using a central switching network up to 504 trunk groups, equivalent to
100,000 subscriber lines or 604 trunks can be attained. 8.192 Mbit/s
interfaces are used between the network and the LTG. As mentioned before the
entire network is duplicated. In case of a fault, the network will switch
over to its other half.
Control and Common Signalling Channels
Control channels are grouped into units of 128 for distribution on the 8.192
Mbit/s network. The channels in time lot 0 are switched to the LTG only on
transmission links. Only half - 64 of 128 control channels are used. The
other half are for future uses.
With SS7 the procedure for switching signalling channels though the LTG is
identical to that of the control channels.
OA&M
Digital systems such as this have far fewer errors than analog SPC systems do
due to the smaller number of modules. EWS-D is expected to have fewer than 12
hardware faults per 1000 LTGs with less than 2 hours per fault.
Both hardware and test programs are used to diagnose both subscriber line and
trunk faults. When testing is done on long distance trunks the equipment on
the distant exchange and on the transmission system is done. Measuring
equipment such as ATME2 look at the director and responder operations. Most
local trunks are still copper and EWSD has contacts on the incoming and
outgoing circuits for testing. The monitoring of PCM transmission links is
integrated into EWS-D.
System status is given by an operating terminal indicating system traffic,
the failure/active status of redundant central units, LTGs and equipment
inside LTGs, the number of removed from active LTGs, subscriber lines and the
number of non-switchable call requests. Remote operations can be done via
this terminal.
Administration tasks are also performed at the operating terminal. When a
remote operator is needed, communication equipment such as Transdata is used
to connect to the exchanges over the data transmission channel.
Italy - PROTEO (+39)
~~~~~~~~~~~~~~
PROTEO was designed by Societa Italiana Telecomunicazioni SpA (SITS).
Architecture
It is a fully integrated, digital switching system with SPC. Signals are
converted from analog to digital and transmitted over a PCM. Capacity is
30,000 subscribers in 32 peripheral exchanges (CTs) hooked up to a transit
network (RT) using 32, 2 channel PCMs. Overall control is by a central
computer (CC). A lone CT can handle 2,304 subscriber lines with 18 PCMs, 270
LF trunks and possess 2 line control units (UCL) on a connecting network
(RC).
Subscribers and trunks are connected through a time division multiplex (TDM)
and can go directly to PAM without the analog to digital conversion using
voice scanners if need be.
The CT, can act as a switch if internal subscribers are being switched to
RTs. CT is commonly connected to the RT for interconnections with external
switches. The CT has a codecom unit to convert analog to digital or digital
to analog for PCM bundle generation or insertion into PAM. A TST connection
network is inside the RT and is controlled by the CC using the transit
control unit (UCT). The RC switches 64 kbit/s data channels on 2 Mbit/s PCM
bundles towards UCS when exchange signalling exists and to UCM when remote
signalling comes in on a common channel. If CCS isn't present, then
signalling control units (UCS) are used to process signalling codes.
Maintenance
CC uses LEONE processors in SPC for maintenance and has a BHCA capacity of
150,000. PROTEO handles rural areas quite well as CTs can be located at great
distances from the RT. If less than 250 subscribers exist, concentrators will
be used to connect them to a CT.
Flexibility
The modularity of PROTEO is its ability to adapt to different network
conditions. By having functions act independently of others, upgrades and
maintenance is simplified.
Japan - NEAX 61 (+81)
~~~~~~~~~~~~~~~
The NEAX 61 was designed by Nippon Electric Co. and was first installed in
the US. But due to its origin it is being included as a Japanese system. It
has SPC, PCM TDM and uses a four stage TSST switching network.
Specifications
circuit capacity:
local switching - 100,000 lines, 13,000 trunks
toll switching - 60,000 trunks
international switching - 30,000 international circuits
network capacity - 22,000 erlangs
call handling capacity - 700,000 BHCA
Architecture
NEAX 61 is comprised of 4 subsystems:
- application subsystem - several service interface modules each having line
and trunk circuits, interface circuits, multiplexers and a controller. This
subsystem gives a standard interface to the other subsystems. It controls the
terminal circuits and interfaces them with the switching subsystem. Service
modules receive information from the processor to establish paths and other
actions. Each service module has a terminal and interface circuit, a
duplicated controller and primary multiplexer (PMUX) and demultiplexer. The
controllers collect terminal circuit scanning data, control the terminal and
interface circuits and communicate with the processor. The modules each have
their own terminal and interface circuits:
- analog trunk interface module - Both the terminal and interface circuits
are codecs. Any analog trunk can be used by the module and each trunk has its
own codec channel.
- analog line interface module - The terminal circuit is an analog line
circuit that conducts two to four wire conversion, ringing application,
protects against overvoltage and other testing procedures. By using one of
four switch selectable balancing networks an insertion loss less than 0.5 dB
is possible.
- digital line interface module - Connects PCM analog and digital subscriber
carrier lines. The interface circuit is a digital line switch that
concentrates digital lines by assigning time slots and putting each time slot
on a serial bit stream to the PMUX.
- operator position interface module - connects the different operator
positions such as toll and directory assistance. Operators converse with
callers over position trunk circuits. The controller has a capacity of up to
64 operator positions and the PMUX can have up to 120 operators on a position
trunk.
- processor subsystem
- Maintenance and Administration subsystem - Alarm information is shown on
the maintenance frame or at a supervisory test desk. The line test desk
platforms subscriber line testing. NEC has a technical assistance center
where NEC personnel provide support on a subscription basis.
---------------------------------------------------------------------------
Sources
Various IEEE Documents
Helpful International Operators
---------------------------------------------------------------------------
The LOD Technical Journal: File #9 of 12
Hacking
GANDALF XMUX'S
-----------------------
Written by:
Deicide
on 03/29/93
===========================
*NOTE: While writing this file I assumed that the reader has a working
knowledge of PSNs.
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
The Gandalf XMUX is made by Gandalf Technologies Incorporated. It is
one of two popular systems Gandalf makes, the other being the
Starmaster/PACX. These systems are very closely knit, as you'll see later,
but the focus of this g-file is on the XMUX system. I still don't have a XMUX
manual, so this file will be a bit incomplete, but it will give you a good
sense of the system; How to Identify it, How to Penetrate it, and How to Use
it. There are a number of security flaws in the XMUX, all of which can be
circumvented but frequently are not. Occasionally you will find an
unpassworded console, in that case just move on to the How to Use it section.
The Gandalf systems are very frequently found on all the major PSNs, as
Gandalf's themselves often serve as network controllers. Most of the major
companies, such as Xerox & Bell Canada, use XMUXs, so it is a good idea to
become familiar with the system.
How To Find Your XMUX & How To Identify It
------------------------------------------
First of all, if you find an unpassworded XMUX it will tell you by the
herald "Gandalf XMUX Primary Console Menu" followed by the menu itself. Skip
this part for now.
But for the rest of you, you probably still need to find your XMUX, and
you need to know how to identify it.
Before we get further into this, a small amount of knowledge of the whole
scope of the XMUX is needed. Every XMUX is made up of at least 4 parts, each
present on every single XMUX. These parts are called:
- Console
- Fox
- Logger
- Machine
The Console is the actual system, the part that has to be hacked, the part
that contains the information we are attempting to retrieve.
The Fox is a test machine, serving no other purpose except to spout "THE
QUICK BROWN FOX JUMPS OVER THE LAZY DOG 1234567890 DE" over and over again.
The Logger is displays a line or two of information such as the time & the
LCN called, for the most part unimportant. But it does contain the node name.
The Machine is basically a system information giver. I have yet to discover
all of it's commands, but S gives some systems stats (including the node
name) and L is an optional command that supplies the user with a system log
(which contains link addresses & UID's).
All of these can be useful in some way.
The XMUX can be found in a number of ways:
- On a standard NUA(XXXX XXXX)
- On a standard NUA + extension(XXXX XXXX,XXXXXXXX)
- On extensions off of Starmasters & PACXs.(XXXX XXXX,XXXXXXXX)
- On LCN's (subaddressing) off any other type of system/OS.
???????????????????????????????????????????????????????????????????????????
NOTE:"Password >" is the password prompt for the XMUX Console, occasionally
proceeded by an operator definable system message such as "Vancouver XMUX".
To be sure that this is a XMUX prompt, hit <ENTER>. If it returns the message
"Invalid Name
Names must consist of 1 to 8 alphanumeric characters"
Then you are dealing with the XMUX Console.
???????????????????????????????????????????????????????????????????????????
On a standard NUA it will bring you right to the "Password >" prompt, no
hassles. You can then proceed to the section that deals with hacking the
console.
On a standard NUA + extention, it is not so easy. When you first hit the NUA,
it will give you the "Remote Directive" error message, telling you that you
"forgot" the extention. Now, the error message could mean you forgot the
extention for a VAX, also, but we will assume that it is a XMUX on the NUA.
This is true only a fraction of the time, but try this on every Remote
Directive message, you'll find a good share of XMUX's. First of all, try the
LCN (subaddress) of 1 on the NUA. If you come up with the Fox segment of the
XMUX (explained earlier) then you have an XMUX Console on the NUA, it's just
hiding. If the LCN brings up the Remote Directive message again, then try the
extention of LOGGER on the NUA. If it brings up the XMUX Logger, then again,
the XMUX Console is there, but with a bit of security added on. If you now
know that you are on an XMUX, try the CONSOLE extention. It should bring you
to the "Password >" prompt, or occasionally right inside without needing a
password.
Starmaster's and PACX's almost always have an XMUX attached on to it. Use the
Starmaster or PACX's NUA + the extention CONSOLE. It will most likely bring
you to the "Password >" prompt. If it doesn't work, try LCN's. If that fails,
try "XMUX" or "XCON" from the Starmaster/PACX service prompt.
The LCN's off all the other system/OS types is a bit more complicated. You
can either guess, pick the likely ones, or try them all. What this is is an
XMUX in coexistance with another type of system, such as AOS/VS. The most
common way to find these is by adding an LCN of 1 to the NUA of the system.
If it comes up with the XMUX FOX section, then you can be sure an XMUX is
present. To find the XMUX Console, use LCN's of 4 and above(2 & 3 being
Logger and Machine), up to the LCN of 15(maximum on XMUX). If you still
haven't found the Console, and it's returning the Remote Directive error
message, now's the time to use the CONSOLE extention. In most cases it'll
bring up the "Password >" prompt, or right into the Console Menu.
HOW TO PENETRATE THE XMUX CONSOLE "PASSWORD >" PROMPT
-----------------------------------------------------
To start you off, XMUX Console Passwords MUST be within 1 to 8
alphanumeric characters. Any combination within that boundary is an
acceptable password. Now, while it is true that the password could be a
random letter/number combination, such as G2Z7SWJ8, and therefore extremely
impractical to hack, it is almost a given that the password is a relevant
word or abbreviation, with not more than one numeric character, which is
usually not even included. Also, you get 4 attempts at a password before
being logged off, and remember, you don't even need to find a username.
When you first reach the "Password >" prompt it's a good idea to try the
defaults(in order of occurance):
- Gandalf
- Xmux
- Console
- System
Also, Password (no, really), Network, CPU, Switch & Network are also
frequently found.
Then, if the defaults don't work, it's time for a little calculated brute
forcing. If the system has a herald, such as "BenDover Field Communications"
then try everything you possible can thing of that is relevant to the herald,
such as Bendover, Ben, Dover, BDFC, Field, Telecom, etc. Also, combine these
with the defaults, particularly Xmux. As in BenXMUX, or FieldMux, etc. If
there is no herald, or all the thing you can think of to do with the herald
fail as passwords, then it is time to get the node name. The node name is
used very frequently as a password, thus a good thing to try. But where to
get the node name with out getting the password first? It is contained in two
other places other than the Console, with ALWAYS at least one of the
facilities open to you. The Logger (LCN 2, or extention LOGGER) always spurts
out the log name first upon connect. This is always available, I have only
seen one case in which the Logger information was protected, and that was
achieved by wiping it out, which very few administrator's do. The other
source is the Machine (LCN 3, or extention MACHINE), a very handy source of
information. You will recognize the Machine by its "#" prompt. At this prompt
type "S" for system stats. The first thing you see in the system stats is the
Node Name. Also, with machines type "L". Occasionally it will be set to show
the log, which contains the Link Addresses (usually other netted computers,
frequently Gandalfs) and UID's as well. Try the Node Name by itself as a
password, then in combination with all the above, such as a combo of Default
& Node Name. If you follow all these above methods, 50% of the time you
will find the password. If you don't get the password, don't worry, there are
many more XMUX's out there with poor security, go for those. But before you
move on, try the LCN's from 4-15, frequently you'll find another system,
often a private PAD or an outdial.
WHAT TO DO WITH THE XMUX CONSOLE ONCE INSIDE
--------------------------------------------
For those itching to read other people's mail, or retrieve confidential
files, etc, you will be very disappointed. Although once inside the XMUX
Console you have virtual Superuser status, the commands are all maintenance
related. But, often you will find other systems, quite often networks, PADs,
& outdials from inside.
You will first encounter the primary menu, which looks similar to this:
Gandalf XMUX (date)
Rev(version) Primary Console Menu (time)
Node:(nodename)
Primary Menu:
1. Define
2. Display
3. Maintenance
4. Supervise
5. Exit
Primary selection >
Now, although there are some other useful and interesting features to the
XMUX console, I will only show you the 3 most useful features, those being
Abbreviated Command, Service & Call Status.
Abbreviated Command is an option found in the Define sub-menu. Hit 7 once
inside the Define sub-menu to bring up the Abbreviated Command prompt. Type
a ? to show all the abbreviated commands. If there are none, curse your luck
and move on to the next feature. If there are some, type them in, one at a
time. Each Abbreviated command is really a macro, and a macro of a NUA plus
the subaddressing and data character extension needed to enter the system.
These can be very useful, not only for the NUA & subaddress, but for the fact
that the extension is included. Most times extensions are hard if not
impossible to guess, and the macro throws it right in your face. The
Abbreviated Command is in the format of XXXXXXXXdEXTENSION, in that the X's
are where the NUA is placed, the EXTENSION is the extension characters, and
the 'd' is really where the comma goes to separate the two. So if the
Abbreviated Command was 55500123dabc, the NUA would actually be
- 55500123,abc -
Service is a menu option also from the Define sub-menu. What it enables
you to do is view all the services available, plus their function & LCN.
Type "11" from the define menu, then "?" for a list of the services
available. Console, Fox, Logger & Machine will always be present. Anything
else is a bonus, and should be capitalized upon. For example, if you see
"Modem" as one of the services, then enter "Modem" from the Service sub-sub-
menu to see which LCN the modem is on.
Display Call Status is a handy command used from the Display sub-menu
which gives a log of all the calls the system has handled. In the call log
are the NUA's of the system that called, often a netted system such as
another Gandalf.
---------------------------------------------------------------------------
The LOD Technical Journal: File 10 of 12
Tempest in a Teapot
-------------------
Do-it-yourself techniques to inhibit electromagnetic eavesdropping
of personal computers.
Grady Ward <grady@netcom.com>
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.2
mQCOAiumM0QAAAED+JPD8OULO2aXRvU2FDksMjJeGT96kGK5eJK1grkXuIHz+6pe
jiedYOv72kBQoquycun191Ku4wsWVTz6ox/bpReBs5414OTPzQVJgWQzCW1N4BfV
Wr4eEn3qnFsVLXXxk3oYGydIeJcmelSyuPSq/Oq7Q+eHkKgjqxDTjVMu8iEAEQEA
AbABh7QuR3JhZHkgV2FyZCAgPGdyYWR5QG5ldGNvbS5jb20+ICAoNzA3KSA4MjYt
NzcxNbABAw==
=e3rN
-----END PGP PUBLIC KEY BLOCK-----
Version 1.0 22 March 93
TEMPEST is the code name for technology related to limiting unwanted
electromagnetic emissions from data processing and related equipment. Its
goal is to limit an opponent's capability to collect information about the
internal data flow of computer equipment. Most information concerning TEMPEST
specifications is classified by the United States Government and is not
available for use by its citizens.
The reason why TEMPEST technology is particularly important for
computers and other data processing equipment is the kinds of signals
components in a computer use to talk to each other ("square waves") and their
clock speeds (measured in megahertz) produce a particularly rich set of
unintentional signals in a wide portion of the electromagnetic spectrum.
Because the spurious emissions occupy so wide a portion of that spectrum,
technologies used to block one portion of the spectrum (as pulling the shades
closed on a window to stop the visible light portion) are not necessarily
effective in another portion.
Unintentional emissions from a computer system can be captured and
processed to reveal information about the target systems from simple levels
of activity to even remotely copying keystrokes or capturing
monitor information. It is speculated that poorly protected systems can be
effectively monitored up to the order of one kilometer from the target
equipment.
This note will examine some practical aspects of reducing the
susceptibility of your personal computer equipment to remote monitoring using
easily-installed, widely available after-market components.
I
One way of looking at TEMPEST from the lay person's point-of-view is that it
is virtually identical to the problem of preventing electromagnetic
interference ("EMI") by your computer system to others' radios, televisions,
or other consumer electronics. That is, preventing the emission of wide-band
radio "hash" from your computers, cabling, and peripherals both prevents
interference to you and your neighbours television set and limits the useful
signal available to a person surreptitiously monitoring.
Viewing the problem in this light, there are quite a few useful documents
available form the government and elsewhere attacking this problem and
providing a wealth of practical solutions and resources. Very useful for the
lay person are:
Radio Frequency Interference: How to Find It and Fix It. Ed Hare, KA1CV and
Robert Schetgen, KU7G, editors
The American Radio Relay League, Newington , CT
ISBN 0-87259-375-4 (c) 1991, second printing 1992
Federal Communications Commission Interference Handbook
(1991)
FCC Consumers Assistance Branch
Gettysburg, PA 17326
717-337-1212
and
MIL-STD-188-124B in preparation
(includes information on military shielding of tactical
communications systems)
Superintendent of Documents
US Government Printing Office
Washington, DC 20402
202-783-3238
Information on shielding a particular piece of consumer
electronic equipment may be available from the:
Electronic Industries Association (EIA)
2001 Pennsylvania Ave NW
Washington, DC 20006
Preventing unintended electromagnetic emissions is a relative term.
It is not feasible to reduce to zero all unintended emissions. My personal
goal, for example, might be to reduce the amount and quality of spurious
emission until the monitoring van a kilometer away would have to be in my
front yard before it could effectively eavesdrop on my computer. Apartment
dwellers with unknown neighbours only inches away (through a wall) might want
to even more carefully adopt as many of the following suggestions as possible
since signal available for detection decreases as approximately the inverse
square of the distance from the monitoring equipment to your computer.
II
Start with computer equipment that meets modern standards for emission.
In the United States, the "quietest" standard for computers and peripherals
is known as the "class B" level. (Class A level is a less stringent standard
for computers to be use in a business environment.).
You want to verify that all computers and peripherals you use meet the class
B standard which permits only one-tenth the power of spurious emissions than
the class A standard. If you already own computer equipment with an FCC ID,
you can find out which standard applies. Contact the FCC Consumers Assistance
Branch at 1-717-337-1212 for details in accessing their database.
Once you own good equipment, follow the manufacturer's recommendations for
preserving the shielding integrity of the system. Don't operated the system
with the cover off and keep "slot covers" in the back of the computer in
place.
III
Use only shielded cable for all system interconnections.
A shielded cable surrounds the core of control wires with a metal braid or
foil to keep signals confined to that core. In the late seventies it was
common to use unshielded cable such as "ribbon" cable to connect the computer
with, say, a diskette drive. Unshielded cable acts just like an antenna for
signals generated by your computer and peripherals. Most computer
manufacturer supply shielded cable for use with their computers in order to
meet FCC standards. Cables bought from third-parties are an unknown and
should be avoided (unless you are willing to take one apart to see for
yourself!)
Try to avoid a "rat's nest" of wire and cabling behind your equipment and by
keeping all cables as short as possible. You want to reduced the length of
unintended antennas and to more easily predict the likely paths of electric
and magnetic coupling from cable to cable so that it can be more effectively
filtered.
IV
Block radiation from the power cord(s) into the house wiring.
Most computers have an EMI filter built into their body where the AC line
cord enters the power supply. This filter is generally insufficient to
prevent substantial re-radiation of EMI voltages back into the power wiring
of your house and neighbourhood. To reduce the power retransmitted down the
AC power cords of your equipment, plug them in to special EMI filters that
are in turn plugged into the wall socket. I use a model 475-3
overvoltage and EMI filter manufactured by
Industrial Communication Engineers, Ltd.
P.O. Box 18495
Indianapolis, IN 46218-0495
1-800-ICE-COMM
ask for their package of free information sheets
(AC and other filters mentioned in this note are available from a wide
variety of sources including, for example, Radio Shack. I am enthusiastic
about ICE because of the "over-designed" quality of their equipment. Standard
disclaimers apply.)
This particular filter from ICE is specified to reduce retransmission of EMI
by a factor of at least 1000 in its high-frequency design range. Although
ideally every computer component using an AC line cord ought to be filtered,
it is especially important for the monitor and computer CPU to be filtered in
this manner as the most useful information available to opponents is believed
to come from these sources.
V
Block retransmitted information from entering your fax/modem or
telephone line.
Telephone line is generally very poorly shielded. EMI from your computer can
be retransmitted directly into the phone line through your modem or can be
unintentionally picked up by the magnetic portion of the EMI spectrum through
magnetic induction from power supplies or the yoke of your cathode ray tube
"CRT" monitor.
To prevent direct retransmission, EMI filters are specifically designed for
modular telephone jacks to mount at the telephone or modem, and for
mounting directly at the service entrance to the house.
Sources of well-designed telephone-line filter products include ICE
(address above) and
K-COM
Box 82
Randolph, OH 44265
216-325-2110
Your phone company or telephone manufacturer may be able to supply
you with free modular filters, although the design frequencies of these
filters may not be high enough to be effective through much of the EMI
spectrum of interest. Keep telephone lines away from power supplies of
computers or peripherals and the rear of CRTs: the magnetic field often
associated with those device can inductively transfer to unshielded lines
just as if the telephone line were directly electrically connected to them.
Since this kind of coupling decreases rapidly with distance, this kind of
magnetic induction can be virtually eliminated by keeping as much distance
(several feet or more) as possible between the power supply/monitor yoke and
cabling.
VI
Use ferrite toroids and split beads to prevent EMI from escaping on the
surface of your cables.
Ferrites are magnetic materials that, for certain ranges of EMI
frequencies, attenuate the EMI by causing it to spend itself in heat in the
material rather than continuing down the cable. They can be applied without
cutting the cable by snapping together a "split bead" form over a thick cable
such as a power cord or by threading thinner cable such as telephone several
times around the donut-shaped ferrite form. Every cable leaving your monitor,
computer, mouse, keyboard, and other computer
peripherals should have at least one ferrite core attentuator. Don't forget
the telephone lines from your fax, modem, telephone or the unshielded DC
power cord to your modem. Ferrites are applied as close to the EMI emitting
device as possible so as to afford the least amount of cable that can act as
an antenna for the EMI.
Good sources for ferrite split beads and toroids include
Amidon Associates, Inc.
P.O. Box 956
Torrance, CA 90508
310-763-5770
(ask for their free information sheet)
Palomar Engineers
P.O. Box 462222
Escondido, CA 92046
619-747-3343
(ask for their free RFI information sheet)
and Radio Shack.
VII
Other practical remedies.
Other remedies that are somewhat more difficult to correctly apply
include providing a good EMI "ground" shield for your computer equipment and
other more intrusive filters such as bypass capacitor filters.
You probably ought not to think about adding bypass capacitors unless you are
familiar with electronic circuits and digital design. While quite effective,
added improperly to the motherboard or cabling of a computer they can "smooth
out" the square wave digital waveform -- perhaps to the extent that signals
are interpreted erroneously causing mysterious "crashes" of your system. In
other cases, bypass capacitors can cause unwanted parasitic oscillation on
the transistorized output drivers of certain circuits which could damage or
destroy those circuits in the computer or peripherals. Also, unlike ferrite
toroids, adding capacitors requires actually physically splicing them in or
soldering them into circuits. This opens up the
possibility of electric shock, damage to other electronic components or
voiding the warranty on the computer equipment.
A good EMI ground is difficult to achieve. Unlike an electrical safety
ground, such as the third wire in a three-wire AC power system, the EMI
ground must operate effectively over a much wider part of the EMI spectrum.
This effectiveness is related to a quality known as electrical impedance. You
desire to reduce the impedance to as low a value as possible over the entire
range of EMI frequencies.
Unlike the AC safety ground, important factors in achieving low impedance
include having as short a lead from the equipment to a good EMI earth ground
as possible (mus
t be just a few feet); the gauge of the connecting lead (the
best EMI ground lead is not wire but woven grounding "strap" or wide copper
flashing sheets; and the physical coupling of the EMI into the actual earth
ground. An 8 ft. copper-plated ground may be fine for AC safety ground, but
may present appreciable impedance resistance to an EMI voltage. Much better
would be to connect a network of six to eight copper pipes arranged in a six-
foot diameter circle driven in a foot or two into the ground,
electrically bonded together with heavy ground strap and connected to the
equipment to be grounded via a short (at most, several feet), heavy (at least
3/4-1" wide) ground strap.
If you can achieve a good EMI ground, then further shielding possibilities
open up for you such as surrounding your monitor and computer equipment in a
wire-screen Faraday cage. You want to use mesh rather than solid sheet
because you must preserve the free flow of cooling air to your equipment. Buy
aluminum (not nylon) screen netting at your local hardware store. This
netting typically comes in rolls 36" wide by several feet long. Completely
surround your equipment you want to reduce the EMI being careful to make good
electrical bonds between the different panels of netting and your good earth
ground. I use stainless steel nuts, bolts, and lock washers along with
special non-oxidizing electrical paste (available from Electrical
contractors supply houses or from ICE) to secure my ground strapping to my
net "cages". A good Faraday cage will add several orders of magnitude of EMI
attenuation to your system.
VIII
Checking the effectiveness of your work.
It is easy to get a general feeling about the effectiveness of your EMI
shielding work with an ordinary portable AM radio. Bring it very close to the
body of your computer and its cables in turn. Ideally, you should not hear an
increased level of static. If you do hear relatively more at one cable than
at another, apply more ferrite split beads or obtain better shielded cable
for this component. The practice of determining what kind of operating system
code is executing by listening to a nearby AM radio is definitely obsolete
for an well-shielded EMI-proof system!
To get an idea of the power and scope of your magnetic field emissions, an
ordinary compass is quite sensitive in detecting fields. Bring a compass
within a few inches of the back of your monitor and see whether it is
deflected. Notice that the amount of deflection decreases rapidly with
distance. You want to keep cables away from magnetic sources about as far as
required not to see an appreciable deflection on the compass.
VIIII
Summary
If you start with good, shielded equipment that has passed the FCC level B
emission standard then you are off to a great start. You may even be able to
do even better with stock OEM equipment by specifying "low-emission" monitors
that have recently come on the market in response to consumer fears of
extremely low frequency ("ELF") and other electromagnetic radiation.
Consistently use shielded cables, apply filtering and ferrite toroids to all
cabling entering or leaving your computer equipment. Finally, consider a good
EMI ground and Faraday cages. Beyond this there are even more effective means
of confining the electrical and magnetic components of your system through
the use of copper foil adhesive tapes, conductive paint sprays, "mu metal"
and other less common components.
---------------------------------------------------------------------------
The LOD Technical Journal: File #11 of 12
OOOOOOOOOOOOOOOOOOOOOOOOOOO
OOOO OOOO
[] []
[]Presidential Security[]
[] []
OOOO By Argon/LOD OOOO
OOOOOOOOOOOOOOOOOOOOOOOOOOOOO
This phile is intended to give a glimpse into what's behind all those stern-
faced, emotionless secret service agents that surround the president and to
give analysis into the security surrounding our executive branch.
Our current President, or more formally Commander in Chief is as everyone
knows is Bill Clinton. Ever since his inauguration he has been under
supposedly "tight" security. However, even with up to double the normal
security allotment he is still at risk. And the list of would be assassins is
large, everyone from Iraqis, Serbians, Islamic fundamentalist militants and
if you listen to these conspiracy theories you can throw in the military
industrial establishment and heck even the religious right has motive for
assassinating the CINC.
Which has given rise to millions of dollars worth of hardware and Secret
Service payrolls for his protection. 200 agents, personal security teams and
body-guards watch our CINC 24 hours a day without rest.
What I intend to analyze is the methods of protection utilized by the SS,
their weaknesses and how they can be rectified. As the most powerful
individual in the world, our president must be safeguarded at all costs, as
he is an extremely high profile target. Nothing could give a terrorist group
more publicity and recognition that assassinating the American president.
Hopefully, the SS can keep this in mind when reading the recommendations
suggested later on when they review this journal for their computer crime
investigations... Perhaps someone will bring this to the CINC's attention, as
for the next 3 odd years the only relevancy of this phile is in ensuring
*his* safety.
4 US Presidents have been assassinated in our nation's history so with such
a risk of assassination no cost in protection is to high. The huge Whitehouse
budget can easily afford to spend more on security and less on bureaucracy.
At first glance, a Presidential assassination seems very simple. After all,
he's in front of the cameras up to 2 hours each day and its's no secret where
to find him, just stroll over to 1600 Pennsylvania Av. The Whitehouse doesn't
appear to be well defended, the windows aren't sandbagged, there is no barbed
wire, electrified fence, guard towers, minefields or even a solid wall. Just
a fragile and cosmetic black gate fence.
This first impression is entirely incorrect. The Whitehouse is ringed in
other tall buildings, giving SS sharpshooters an excellent position to fire
from. Behind all the stonework they have a superb spot to cover the
Whitehouse with. And the uncluttered Whitehouse lawn gives them a clear field
of fire. Anyone stupid enough to simply scale the fence, or ram through it
would be cut down in a hail of fire before making it halfway across the lawn.
Coming from those perched in the surrounding buildings, and the agents inside
the whitehouse. The sharpshooters posted to presidential security are simply
the best at what they do. They don't "miss".
Perhaps the most effective route for a terrorist to take would be to attack
the President while he's airborne in either a helicopter or airplane (in this
case Air Force 1). Here the President is certainly at his most vulnerable.
Infrared (IR) guided surface to air missiles (SAMs) such as the Russian SA-7
or newer SA-14, or the US Stinger could be used with deadly effect to shoot
down the aircraft. All aircraft the President travels in are equipped with IR
jammers such as the ALQ-144, which send out hotter heat waves than the
aircraft does in different directions from a small pylon shaped group of
lenses. Presently most missiles are not advanced enough to pick out the
aircraft from all the other false directed heat. Non IR guided systems can be
utilized though. The British Shorts Blowpipe or Javelin however are optically
guided, by means of a joystick and monocular sight. So IR jamming is useless.
The only way to really avoid them is to silence the person guiding it. And
these are not too difficult to obtain, they have already been used by the
Afgan rebels. So obtaining these and other SAMs is relatively easy, as they
are found in many of the world's hotspots for the right price. There is no
effective safeguard in place by the SS to protect the Presidents aircraft
from an optically guided SAM.
Even if a terrorist has no access to a SAM aerial assassinations are still
possible. A small "Cessna" like aircraft could simply be used in a "Kamikaze"
like role by colliding midair at high-speed with the president's helicopter.
Given the superior speed of a fixed wing aircraft the helicopter pilot would
have to be highly skilled to avoid it. Presidential pilots are trained in
such avoidance techniques but whether they could dodge one in practise is
unclear.
The Soviets used to have a phobia about helicopters because of their low
speed and high vulnerability to SAM's, ground fire and aircraft. Consequently
Secretary Generals and high ranking officials never flew by helicopter. The
President should likewise cease travel by helicopter as well. Conventional
fixed wing flights are much safer. Only during takeoff and landing is the
President vulnerable, and then only to SAM's. Groundfire is ineffective
against large body aircraft and with greater speed and size the risk from
"Kamikaze" style attacks is reduced. Fighter cover, usually from F-14's is
occasionally provided so any hostile aircraft (such as a Kamikaze Cessna)
wouldn't stand a chance. As Air Force 1 moves at slow speeds during landings
or is slowly accelerating off the ground during takeoff's there is an
*alarming* threat from SAM's. Slow moving giants like Air Force 1, are turkey
shoots for agile, supersonic man-portable SAM's. When taking off or landing
at a public airport an assassin has many places to make a hidden lanching
from. With a range of over 2 Km, Air Force 1 is vulnerable for a *long*
period of time. As it climbs, it has no speed or room to manoeuvre. Even if
it could, commercial airliners are not known for their agility. The only hope
then is through IR jamming, electronic jamming, chaff or flares. Since the
assassin knows the runway position, he knows the direction of where Air Force
1 must takeoff or land from. There would be less than 15 seconds before
launch and impact. The launch-warning beeper aboard Air Force 1 would only
just be recognized before Air Force 1 would be blown from the sky.
To reduce this risk, the President should takeoff and land from well-secured,
isolated military airfields when travelling domestically and internationally
and stick as much to ground transport as possible. By using secret travel
plans (such as which airport he will arrive at in New York for example) an
assassin won't know which airport to cover. After all the public doesn't need
to know the Presidents air travel itinerary.
Another policy used by the SS is to keep the specific details of the
Presidents movements secret. Everyone knows when the president will be giving
a speech, but the exact times are always classified. Which complicates the
assassins operation, as careful planning in advance is required.
Whenever the president's exact location has been made known in advance,
security is always *tight*. For example during the State of the Union address
the entire vicinity is sealed off.
However security during these events and regular operations must be
increased. One threat is from anti tank guided weapons (ATGWs). Optically
guided along a thin wire for in-flight corrections they have a range up to 3
Km. Or from bigger air or ground launched missiles such as the Maverick. An
assassin could fire from the other side of DC, into the stands during the
inauguration ceremony for example. Not only the President would be eliminated
but so to would all the supreme court justices, the former President and
Vice-President, the new Vice-President - the whole government. The same
applies when the President addresses a joint session of congress. Using
guided weapons, an aircraft or even an improvised nuclear device (IND) the
*entire* judicial, legislative and executive branches of the US government
would be eliminated! Such a congregation of VIP's is a flawed idea from the
start. Tradition should give way to reason and smaller events should replace
them. Celebrating democracy is great but to risk the entire US government?
So far only advanced methods of assassination have been examined. The
possibility of a "lone gunman" using basic methods, with no more than
personal weapons still remains. Take for example, the president giving an
address to university graduates. It would take less than 2 seconds, for an
assassin to remove his hand from an undercoat, clenching a firearm to aim and
fire one round. Against this it takes a minimum of one second for the SS
agents to react to the initial movement of the assassin's hand, one second to
draw their weapons and another two to aim and fire. The president could be
dead before the SS had finished aiming. Of course in some cases audiences are
searched with metal detectors for weapons. It doesn't take a genius to
smuggle in a small handgun into an audience of a few thousand though.
The only option here is to reduce or eliminate public appearances by the
President. But as the President would no doubt insist on being visible and
open for all the cameras it isn't likely. Better checking of the site
beforehand and on audiences is necessary then.
A similar situation exists with say, the motorcade on inauguration day, where
the President often leaves the car to walk alongside it. Here the SS is out
in great force with rifles trained and ready. But we are back to our
fundamental disadvantage. The assassin will always have at least a 1-2 second
jump on the SS.
As was mentioned before, by moving towards ground transportation instead of
air the President is much safer. As you might already know the President
travels in a "bullet proof" custom built vehicle. It goes everywhere that he
does. When he goes to Russia, so does the car. The car's armour will stop
small arms fire (ie. handguns, automatic weapons, rifles etc.) However, fire
from a crew served 12.5mm gun will penetrate it. Since a gun of this size is
to large and bulky to be concealed from a hundred odd SS agents it's not a
worry. Remotely fired ATGW's or pre-positioned explosives are. Pre-positioned
explosives won't work as the president's exact route is usually classified.
When it's not secret, like on inauguration day or a parade, the route will
have been carefully combed over a dozen times for explosives. And the manhole
covers welded shut to prevent anyone from placing explosives beneath the
road.
The bullet-proof car however isn't ATGW-proof. Their shaped charges are
designed for penetrating main battle tanks (MBTs) with frontal armour a foot
thick. It would be best for our president to travel in a modified M1A1 Abrams
MBT. Some ATGW's may be able to penetrate its rear or perhaps side armour but
no existing ATGW's will penetrate its frontal armour. As its made of top-
secret "cobham" plating which is several times stronger than an equivalent
amount of traditional steel.
Most assassinations are not done through the use of violent force. They are
more subtly done using poison for example. Whitehouse security around the
president's food is almost non-existent. Even if the food was "checked", ie.
some bloke eats portions of it first and is watched for sickness, it could
never reduce the risk poised by long term or delayed acting poisons. What
should be done then? The President should appoint an agent to go out and
randomly purchase food from restaurants and keep it under guard. This way no
one will know which food to poison. A simpler method is to infect one's hand
with it (after consuming an antidote), and then shake the president's hand,
transferring the poison to him. Saddam Hussein, has a solution to this - the
hands of visitors are disinfected prior to meeting the dictator. Airborne
bacteria could be let loose near the president to cause infection too.
Perhaps the Whitehouse should have its own sealed environment to guard
against this.
Our president is as stated earlier in much peril. It's only a matter of time
before a group or faction builds up the nerve to attempt an assassination.
When they do, enough loopholes in the security arrangement today exist for
success. By acknowledging and acting upon some of the recommendations made
here, the global disruption that would result from an assassination or
attempt of one can be prevented. At the very least the president must cease
travelling by helicopters, increase security at public appearances and guard
against poisons. To give our president the security that is truly justified
by his important role, the president must keep appearances to a minimum,
reduce the number of officials at major ceremonies and consider travelling by
armoured vehicle to avoid the dangers poised by ATGW's or RPG's.
---------------------------------------------------------------------------
The LOD Technical Journal: File #12 of 12
Network News & Notes
=------------------=
If some of this seems a little "old", do keep in mind that everything since
'90 has to be covered. As most of the other 'ZiNeZ are narrowly focused on
major publications and miss out on current events in the industry and a lot
of other interesting news.
---------------------------------------------------------------------------
DCS Comes to Russia (Tellabs, April 1993)
A Tellabs TITAN 532E digital cross-connect system (DCS) and 452 series
transcoders have been installed by Moscow Cellular Company, a joint venture
that includes US West and Moscow public telephone network operators, to boost
capacity in its cellular transmission network.
The DCS, which is the first to be installed in Russia, increases the capacity
of the Moscow mobile switching centre (MSC) by "grooming and filling"
partially-filled 2 Mbit/s PCM links from radio base stations. The 452 60-
channel transcoders are used to double the capacity of 2 Mbit/s PCM
transmission links between base stations and the MSC.
----------------------------------------------------------------------------
UK Renumbering (BT, April 1993)
A campaign to prepare its customers for changes to national and international
dialing codes was launched by British Telecom (BT) on 1 February 1993.
The changes announced last year by the Office of Telecommunications (OFTEL),
will take place on 16 April 1995, more than two years hence. BT is starting
its publicity campaign now, however, so that everyone will be ready.
The changes follow extensive and lengthy consultation by OFTEL with
representatives of telephone users, operators and equipment manufacturers.
The creation involves the additional codes and numbers needed to cater for
the growth of the telecom services well into the next century, provide
capacity for new operators entering the market.
Area dialing codes will have a "1" inserted after the initial "0". For
example Cardiff's 0222 becomes 01222 and Central London will change from 071
to 0171.
The international dialing code changes from 010 to 00. This is a European
Community requirement based on CCITT Recommendation E. 160.
Five cites will be given completely new codes and their existing six-digit
local number will be increased to seven digits.
Codes which do not denote a geographic area, for example Freefone 0800
numbers, mobile codes such as 0860 and 0850, and information and
entertainment services on a code such as 0891 will not change.
-----------------------------------------------------------------------------
BT checks into the Holiday Inn (BT, April 1993)
The Holiday Inn hotel chain with more than 1700 hotels in 54 countries, has
signed a 2-million pound sterling three-year contract for BT's global network
services. Under the contract, BT will provide Holiday Inn with a tailor-made
data network which will connect the company's hotels in the Asia-Pacific
region with its headquarters in the US.
One of the main applications of the network will be to run the chain's
Holidex hotel computer reservation system.
Initially, the service will be available in five countries - Hongkong,
Singapore, Japan, Australia and the US. Eventually, the network will be
extended to cover 99 sties in 27 countries in the Asia-Pacific region, the
Middle East, Africa and the US.
-----------------------------------------------------------------------------
Trunk Protection for Telefonica (Telecommunications radioelectriques et
telephoniques (TRT), March, 1993)
Philips Telecommunications the Spanish subsidiary of Philips, has started to
deliver the DCN 212 1+1 switching protection systems to Telefonica. The
equipment will be integrated into the Ibermic network to improve 2-Mbit/s
trunk protection and quality in the national and international links.
The systems ordered by the Dedicated Networks Department will be implemented
in the Iberian Peninsula, in the Balearic and Canary Islands.
One DCN 212 system can permanently supervise 12 independent 2-Mbit/s links.
Its cyclic redundancy checking (CRC4) device enables it to perform an
automatic switch-over between the main and standby links. This not only
allows service to be maintained in the event of link failure but also
provides and improvement of the link performance. DCN 212 is manufactured in
France by TRT.
-----------------------------------------------------------------------------
Nokia DX200 system for Malaysia (Nokia, March 1993)
Nokia will delivers its DX200 digital switching system to Malaysia. A five-
year frame agreement signed with Jabatan Telekom Malaysia calls for the
installation of some 800,000 subscriber lines. The total value of the
project, which also includes installation, commissioning and training is
estimated at more than 700 million Finnish marks. The project will be
implemented by Sapura-Nokia Telecommunications.
Development of the telecom infrastructure has been designated as one of the
highest priorities in Malaysia. the goal is to provide, by the year 2000, for
universal access to the telecom services and to develop a Malaysian telecom
industrial base. The current agreement is part of a plan that calls for the
installation of some 4 million subscriber lines during the next five years.
As part of the switching project, Sapura is establishing the DX200 subscriber
line cards.
With the Telekom Malaysia order, Nokia's DX200 system is now installed or on
order in more than 20 countries.
-----------------------------------------------------------------------------
Polish Mobile Radio (Ericsson, March 1986)
Poland has signed a contract with Ericsson for the delivery and
implementation for a new mobile radio system. The order has, in its initial
phase, a value of 16.5 million US.
The system, known as EDACS, belongs to the new generation of digital trunked
radiocom systems. It will be shared by the Polish police and fire brigade
operating in the Warsaw police district, providing day-to-day instant
communication between individuals and work groups in the field. the system
includes more than 3000 handheld and mobile radios.
EDACS, which will be installed in Warsaw during the second half of 1993, has
digital encrypted voice, mobile data transmission capability, emergency call
facility, WAN and fault-tolerant design.
-----------------------------------------------------------------------------
BT's DMS SuperNode 300 (BT, March 1993)
NT has installed what is said to be the world's largest international gateway
in Madley for BT. The digital multiplex system (DMS) SuperNode 300 is the
first of BT's international gateways to have fully integrated ISDN
capability.
The DMS SuperNode 300 has capacity for 45,000 ports. The switch's capacity to
handle an extremely high volume of calls through its SuperNode central
processing complex is further enhanced by its "non-blocking" matrix network
architecture (ENET). This architecture guarantees each individual cell access
to an international route, thereby reducing the incidence of call failures
resulting from congestion in the exchange.
-----------------------------------------------------------------------------
Taiwan's Fortress Fones (Telecommunication Journal, March 1993)
Taiwan has ordered a further 5000 optical card payphones from Landis & Gyr
Communications, bringing the total to 27,500. Eight million optical coded
phonecards will also be delivered. Landis & Gyr's Communications Division has
now supplied more than 1 million payphones and 350 million phonecards to 65
countries.
-----------------------------------------------------------------------------
Swedish SDH (Telecommunication Journal, February 1993)
Swedish Telecom is building a complete transport network based on synchronous
digital hierarchy (SDH) and has signed an agreement with Marconi SpA and
Ericsson Telecom AB about the supply of equipment for the new network,
including transmission and cross-connect equipment based on SDH technology.
In addition, Ericsson will deliver a management system serving all equipment
in the network.
Among the first parts of the network to be equipped is the "triangle"
Stockholm-Goteborg-Malmo. The transmission equipment on these routes will
have a capacity of 30,000 simultaneous telephone calls; the transmission
capacity is 2.5 Gbit/s per fiber pair, which is the highest capacity
available on the market today.
Over the next few years, the deployment of SDH will mainly meet the needs
imposed by traffic growth. SDH will be introduced in the national long-
distance network, in the regional parts of the network and in the local
network, the ultimate goal being a country-wide SDH network.
-----------------------------------------------------------------------------
Italian GSM network (Ericsson, Feb. 1993)
Societa italiana per l'Esericzio delle Tleecomunicazioni pa (SIP), the
operator of the Italian mobile phone network, has inaugurated its new GSM
digital cellular network which is now on line in all of Italy's major cities.
It will subsequently be extended throughout the country.
Italy has grown faster in mobile telephony than any other country in Europe
since SIP launched its analog total access communication system (TACS) in
April 1990. SIP is now one of Europe's three largest telephone systems
operators, with more than 700,000 subscribers.
The Ericsson Fatme-Italtel consortium is the general supplier of both the
TACS network and all exchanges and base stations controllers in the Italian
GSM network. The consortium is also supplying 75% of the GSM radio base
stations.
-----------------------------------------------------------------------------
NT Introduces CT2 Fone (NT, Feb. 1993)
NT has introduced in Hongkong its Companion wireless communications system,
which uses the widely accepted CT2 common air interface (CT2 CAI) radio
standard.
This is the first phase of a worldwide introduction of the product which in
1993 will include other locations in the Pacific Rim, as well as the US,
Canada, Europe, the Caribbean and Latin America.
The Companion system, uses portable, personal telephones that fit into a
pocket or purse freeing people to move about as the work. It is available as
an enhancement to an existing business telephone system or as a stand-alone
system. More than 1 million US in orders for the product have been received
in the Hongkong area where the system operates in the 864-868 MHz frequency
range.
-----------------------------------------------------------------------------
Lossless 4 X 4 switch (Ericsson, Feb. 1993)
Ericsson recently developed what it claims to be the first "lossless"
monolithic optical 4 X 4 space switch, ie. a switch that does not attenuate
a switched signal, a major problem with previous monolithic optical switches.
Optical space switches of this type are key components in the future
broadband transport network. The experimental indium phosphide (InP) switch
chip comprises 24 integrated optical amplifiers and can be connected to four
input and four output optical single mode fibres.
-----------------------------------------------------------------------------
BT Launches SuperJANET (BT, Feb. 1993)
SuperJANET, a new high-speed fiber optic network to be provided by BT, will
link computer systems in universities and polytechnics in the UK.
BT has been awarded the contract for the network by the Information Systems
Committee (ISC) of the University Funding Council (UFC). Under the contract,
BT will collaborate with the Science and Engineering Research
Council/Universities Funding Council (SERC/UFC) Joint Network Team to design
and implement the new network, to be called SuperJANET (joint academic
network). It will augment the existing private JANET network created during
the early 80s.
SuperJANET will be able to transmit information up to 100,000 times faster
than the standard telephone network, with the initial phase of the project
linking sites as the Cambridge and Manchester universities, Rutherford
Appleton Laboratory, University College London, Imperial College London and
Edinburgh University.
The core network will use a mix of PDH and SDH high performance optical fibre
technologies and pilot phase will be established in March 1993.
The new network will cover a range of transmission speeds, initially from 34
through to 140 Mbit/s.
-----------------------------------------------------------------------------
Swiss ISDN (Telecommunication Journal, January 1993)
SwissNet 2, the second phase in Switzerland's ISDN, is now in service. It
offers narrow-band ISDN capable of transmitting at higher speeds and at
reduced tariffs data, images and conversations which until now had to be
routed over separate networks. Up to eight terminals, of which two can be
used simultaneously, can be connected to the basic ISDN line thus allowing
the transmission of images or data at the same time as a telephone
conversation is taking place. Another important advantage is the possibility
of using Group 5 telefax which has a transmission speed of up to ten times
that of Group 3.
In addition to the transmission service, various supplementary services such
as multiple subscriber number, calling-line identification, call waiting,
call forwarding, are available at no extra charge whilst other optional
services such as direct dialing-in, closed user groups and outgoing call
barring can be obtained against payment.
Monthly charges are 50 Swiss francs (CHF) for a basic connection of two B-
channels at 64 kbit/s and one D-channel at 16 kbit/s and 500 CHF for a
primary connection of 30 B-channels at 64 kbit/s and one D-channel at 64
kbit/s. Installation charges for the two types of connection are respectively
200 and 400 CHF. Communication charges will be made up of three elements
representing the costs of call set-up, call preparation and interruption, and
call duration.
SwissNet 2 conforms to the CCITT Blue Book Recommendations and can therefore
connect to other ISDNs conforming to international standards.
-----------------------------------------------------------------------------
NT's SDH in Russia (Telecommunication Journal, January 1993)
MACOMNET, a new company set up as a joint venture between the Andrew
Corporation and the Moscow Metro, has awarded a 840,000 US contract to NT for
synchronous digital hierarchy transmission equipment.
MACOMNET will use the metro infrastructure to permit the rapid establishment
of a fiber-optic network in key areas of Moscow. Operating as a "carrier's
carrier", it will provide a high-quality, highly reliable managed digital
transport service beginning in spring 1993. Initially it will provide E1 (2
Mbit/s) circuits to other operators and private customers in Moscow.
-----------------------------------------------------------------------------
Cantat-3 direct links to Eastern Europe (Telecommunication Journal, January
1993)
Teleglobe Canada Inc. has formed a consortium with 20 European and United
States carriers to lay a 385 million US high-capacity fibre-optic cable
linking North America with Western and Eastern Europe.
NT's STC Submarine Systems has been chosen as sole supplier of Cantat-3. When
completed in 1994, this first direct fibre-optic link between Canada and
Europe will provide multi-media communication services of greater speed and
capacity than ever before. The new cable will be the first of its kind to
operate to the new international SDH transmission standards and the first at
a transmission speed of 2.5 Gbit/s, offering an unprecedented 30,000 circuits
per fibre pair.
Cantat-3 will be the largest direct link from North America to Germany,
Scandinavia and the UK. It will link directly with the Denmark-Russia and
planned Denmark-Poland cables. An overland link though Germany will give
entrance to the heard of Eastern Europe.
-----------------------------------------------------------------------------
Fibre-optics Under the Pacific (MCI, January 1993)
MCI International, Inc., together with 46 international telecom carriers, has
announced the signing of a construction and maintenance agreement for TPC-5,
the first undersea fibre-optic network in the Pacific.
The 25,000 km fibre optic system interconnects the US mainland at Oregon and
California, extends out to Hawaii, Guam and Miyazaki and Ninomiya in Japan,
and then stretches back to the US to complete the loop.
The network segments between California, Hawaii, Guam, and Miyazaki will be
in service by late 1995. The entire TPC-5 network will be completed by late
1996.
The system can transmit up to 5 Gbit/s per fibre par which is equivalent to
60,480 simultaneous conversations. Once completed the 1.3 billion US network
will provide instantaneous restoration by shifting voice, data and video
signals to a spare fibre on the network. In the unlikely event that a break
occurs somewhere along the cable route, the network's loop configuration
ensures instant restoration by re-routing signals.
-----------------------------------------------------------------------------
NT Announces Contracts (Telecommunication Journal, January 1993)
NT has announced several contracts for its Meridian ISDN network.
The Greek national airline, Olympic Airways, has purchased a 6000 line
network that will provide specialized business communication services for
employees and customers at its major locations.
Kuwait Oil Company has ordered an 8000 line ISDN valued at over 3 million US
to restore, modernize and expand the company's private communications
network.
The five millionth line of Meridian digital centrex was shipped to the US
market to Centel's network in Florida.
NT will also be installing a country-wide network for the Security
Directorate of Jordan. The network of 78 Meridian SL-1 PBX systems is the
largest private network in Jordan and links most of the police centres,
providing voice and data communications across the country.
-----------------------------------------------------------------------------
Croatia Orders AXE (Telecommunication Journal, January 1993)
The Croatian Post and Telecommunication (HPT) has awarded Ericsson a contract
for the delivery of four international telephone exchanges for Croatia. The
AXE exchanges will be installed in the cities of Zagreb, Rijeka, Split and
Osijek. They will be delivered from Sweden and from Nikola Tesla in Zagreb.
-----------------------------------------------------------------------------
911 Enhanced (AT&T Technology, v.7 no.3)
AT&T Network Systems introduced software and equipment that will allow local
telephone companies and other network providers to furnish enhanced 911
emergency calling services to more people nationwide.
Seven new products range from enhancements to AT&T's 5ESS Switch to PC-Based
systems that can pinpoint the location of a person calling to report an
emergency.
The new software and equipment includes:
+ 5ESS Switch enhancements, allowing it to support standard E911 features
such as call routing, and to work with analog answering point equipment in
public and private networks, ISDN answering point equipment in private
networks.
+ Automatic Location Identification/Database Management System (ALI/DMS)
hardware and software. This matches callers' phone numbers with addresses and
provides this information to attendants as they answer calls.
+ The Alive Database System. This PC-base system provides detailed
descriptions of the 911 caller's location. Public Safety Answering Point
Equipment receives the incoming calling number and location information from
the local database and displays it to answering point attendants.
+ Intelligent Public Safety Answering Point Display shows the 911 caller's
number and location along with call-transfer information on a single computer
screen.
+ Computer-Aided Dispatch System helps make decisions on which police cars,
ambulances, or fire trucks to send to an emergency, to find where these
vehicles are located at the time of the call, and to determine the fastest
way to get them to the emergency site.
+ An ISDN Public Safety Answering Point System connects to the telephone
network over ISDN Basic Rate Interface (BRI) channels. The system is
available now to private-network customers such as universities, military
bases, large businesses and airports, and will be available for communities
as ISDN becomes more widely deployed.
-----------------------------------------------------------------------------
First BNS-2000 Delivered (AT&T Technology v.7, no.3)
PacBell and GTE recently accepted delivery of AT&T Network System's first
BNS-2000 broadband networking switches and began installing them to
facilitate their Switched Multimegabit Data Services (SMDS) offerings
scheduled to begin in September.
These are the first BNS-2000 switches to be installed in the PSTN. The BNS-
2000 Switch is fast-packet cell-relay system which uses ATM (asynchronous
transfer mode) cells designed for broadband ISDN applications.
PacBell will install a BNS-2000 Switch in its Los Angeles service area and is
scheduled to initiate SMDS in Los Angeles, San Francisco, Anaheim, and
Sacramento in September.
Similarly, GTE will install its BNS-2000 in Long Beach, California, and plans
to initially offer SMDS, which the company calls MegaConnect, in the Los
Angeles area, also in September.
Next year, GTE plans to extend MegaConnect to Seattle and Everett,
Washington; Beaverton and Portland, Oregon; Raleigh-Durham, North Carolina;
Tampa, Florida and Honolulu, Hawaii.
Up to now, telephone companies had been using early models of the BNS-2000 to
test market SMDS. In one such test, PacBell and GTE interconnected Rockwell
International Corporation's LANs between its Canoga Park office (served by
PacBell) and its Seal Beach Facility (served by GTE).
The differentiator of the BNS-2000 remains its ability t let our customers,
like PacBell and GTE, start SMDS frame relay services now and evolve easily
to additional ATM-based BISDN services.
-----------------------------------------------------------------------------
Russia's Big Steel Buys AT&T PBX (AT&T Technology v.8 no.1)
One of the world's largest steel manufacturing facilities, Magnitogorsk
Metallurgical Works, has signed an agreement to purchase an AT&T DIFINITY
Communications System, replacing its 1930s-vintage telephone system.
The new PBX will provide advanced communications to the more than 60,000
employees in several buildings on the company's campus. The first phase of
the $5 million project-installation of a 4,000 line DEFINITY G3R will be
completed later this year.
AT&T made the sale with NPO Chermetavtomatika, the Russia-based distributor
for AT&T business communications systems. The company, located on the Ural
River, was built with American assistance and technology, and supplied much
of the armament and tanks used during World War II. Today, the multiple-
building campus includes a hospital and a farm, used to grow agricultural
products for the town's residents.
Magnitogorsk is a major exporter of steel products to companies around the
world. It had been using several key systems, as well as two large step-by-
step systems, similar to those in US telephone company COs during the 1930s.
Maintenance had become increasingly difficult, and it needed an advanced
communications system that would enable it to communicate efficiently
internally and with its customers.
According to AT&T, Magnitogorsk selected the DEFINITY system based on the
technology and its capacity to handle the huge company's communications
needs, coupled with the distributor's responsiveness and level of knowledge.
The DEFINITY system's distributed architecture makes it possible for a single
system to handle the communications needs of the entire complex. Campus
buildings will be connected via remote modules, and the cable linking the
modules will run through existing steam tunnels.
-----------------------------------------------------------------------------
Fast Switch for ATM Service (AT&T Technology v.8, no. 1)
Service providers can now offer their customers end-to-end Asynchronous
Transfer Mode (ATM) Services using AT&T Network Systems new GCNS-2000 data-
networking switch. The GCNS-2000 switch will support 20 gigabits per second
of switching capacity, allowing the high-speed, sophisticated applications of
ATM to be brought to the PSTN.
The GCNS-2000 also will become the core switching vehicle for AT&T's
InterSpan ATM Services. Using an ATM network (Also called broadband), for
example executives could participate in a multilocation multimedia conference
call, while exchanging documents and images. Medical specialists in different
hospitals could concurrently review a patient's X-ray or CAT scan. And
customers everywhere could select a movie to watch at any time.
The new switch is part of Network Systems' data networking switching product
line, which includes the BNS-2000 fast-packet cell-relay system. This switch
is deployed by various phone companies in the US and other countries in
support of their frame-relay networks and switched multimegabit data service
offerings.
The GCNS-2000 uses a new core ATM technology, developed by AT&T Bell
Laboratories, a key feature of which is the "shared memory fabric". This
allows the equipment to accommodate simultaneously the distinct and different
natures of voice, data and video transmission, so that all types of signals
can be processed at once. The switch will be available on a limited basis at
the end of 1993, and generally available six months later.
-----------------------------------------------------------------------------
Wireless 5ESS Switch Gets New Capabilities (AT&T Technology v.8, no.1)
The 5ESS Switch for the AUTOPLEX System 1000 will now support AMPS standards
all over the world, and the Global System for Mobile Communications standard.
While the new switch will, at first, provide the same features and services
now available on the AUTOPLEX System 1000 Switch, it will eventually become
a platform for ISDN and advanced intelligent network applications.
The 5ESS Switch with wireless capability represents a new, cost-effective
growth option for AUTOPLEX System networks. Future versions of the switch for
the AUTOPLEX System will make it possible to have analog and digital AMPS, as
well as POTS on the same switch. Switch availability is scheduled for mid-
1994.
-----------------------------------------------------------------------------
800 Service Recognizes Speech (AT&T Technology v.8, no.1)
AT&T recently announced an innovative 800 Service feature that makes it
easier for all callers, including the 39% of US homes and businesses with
rotary and non-touch-tone telephone to obtain information from businesses by
simply speaking. Called AT&T 800 Speech Recognition, this new capability
enables callers to verbally respond to announcement that allow them to
automatically select the information or assistance they want.
AT&T is the first long-distance company to provide voice-activated call
routing in an 800 service network. Past technology only enabled callers using
touch-tone telephones to direct their calls after responding to menu prompts
with their keypads. Now, these callers can route their own calls quickly and
efficiently by simply speaking their choice. And for the first time, callers
with rotary telephones will be able to enjoy the same benefits as callers
with touchtone phones.
AT&T Speech Recognition is a network-based, advanced 800 Service innovation
that prompts callers to speak a number - from "one" to "nine" - corresponding
to a menu of options that identifies the department or location they wish to
reach within the company they're calling.
Supported by state-of-the-art technology from AT&T Bell Laboratories, AT&T
Speech Recognition is able to recognize the spoken number, process the
information, and route the call through the AT&T network to the appropriate
destination. During field tests, AT&T Speech Recognition correctly identified
the spoken number 97.8 percent of the time. this high completion rate was
achieved even taking into account the many dialects and accents that exist
across the US.
AT&T Speech Recognition represents the latest step in AT&T's drive to provide
its customers with complete automated transaction processing. Eventually, the
capability to recognize more advanced words and entire phrases will make it
possible for AT&T 800 Service customers to process orders, dispatch repair
crews, provide account information, or handle countless other functions in a
fully automated, cost-effective way, if they so desire.
-----------------------------------------------------------------------------
Amplifier, Vector Attenuator for Wireless Applications (AT&T Technology, v.8,
no.1)
AT&T Microelectronics recently expanded its wireless applications technology
with two high-performance, high reliability thin-film-on-ceramic devices for
cellular base stations.
The components are the GSM Low Noise Amplifier, an unconditionally stable
amplifier designed for Global System for Mobile Communications (GSM) cellular
base station receivers, and the 1098E Complex Vector Attenuator, a surface
mount device that enables designers to build sophisticated signal
cancellation systems into base station transmit amplifiers.
The GSM low-noise amplifier is a balanced amplifier design. It operates in
the 890- to 915- MHz frequency range and exhibits exceptionally low noise
(1.3 dB maximum) and high third order intercept (38 dBm) with a 32 dB small
signal gain, operating on a single 24 volt DC supply. While the device is
tailored for the GSM band, it provides similar performance in the 824- to
849-MHz AMPS band.
The key benefit to the designer is the device's unconditional stability, a
characteristic important to eliminating oscillation. Due to its thin-film-on-
ceramic implementation, the device also provides, for a given bias condition
lower junction temperatures and therefore longer life and increased system
reliability than a PWB realization.
The 1098E Complex Vector Attenuator is functionally equivalent to the
combination of an endless phase shifter and an attenuator. It is used to
control the phase and amplitude of a signal without introducing
intermodulation distortion, dispersion, or variation in group delay. In
addition, there's no limitation on phase change, which can increase or
decrease continuously without reaching an endpoint.
Production quantities of the GSM low-noise amplifier will be available this
fall, while the 1098E Complex Vector Attenuator is currently available in 124
PIN PQFP packaging. Pricing details and product literature are available from
the AT&T Microelectronics Customer Response Center, 1-800-372-2447 Ext. 869
(In Canada, 1-800-553-2448, Ext. 869); fax 215-778-410 or by writing to AT&T
Microelectronics, Dept. AL500404200. 555 Union Boulevard, Allentown, PA.
18103.
-----------------------------------------------------------------------------
Frame Relay Service (AT&T Technology, v.8, no.1)
AT&T InterSpan Frame Relay Service will now be offered to customers in Canada
(subject to CRTC approval) through Unitel Communications Inc., and in 9
additional European countries through AT&T ISTEL.
Beginning in July 1993, the service will be offered in controlled
introduction to customers in Canada, Ireland, Austria, Portugal, Switzerland,
Denmark, Italy, Luxembourg, Finland and Norway, with general availability
later in the third quarter of 1993.
AT&T InterSpan Frame Relay Service will provide the same seamless global
interconnectivity and high reliability currently enjoyed by InterSpan Frame
Relay customers in the US, UK, Spain, France, Belgium, The Netherlands,
Germany and Sweden.
AT&T provides its InterSpan Frame Relay Service over a common worldwide
architecture that enables seamless global service with fast, reliable
connectivity. As a result of this standards-based architecture, InterSpan
Frame Relay Service provides a wise array of global features including
network management and enhanced permanent virtual circuits for extended
bursts.
InterSpan Frame Relay Service provides a number of value-added features that
are of critical importance to multi-national customers today. For example,
the service provides a single point of contact for installation and
maintenance of InterSpan Frame Relay Service, access and customer premises
routers. Billing for InterSpan Frame Relay Service and associated local
access is combined into a single bill. In one currency of the customer's
choice - US dollars, UK pounds or sterling or Canadian dollars - rendered in
the country of choice. In addition, protocol conversion embedded in the
network will provide interoperability between InterSpsan Frame Relay Service
and emerging InterSpan Asynchronous Transfer Mode (ATM) services to allow
migration to ATM as the customers' business needs dictate. Dedicated
InterSpan Frame Relay Service Network Operations Centres in North American
and Europe monitor and manage the InterSpan Frame Relay Network around the
globe, around the clock.
-----------------------------------------------------------------------------
Modernization Milestone for Ukraine's Telecom (AT&T Technology, v.8, no. 1)
UTEL, Ukraine's telecommunications joint venture responsible for the
modernization of the long-distance telecommunications network, recently
inaugurated its first all-digital long distance telephone switch in L'viv.
The 5ESS Switch, supplied by AT&T Network Systems International, was
officially put into service with a ceremonial inaugural call between the
Minister of Communications of Ukraine, Oleh Prozhyvalsky, in L'viv and Victor
A. Pelson, AT&T Group Executive, Communications Services in NJ.
With the new 5ESS Switch, most citizens n L'viv can now make direct
international calls to many countries in the world. International connections
are completed via an earth station located in Zolochive, which in turn is
connected to an international switching center in Kiev, Ukraine. Just four
months ago, international calls from Ukraine were possible only via their
services of Moscow's telephone operators; on average, outgoing calls required
24 hour's advance notice.
The 5ESS Switch in L'viv includes 4,000 trunk lines and 1,000 subscriber
lines and is the latest generation of telecom equipment utilizing digital
technology to connect voice, data and image messages. UTEL recently signed an
agreement to purchase six additional 5ESS switching systems for Ukraine.
Final assembly of these switches will take place locally in Ukraine at the
Chernighiv Zavod Radioaparatur (Chezara) production plant in Chernigiv.
Following L'viv, the next switches are scheduled to be installed in
Chernivtsi, Uzhorod, Poltava, Luhansk and Kirovohrad, doubling today's
capacity.
-----------------------------------------------------------------------------
XUNET (AT&T Technology, v.8, no.1)
XUNET: Today's Experiments Define Tomorrow's Reality
The Experimental University Network - XUNET - will soon carry 622-Mb/s
traffic
A high-speed experimental network is giving researchers and graduate students
an opportunity to explore issues important to the future of data
communications. The Experimental University Network (XUNET) now consists of
experimental switches, based on the Asynchronos Transfer Mode (ATM) standard,
linked by 45 megabit-per-second (Mb/s) transmission lines.
Host computers on fiber-distributes data interface LANs communicate over
XUNET via routers between the LAN and the ATM backbone. In a few months,
AT&T, the University of Wisconsin at Madison, and the University of Illinois
at Urbana-Champaign will begin to communicate over experimental links at 622
Mb/s.
With the higher-speed links and a higher-performance Peripheral Interface
LAN, a user in a remote location will be able to display the output of a
supercomputer simulation on his or here workstation in real time.
While the XUNET testbed is small, the research program seeks to understand
the problems of a large high-speed data networks. With existing wide-area
data networks, most users communicate at speeds of 1.5 Mb/s or less. Research
on XUNET anticipates that users will interface at speeds up to hundreds of
Mb/s. With higher speeds comes the potential for new applications such as
full-motion video, multimedia conferencing, and distributed computing all
over the public network. The XUNET testbed, which is supported by AT&T Data
Communications Services, is also the basis for BLANCA, one of five gigabit
testbed networks sponsored by the Corporation for National Research
Initiatives.
TESTBED EVOLUTION
The program began with XUNET I in 1986 as a collaboration among AT&T, the
University of California at Berkeley, the University of Illinois, and the
University of Wisconsin. The universities were linked with AT&T Bell
Laboratories using DATKIT VCS switches and transmission links used ACCUNET
T1.5 Services at 1.5 Mb/s.
Students at the universities have a change to try ideas out first hand by
using XUNET as a research tool in running controlled network experiments. For
example, students can remotely download different algorithms into the XUNET
switches to study the effect on a heavily loaded network.
XUNET II became operational in January 1992, offering a thirty-fold increase
in speed over XUNET I by using experimental ATM switches and transmission
lines operating at 45 Mb/s. In addition to AT&T and the universities Pacific
Bell and Bell Atlantic are involved in the XUNET II activity. In July 1992,
Sandia National Laboratories and Lawrence Livermore Laboratories were linked
into the XUNET testbed, and in February 1993 Rutgers University joined. In
addition, students from the University of Pennsylvania and Columbia
University participate in the XUNET program, and students from the
universities have been invited to AT&T Bell Laboratories at Murray Hill to
work with researchers there.
XUNET III, the first portion of which is scheduled for operation this June,
will be more than an order of magnitude faster than XUNET III. A 622 Mb/s
link will connect XUNET switches at an AT&T Chicago CO, the University of
Wisconsin, and the University of Illinois.
RESEARCH RESULTS
The XUNET collaboration includes research in many of the key areas in wide-
area networking, including switch architectures, LAN interfaces, network
operations, managment tools and techniques, and network applications. One
focus of the program has been on congestion control to determine how the
network can meet the quality of service needs for different types of traffic
even in the presence of heavy load.
For example, voice, video and multimedia traffic may require controlled delay
and variation in delay, whereas file transfer traffic may not. Research into
protocols and the trunk service disciplines used in switching nodes have
identified effective ways of carrying many types of traffic in a network
while avoiding congestion and degradation of the quality of service.
XUNET has already provided valuable insight for AT&T's service realities. And
this will continue to be the case as AT&T moves towards its realization of
ATM services in 1994.
By A.G. Fraser, Erik K. Grimmelmann, Charles R. Kalmanek and Giopala S.
Subramanian
-----------------------------------------------------------------------------
DACS II Goes TEMPEST (AT&T Technology, v.7, no.4)
The National Security Agency (NSA) of the US Government has endorsed the
TEMPEST version of the AT&T Digital Access and Cross Connect System II (DACS
II). The TEMPEST is encased in a special cabinet which shields its electronic
output from eavesdropping or monitoring by unauthorized personnel.
The NSA endorsement means it will be included on the Endorsed TEMPEST
products list. Communications Systems Technology, Inc. (CSTI), based in
Columbia, MD, engineers the cabinet under an agreement with AT&T Network
Systems, then markets the TEMPEST as a CS-1544 switch.
The DACS II is a fast and reliable digital cross-connect system developed by
AT&T. Up to 160 standard 1.544 megabits-per-second DSI signals, each
consisting of 24 channels (DSOs) may be terminated on the CS-1544. Each of
the 24 DSOs comprising a DS1 signal may be cross connected to any other DS1.
-----------------------------------------------------------------------------
Swat teams on 24-hour call (IEEE Spectrum, August 1992)
"We all have wonderful war stories to tell about being roused from sleep,"
said Barbara Fraser, one of seven members of the Computer Emergency Response
Team (CERT). Most computer crackers, like common robbers, prefer to break in
during off-hours, she said, and international incidents add to the 24-hour
nature of the job. Mostly, however, CERT's business is conducted between
7:30a.m. and 6 p.m. Pittsburgh time.
CERT's domain is the Internet, a worldwide supranetwork with perhaps a
million host computers and five to eight million users. Roughly half are in
the US, and membership is expanding fast in Europe, the Pacific Rim, and
South America.
Each day, the CERT team responds to an average of 300 hotline calls and email
messages most in English. Last year, they averaged about one "incident" a
day. Now its up to three. (An incident is an actual of attempted intrusion.)
They have responded to serious attacks from Europe ("This is NOT A PRANK"),
put out a major US hackers alert that counselled "Caution (not panic) is
advisable," and warned against email trojan horses that catch passwords from
gullible users.
When a call or message comes, the CERT member on duty supplies technical
guidance to the site so that they can fix the problem and assess damage.
Unless otherwise agreed to, everything is confidential and may even be
anonymous. CERT members determine whether the host was networked, its level
of security, the system configuration, and whether the system's vulnerability
is familiar or new.
CERT director Ed DeHat stresses that any tip is welcome. Last year, for
instance, a person reported a failed attempt to seize his password file. CERT
went back to the originating site and found intruder(s) "were trying to break
into thousands of system." The originating site alerted managment, cut
connections to the outside temporarily and closed the "holes" in its security
system.
CERT does not investigate intrusions with an eye to criminal prosecution, but
it does recommend whom to contact for investigations by law enforcement
groups such as the local police, the FBI, or the SS.
Most of CERT's traffic consists of security chatter; experts call to share
information while others ask CERT advisories or request general advice. Less
often, CERT has to tip off organizations about likely penetrations. "Almost
always, an incident is not stand-alone," said Fraser. It may vary from 10
hosts at a single site to "tens of thousands of hosts over the world."
Many people do not wait for a problem by call CERT for a "sanity check" -
reassurance that their site and its systems are safe. Novices are not
discouraged. "We hold their hands," Fraser said. Help is free and is even
encouraged.
CERT was formed only weeks after the paralysing 1988 attack on Internet by
Robert Morris Jr., son of a computer security scientist. It is funded by the
Pentagon's Defense Advanced Research Projects Agency through the Software
Engineering Institute at Carnegie Mellon University in Pittsburgh.
With its expertise in system vulnerabilities, CERT is expanding its efforts
in education and training as well as research and development for network
security. Already, it sends a security checklist to sites as needed and
advises cores of Unix software vendors of security flaws that need patching.
It also keeps a confidential mailing list of vendors regarding
vulnerabilities in their products. "This is not the textbook type of security
problem," DeHart said. "This is based on what people are doing."
Such companies as Sun Microsystems and NeXT, and more recently IBM, are
mentioned a lot in the CERT advisories, noting fixes to systems flaws. Rather
than being an embarrassment or indictment of their products, this shows that
these companies are committed to security, DeHart said.
CIAC (for Computer Incident Advisory Capability), a sister group of CERT with
responsibility for Department of Energy computers, is located at the Lawrence
Livermore National Laboratory in Livermore, CA. Known for its software an
analytical capabilities, CIAC keeps 20-30 viruses in isolation "for
dissection and reverse engineering."
Steve Mich, CIAC project leader, said they average perhaps one or two
incidents a week, Like CERT, they always wait until a patch is found before
they announce the vulnerability. The flaw is described over email as vaguely
as possible to thwart would-be-crackers. But sometimes, he said, "it's like
trying to describe a hula hoop without moving your hand."
Other countries are responding too. In 1990 Germany's information security
agency created two national incident response teams: the Virus Test Center at
the University of Hamburg and the MicroBIT Virus Center at the University of
Karlsruhe.
The Hamburg center has five staffers and many students who analyze viruses
and monitor activities of the German hackers known as Chaos Computer Club.
The center receives 20-100 reports of virus cases each week from Germany and
Scandinavia., divided equally between government, industry and academia.
Email links aid coordination with other experts in Australia, Europe, Japan
and the US. A current European Community initiative would create serval more
CERT-like groups in diverse countries.
All told, the US Department of Justice reports there are more than a dozen
CERT teams. Not to be left out, its own FBI recently formed the Computer
Analysis and Response Team (CART), which will take its place beside other FBI
laboratories, like those for analysis of DNA, chemicals and poisons, and shoe
and tieprints.
Initial plans call for a staff of 12 agents. CART's main task will be the
forensic examination of computer evidence, according to manager Stephan
McFall. They must also guarantee (somehow) to the satisfaction of US courts
that magnetic data has not been altered or deleted since being confiscated.
McFall declined to give more details other than to say that research is being
done and that CART will also help train agents in the field.
There are so many CERT-like groups in government and industry today that in
1990 the Forum of Incident Response and Security Teams (First) was born. The
group meets regularly and organizes workshops on incident handling. Even
organizations without worm-busting squads can join if approved.
- J.A.A.
-----------------------------------------------------------------------------
Getting Tougher on Long-Dist
ance-Service Thieves (AT&T Technology, v.7, no.4)
Theft of phone service is escalating. AT&T's NetPROTECT program helps
customers secure their communications systems against remote access,
preventing fraud.
Picture this. It's 2 a.m. on a soft spring night on Wall Street. The
buildings lining the canyons of lower Manhattan are dark and silent; even the
cleaning staffs have gone home for the weekend.
But inside the offices of Global Conglomerate, Inc. - GlocCon for short -
it's very, very busy. For several hours GlocCon's PBX has been pressed to
keep up with call-processing demand. Thousands of calls to dozens of domestic
and international locations have poured out of the company's offices since
just past normal closing time. The PBX is so active, in fact, that it offers
a constant busy signal to anyone trying to call in.
For a Saturday morning at 2 a.m., GloCon is doing a land office business. The
problem is that all that business is illegal. GlocCon is being hit by
"callsell" operators - big time. Over the weekend alone, the toll-fraud bill
is going to be substantial, perhaps even outstripping GloCon's normal monthly
phone bill. And, according to the tariffs governing AT&T's services, GlocCon
is responsible for picking up the tab.
Happily, for customers ant AT&T, such an experience may soon be history.
Since August 24, 1992, when tariffs became effective, AT&T has been offering
customers the NetPROTECT family of products and services, an integrated
offering of hardware and software that helps detect, prevent and correct
remote PBX toll fraud.
Such fraud is expensive. Estimates of the financial damage done by hackers
and long distance thieves range from less than $1 billion to over $4 billion
annually. From AT&T's perspective, the best estimate of industry toll fraud
is $1.2 billion annually, a figure issued by the Washington D.C. based
Communications Fraud Control Association.
But by any estimate, the fraud problem is large and growing. For several
years AT&T has offered security seminars aimed at alerting customers to toll
fraud, and has been telling them how they an protect themselves against it.
AT&T actively works with customers to make certain they understand and use
their business telephone system's security features.
AT&T also cooperates with law enforcement agencies and customers in resolving
ongoing investigations of fraud. And it recently has been the forefront of
developing legislation on the state and federal levels that would treat toll
fraud as the serious crime that it is. AT&T worked with the New York State
legislators to make the theft of long distance service a felony; the law
became effective Nov. 1, 1992.
The NetPROTECT Service offering includes fraud protection for customer
premises-based equipment as well as three levels of network protection. With
NetPROTECT Service active seven days a week, around the clock, AT&T's
NetPROTECT Service Security organization can look continuously at network
calling patterns, especially calls to a changing number of high-fraud
countries.
These countries usually are involved in drug trafficking and the "country-of-
the-month" changes frequently changes frequently. Fraudulent calls also are
made to countries from which there's large legal and illegal emigration to
the U.S. A toll switch in the U.S may suddenly start pumping out a large
number of one of these countries from a particular CO. If the calls are found
to originate from a business, AT& contacts the company, says fraud is
suspected, and works with an employee to stop the fraudulent calling from the
PBX.
NetPROTECT Service is made possible by the Toll Fraud Early Detection System
- TFEDS. (See sidebar, next paragraph) TFEDS, a pattern recognition network
monitoring tool, was developed by Business Customer Services - BCB (Business
Customer Billing) and the Network Services Division. TFEDS enables AT&T's
Corporate Security organization to quickly spot and monitor calling patterns
that indicate fraud - as it occurs. NetPROTECT Services offers different
levels of protection that are tailored to customer needs.
Toll Fraud Early Detection System
TFEDS provides AT&T's Corporate Security Group with timely and flexible
monitoring tools to detect and report remote-access PBX fraud. TFEDS also has
access to near-real-time billing data for identifying PBX fraud patterns.
In the past; that is, prior to NetPROTECT Service, the limited amount of call
monitoring that was done used data that was three days to two weeks old. Now,
monitoring reports are generated almost hourly, around the clock, every day.
TFEDS processes data for 800 and international services and, based on
predefined customized parameters, generates reports to later Corporate
Security that a customer's PBX is being hacked, or that there's abnormal
international calling from the PBX. Planned TFEDS enhancements include an
expert system to improve detection accuracy by allowing NetPROTECT Service
Security to maintain generic and customer-specific business rules applicable
to PBX fraud. It also will be possible to maintain customer-specific data for
long-term statistical analysis and trending, and there will be better tools
for fraud case management.
LEVELS OF PROTECTION
Basic Service, the first level of protection, is provided to all AT&T
businesses long distance customers at no charge. With this service, AT&T
monitors its domestic 800 service and international long-distance network
around the clock, seven days a week, in an attempt to spot suspicious
patterns of network usage indicating fraud. Because more than 90 percent of
toll fraud is international traffic to a certain number of high-fraud
countries. Basic Service can catch a significant amount of fraud while its's
in progress.
In early 1992 AT&T received FCC approval to deny hackers access to AT&T's
800-Service network. Using some of its basic monitoring tools, NetPROTECT
Security can monitor repeated 800 call attempts made from a particular phone
number.
In the fictional Wall Street example. high calling volume from GloCon's
headquarters to high-fraud countries after normal business hours would be
flagged as potential fraud. Under the Basic Service option, AT&T would call
a company representative to warn of suspicious traffic from its office, and
the person would shut down the PBX. If the representative can't be contacted
or takes no action, the customer would continue to bear all liability for
whatever fraud occurred.
Advanced Service offers a greater degree of protection, requiring AT&T to
implement several safeguards that include:
o preventing access to the PBX from remote-maintenance ports;
o installing security codes on the PBX so people who dial in, using remote
access and other advanced features of the PBX, must dial a multidigit
security code to dial out;
o safeguarding voice-mail systems so callers can't migrate from the system to
outgoing direct-dial trunks; and
o maintaining backup copies of PBX software so if the PBX is hacked, it can
be shut down and brought back up.
Customers must also provide a list of phone services and a list of phone
numbers they want AT&T to watch, and the names and numbers of three people in
the company who can be called anywhere, anytime if there's a problem. In
exchange the customer's liability is $25,000 per fraud incident, measured
from when the fraud starts until two hours after the customer is notified.
[Eds. The original said "after AT&T is notified" but this makes no sense as
the customer is the one that must shut off the PBX. And the next sentence
deals with AT&T being notified by the customer.] If the customer spots the
fraud first then notifies AT&T, the customer's liability is reduced by 50
percent, to a maximum of $12,500. Once fraud is identified, AT&T works with
the customer to find the source and shut it down. AT&T's liability, however,
stops two hours after the fraud is identified.
Premium Service offers still further protection, requiring customers to
follow more stringent security guidelines. In exchange, Premium Service
customers have no financial liability from the start of fraud to two hours
after notification. As with the Advanced Service option, AT&T will assume
liability for remote toll fraud for only two hours after the fraud is
identified. AT&T also will work with customers to identify and shut down the
sources of fraud.
NetPROTECT Service guarantees coverage of only remote toll fraud - fraud that
occurs when a customer's telecom system has been penetrated from the outside.
While our monitoring will catch fraud, customers are still responsible for
protecting themselves against unauthorized use of their long-distance service
by their own employees or other inside agents.
AT&T Global Business Communications Systems also offers the following
products and services, which help secure customer-premises equipment:
o AT&T Hacker Tracker - software that's used with AT&T's PBX Call Accounting
System for continuous monitoring of all incoming and outgoing calls. This
software causes the system to automatically alert security when it detects
abnormal activity such as a PBX getting high volumes of incoming 800-number
calls after hours, or calls to international destinations.
o Security Audit Service - a consulting service provided by security people
in AT&T's National Technical Service Center in Denver, and Corporate
Security. These people perform individual system audits and recommend
security measures.
o Fraud Intervention Service - provided by AT&T's National Technical Service
Centre. The service helps customers identify and stop fraud while its in
progress. It would give step-by-step guidance, for example on securing the
PBX and installing the back-up copy of the PBX's software. Also available are
several educational offerings and a security handbook.
ADDED SAFEGUARDS
Since NetPROTECT Service was announced, a number of insurance companies have
indicated interest in providing toll-fraud insurance. The Travellers
Companies actually have introduced toll-fraud insurance policies that cover
business customers, indemnifying them for a loss that has occurred. Further
measures also have been taken., Using some of the basic monitoring tools,
AT&T NetPROTECT Service security personnel now can monitor repeated 800 call
attempts made from a particular telephone number.
This is particularly useful because a favourite trick of hackers is to
randomly dial 800 numbers to reach a voice-processing system or other
automated attendant. If the owner of the 800 number hasn't properly secured
the system, a hacker can bypass it and make outgoing calls. Once they
penetrate a particular number, hackers often sell it or may post it on
electronic bulletin boards for other hackers to use. People who exceed a
certain threshold level (which changes hourly or daily) of 800-number
attempts in a predetermined time are locked out of AT&T's 800 network.
Toll fraud isn't committed just by hackers. It's a big and growing business,
often perpetrated by organized crime. Because toll-fraud has generally not
been a high priority for law enforcement officials, toll thieves
traditionally have not faced heavy penalties even if caught. With little risk
and high profits, it's no wonder the toll-fraud business is booming.
NetPROTECT Service is an aggressive program to fight back. Standing squarely
with its customers, AT&T believes it can put an end to the theft of long
distance service.
By James R. McFarland
-----------------------------------------------------------------------------
Coming Soon in Future LOD Technical Journals:
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
* An Introduction to starting and operating your own pirate radio station.
* An Update of The Mentor's famous Introduction to Hacking. With new
defaults, new systems and tricks of the trade!
* Bit Stream on Carding Today
* And MUCH, MUCH more!
Remember, the more files submitted the quicker these journals can roll out.
If you'd like to offer anything to the LOD, contact us today.
-----------------------------------------------------------------------------
