_______________________________________________________________________________
        _   _                                                      _   _
       ((___))                                                    ((___))
       [ x x ]                 cDc communications                 [ x x ]
        \   /                      presents...                     \   /
        (` ')                                                      (` ')
         (U)                                                        (U)

                          BETTER HOMES AND BLUE BOXING
                        Part II:  Practical Applications 

                              By Mark Tabas  -LoD-

                      >>> A CULT Publication......1987 <<<
                        -cDc- CULT OF THE DEAD COW -cDc-
_______________________________________________________________________________


(It is assumed that the reader has read and understood Part I of this series).

  The essential purpose of blue boxing in the beginning was merely to receive
toll services free of charge. Though this can still be done, blue boxing has
essentially outlived its usefulness in this area. Modern day "extenders" and
long distance services provide a safer and easier way to make free fone calls.
However, you can do things with a blue box that just can't be done with any-
thing else. For ordinary toll-fraud, a blue box is impractical for the 
following reasons:

  1. Clumsy equipment required (blue box or equivalent)

  2. Most boxed calls must be made through an extender. Not for
     safety reasons, but for reasons I'll explain later.

  3. Connections are often sacrificed because considerable distances
     must be dialed to cross a seizable trunk, in addition to
     awkward routing.

  As stated in reason #2, boxed calls are usually made through an extender.
This is for billing reasons. If you recall from Part i, 2600Hz is used as a
"supervisory" signal. That is, it signals the status of a trunk--
"on-hook" or "off-hook." When you seize a trunk (by briefly sending
2600Hz), your end (the CALLING end) goes on hook for the duration of the
2600Hz and then goes off-hook once again when the 2600Hz is terminated.
The CALLED end recognizes that a call is on the way and attaches a register,
which inerprets the digits which are to be sent. Now, understand that even
though your end has come off-hook (no 2600Hz present), the other end is
still on-hook. You may wonder then, why, if the other end (the CALLED end)
is still on-hook, there is no 2600Hz coming the other way on the trunk,
when there should be. This is correct.  2600Hz *IS* present on the trunk when
you seize it and afterwards, but you cannot hear it because of a Band
Elimination Filter (BEF) at your central office.
  Back to the problem. Remember that when you seize a trunk, 2600Hz is
indeed coming the other way on the trunk because the CALLED end is still
on-hook, but you don't actually hear it because of a filter. However, the
Bell equipment knows it's there (they can "hear" it). The presence of the
2600Hz is telling the billing equip-ment that your call has not yet been
completed (i.e., the CALLED end is still on-hook). When finally you do
connect with your boxed call, the 2600Hz from the called end terminates.
This tells the billing equipment that someone picked up the fone at the
CALLED end and you should begin to be billed. So you do start to get billed,
but for the call to the trunk, NOT the boxed call. Your billing equipment
thinks that you've connected with the number you used to seize the trunk.

Illustration:

  1. You call 1+806-258-2222
     (directly)
  2. Status of trunks:

<----------------------------------->
(You)                    806-258-2222
No 2600Hz-------> <------------2600Hz

  When you seize a trunk (before the number you called answers) there is
no affect on your billing equipment.  It simply thinks that you're still
waiting for the call to complete (the CALLED end is still on-hook; it
is ringing, busy, going to recorder or intercept operator.
  Now, let's say that you've seized a trunk (806-258-2222) and for example, 
KP+314+949+1705+ST. The call is routed from the tandem you seized to:
314-949-1705.

Illustration:

<------------------>O<--------------->
(You)              806         314-949
                 tandem  
No 2600Hz----------> <----------2600Hz

  Note that the entire path towards the right (the CALLED end) has no
2600Hz present and is therefore "off-hook." The entire path towards the left
(the CALLING end) does have 2600Hz present on it, indicating that the
CALLED end has not picked up (or come "off-hook"). When 314-949-1705 answers,
"answer supervision" is given and the 2600Hz towards the left (the CALLING
end) terminates. This tells your billing equipment, which thinks that
you're still waiting to be connected with 806-258-2222, that you've
finally connected. Billing then begins to 806-258-2222. Not exactly an
auspicious beginning for an aspiring young phone phreak.
  To avoid this, several actions may be taken. As previously mentioned,
one may avoid being charged for the number called to seize a trunk by
using an extender (in which case the extender will get billed). In some
areas, boxing may be accomplished using an 800 number, generally in the
format of 800-858-xxxx (many Amarillo numbers) or 800-NN2-xxxx (special
intra-state class in-WATS numbers).  However, boxing off of 800 numbers is
impossible in many areas. In my area, Denver, I am served by #1A ESS and it
is impossible for me to box off of any 800 number.
  Years ago, in the early days of blue boxing (before my time), phreaks often
used directory assistance to box off of because they were "free" long
distance calls. However, because of competetive long distance companies,
directory assistance surcharges are now $0.50 in many areas. It is
additionally advised that directory assistance numbers not be used to box
from because of the following: 
  Average DA calls last under 2 minutes. When you box a call, chances
are that it will last considerably longer. Thus, the Bell billing equip-
ment will make a note of calls to directory assistance that last a long
time. A call to a directory assistant lasting for 4 hours and 17 minutes
may appear somewhat suspicious.
  Although the date, time, and length of a DA call do not appear on the bill,
it is recorded on AMA tape and will trip a trouble report if it were to
last too long. This is how most phreaks were discovered in the old
days. Also, sometimes too many calls lasting too long to one 800 number
may raise a few eyebrows at the local security office.
  Assuming you can complete a blue box call, the following are listed routings
for various Bell internal operators.  These are in the format of KP+NPA+
special routing+1X1+ST, which I will explain later. The 1X1 is the actual
operator routing, and NPA and NPA+ special routing are used for out-of-
area code calls and out-of-area code calls requiring special routing,
respectively.

KP+101+ST ...... toll test board
KP+121+ST ...... inward op
KP+131+ST ...... directory assistance
KP+141+ST ...... was rate & route. Now only works in 312, 815, 717, 
          and a few others. It has been replaced with a universal 
          rate & route number, 800+141+1212.
KP+151+ST ...... overseas completion operator (inbound). Works
          only in certain NPAs, such as 303.
KP+181+ST ...... in some areas, toll station for small towns

  Thus, if you seize a trunk in 806 NPA and wanted an inward (in 806), then you
would dial KP+121+ST. If you wanted a 312 inward and were dialing on an 806
trunk, an area code would be required.  Thus, you would dial KP+312+121+ST.
Finally, some places in the network require special routing, in addition to
an area code. An example is Franklin Park, Ill. It requires a special
routing of 032. For this, you would dial KP+312+032+121+ST for a Franklin
Park inward operator.
  Special routings are in the format of 0XX. They are used primarily for
load balance, so that traffic flow may be evenly distributed. About half
of the exchanges in the network require special routing. Note that
special routings are NEVER EVER EVER used to dial normal telephone numbers,
only operators.

  Operator functions:

TOLL TEST BOARD- Generally a cordboard position that assists in trunk testing.
They are not used by operators, only switchmen.

INWARD- Assists the normal TSPS (0+) operator in completing calls out of
the TSPS's area. Also, inwards perform emergency inerrupts when the number to
be interrupted is out of the area code of the original (TSPS) operator. For
example, a 303 operator has a customer that needs an emergency interrupt on
215-647-6969. The 303 operator gets the routing for the inward that covers
215-647, since she cannot do the interrupt herself. The routing is
found to be only 215+ (no special routing required). So, the 303 operator
keys KP+215+121+ST. An inward answers and the 303 says to her, "Inward, this
is Denver. I need an emergency interrupt on 215-647-6969. My
customer's name is Mark Tabas." The inward will then do the interrupt (off
the line, of course). If the number to be interrupted had required special
routing, such as, say, 312-456-1234 (spec routing 032), then the 303
operator would dial KP+312+032+121+ST for the inward to do that interrupt.

DIRECTORY ASSISTANCE- These are the normal NPA+555+1212 operators that
assist customers with obtaining telefone directory listings. Not much
toll-fraud potential here, except maybe $0.50.

RATE AND ROUTE- These operators are reached by dialing KP+800+141+1212+ST.
They assist normal (TSPS) operators with rates and routings (thus the
name). The only uses I typically have for them are the following:

1. Routing information. In the above example, when the 303 operator needed
to dial an inward that served 215-647, she needed to know if any special
routing was required and, if so, what it was. Assuming she would use rate
and route, she would dial them and say nicely, "Operator's route, please, for
215-647." Rate & route would respond with "215 plus." This means that the
operator would dial KP+215+121+ST to reach the inward that serves 215-647.
If there were special routing required, such as in 312-456, rate & route would
respond with "312 plus 032 plus." In that case, the operator would dial
KP+312+032+ST for the inward that serves 312-456.
  It is good practice to ask for "operator's route" specifically, as
there are also "numbers route" and "directory routes." If you do not
specifically ask for operator's route, rate & route will generally assume
that is what you want anyway.
  "Numbers" route refers to overseas calls. Example, you want to know how to
reach a number in Geneva, Switzerland (and you already have the number). You
would call routing and say "Numbers route, please, Geneva, Switzerland."
The operator would respond with: "Mark 41+22. 011+041+ST (plus) 041+22"
The "Mark 41+22" has to do with billing, so disregard it. The 011+041
is access to the overseas gateway (to be discussed in Part iii) and the 041+
22+ is the routing for Geneva from the overseas sender.
  "Directory" routings are for directory assistance overseas. Example:
you want a DA in Rome, Italy. You would call rate & route and say, "Directory
routing please, for Rome, Italy." They would respond with "011+039+ST (plus)
039+1108 STart." As in the previous example, the 011+039 is access to the
overseas gateway. The 039+1108 is a directory assistant in Rome.

2. Nameplace information. Rate & Route will give you the location of an NPA+
exchange. Example: "Nameplace please, for 215-648." The operator would
respond with "Paoli, Pennsylvania." This isn't especially useful, since you
can get the same information (legally) by dialing 0, but using rate & route is
often much faster and it avoids having to hang up when you are already on a
trunk.

*NOTE on Rate & Route: As a blue boxer, always ask for "IOTC" routings. (e.g.,
"IOTC operator's route", "IOTC numbers route", etc.) This tells them that you
want cordboard-type routings, not TSPS, because a blue boxer is actually just a
cordboard position (that Bell doesn't know about).

OVERSEAS COMPLETION OPERATOR (inbound)-
These operators (KP+151+ST) assist in the completion of calls coming in to
the United States from overseas. There are KP+151+ST operators only in a few
NPAs in the country (namely 303). To use one, you would seize a trunk and
dial KP+303+151+ST. Then you would tell the operator, for example, 
"This is Bangladesh calling. I need U.S. number 215-561-0562 please." 
[in a broken Indian accent]. She would connect you, and the bill would 
be sent to Bangladesh (where I've been billing my KP+151+ST calls for 
two years).

Other internal Bell Operators.

KP+11501+ST ...... universal operator
KP+11511+ST ...... conference op
KP+11521+ST ...... mobile op
KP+11531+ST ...... marine op
KP+11541+ST ...... long distance
                   terminal
KP+11551+ST ...... time & charges op
KP+11561+ST ...... hotel/motel op
KP+11571+ST ...... overseas (outbound)
                   op

  These 115X1 operators are identical in routing to the 1X1 operators listed
previously, with one exception. If special routing is required (0XX),
then the trailing 1 is left off.

Examples:

A 312 universal op ... KP+312+11501+ST
A Franklin Park (312-456) universal op (special routing 032 required)....
................... KP+312+032+1150+ST
[The trailing 1 of 11501 is left off].

Purposes of 115X1 operators.

UNIVERSAL- Used for collect/callback calls to coin stations.

CONFERENCE- This is a cordboard conference operator who will set up a
conference for a customer on a manual operation basis.

MOBILE- Assists in completion of calls to mobile (IMTS) type telefones

MARINE- Assists in completion of calls to ocean going vessels.

LONG DISTANCE TERMINAL- Now obsolete.  Was used for completion of long
distance calls.

TIME & CHARGES- Will give exact costs of calls. Used to time calls and
inform customer of exactly how much it cost.

HOTEL/MOTEL- Handles calls to/from hotels and motels.

OVERSEAS COMPLETION (outbound)- assists in completion of calls to overseas
points. Only works in some, if any NPAs, because overseas assistance has
been centraized to IOCC (covered in Part III).

  Note that all KP+1X1+ST and KP+115X1+ST operators automatically
assume that you are a TSPS or cordboard operator assisting a customer with a
call. DO NOT DO ANYTHING TO JEOPARDIZE THIS! If you do not know what to do,
don't call these operators! Find out what to do first.

  This concludes Part II. There is one final part in which I will explain
overseas dialing, IOCC (International Overseas Completion Centre), RQS
(Rate/Quote System), and some basic scanning.

===============================================================================
 (c)1987  Mark Tabas and cDc Communications                         12/16/87-25
 All Rights Worth Shit