The LOD Technical Journal: File #1 of 12
Volume 1, Issue 5
Released: June 18, 1993

LOD TECHNICAL JOURNAL
---------------------

The Legion of Doom will long be remembered in the computer underground as
an innovative and pioneering force, that consistently raised the collective
level of knowledge and provided many answers to questions ranging from the
workings of the telephone system to the structure of computer operating
systems.

5. At all times relevant herein, the Legion of Doom (LOD) was a closely
   knit group of computer hackers involved in:

   a. Disrupting telecommunications by entering computerized telephone
      switches and changing the routing on the circuits of the
      computerized switches.
   b. Stealing proprietary computer source code and information from
      companies and individuals that owned the code and information.
   c. Stealing and modifying credit information on individuals maintained
      in credit bureau computers.
   d. Fraudulently obtaining money and property from companies by altering
      the computerized information used by the companies.
   e. Disseminating information with respect to their methods of attacking
      computers to other computer hackers in an effort to avoid the focus
      of law enforcement agencies and telecommunication security experts.

- Indictment laid down by a US District Court

It wasn't the crimes they were committing, but the danger, the potential
hazard, the sheer technical power LoD had accumulated, that had made the
situation untenable.

- Bruce Sterling in The Hacker Crackdown

It's been over THREE whole years since we last put out a TJ! May 20th, 1990
to be exact.

The LOD TJ will publish any acceptable and original articles, technical
explanations, schematics or other files that deal with computer
security/insecurity, telecommunications, data networks, physical security,
credit, law enforcement, privacy, cryptology, restricted information,
editorial commentary and other topics. To submit an article for publication
simply send it to us.
Freelance writers are always sought after to provide original articles for
the TJ. Bigger is better as far as this Journal goes. The more information,
the more instruction and the more people can benefit from it.

The LOD also seeks qualified members to fill its ranks. You must possess a
strong desire to both learn and teach. Those with an eleeet attitude need
not apply. LOD's former membership was a list of some of the brightest and
most capable individuals in the underground - names like Mark Tabas, The
Mentor, The Prophet and others. Take advantage of your opportunity to join
the ranks of the world's greatest underground group. Apply today.

What is particularly needed right now is someone in the publishing business
to publish all the TJ's on hard copy and make them available for mass sale.
Not just another "hacker book company" mind you, but one that will be able
to place the TJ in your common book store, as this will both give us
legitimacy and make it available to the average person and not just those
with modems or net.access. We expect to receive no profit from this so
there is an added bonus to any potential publishers. If you are a publisher
or can get us in contact with one that can undertake this, by all means
contact us.

Reach us at:

Internet Email: tdc@zooid.guild.org

Mail:  LOD
       P.O. Box 104
       4700 Keele St.
       North York, ON
       M3J-1P3

Voice: +1-416-609-7017

The Legion of Doom is back to...

o Provide free education for the public in data and telecom networks,
  operating systems and other aspects of technology. Through both our
  Technical Journal and our new Legion of Doom Technical School.
o Turn hacking back into its former glory of technical understanding away
  from its c0de abusing state today.
o Publish a high-quality Technical Journal available to all who are
  interested completely free of charge.
o Give fellow hackers an organized group of similar minded individuals to
  communicate and learn with.

Please be advised that we are still getting "back on our feet".
So look for much better journals and other things to come from us in the
future. It will take at least a couple years to get the Legion back to its
former glory so don't expect things to happen instantly.

Hopefully these journals can come out every couple of months, instead of
our previous year odd gaps between releases. But as finding and writing
suitable articles is very difficult it may be some time before the next
issue comes out. If this does happen, don't assume we're dead. More
journals will come out, it is only a question of when.

For one reason or another the LOD has always been surrounded by an
atmosphere of mis-information, confusion and downright lies. Everyone has
heard the expression "don't believe everything you hear". This is
especially true with anything concerning the LOD. As a general rule if you
didn't hear it in this TJ, chances are it's untrue or incorrect.

This TJ may be freely distributed on either hard or soft copy forms as long
as it has not been altered.

-----------------------------------------------------------------------------
TABLE OF CONTENTS:

    Name of article or file                             Author               Size
-----------------------------------------------------------------------------
01  Introduction to the LOD Technical Journal           Staff                03K
    and Table Of Contents for Volume 1, Issue 5
02  The Legion of Doom Technical School:                Staff                08K
    1993-1994 Program Calendar
03  Index to the LOD Technical Journals:                Staff                06K
    Issues 1-5
04  Communications Technology                           Unequal Access       24K
05  DMS-100 Maintenance                                 Unequal Access       14K
06  Operator Service Position System (OSPS)             The Enforcer         12K
07  Testing Operations Provisioning Administration      Mystik Freak         09K
    System (TOPAS)
08  International Switching Systems                     Mystik Freak         30K
09  Hacking GANDALF XMUXs                               Deicide              12K
10  TEMPEST Technology                                  Grady Ward           13K
11  Presidential Security                               Argon                14K
12  Network News & Notes                                Staff                63K

    Total: 12 files                                                          208K
-----------------------------------------------------------------------------

Hope you find this Journal to be of some use to you; it took a good deal of
time to put together. Remember that the mind is like a parachute. It only
works when open. Stand back, open your mind and get ready for an influx!

(>-------------------------------------------------------------------------<)

The LOD Technical Journal: File #2 of 12

1993-1994 PROGRAM CALENDAR

L e g i o n  of  D o o m
TECHNICAL SCHOOL

Rather than just educating everyone informally in the ways of computer and
telephone security and understanding, the LOD has decided to go all the way
with it. No longer are we just a hacking group. The LOD is now offering
formal courses the way any other accredited Technical School, College of
Applied Arts or University does.

Several reasons lie behind this bold new decision...

o Educate people in skills that can be applied to today's job market.
o Give a general understanding in computers/telecom.
o Offer unique courses that other institutions don't offer.
o Instead of people wrongly claiming to be a "hacker" they can now become
  one.
o Offer all those interested a chance to enrol.
o And to provide them free of charge.

Due to limited resources only the three courses we felt to be the most
important are being offered. They will be conducted on a "correspondence"
basis. It operates as follows. If you are seriously interested in enrolling
in these courses, send us Email or snail mail with the completed
application form at the end of this calendar. That includes your name,
address, phone number, Internet address if applicable and a brief outline
of your educational and occupational background. Don't worry though, all
applicants are accepted. We would however advise everyone that previous
experience with a computer is recommended. If sending snail mail be sure to
provide an 8X11 size SASE for us to reply to you in. A course outline
including a list of required readings and assignment due dates will be
mailed back to you.
In the outline will be full bibliographic information on the books and soft
copy materials you'll need for the course. It will work just like any other
course does, just without the exams and tests as it would be impossible to
adjudicate them. However, because of this and to maintain the integrity of
the LOD Technical School, papers will be marked sternly at post-secondary
standards. After you submit your paper to us an LOD member will mark it and
return it to you via snail or email with comments and a grade attached.

Now for the best part... You can take these LOD courses as "Courses at
another institution". Meaning that yes, in addition to getting your degree,
included in it can be LOD courses! ALL educational institutions have
provisions for courses to be taken at other institutions. It's a fairly
simple procedure. You go to your Office of Student
Programmes/department/guidance centre etc. and obtain a form for "taking a
course at another institution". Attach the course descriptions from this
file and gain permission from the director of your
faculty/department/program/etc. and then you are set. Providing you pass
our courses with a high enough grade your institution will accept the
courses as part of your degree requirements. If your institution has no
equivalent courses, they can become "electives". Since you are usually
required to take up to 3 elective courses to obtain a degree why not do
something you enjoy? After all it's more exciting than taking Early Italian
Literature as your elective.

There is no need to worry about our "legitimacy" as long as you obtain
permission to take the course through the proper procedure. An institution
does not need any kind of formal designation through the
Department/Ministry of Education to provide a course. We are just another
one of the millions of institutions throughout the world that offer
training or formal courses.
These courses can also be used to place you in "Advanced Standing" if you
aren't at school now but decide to in the future. Or just for the sake of
expanding your horizons/mind/abilities etc.

Because we have no set semester schedule, courses start at the first of
every month and run for five months. Starting 1 November 1993. Take them at
your own convenience. A maximum of one course may be taken at a time.

Here are the descriptions to the first 3 LOD Technical School Courses:
(Full outlines will accompany your enrolment starting 1 November 1993)

------------CUT HERE---------------------------------------------------------

TEL3440    0.5 Credits    Telephony

With the rise of sophisticated technology telephony is becoming much more
complex. The entire telephone network from customer premises equipment to
switching systems will be covered. Recent trends such as ISDN, BISDN, fiber
optics and data networking will also be studied.

CSC3450    0.5 Credits    Computer Security

With the rise of computers, securing them against criminal or malicious use
has become vital. Surprisingly little attention has been devoted to it
leaving many systems wide open to abuse. Covered in this course will be the
security of LANs, networks and various operating systems. Cryptology will
be examined as well.

HCK4100    0.5 Credits    Intro to Hacking

Despite all the attention hackers have received, there is only a small core
of no more than a few hundred people in the world that have the skills to
actually hack. Starting with the basics of hacking it will guide you into
more advanced intrusion techniques with the more popular operating systems.
This course may be taken based on your own abilities, so master hacker or
just plain novice it will fit you. PSNs, Internets, basic hacking on
popular operating systems such as unix and vax will be covered along with
other operating systems and nets depending on your time/prior abilities.
------------CUT HERE---------------------------------------------------------

Career Opportunities

After passing our courses you will be able to supplement your job skills
for finding employment in any sector of the economy - Business, Industry or
Government that deals with computers/telecom.

Remember these are FREE courses. They have a retail value of around
US $1,250 each if taken at a high-quality University in the US. Take
advantage of this opportunity to learn something you enjoy doing for FREE.
The Legion of Doom believes in disseminating knowledge so is offering these
courses as a public service to the world.

Finally they are well worth your time. They are highly organized, with
carefully selected readings and assignments. It would take years of
self-study to achieve what you can with these courses in just a few months.
And because we don't spout out loads of useless and academic theory, math
and equations like most institutions you'll learn far more here.

Since these are "correspondence" courses you must have a high degree of
self-discipline and motivation. If you lack these qualities don't waste
your time or ours by attempting them. They will take at least several hours
a week on your part, so if you can't put aside such time don't bother with
them.

If you would like to take these courses send the enclosed application form
(either in email or snail mail) to the Legion of Doom Technical School at:

Internet: tdc@zooid.guild.org

Mail:  LOD
       P.O. Box 104
       4700 Keele St.
       M3J-1P3

-------------CUT HERE--------------------------------------------------------

LOD Technical School Application Form
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

Note: The start date for these courses is 1 November, 1993. They are 5
months in duration. Right now applications are only being taken for the
1 November start date. You may take a maximum of one course at a time.

PERSONAL DATA
(If any of this is left blank, your application will be rejected)

Course you wish to sign up for:
Surname:
Given Name:
Daytime Phone Number (include NPA):
Office Phone Number w/Ext.:
Internet Email address (leave blank if none):
Address:
Apartment #:
City/Town:
State/Province:
Postal/Zip Code:
Country:

SUPPLEMENTARY DATA

Describe your computer related skills and experience:
-
-

What operating systems are you fluent in?
-

Briefly describe your educational background:
-
-
-
-
-

Your occupational background:
-
-
-
-
-

Do you have the self-discipline, dedication and time to apply yourself
here?
-
-

Please include any other information that you feel we should be aware of,
or any questions you may have:
-
-
-
-
-
-
-
-

-------------CUT HERE--------------------------------------------------------

Send the completed form to us at one of the above addresses.

-----------------------------------------------------------------------------

The LOD Technical Journal: File #3 of 12

%%%%%%%%%%%%%%
Legion of Doom Technical Journal Index
Issues 1-5
%%%%%%%%%%

    Name of article or file                             Author               Size
----------------------------------------------------------------------------

Issue: 1   Released: Jan. 1, 1987

01  Introduction to the LOD/H Technical Journal         Staff                04K
    and Table Of Contents for Volume 1, Issue 1
02  Custom Local Area Signalling Services (CLASS)       The Videosmith       17K
03  Identifying and Defeating Physical Security and     Lex Luthor           23K
    Intrusion Detection Systems Part I: The Perimeter
04  The Traffic Service Position System (TSPS)          The Marauder         23K
05  Hacking DEC's TOPS-20: Intro                        Blue Archer          19K
06  Building your own Blue Box (Includes Schematic)     Jester Sluggo        16K
07  Intelligence and Interrogation Processes            Master Of Impact     18K
08  The Outside Loop Distribution Plant: Part A         Phucked Agent 04     25K
09  The Outside Loop Distribution Plant: Part B         Phucked Agent 04     23K
10  LOH Telenet Directory: Update #4 (1-1-87) Part A    LOH                  25K
11  LOH Telenet Directory: Update #4 (1-1-87) Part B    LOH                  18K
12  Network News & Notes                                Staff                10K

    Total: 12 files   223 K

Issue: 2   Released: Aug. 10, 1987

01  Introduction to the LOD/H Technical Journal                              04K
    and Table of Contents for Volume 1, Issue 2
02  The Networked Unix                                  Solid State          17K
03  Step By Step (SXS) Switching System Notes           Phantom Phreaker     12K
04  A Guide to the PRIMOS Operating System              Carrier Culprit      25K
05  Identifying and Defeating Physical Security and     Lex Luthor           30K
    Intrusion Detection Systems Part II: The Exterior
06  A Discrete Unix Password Hacker                     Shooting Shark       09K
07  Hacking DEC's TOPS-20: Part II                      Blue Archer          25K
08  Hacking IBM's VM/CMS Operating System, Part A.      Lex Luthor           26K
09  Hacking IBM's VM/CMS Operating System, Part B.      Lex Luthor           25K
10  Network News & Notes                                Staff                07K

    Total: 7 articles, 10 files   180 K

Issue: 3   Released: October 21, 1988

01  Introduction to the LOD/H Technical Journal         Staff                02K
    and Table Of Contents for Volume 1, Issue 3
02  Understanding Automatic Message Accounting Part A   Phantom Phreaker     22K
03  Understanding Automatic Message Accounting Part B   Phantom Phreaker     25K
04  Update file: Shooting Shark's UNIX password hacker  Shooting Shark       03K
05  An Introduction to Teradyne's 4TEL System           Doom Prophet         12K
06  A Cellular Automaton Encryption System              The Mentor           29K
07  Hacking the IRIS Operating System                   The Leftist          13K
08  A Guide to Coin Control Systems                     Phase Jitter         08K
09  A UNIX password hacker from USENET                  -------------        16K
10  Reprint News Article: 'LOD BUST MYTH'               --------------       13K
11  Network News & Notes                                The Mentor           30K

    Total: 6 articles, 11 files   173 K

Issue: 4   Released: May 20, 1990

01  Introduction to the LOD/H Technical Journal         Staff                04K
    and Table Of Contents for Issue #4
02  The AT&T BILLDATS Collector System                  Rogue Fed            14K
03  The RADAR Guidebook                                 Professor Falken     17K
04  Central Office Operations                           Agent Steal          32K
05  A Hackers Guide to UUCP                             The Mentor           27K
06  The History Of LOD/H                                Lex Luthor           12K
07  The Trasher's Handbook to BMOSS                     Spherical Abberation 11K
08  The LOD/H Telenet Directory Update #4 Part A        Erik Bloodaxe        65K
09  The LOD/H Telenet Directory Update #4 Part B        Erik Bloodaxe        43K
10  Network News and Notes                              Staff                38K

    Total: 7 Articles 10 Files   263K

Issue: 5   Released: June 18, 1993

01  Introduction to the LOD Technical Journal           Staff                03K
    and Table of Contents for Volume 1, Issue #5
02  The Legion of Doom Technical School:                Staff                08K
    1993-1994 Program Calendar
03  Index to the LOD Technical Journals:                Staff                06K
04  Communications Technology                           Unequal Access       24K
05  DMS-100 Maintenance                                 Unequal Access       14K
06  Operator Service Position System (OSPS)             The Enforcer         12K
07  Testing Operations Provisioning Administration      Mystik Freak         09K
    System (TOPAS)
08  International Switching Systems                     Mystik Freak         30K
09  Hacking GANDALF XMUXs                               Deicide              12K
10  TEMPEST Technology                                  Grady Ward           13K
11  Presidential Security                               Argon                14K
12  Network News & Notes                                Staff                63K

    Total: 8 Articles 12 files   208K

These journals may be found at ftp.eff.org in the pub/cud/lod directory and
on many other sites. Look for a full list in the next TJ. If your board or
site would like to carry these TJs to aid in distribution let us know.

----------------------------------------------------------------------------

The LOD Technical Journal: File #4 of 12

=--=--=--=--=--=--=--=--=
Communications Technology (tm)

Unequal Access
LOD
June 1993

The title of this article is that of communications technology. Not data
communications or telephony but communications. The two have for all
practical purposes become one and the same. Voice communications, wireless
communication services etc. are now being transmitted by digital means.
What was once a simple matter of drawing a line between the two is no more
the case. This convergence together with new technologies radically changes
the picture of communications. Many former concepts and systems will be
obsolete in a few years.

To examine the future of communications I'll cover:

- ISDN and BISDN
- ATM
- SONET
- Service Net-2000
- Other developments

ISDN
=--=

A comprehensive description of ISDN would be too big to cram in here so a
brief definition and update on the status of ISDN will be given.

ISDN Defined
------------

ISDN is defined by the CCITT as:

    ...a network in general evolving from a telephony Integrated Digital
    Network (IDN), that provides end-to-end digital connectivity to
    support a wide range of services including voice and non-voice
    services, to which users have access by a limited set of standard
    multi-purpose user network interfaces...

Basically ISDN is a network that carries voice and data over the same
lines. All services exist in digital form and can be switched by one
network.
Much has been forecasted about how ISDN will change the world with
interactive television, home banking, employees conducting business at
home, new services etc. with AI systems controlling central databases.

Technically defined it provides a digital interface, usually with 2 channel
types - B channels for voice and data and D channels for signalling and
control. This gives a dedicated channel for the subscriber's information
and one for control of the interface. The fundamental building block of
ISDN is its 64 kbps digital channels, with two main interfaces - Basic Rate
Interface (BRI) and Primary Rate Interface (PRI). BRI handles small scale
services such as subscriber lines and PRI handles large scale services such
as central databases. Each has both a D channel and X number of B channels.
BRI has 2B + D channels and PRI has 23B + D channels. Each B channel is
64 kbps and the D channel is 64 kbps for the PRI and 16 kbps for the BRI.
To plan for future increases 384 kbps has been allotted to the H0 channel,
1336 kbps to the H11 channel and 1920 kbps to the H12 channel.

Integration
-----------

ISDN will have one format, so various devices won't need their own
dedicated lines. One common interface will accommodate all applications. By
having one set of wires and protocols users won't need to bother with
coaxial cables for television, X.25 protocols for packet switched networks
(PSNs), telex lines, various leased lines etc.

Misconceptions
--------------

ISDN itself isn't going to provide anything. It is just the standard for
network interface. Anything new will depend upon the services offered on
it. The concept of digital switching is not a new one to begin with. It's
been in use since the mid 60's. The real "upheaval" with ISDN is that Ma
Bell is no longer going to provide just telephone calls but a whole range
of services.

This list of services along with speed requirements and channel type was
taken from the IEEE.

Service                   Speed Required    Channel
-------                   --------------    -------
Voice                     8,16,32,64 kbps   B
Alarms                    10-100 bps        D
  Smoke
  Fire
  Police
  Medical
Utility metering          0.1-1 kbps        D
Energy Management         0.1-1 kbps        D
Interactive information   4.8-64 kbps       B
  Electronic banking
  Electronic yellow pages
  Opinion polling
High quality audio        ~300-700 kbps
Slow scan TV              56-64 kbps        B
Compressed video          ~30 Mbps
Compressed video conf.    ~1.5 Mbps
Broadcast video           ~100 Mbps
Switched video            ~100 Mbps
Interactive video         ~100 Mbps
Facsimile graphics        4.8-64 kbps       B

CCS
---

Another vital part of ISDN is Common Channel Signalling (CCS), which
separates signalling information from user data. Rather than being an older
form of in-band signalling, where signals and data are on the same channel,
it is out of band, where signals travel on different channels. This allows
more services and reduces circuit connection times. ISDN uses SS no.7
(SS7). The initial version SS6 used analog trunks of 2400 bps, SS7 uses
digital trunks of 56/64 kbps.

Well, you're most likely asking yourself what this all means for our
underground activities. It will create a bonanza of new services and
opportunities all unified in one network. Just as data and voice
communications are merging so too will hacking, phreaking, cable fraud etc.
Because ISDN has yet to be implemented on a mass scale in North America
it's not possible to say specifically how it may be abused. You should
still be prepared for its arrival by understanding its design and purpose
though.

Many supplementary services have been approved for ISDN by the CCITT and
more are being approved right now:

Number Identification Services:

- Direct Dialing In (DDI)
- Multiple Subscriber Number (MSN) - Allows different numbers to ring at
  one number.
- Calling Line Identification Presentation (CLIP) - (ANI)
- Calling Line Identification Restriction (CLIR) - blocks out an incoming
  ISDN number.
- Connected Line Identification Presentation (COLP)
- Connected Line Identification Restriction (COLR)
- Malicious Call Identification and Sub-Addressing (not yet defined by the
  CCITT).

Call Offering Services:

- Call Transfer - Lets a call be transferred to a third party.
- Call Forwarding Busy (CFB)
- Call Forwarding No Reply (CFNR)
- Call Forwarding Unconditional (CFU)
- Call Deflection

Misc. Services:

- Private Numbering Plan
- Advice of Charge - Allows the caller to find out the cost of a call
  before, during or after.
- Credit Card Calling and Reverse Charging
- User-to-User Signalling (UUS)

These supplementary services take advantage of SS7's full range of
capabilities.

ISDN Trials
-----------

Since ISDN provides the "digital pipe" and the subscriber selects services,
the network, circuits, trunks and customer premises equipment (CPE) are all
being tested. Most of the early ISDN trials were quite basic and were
intended only to prove the validity of ISDN concepts. The current status of
ISDN is with more complex testing and actual implementations. A brief
summary follows.

Location       Organization         Date  Details
--------       ------------         ----  -------
Sweden         Televerket/Ericsson  1981  Local network transmission
Wisconsin      Wisconsin Bell/      1985  Customer acceptance trials, mobile
               Siemens                    unit
Munich/Berlin  DBP/Various          1984  BIGFON, local wideband ISDN dist.
Tokyo          NTT                  1984  INS trial; 64/16/4/4, B/B/D/D access
Venice         SIP/Ericsson         1984  I.412 access
London         BT/Various           1985  IDA trial, commercial 64/8/8, B/B/D
                                          access
Chicago        Illinois Bell/AT&T   1986  I.412 access, fairly basic
Phoenix        Mountain Bell/NT     1986  I.412, DMS-100, 3 customers
Phoenix        Mountain Bell/GTE    1986  GTD5 EAX
Phoenix        Mountain Bell/NEC    1986  Digital adjunct to 1A ESS
Portland       PacBell/NT           1987  DMS-100, 32 kbps voice channels
Atlanta        Southern Bell/AT&T   1987  5ESS
Boca Raton     Southern Bell/       1987  EWSD
               Siemens
Ottawa         Bell Canada/NT       1986  DMS-100, SS7 trials
Ottawa         Bell Canada/NT       1987  DMS-100, basic and primary access
Belgium        RTT/BTMC             ?     System 12, details unknown
Germany        DBP/Siemens/SEL      1986  EWSD System 12, comprehensive phased
                                          trials
France         CNET                 1987  E 10, MT25, "Renan" project
Florida        Southern Bell/NT     1988  Fiber to home, POTS, ISDN, CATV
                                          transport
US             SWBT                 1988  Internetwork 5ESS, DMS-100 and EWSD
US             MCI                  1989  Test with Meridian SL-1 and SL-100s
US             Sprint               1990  All network switches support ISDN
US             AT&T                 1990  Complete conversion to SS7
US             MCI                  1990  Complete conversion to SS7
Australia      Telecom Australia    1990  ISDN commercially available
Japan          NTT                  1990  ISDN in 200 cities
US             SWBT                 1991  Internetworking of SWBT and IECs,
                                          ISDN and SS7
Brazil         Telbras              1993  ISDN commercially available
UK             BT                   1993  PRI in place
Germany        Deutsche Bundespost  1993  Nation wide ISDN, 3 million users
               Telekom

Broadband ISDN (BISDN)
----------------------

Is designed to exploit ISDN's full broadband capabilities. With BISDN
everything from alarm monitoring to live action video broadcasts can be
handled. BISDN is designed to use optical transmissions and compress its
data up to 15 times by using more sophisticated terminal equipment. Thus
BISDN can handle video images which require refreshing 30 times a second
and would require transfer rates of 100 Mbps with no compression. Because
of its complexity BISDN will likely end up in commercial applications in
the near future.

Transfer Modes
--------------

In the design of BISDN standards either the synchronous transfer mode (STM)
or the asynchronous transfer mode (ATM) can be used. STM is the POTS way
using time division multiplexing. Synchronous multiplexing uses a clock to
assign windows for information to be transmitted, regardless of whether
transmission takes place at all. Asynchronous multiplexing does without a
clock to keep transmissions in place. ATM is virtually the same as this,
with faster routines. In ATM windows for transmission are opened when
needed and are not arbitrarily assigned. Information indicating the source
is in each header.
ATM is the more common method being CCITT approved. STM is still being
debated as the use of highly accurate atomic clocks will ease multiplexing
digital bit streams coming from multiple locations.

ATM
=--

Is a method of cell oriented switching and multiplexing giving high-speed,
low error transmissions. It combines the efficiency of packet technology
with the reliability of circuit switching. It is made up of fixed, 53
character cells. Every cell has 48 characters and a 5 character header to
keep track of its source. Incoming data is broken up into smaller uniform
cells by ATM equipment, transmitted and reassembled upon reception. Since
processing fixed sized cells is such a basic task, ATM is much faster at
packet switching than say X.25 is, giving ATM the ability to deal with such
demanding applications as real-time video. ATM switches and transmits all
forms of communications - voice, data, narrow and broadband, continuous and
two-way dialogue traffic, in this uniform fashion.

ATM transmits its data over a "virtual channel" when in connectionless
mode. A virtual channel is the channel that connects points on the ATM
network. A virtual connection moves a set of virtual channels with the same
path identifier over the network. It has a cell header that consists of a
virtual path and virtual channel identifier. To allow private networks,
crossconnects or virtual path switches create a permanent link or virtual
path between both ends of the network. Virtual path switches don't need
signalling as ATM switches do.

The adoption of a global ATM network will be at the earliest in 1995.
Trials with ATM are already underway. The move toward BISDN will require
the development of both this ATM network and crossconnects.

SONET
=--=-

The Synchronous Optical Network (SONET) is the ANSI standard for the
transmission of ATM frames on optical fiber networks. SONET vastly
increases potential transmission rates.
It far surpasses today's DS3 speed and has an OC-1 bandwidth of 51.84 Mb/s.
OC-48 is 2.5 Gb/s; the commercial version will be much slower at OC-3 or
155 Mb/s.

In addition to providing greater data transfer rates it is a far more
intelligent network, transmitting control directives in its synchronous
stream. The subscriber's data is contained in the payload and the control
directives in the overhead. Overhead is made up of its section, line and
path components. Users can manipulate the network with messages placed in
overhead. The section overhead covers frame and error monitoring and
controls key equipment on the transmission line such as optical
regenerators. Line overhead monitors performance. Path overhead monitors
errors and controls the signalling between different points on the SONET
network. SONET's synchronous bit streams give very reliable transmissions
and multiplexing.

SONET more or less integrates the functions of OA&M and as a result fewer
systems will be needed to perform them. What this means is fewer access
ports will be available to dial into.

SONET (and for that matter ISDN, BISDN, SS7 and ATM) are more complicated
and have a lot more to them than what's been presented here. Look for
specialized files on them and what they can do for you in upcoming
journals.

Service Net-2000
=--=--=--=--=--=

Service Net-2000 is designed to use the capabilities of the 5ESS Switch to
provide a better public switched telephone network (PSTN). Improvements
that are required by the advent of more technically demanding services such
as HDTV, high speed data transmissions, speech recognition etc. These
services require faster and faster communications and higher bandwidths.
Service Net-2000 is designed to provide higher capacity switching and data
networks using SONET technology. The goal being to provide an effective
universal information service (UIS). In this Service Net-2000 is a kind of
"follow up" to ISDN.
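
The ATM section earlier in this article describes fixed 53-byte cells whose 5-byte header carries the virtual path and virtual channel identifiers. The Python below is an added example, not part of the original journal: it segments messages into cells, checks each header, and reassembles interleaved traffic per channel. The header layout and HEC checksum follow the standard UNI cell format; the two-byte length trailer and the sample traffic are simplifications constructed for illustration.

```python
from collections import defaultdict

CELL_SIZE, HEADER_SIZE, PAYLOAD_SIZE = 53, 5, 48
PT_LAST = 0b001  # payload-type bit marking the last cell of a message (as AAL5 does)


def hec(first4):
    """Header Error Control: CRC-8 (x^8 + x^2 + x + 1) over bytes 0-3, XOR 0x55."""
    crc = 0
    for byte in first4:
        crc ^= byte
        for _ in range(8):
            crc = ((crc << 1) ^ 0x07) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return crc ^ 0x55


def build_header(vpi, vci, pt=0, clp=0, gfc=0):
    """Pack the 5-byte UNI header: GFC(4) VPI(8) VCI(16) PT(3) CLP(1) HEC(8)."""
    if not (0 <= gfc < 16 and 0 <= vpi < 256 and 0 <= vci < 65536
            and 0 <= pt < 8 and clp in (0, 1)):
        raise ValueError("header field out of range")
    word = (gfc << 28) | (vpi << 20) | (vci << 4) | (pt << 1) | clp
    first4 = word.to_bytes(4, "big")
    return first4 + bytes([hec(first4)])


def parse_cell(cell):
    """Validate length and HEC, then unpack the header fields."""
    if len(cell) != CELL_SIZE:
        raise ValueError("cell must be exactly 53 bytes")
    if hec(cell[:4]) != cell[4]:
        raise ValueError("HEC mismatch: header corrupted")
    word = int.from_bytes(cell[:4], "big")
    return {"gfc": word >> 28, "vpi": (word >> 20) & 0xFF,
            "vci": (word >> 4) & 0xFFFF, "pt": (word >> 1) & 0x7,
            "clp": word & 1, "payload": cell[HEADER_SIZE:]}


def segment(data, vpi, vci):
    """Split data into 53-byte cells on one virtual channel.

    Simplified trailer (an assumption, not the real AAL5 trailer): zero
    padding plus a 2-byte big-endian length, filling a whole number of cells.
    """
    if len(data) > 0xFFFF:
        raise ValueError("message too long for 2-byte length field")
    pad = -(len(data) + 2) % PAYLOAD_SIZE
    frame = data + bytes(pad) + len(data).to_bytes(2, "big")
    chunks = [frame[i:i + PAYLOAD_SIZE] for i in range(0, len(frame), PAYLOAD_SIZE)]
    return [build_header(vpi, vci, pt=PT_LAST if i == len(chunks) - 1 else 0) + c
            for i, c in enumerate(chunks)]


def reassemble(cells):
    """Demultiplex interleaved cells by (VPI, VCI) and rebuild each message.

    Returns (messages, stats). Cells with a bad HEC are discarded; a frame
    whose cell count does not match its length field is rejected, which
    catches a lost or stray cell.
    """
    buffers = defaultdict(bytearray)
    messages = defaultdict(list)
    stats = {"bad_cells": 0, "bad_frames": 0}
    for cell in cells:
        try:
            hdr = parse_cell(cell)
        except ValueError:
            stats["bad_cells"] += 1
            continue
        key = (hdr["vpi"], hdr["vci"])
        buffers[key] += hdr["payload"]
        if hdr["pt"] & PT_LAST:
            frame = bytes(buffers.pop(key))
            length = int.from_bytes(frame[-2:], "big")
            expected = -(-(length + 2) // PAYLOAD_SIZE) * PAYLOAD_SIZE
            if len(frame) == expected:
                messages[key].append(frame[:length])
            else:
                stats["bad_frames"] += 1
    return dict(messages), stats


def demo():
    # Constructed sample traffic: two virtual channels sharing one link.
    voice = segment(b"voice-sample " * 10, vpi=1, vci=32)  # 130 bytes -> 3 cells
    data = segment(b"short data message", vpi=1, vci=33)   # 18 bytes -> 1 cell
    link = [voice[0], data[0], voice[1], voice[2]]          # interleaved on the wire
    return reassemble(link)


if __name__ == "__main__":
    msgs, stats = demo()
    for (vpi, vci), parts in sorted(msgs.items()):
        print(f"VPI={vpi} VCI={vci}: {[len(p) for p in parts]} bytes")
    print(stats)
```

Because every cell is the same size, the receiver only needs the header to decide which channel a cell belongs to; a single flipped header bit fails the HEC check and the affected message is rejected rather than delivered corrupted.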

Architecture
------------

SS7 is at the heart of this intelligent network. It provides 64 kb/s voice
transmissions and 1.54 mb/s (T1) data transmissions, when over fiber optic
or other high bandwidth lines. The need for Service Net-2000 is high, once
you consider the oncoming rush of optical transmissions measured in rates
of gigabits/second. Nodes in Service Net-2000 are also "intelligent" being
"self-aware", adapting to net changes, making corrections and self
improving.

The main goal of Service Net-2000 architecture is to provide unification.
It combines basic functions such as switching, routing etc. with data
transmissions just as ISDN does. The end result being a decentralized CO
throughout the system, as individual functions disappear and are replaced
by this integrated system.

Service Node
------------

This integration is performed by the service node. Based on the 5ESS-2000
system (note that 5ESS is now 5ESS-2000 when used with Service Net-2000 and
broadband network services-2000 (BNS2000)). The "2000" group that forms
this is based on SONET. Using flexible mapping and frame switching, rates
at multiples of 51.84 mb/s are supported. The "2000" group consists of the:

- Digital data multiplexer (DDM-2000)
- Digital access and cross-connect systems IV-2000 (DACS IV-2000)
- DACS III-2000 cross connect system
- DACScan-2000 controllers
- DACScan-2000 workstation
- FT-2000 lightware

The DACS IV-2000 is able to carry higher speed virtual tributary (VT)
channels and not just today's slower asynchronous ones. Both DACS IV-2000
and DACS III-2000 can support non-SONET hookups too, making them quite
versatile. The DACS III-2000 differs from the IV-2000 in offering the
DS3/Synchronous Transmission Signal-1 (STS-1)

5ESS-2000
---------

As I mentioned before 5ESS-2000 combines BNS-2000 with the other members of
the "2000" group. This boosts the capacity of a 5ESS-2000 Switch to 250,000
lines on 64,000 trunks. Key to this is the improved switching module, the
SM-2000.
It handles everything associated with a call and can even be used as a stand alone remote office, in which case it's called an EXM-2000. To enable high-speed interfaces, 5ESS-2000 uses digital networking units (DNUs). A DNU is simply a combination of a 5ESS Switch with, say, a DACS switch. The DNU-IV is a derivative of the DACS IV-2000 and gives additional high speed possibilities. Due to its high operating speed it can greatly speed up CO operations that are slowed down by older copper wirings.

With the DNS-2000 cell switch, the broadband integrated services digital network (BISDN) will be created. Point-to-point packet frame relays can be provided even to those lacking T-1s, as well as switched multimegabit data services (SMDS) with up to T3 capabilities. The cell switch is made up of low speed port carriers running at 8 Mb/s and high-speed switching systems running in excess of 200 Mb/s. BNS-2000 handles both frame relays that require connections and SMDSs which don't.

Service Net-2000 has the ability to redirect calls between different areas effortlessly. The service control point (SCP) provides the information for the service circuit node based on call screening options, the date/time etc., allowing the 5ESS-2000 switch to offer a whole range of options such as call waiting, forwarding, blocking etc.

Basically the idea behind Service Net-2000 is to add intelligence to the 5ESS switching system and to drastically improve its speed and call handling abilities, with the purpose of creating a more powerful UIS.

Other Developments
=--=--=--=--=--=--

Intelligent Network (IN)
------------------------

IN is just distributing AI throughout the network, a trend which pops up numerous times throughout this issue of the journal with Expert Systems, Service-Net 2000 etc. The idea behind IN is to have large and fast central databases connected with the rest of the network with protocols such as X.25, SS7 etc.
IN allows global service to be introduced more easily and with good flexibility. IN is comprised of service switching points (SSPs) and service control points (SCPs). An SSP takes calls and sends them to an SCP. SCPs contain the databases themselves, such as calling card verification data.

Telecommunication Management Network (TMN)
------------------------------------------

TMN, as the name implies, manages the network. TMN performs OA&M on a CCITT standardized structure.

Gigabit Testbeds
----------------

Are now being implemented for experimental purposes by DARPA, NSF and others. Several are being conducted by the Corporation for National Research Initiatives (NRI). They involve telcos, academic, commercial and government researchers for the future National Research and Education Network (NREN) Internet. NREN promises a good deal of services, such as real-time transmission of high-speed data streams, huge automated electronic libraries and Gb/s transmission rates taking us away from ASCII into full motion video.

One experimental net is Vistanet with ATM and SONET capabilities and 622 Mb/s speed. Another one is Aurora. Bellcore is providing an experimental Sunshine switch and IBM a Planet Packet Transfer Mode (PTM). Unlike ATM, PTM packets have no fixed size, being as large as 2k. PTM is not a recognized standard but may end up in commercial use, with ATM serving the network itself from the CO.

NT is providing a SONET Digital Multiplex System (S/DMS) that takes up to 16 SONET inputs of 155 Mb/s and multiplexes them to 2.4 Gb/s for Casa, a co-operative venture of several organizations in California. The main component of Casa is a high-performance parallel interface (Hippi) gateway for SONET.

A European group called RACE (R&D in advanced communications technologies in Europe) is designing Integrated Broadband Communications (IBC) within a BISDN.
RACE is also working on Code-Division Multiple Access (CDMA), optical networks, teleshopping, electronic funds transfer over an ATM BISDN, mobile network architecture and the universal mobile telecommunications system (UMTS).

The Future
----------

Compared to the last century of relatively stagnant copper wiring the impact of higher bandwidths and optical technologies will - eventually - be monumental. All of this does however depend on the introduction of optical fibers. Because of the narrow-band copper wires that are the last link to the subscriber, evolution to better technology is stunted (in the US at least). The cost of overhauling these copper wires in the US with fiber ones is on the order of 200 billion US. In other nations however, the use of fibers linking residential homes is more than 50%. Fiber technology is however constantly growing and its price dropping.

As an aside to all this, look at what's been done in the last 10 years of communications compared to the last 100 years. We are constantly lessening the doubling time of communications technology. In the next 3 years we will equal the last 10 years of progress. Soon it will drop down to a year and then to a matter of months. Since International standards take 15 + years to work out, bureaucracy may become an impediment.

---------------------------------------------------------------------------
Sources

IEEE 0018-9235/93
Telecommunications Journal April 1993
Various books and articles on ISDN
---------------------------------------------------------------------------

The LOD Technical Journal: File #5 of 12

=/=/=/=/=/=/=/=/=/=/=/=/=/=/=
Maintenance for DMS-100
Written by - -/- Unequal Access -/-

.Introduction

In order to maintain Northern Telecom's (NT) DMS-100 Digital Switch, an advanced menu driven man-machine interface (MMI) is used. It is comprised of a Visual Display Unit (VDU) which is part of the Maintenance and Administrative Position (MAP) interface.
I'm going to outline how it deals with maintenance, alarms, and administration. A quick example of how it handles line and trunk trouble reports and the addition of a new subscriber will be given.

.Maintenance and Administrative Position (MAP) Hardware

The MAP is the primary interface between the technician and the DMS-100 family of switches. The main hardware components of the MAP are:

1. Visual Display Unit (VDU) - the MAP terminal
2. Alarm Panel - sends an alarm to the VDU.
3. Communications Module - (telephone) to speak with the subscriber voice
4. Test jacks

.Remote MAP

Since all line and trunk test equipment is an integral part of the DMS-100, no loss in accuracy results when the MAP is remote. Every switch has its own dialup as well. Meaning this is not a theoretical file, you will be able to dial up DMS-100 and perform switch maintenance!

Maintenance

A sophisticated MMI through the MAP terminal is used to allow a technician to maintain the switch and keep informed of switch operations. Maintenance of a DMS-100 digital switch is made up of:

1. Manually requested maintenance
2. Scheduled maintenance
3. Automatic maintenance after the detection of faults

Alarms

The system maintains alarms for the more critical areas of the switch, i.e. the central controller. A real-time display of the alarms gives the technician constant status reports.

Administration

A Table Editor allows the technician to add new lines or trunks. A Service Order facility allows features such as hunt groups and Multiple Address Directory Numbers (MADN) to be added.

.Maintenance

A common use of line maintenance is in resolving a customer type trouble report. The technician selects the Line Test Position (LTP) option and the selected line is flagged for action by an identifier (i.e. directory number, physical location number). The line status information, i.e. line state and terminating directory number, is constantly sent to the MAP terminal by DMS-100.
A functional test of the subscriber's dedicated line card is invoked by DIAGNose. Test equipment measures performance of the line card and reports deviations from defined levels. Here is what a LTP with line diagnostic results appears as on the terminal:

    CC CMC IOD Net PM CCS LNS Trks Ext FDIAG 10 GC M "C" LTP POST DELQ BUSYQ PREFIX 0 Quit- 2 Post- 3 LCC PPTY RNG ... LEN ... DN STAFS LTA TE RESULT 4 LTPMAN IBN PSET HOST 02 1 12 30 772 5016 IDL 5 Busy- 6 RTS- 7 Diagn- HOLD1 722 7861 IDL 8 TstRing HOLD2 722 7862 CPB7227782 9 Almstat- HOLD3 722 7861 IDL D 10 CktLoc Diagn 11 Hold 12 NextH- LEN HOST 01 1 12 30 DN 7225016 13 NextP- DIAGNOSTIC RESULT Card diagnostic OK 14 IBNCON ACTION REQUIRED:None 15 CSDDS CARD TYPE 6X21AA 16 LTPLTA 17 LCO- 18 Prefix- F Time XX:XX

Legend: The first line CC CMC... represents the various maintenance subsystem headers. The second line FDIAG 10GC represents a minor alarm condition for line facility diagnostics and a critical alarm condition for 10 trunk groups. Alarm status is given in the third line.

Scheduled Line Testing

Full testing of a subscriber loop may be performed using MAP's Line Test Position Line Test Access (LTPLTA). Internal line test equipment (LTU) in DMS will be physically connected to a subscriber loop with the Metallic Test Access Bus (MTA). Here's what the results of a manually requested line insulation test appear as:

    CC CMC IOD Net PM CCS LNS Trks Ext Clk #0 1 LGC 2 GC 2Crit M M CR C "C" "C" LTPLTA POST DELQ BUSYQ PREFIX 0 Quit- 2 Post- LCC PPTY RNG ... LEN ... DN STAFS LTA TE RESULT 3 MonLTA- 4 TalkLTA- 1FR HOST 00 27 621 1234 IDL 5 Orig- 6 Lnst- 7 Vdc- 8 Vac- 9 Res- 10 Cap- LnTST 11 Hold TEST OK 12 NextH- RES CAP VAC VDC 13 NextP- 14 LTA TIP 999..K 0.05OUF 0 0 15 BalNet 16 Coin- RING 999..K 0.05OUF 0 17 Ring- 18 DgtTst TIP TO RING 999..K 0.57OUF GAT2 Time XX:XX

Using this command, the source of a fault and whether it's on the subscriber end or not can be determined.
This test is usually run during off-peak hours, using MAP's Automatic Line Test (ALT) and the Automatic Line Insulation Test (ALIT).

System Line Initiated Line Testing

When call processing detects faulty lines they are automatically scheduled to be diagnosed in queue. The outcome is given to MAP, and a record is printed in an office log.

Trunk Maintenance

Executes checking, testing, monitoring, status monitoring and verifying functions to make sure trunks are working right. It also provides a means of quick troubleshooting when a trunk problem occurs, using the telescoping process to pinpoint the problem location. An example of a Centralized Automatic Message Accounting 2-Way (CAMA2W) Trunk is given here:

    CC CMC IOD Net PM CCS LNS Trks Ext 10 GC "C" TTP 0 Quit- POST DELQ BUSYQ DIG 2 Post- TTP 5 3 Seize- CKT TYPE PM NO. COM LANG STASR DOT TE RESULT 4 2WY DP MF TMB 424 CAMA2W 1 IDL 5 Bsy- 6 RST- 7 Tst- 8 9 10 CktLoc Tst 11 Hold TEST OK 12 Next- + TRK107 DEC02 14:41:31 8700 PASS CKT CAMA2W 1 13 Rls 14 Ckt- 15 Tms1Vf- 16 StkSdr- 17 Pads- 18 Level- C Time XX:XX

A technician can choose to conduct trunk testing manually from the Trunk Test Position (TTP) or automatically from the Automatic Trunk Testing (ATT) level of the MAP.

.Alarms

Are reported at three levels according to their degree of urgency. In order of urgency they are Critical, Major and Minor. Alarm thresholds are defined by an administrator, i.e. the percentage of a trunk group that is out of service before a minor alarm is sent. Audible and visible indicators can be used locally, in another part of the building or in a remote monitoring center.

.Administration

The Table Editor

Consists of a set of commands that will create or change data. The tables and Table Editor are part of the DMS-100's database software. Control is done at the MAP.
An example of a new trunk addition to an existing trunk group would be:

    >table trkmem  /* TABLE Trunk Member
    TABLE TRKMEM:
    >add otdp1 1  /*Outgoing Trunk Digit Pulse /*Element 1
    SGRP:
    >0  /*Subgroup Number
    PMTYPE  /*Peripheral Module Type
    >tm 8  /*Trunk Module Type 8
    TMNO:  /*Trunk Module Number
    >0
    TMCKTNO:  /*Trunk Module Circuit Number
    >8
    TUPLE TO BE ADDED:
    OTDP 1 0 TM8 0 8
    ENTER Y TO CONFIRM, N TO REJECT OR E TO EDIT
    >y
    TUPLE ADDED

(input MUST be in lower case)

RANGE will give you a list of legal and advised inputs:

    >range
    1 CLLI COMMON_LANGUAGE_NAME
    2 EXTRKNUM EXTERNAL_TRUNK_NAME
    3 SGRP TRUNK_SUBGROUP_NUMBER
    4 MEMVAR MEM_VAR_AREA
    LOGICAL TUPLE TYPE: L_TRUNK_MEMBER
    >range 3
    3 SGRP TRUNK_SUBGROUP_NUMBER
    TYPE TRUNK_SUBGROUP_NUMBER {0 TO 1}

Service Orders

Are used to:

- add/remove subscriber service from lines
- add/remove services such as touchtone
- change Line Equipment Numbers (LEN) or the Directory Numbers (DN) of lines

Here's an example of how you can set up a New Single Party Flat Rate (1FR) with options. In this case the new line will be POTS with touchtone (referred to as dgt). The new line is part of line treatment group 1. The phone number or directory number is 555-1212. The line equipment number is 10 1 12 26 (frame 10, unit 1, drawer 14, card 26)

Input in prompt mode:

    >SERVORD
    SO:
    >new
    SONUMBER: NOW 85 12 02 AM
    >
    /* Directory Number
    >5551212
    LCC:  /* Line Class Code
    1fr  /* Single Party Flat Rate
    LTG:  /* Line Treatment Group
    >1
    LEN:  /* Line Equipment Number
    >10 1 14 26  /* Frame 10, unit 1, drawer 14, card 26
    OPTION:  /* Subscriber Option
    >dgt  /* Digitone Dialing
    OPTION:
    >$
    COMMAND AS ENTERED
    NEW NOW 85 12 02 AM 5551212 1FR 1 10 1 14 26 DGT $
    ENTER Y TO CONFIRM, N TO REJECT OR E TO EDIT
    >y

Input in no-prompt mode:

    >new $ 5551212 1fr 1 10 1 14 26 dgt $
    COMMAND AS ENTERED
    NEW NOW 85... etc.
    >y

Here is another example of how to install a new Electronic Business Set (EBS) with DN 800-555-1212 and LEN 2 0 1.
The option Special Billing (SPB) is used with special billing DN 555-0000.

Input in prompt mode:

    >SO:
    >new
    SONUMBER: NOW 85 12 02 AM
    >
    DN_OR_LEN:  /* DN or LEN
    >5551212
    LCC:  /* Line Class Code
    >pset  /* Proprietary Set (EBS)
    GROUP  /* Customer Group
    >custname
    SUBGRP:  /* Sub Group
    >4
    NCOS:  /* Network Class of Service
    >10
    SNPA:  /* Subscriber Numbering Plan Area
    >800
    KEY:  /* Key Number of EBS
    >1
    RINGING:  /* Audible ringing?
    >y
    LEN:
    > 2 0 1
    OPTKEY:  /* Option on key
    >1  /* EBS key number
    OPTION:
    >spb  /* Special Billing
    SPBDN:  /* Special Billing Directory Number
    >5550000
    OPTKEY:
    >$

That is the maintenance interface of DMS-100. If you are under the system, or any other DMSs for that matter, go searching for its dialup number. As you can tell, there is no end to the things you can configure with it, such as giving yourself "special billing" or no billing whatsoever. You can also edit numbers in different NPAs so a dialup in another NPA would suffice.

----------------------------------------------------------------------------

The LOD Technical Journal: File #6 of 12

Operator Service Position System (OSPS)
By The Enforcer

Introduction
-*-*-*-*-*-*

OSPS is a replacement for the Traffic Service Position System (TSPS). For a description of the TSPS console see The Marauder's article in the LOD Technical Journal Number One, File Four. The main difference between the two is that OSPS can be integrated with the 5ESS Switch itself whereas TSPS was only stand alone. OSPS uses the full capabilities of 5ESS and ISDN to provide more services. OSPS also allows for a high degree of automation and, by using standard 5ESS configurations, maint. is simplified.

Remote Capabilities
-*-*-*-*-*-*-*-*-*

By using 5ESS, OSPS takes advantage of its remote capabilities. OSPS can be used to perform any traditional operator functions and just 1 OSPS switch can handle up to 128 operator teams. This enables operators to be located at one centralized location where thousands of operators work.
(To picture this, remember that MCI commercial with all the operators in that giant room.) Huge operator centres can be located at great distances from their host areas. Conceivably, one huge OSPS centre could serve the entire nation.

OSPS can either be made a component of a 5ESS Switch and handle various services, or be a single switch dealing with only toll or local calls.

Control can be transferred from one OSPS to another. If there is low demand, a system crash or other emergency, control can be passed on to another secure OSPS. This process is called interflow. One usage is during off-peak hours, when usage goes down, for an OSPS centre to close down and switch everything to another centre.

OSPS can use any number of signalling systems, with different languages or country specific requirements.

Architecture
-*-*-*-*-*-*

Operator terminals communicate with switches using ISDN paths. This is done by connecting to positioning switch modules (PSMs). PSMs are simply the switching modules (SMs) found on 5ESS. There are numerous other SMs that use analog and digital trunks to perform a variety of services. SMs can be installed remotely, in which case they are remote switching modules (RSMs) or optically remote switching modules (ORMs).

Operator terminals allow operators to regulate calls and transfer data on an ISDN. Basic rate interface (BRI) is an integrated services line unit (ISLU) that connects up to the PSM. There are four main operator terminals - video display terminal (VDT) for toll assistance, basic services terminal (BST) for listing services, combined services terminal (CST) for both of these functions and intelligent communication workstation (ICW) for International traffic assistance. Knowing these terminals can come in handy when you are dealing with an operator; if you can't get an answer, ask to know which terminal they are looking at.

OSPS is automated as much as possible.
Digital service units (DSUs) on the SMs provide digital automations when required, such as requesting you to insert more red box tones (uh, coins) to continue your call.

The architecture behind OSPS is based on the call processing architecture of 5ESS, and simply copies many of its functions. To originate and terminate OSPS the originating terminal process (OTP) and terminating terminal process (TTP) are used. The OTP is started when a trunk is seized, usually in the initiation of a toll call, and decides where to place the calls, such as to automated billing etc. OTP also monitors the call as it's in progress and conducts billing. Should OTP move the call to an operator, it will label it as one of 128 possible conditions based on the dialled number and trunk group. TTP is started when the call goes out from the switch on outgoing trunks to enable signalling.

Automatic Call Distribution (ACD)
-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-

ACD controls incoming calls to operator teams, placing them in queues if needed, and directs the call depending on its condition to the right operator. At the OSPS centre, there are 128 teams, 1 for each condition. If there are no available operators ACD will place the call in one of four queue conditions. The first is ringing, the next two are announcements and the fourth is an announcement followed by a hanging-up of the caller.

The ACD constantly has the status for every operator. The three conditions are made busy, busy and available. Made busy is an otherwise available operator that isn't ready to receive calls.

If an operator team services more than one call type, and if one call type is queued, the call with the highest "delay ratio" (the expected wait time) will get the next available operator. Supporting teams, up to 8 of which back up the principal teams, act as a "reserve" if the principal ones are busy.
Subject to the condition that a queue is backed up higher than the "outflow threshold" and the supporting team doesn't have a queue past the threshold either.

The position terminal process (PTP) logs operator status by looking at operator inputs, calls, etc. PTP will then route the call to the operator, place it in a queue or route it to another operator.

PTP
-*-

PTP has four models:

virtual terminal (VT) - Takes keystroke inputs, checks them to see if they are legal commands and passes them on.

feature model (FM) - Handles the status of the operator, if an operator logs in, it will indicate that the operator is now available.

near model (NM) - Processes the operator inputs.

call coordination model (CC) - Handles coordination between PTP and other operations. For example signalling between PTP and OTP/TTP.

Here is how AT&T describes a typical event:

. A seizure is detected on an incoming trunk, and an OTP is created.

. Signalling information, such as dialled digits and the back number, is collected and analyzed; the need for an operator is recognized.

. Call type is determined from the dialled digits and incoming trunk group to classify this as an OSPS call of type 1. The ACD administrator has assigned type 1 calls with serving team A as the principal team and serving team B as the supporting team.

. The OTP sends a message to the ACD requesting an operator. This message identified the call as type 1 and obtains other call information.

. The ACD determines that calls of type 1 are being queued.

. The call is queued, and the expected delay is calculated. By comparing the expected delay with administratively specified delay thresholds, the ACD determines whether a delay announcement should be provided to the caller.

. A message is sent to the OTP with this information.

. The OTP first connects the delay announcement, then provides audible ring to the caller.

. At this point, an operator from serving team B becomes available, and the call of interest has migrated to the head of call type 1 queue. The ACD determines that no calls are waiting in any of the principal queues for team B, and further determines that the next call in the call type 1 queue is eligible to be intraflowed to team B. The ACD informs the OTP to send the call to the available operator from team B by sending a message to the PTP in the PSM. It then marks that position as busy with a call.

. The PTP, via the CC model, establishes the voice path between the caller and the operator and sends appropriate display messages to the operator terminal, via the VT model, to provide the initial call seizure information.

. The customer requests a collect call from the operator who depresses the collect key and enters the number to be called. Messages are sent from the operator terminal to the PTP to relay the information. The VT model processes each incoming message and forwards the message to the near model. The near model marks the call as collect and initiates the connection to the forward party via a new CC model. This results in creation of a TTP and appropriate interswitch signalling to ring the forward party.

. After the forward party answers, the operator secures agreement for the collect billing and releases the call from the position via the position release key. This keystroke is first processed by VT and passed on to the near model. The PTP notifies the OTP of the collect billing arrangements. The talking paths are reconfigured to eliminate the operator position. The two parties on the call are now speaking directly without an operator on the call.

. The operator terminal screen is cleared by VT. The FM reports its status back to the ACD as available to handle another call.

. At the conclusion of the call, a billing record is made by the OTP.

Automation and Efficiency
-*-*-*-*-*-*-*-*-*-*-*-*-

OSPS is designed to be as automated as is possible.
It is supposed to make as little use of human operators as can be gotten away with. When you think about it, that's the result of OSPS - human operators are becoming less and less needed. If it weren't for all the potential uproar, they'd get rid of all human operators entirely. They are regarded as a horribly expensive way to handle calls. OSPS allows operators comfy little terminals and pulls them out of situations where they are needed as soon as they aren't required. For example, after obtaining a number for collect billing, the rest of the process - voice acceptance - can be automated.

Many services in the past that were separate are now combined under OSPS. For example, toll and directory assistance operators had to be kept available in large numbers to handle call surges. Meaning toll assistance can be queued up, while directory assistance has available operators. Now with CST, an operator can handle both services.

Data Communications
-*-*-*-*-*-*-*-*-*-

ISDN is used to transfer data in OSPS. External systems can also be reached for such purposes as directory assistance information. Three layers are involved in OSPS operator-switch exchanges:

layer 1 - the physical layer - Gives synchronous data transmission from the terminal to the ISLU.

layer 2 - the link layer - Provides point-to-point exchanges between the terminal and PSM.

layer 3 - the packet layer - Is the layer 3 protocol of X.25. It's a resident virtual circuit for exchanges between the terminals and the SM's processor, which can be used in switch virtual circuit connections to external databases.

Databases
-*-*-*-*-

OSPS uses databases during most calls, to do such functions as check the validity of calling card accounts to prevent cancelled cards from being used. Millions of database queries take place every 24 hours. Because of the immense size of these databases, they can't all fit in 5ESS. So external databases are used. Common channel interoffice signalling (CCIS) links OSPS with external data.
To link with external computers CC7 is used. Data is returned to OSPS from nodes on CCS such as the line info database (LIDB) or billing validation application (BVA). These two nodes handle your Bell's validation of all collect, third number and calling cards.

The X.25 protocol is also used to connect OSPS with other databases. Each database has an ISDN directory number. So one can scan out the addresses and access them on the public PSNs. Since your RBOC doesn't want people messing around with their BILLING databases, they are put in a closed user group (CUG).

---------------------------------------------------------------------------

The LOD Technical Journal: File #7 of 12

(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)
Testing Operations Provisioning Administration System (TOPAS)
LOD - Mystik Freak - LOD
(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)

In order to perform Operations, Administration and Maintenance (OA&M) on switched circuit and facility networks the TOPAS operating system (OS) has been developed. From the "core" of TOPAS the Transport Maintenance Administration System (TMAS) was designed to assist in running the Facility Maintenance and Administration Center (FMAC).

As the telephone network became more and more advanced the conduction of OA&M became increasingly difficult. What's brought about this sophistication has been the later versions of electromechanical switching systems, ISDN etc. In order to keep up, Artificial Intelligence (AI) ideas are being used as a basis for TOPAS-ES. TOPAS-ES is designed as an Expert System (ES) replacement for TOPAS to handle switch circuit operations. TOPAS-ES performs this circuit maintenance using its AI to find and report on network difficulties.

Network Maintenance

In the current 5ESS Switch maintenance is performed by TOPAS and the remote measurement system (RMS-D3). Under 4ESS circuit maintenance system 1 (CMS-1) is used.
The purpose of RMS-DX is to allow testing on circuits terminating on switches. The network is monitored as the transmission passes through the XESS Switch, the multiplexer (MUX) and the line terminating equipment (LTE). TOPAS and CMS-2 continually monitor the network's status and look for deviations from normal operations and then print up trouble reports. Because so many reported problems are transient or falsely reported as a problem, further testing is done to determine real or "hard" problems, through such procedures as performing tests on one of more than a million scan points or attempting to receive from one or two ends of the circuit.

TOPAS uses two different machines with their own databases when processing: Equipment Interface Tier (EIT) and the Network Support Tier (NST).

EIT - An EIT contains a database that has physical information about Network Element (NE) machines.

NST - NST's databases are not interested in NE machines or in physical properties and instead use mathematical models. Even radical network changes will have only minimal effects. Thus the combination of say fiber and copper wiring on the same circuit or the merging of voice and data communications has no great effect. NST can handle everything from basic trunking to complex multipoint circuits.

Both EIT and NST use Common Languages to communicate with each other. NST will for example query NST about specific equipment, while EIT would query NST about network changes. Since EIT and NST are both in the TOPAS core, interactions are quite simple.

TMAS

TMAS followed TOPAS and in its design, developers reused almost half of TOPAS's core. Since TOPAS and TMAS speak a common language cooperation between the two is possible. Many report procedures are identical, such as the DS-1 facility alarms.

FMAC

TMAS is designed to run with the FMAC. By providing updated route databases, alarm monitoring, detection of network faults etc.
TMAS also helps administrate by issuing trouble tickets, switch logs and sending out this data to other personnel from the FMAC.

Expert Systems (ES)

An ES is a system where the program and the knowledge used in decision making are kept apart. The program contains a set of rules, containing what action should be undertaken depending on the situation. This is often referred to as a "shell" that controls the activities of its host system (think of the UNIX shell).

ESs in Networks

The maintenance of complex networks is an ideal application for an ES, by having the equivalent of the most capable repair mind on each switch, as all the ESs are using a common knowledge base that has everything known about the problem and the most effective way to solve it. Several other ESs have predated TOPAS-ES such as ACE, NEMESYS and GTE's COMPASS.

As any technical worker will attest to, network operations are particularly troublesome as the call carrying capacity must be maximized while trying to minimize the congestion that results when traffic exceeds the call capacity of the switching and transmission system.

TOPAS-ES

TOPAS-ES is, as the name indicates, an ES version of TOPAS. It works with both TOPAS and CMS-1 in the 4ESS and 5ESS environment. TOPAS-ES has a UNIX routine for each of its three subsystems - knowledge base and inference engine, communication and systems interface and user interface.

The inference engine used in TOPAS-ES is "forward chaining" or data driven, as it is guided by available data to fit prestated conditions to obtain an answer. If it used backward chaining, it would search for data to obtain an answer. Forward chaining is a more effective route to take when data is available and answers to a question (using backward chaining) are unneeded or too slow. Generally, forward chaining in network maintenance is preferred.
For example, data indicating that Joe Phreaker is blowing 2600 tones is of more use than attempting to answer a question of "Where are all the foreign tones on the circuit originating from?"

To keep up with its immense chores of network monitoring, testing and issuing trouble reports, gathering data and figuring out answers, TOPAS-ES runs each of its subsystems at the same time, working in "real time" with the network.

Distributed AI (DAI)

DAI is where multiple processes which normally act independently co-operate with one another. TOPAS-ES uses DAI to station one TOPAS-ES at one end of the circuit and another on the other end or at the CO. This enables more computing power to be levied at pinpointing the problem and makes for a faster, more reliable system.

TOPAS-ES can assume either a director or responder mode. If TOPAS-ES is analyzing a faulty circuit it can request or enlist another TOPAS-ES and place it in the responder mode to assist it.

Expert System Trouble Analyzer (ESTA)

This is one of TOPAS-ES's subsystems and performs the main operations of: trouble ticket analysis and chronic history analysis (CHA).

Trouble ticket analysis: Since few problems reported by TOPAS-ES are genuine ones that require attention, ESTA narrows down the hard from the transient problems. ESTA determines this mostly by ordering TOPAS-ES to wait and perform further monitoring.

CHA: This exposes faults after repeated transient trouble indications. If the problem persists for longer than X amount of time, with over Y indications of trouble, it will be labelled chronic. CHA is designed to pick up on problems that have been passed off as transients and ignored. For example a problem may exist during peak hours but will be passed off as a transient when monitored during off-peak hours.
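
The forward-chaining idea and ESTA's hard/transient/chronic split described above, sketched as an added example (this is not TOPAS-ES code and not part of the original article). The values standing in for the article's X and Y, the circuit names, the rule set and the sample indications are all assumptions made for illustration; a circuit is assumed to be ticketed when it is hard or chronic.

```python
from collections import defaultdict

# Assumed thresholds: the article only calls them "X" and "Y".
CHRONIC_MIN_SPAN_MIN = 24 * 60  # X: history must span more than this many minutes
CHRONIC_MIN_COUNT = 3           # Y: and hold more than this many indications

# Constructed sample data: (circuit, minute reported, still failing on recheck?)
# The recheck flag models ESTA telling the monitor to wait and look again.
INDICATIONS = [
    ("CKT-A", 10, False),                        # one blip that cleared
    ("CKT-B", 15, True),                         # still failing after the wait
    ("CKT-C", 0, False), ("CKT-C", 600, False),  # keeps clearing on recheck,
    ("CKT-C", 1200, False), ("CKT-C", 1500, False),  # but recurs for over a day
    ("CKT-D", 0, False), ("CKT-D", 5, False),    # short burst, then quiet
    ("CKT-D", 10, False), ("CKT-D", 20, False),
    ("CKT-E", 0, False), ("CKT-E", 1000, False), ("CKT-E", 2000, False),
]


def rule_hard(facts):
    """An indication that survives the recheck makes the circuit 'hard'."""
    for f in facts:
        if f[0] == "indication" and f[3]:
            yield ("hard", f[1])


def rule_transient(facts):
    """An indication that cleared on recheck is recorded as transient."""
    for f in facts:
        if f[0] == "indication" and not f[3]:
            yield ("transient", f[1], f[2])


def rule_chronic(facts):
    """CHA: more than Y indications spread over more than X minutes."""
    times = defaultdict(list)
    for f in facts:
        if f[0] == "indication":
            times[f[1]].append(f[2])
    for ckt, ts in times.items():
        if len(ts) > CHRONIC_MIN_COUNT and max(ts) - min(ts) > CHRONIC_MIN_SPAN_MIN:
            yield ("chronic", ckt)


def rule_ticket(facts):
    """Fires only on derived facts: hard or chronic circuits get a ticket."""
    for f in facts:
        if f[0] in ("hard", "chronic"):
            yield ("ticket", f[1])


RULES = [rule_hard, rule_transient, rule_chronic, rule_ticket]


def forward_chain(base_facts, rules):
    """Data-driven inference: apply every rule until no new fact appears."""
    facts = set(base_facts)
    while True:
        derived = set()
        for rule in rules:
            derived.update(rule(facts))
        if derived <= facts:      # fixpoint reached, nothing new to conclude
            return facts
        facts |= derived


def analyse(indications):
    """Return {circuit: {'hard', 'chronic', 'ticket'}} for the given reports."""
    base = {("indication", c, t, p) for c, t, p in indications}
    facts = forward_chain(base, RULES)
    return {
        c: {
            "hard": ("hard", c) in facts,
            "chronic": ("chronic", c) in facts,
            "ticket": ("ticket", c) in facts,
        }
        for c in sorted({f[1] for f in base})
    }


if __name__ == "__main__":
    for circuit, verdict in analyse(INDICATIONS).items():
        print(circuit, verdict)
```

CKT-C is the case CHA exists for: every single report cleared on recheck, yet the history is ticketed as chronic, while the short burst on CKT-D is not.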

Expert System Trouble Sectionalizer (ESTS)

Once ESTA has determined a trouble to be hard it will pass along a "trouble ticket" indicating such information as its duration, current condition and whether it's chronic or not. When ESTS has been handed a hard trouble it will "sectionalize" the indicated area on the circuit. This is done by having technicians at each end examine points on the circuit and perform other tests. ESTS is based on the best sectionalization techniques, being an ES.

An ESTS sectionalization strategy would work like this: 2600 tones are being heard on the network, circuits are all in normal condition, 2600s are not in internal use and have been labelled as unauthorized, foreign sounds, so ESTS would deduce that someone is trying to bluebox.

ESTS has a wide list of strategies to try depending on the situation. The most likely to succeed strategies will be attempted first and if this fails all of its strategies will be tried in order of success probability. Once the fault has been pinpointed the relevant repair crew/station will be notified along with a description of the fault.

---------------------------------------------------------------------------

The LOD Technical Journal: File #8 of 12

International Switching Systems
by Mystik Freak
LOD - LOD

One of the goals behind phreaking has always been to delve into the deepest fathoms of the phone system. Since the barriers of expensive international calling are meaningless to the phreak, the exploration of various telephone systems is possible. This file will investigate some of the switching systems you are likely to encounter around the world, in other words in non-ESS/DMS using nations outside the United States. Nothing has ever been said about these systems in "the underground" and what little information exists publicly is skimpy, hard to find, badly translated or not translated at all, and very outdated.
The foundation of any telephone network is in its switching system, so a whole new universe of different switching systems is out there waiting for you. ESS does get boring after a while and there is nothing really novel about it; after all, nearly everyone lives under it and there isn't that much to discover about it. So branch out internationally to seek new telephone networks and boldly go where no phreak has gone before!

I won't spoil the thrill of hearing new tones and discovering new things by giving out all the juicy things you're liable to find. Instead this is going to be a broad based overview of 7 switching systems:

Sweden - AXE 10
France - E 12
United Kingdom - DSS
Netherlands - PRX-D
Germany - EWS-D
Italy - PROTEO
Japan - NEAX 61

There are far more than just these systems out there, as this chart of systems indicates:

System              Country               Type
~~~~~~              ~~~~~~~               ~~~~
AFDT1               Italy                 local/tandem
AXE 10              Sweden                local/toll
D 1210              US                    local
DCO                 US                    local/toll
DMS 10              Canada/US             local
DMS 100             Canada/US             local/toll
DMS 200             Canada/US             toll
DMS 250             US                    tandem
DMS 300             Canada                tandem
DS 1                Japan                 tandem
DSC                 US                    local
DSS 1210            US                    local/toll/operator
DTN 1               Italy (Sudan)         tandem
DTS                 US                    tandem
DTS 1               Japan                 toll
DTS 2               Japan                 local
DTS 500             Netherlands           tandem
DX 100              Finland               local/tandem
DX 200              Finland               local
EWS-D               Germany               local/toll
E10                 France                local/tandem
E10 B               France                local
E10 S               France                local
E12                 France                toll
FETEX 150           Japan                 local
FOCUS 5             US                    local
GTD 5 EAX           US                    local/toll
HDX 10              Japan                 local
IFS                 Switzerland           local
ITS 4/IMA2          US                    toll
ITS 4/5             US                    local/toll
ITS 5A              US                    local
I2000               Yugoslavia            local
LCS 4/5             US                    local
MSU                 US                    local
MT 20/25/35         France                local/toll
NEAX 61             Japan/US              local/toll/operator
No. 3 EAX           US                    toll
No. 4 ESS           US                    toll
No. 5 ESS           US                    local
PROTEO              Italy                 local/toll
PRX-D               Netherlands           local/toll
SPC 2               India                 local
SX8                 France                local
SX 2000             Canada                local
SYSTEM 12 (1210)    US                    local/toll/operator
SYSTEM 12 (1240)    Belgium/UK/Germany    local
TDDSS 1/2           China                 tandem
TN 5                Italy                 tandem
TROPICO             Brazil                local
TSS 5               US                    local
UT 10/3             Italy                 local
UXD 5               UK                    local
1220/PCM-5          Belgium/France        tandem

Sweden - AXE-10 (+46)
~~~~~~~~~~~~~~~~

The Swedish AXE 10 was developed by Ericsson and, in addition to being found in Sweden itself, is also being used by over 30 countries. AXE 10 performs most of the basic functions of international switching, local tandems and offices, national transit etc. It covers everywhere from isolated rural areas with only a few hundred subscribers all the way up to huge transit exchanges of a million subscribers.

AXE 10 has 3 main subsystems:

SSS - Subscriber and group (GSS) switching
TSS - Trunk signalling and (TCS) traffic control
CHS - Charging, OMS and Maintenance

Other optional subsystems are:

SUS - Subscriber facilities (OPS) operator functions
MTS - Mobile subscriber functions

Functions that share the same purpose are allotted to one subsystem. A function block is a group of similar functions within the subsystem. For example the subsystem SSS has a function block called the time switch (TS).

Hardware

AXE 10 is a digital switching system. Interconnections between subsystems are called "internal digital trunks". To give an example of AXE 10's hardware consider the SSS subsystem. SSS is divided up into lots containing up to 2048 subscribers; up to 128 of these subscribers will then form a line switch module (LSM). Each subscriber has an individual line circuit (LIC) connecting them to the LSM. The LSMs themselves are interconnected by a TS bus (TSB). Each module has a TS that performs switching for the subscriber, the TSB and a junctor terminal circuit (JTC).

Traffic within subsystems is handled by internal diagnostic links.
If the LSM lacks an internal digital link the call is carried by a TSB to another module. Because SSS uses TSS and TSBs the network runs smoothly, as a balance is kept between the subscriber nodes and the internal digital links in use.

Subscriber information can be kept either centrally or remotely. TS 16 in a PCM is used to control a remote exchange. If the SSS is remotely located an exchange terminal circuit (ETC) is used. The PCM will then signal between the remote SSS and the ETC. The signalling is controlled by a signalling terminal (ST) on the SSS and ETC ends of the circuit.

The trunk signalling system (TSS) interfaces external signals into the AXE 10 signalling scheme. One of the benefits of AXE is that any signalling scheme can be interfaced without impacting on other subsystems. Thus AXE is highly adaptable to network conditions. In cases where analogue lines are connected by either incoming trunk (IT) or outgoing trunk (OT) circuits, conversion to digital takes place. Tone signalling is conducted by code receivers (CRD) or code senders (CSD).

France - E 12 (+47)
~~~~~~~~~~~~~

CIT-Alcatel and Telic (CIT-ALCATEL) developed the E 12 system based on the earlier E 10 system to handle the functions of:

- international gateway
- inter-city transit
- medium to large urban area transit
- subscriber line switching

Capacity

The capacity of E 12 depends on call duration, signalling etc. The maximum capacity is currently 1536 digital PCM systems of the 30 + 2 type, equalling over 40,000 circuits and processing up to 110 calls a second.

Architecture

E 12 is based on the architecture of its predecessor - E 10B.
The three main components are:

- subscriber and circuit connection units
- the central switching system and common control
- computerized supervisory and maintenance centre (CTI)

The CTI is the second control level. It supervises several exchanges and handles:

- line circuit management
- traffic load data logging
- maintenance and alarms
- billing

Three subassemblies allow speech transmission: the TST switching network, the subscriber connection units (URA) and the circuit connection units (URM).

System Control

Is made up of three levels:

- a processing level in the line and circuit connection units, where subscriber circuits are controlled
- central common switching control
- CTI

First Level Control

Is conducted by:

- 2 markers (MQ)
- 2 translators (TR)
- 2 incurred fee metering units (TX)
- 2-6 multiregisters

All of these units are related to a single switch and communicate on a bus LM.

MQ - interfaces common control to the central switch and subscriber and circuit connection units
MR - receives and retransmits information and adjudicates the opening and closing of connections
TR - stores subscriber and circuit data
TX - fee metering units
OC - control interface unit, connects the CTI to other subassemblies

Subscriber Connection Unit

Because traffic is concentrated on a small number of digital PCM systems, the subscriber connection unit is needed to provide analog to digital conversion. It also handles remote subscribers. The unit connects thousands of lines to a central TS on PCM channels.

Software

switching programs - perform loop status sensing, condition detection, connection and disconnection, switch identification. maintenance subscriber status memories etc.
monitoring programs - monitor the core of CSE, test and fault tracing routines etc.

All programs are written in Assembly.

Functions

E 12 provides:

- CCS7
- traffic observation
- automatic fault tracing
- remote fault tracing
- service grade measurement
- operator assistance position
- automatic call back etc.

Organization

E 12 is organized into three areas:

- the switching network, which handles signalling channels and incoming/outgoing multiplexes
- the signalling units, which handle channel allocation, CMF, CCS, DTF etc.
- a main SPC computer

All of which are connected to connection units (see the subscriber connection unit).

Programs

The main programs used are:

- program execution system, interfaces with the rest of the systems program
- exchange interface IOP (SEST)
- data interface IOP (SESI)
- signalling processor (SIG)
- common programs (PCO) for data
- call processor (TAP)

Service Management Unit (GES) does man/machine transactions, routing tables and prefixes, signalling type allocations and traffic observation, and logs traffic data.

Fault Recovery System (DEF) will reconfigure after a detection of a system failure, providing efficient recovery.

Tracing and fault isolation (TED) will isolate a fault down to the PCB level and carry out CRCs for fault prevention.

Digital Switching Subsystem (DSS) - United Kingdom (+44)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

DSS was created by the British Post Office (BPO) to serve as the nation's first digital switch.

Subsystems

DSS uses specific hardware and software functions to interface subsystems. The main DSS interfaces are located at the following subsystems:

- call processing system (CPS)
- maintenance control subsystem (MCS)
- analogue line termination system (ALTS)
- network synchronization system (NSS)
- management statistics subsystem (MSS)

The main connecting interface in DSS is a 2048 kbit/s, 32 channel multiplex, which is used for example to connect the switchblock and auxiliary units.

Trunking

DSS is capable of handling international switching centres of up to 20,000 erlangs and over 400 switch requests a second.
To meet this the switch must be multistage. The DSS switchblock has identical originating and terminating circuits. A four-wire multiplex has a transmit and receive pair on both ends of the circuit, so information on the busy/free state of both is available from one. To achieve spatial routing, which is necessary for two channels to be connected, DSS uses integrated circuit multiplexers (encoders).

DSS's time dividing in trunking allows single switches to carry large amounts of traffic. The drawback to this is that should a fault occur on this switch, thousands of calls could be disrupted. To ease this risk, synchronous duplication of the TST setup with data comparison and parity checking is done.

Subsystem Functions

- digital line termination unit (DLT) interfaces the four-wire, 32 time-slot 2048 kbit/s multiplexers with the switchblock
- the TS transfers input time slots to output time slots
- space switch (SS) is an integrated circuit set for devices that connect links with the trunk
- alarm monitor unit (AMU) - relieves the main CPU's load by handling alarm data
- primary waveform generator (PWFG) is the clock on which DSS is based. By sending 8 kHz tone start signals and 2048 kHz bit streams, operations are directed
- local synchronization utility (LSU) uses incoming PCM links for timing and maintains the frequency of its oscillators using phase locked loop techniques
- input/output buffer (IOB) stores messages from the software to the CLU

The Time Switch

Buffers the time reception with the time allocated from cross-office switching with the space switch and the actual time of transmission. It also does alarm interfacing between monitoring equipment and trunking. The TS is composed of:

- speech stores (including DLT interfaces and store refining registers)
- control stores
- alarm interface unit (AIU) (including DLT and AMU interfaces)
- TS racks - a complete send and receive switch within DSS. The two TSs used in trunking are in 1 rack with 32 DLT units.
- space switch - a set of buffer and crosspoint units. Using the 2048 kHz clock, the transmission of traffic is done on the TS interface buffer.

Hardware

The processor utility (PU) IOB is interfaced with the CCU by the PSS IOB. The IOB communicates with the following:

- command field - ordering operations such as measure, trace, opening or the removing of TSs.
- address fields - set network termination numbers (NTNs) that define TSs, circuits etc.
- message identity field
- cross office slot field - makes sure that traces don't duplicate their efforts by setting the points to start from during fault location.

AMU

AMU handles DSS's specific functions such as the collection and persistence checking of status info and diagnostic hardware. AMU interfaces to the PU and thus advises the DSS maintenance software on fault areas. AMU receives time and fault switchblock indicators from DLT using AIU in the TS. Persistence checks are done to label the alarm as hard or transient.

DLT

DLT conducts the line associated functions of monitoring, installation etc. DLT also performs switch-related operations. Several are for simple backup duplications of such functions as trunking and switch fault detections.

DLT Related Functions

The line processor encodes or decodes HDB3 signals and recovers the received clock. The clock is recovered by using a ringing circuit. The clock synchronizes the switching centre by providing a network frequency reference.

DLT will identify remote alarm information if the distant alarm bit (usually bit 3 in channel 0 of odd frames) shows a problem. DSS will, using AMU, instruct MCS to locate the fault. An alarm indication signal (AIS) shows a transmission equipment failure by tossing out a load of "1s" in the frame. Line errors can be detected locally if HDB3 input goes or if synchronization is off. If this occurs MCS is informed and DSS transmits a distant alarm unit signal.
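The alarm conditions above can be read straight out of channel 0 of a captured 32 time-slot frame stream. The following is an added example, not DSS code: it assumes the standard PCM30 layout (frame alignment word 0011011 in bits 2-8 of channel 0 in alternate frames, bit 2 set and bit 3 carrying the distant alarm in the frames between), and the AIS zero-count threshold, the persistence count and the sample frames are assumptions or constructed data.

```python
"""Classify a captured run of 2048 kbit/s, 32 time-slot frames by alarm state."""

FRAME_BYTES = 32      # 32 time slots of 8 bits each
FAS_PATTERN = 0x1B    # bits 2-8 of channel 0 in alignment frames: 0011011
NFAS_MARK = 0x40      # bit 2 of channel 0 is 1 in the frames in between
A_BIT = 0x20          # bit 3 of channel 0 (bit 1 is the most significant)
AIS_MAX_ZEROS = 2     # assumption: at most 2 zero bits per pair of frames


def split_frames(stream):
    """Cut a byte capture that starts on a frame boundary into frames."""
    if not stream or len(stream) % FRAME_BYTES:
        raise ValueError("capture is not a whole number of frames")
    return [stream[i:i + FRAME_BYTES] for i in range(0, len(stream), FRAME_BYTES)]


def zero_bits(chunk):
    return sum(8 - bin(byte).count("1") for byte in chunk)


def is_ais(frames):
    """AIS is a stream of ones: every pair of frames has almost no zeros."""
    pairs = [frames[i] + frames[i + 1] for i in range(0, len(frames) - 1, 2)]
    return bool(pairs) and all(zero_bits(p) <= AIS_MAX_ZEROS for p in pairs)


def alignment_phase(frames):
    """Return the index parity (0 or 1) of the alignment frames, or None."""
    for phase in (0, 1):
        aligned = True
        for i, frame in enumerate(frames):
            if i % 2 == phase:
                aligned = (frame[0] & 0x7F) == FAS_PATTERN
            else:
                aligned = bool(frame[0] & NFAS_MARK)
            if not aligned:
                break
        if aligned:
            return phase
    return None


def classify(stream, persist=3):
    """Return 'AIS', 'LOSS_OF_FRAME', 'REMOTE_ALARM' or 'OK'."""
    frames = split_frames(stream)
    if is_ais(frames):
        return "AIS"
    phase = alignment_phase(frames)
    if phase is None:
        return "LOSS_OF_FRAME"
    run = longest = 0
    for i, frame in enumerate(frames):
        if i % 2 == phase:
            continue                      # alignment frame, no alarm bit here
        run = run + 1 if frame[0] & A_BIT else 0
        longest = max(longest, run)
    # Persistence check: a single set bit is treated as transient.
    return "REMOTE_ALARM" if longest >= persist else "OK"


def sample_stream(count, alarm_frames=(), payload=0x55):
    """Constructed test capture: alignment word in even frames."""
    out = bytearray()
    for i in range(count):
        if i % 2 == 0:
            ts0 = 0x80 | FAS_PATTERN
        else:
            ts0 = 0x80 | NFAS_MARK | 0x1F | (A_BIT if i in alarm_frames else 0)
        out += bytes([ts0] + [payload] * (FRAME_BYTES - 1))
    return bytes(out)


if __name__ == "__main__":
    print(classify(sample_stream(8, alarm_frames={1, 3, 5, 7})))
```

AIS is tested first because an all-ones signal also destroys the alignment word and would otherwise be reported only as loss of frame.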
Switch-related DLT functions are usually involved in duplicated trunking, fault location or switching channel 0 spare-bits. The most interesting function is fault location. DLT works with maintenance software to locate and diagnose switchblock faults. By using path checks or loop backs, results are sent via AIU to DLT. Paths are tested using check patterns at both ends of a trunk. They can be sent in and monitored on any channel after switching. Registers are used to store the check patterns and they are controlled by the "central office". Alternatively, the DLT will "loop back" its transmit channels to the receive input of trunking. Loop back is sometimes combined with a path check. By changing the switch connections a closed loop can be implemented throughout the trunk. Closed loops are very effective in determining hard faults from transient ones.

Netherlands - PRX-D (+31)
~~~~~~~~~~~~~~~~~~~

The Processor Controlled Exchange-Digital (PRX-D) builds upon the PRX system with digital-time division multiplexing (TDM) and with other enhancements. PRX-D was developed by Philips Telecommunication as an intelligent SPC system. The three main areas of PRXs are:

- the switching network (SWN)
- central control complex (CCC)
- operator services (OPS)

Two different versions of trunk lines are used: an analog version, PRX-A, which has six linked stages and reed-relay crosspoints of two or four wires, or a digital version of the TST type. Local or remote usage is possible by sending traffic to the trunks.

The CCC has two types of telecom processors (TCP) to deal with different size exchanges. TCP 18 covers small-medium exchanges and TCP 36 medium-large exchanges using multiprocessing with synchronized pairs. OPS is controlled by a mini-processor called TCP 7. OPS deals with OA&M and AMA.

Architecture

PRX-D is made of two layers:

- the main layer with the CCC, TCP XX and the control channel processor terminals (CPT), connecting this layer to the control channel (CCH)
- another layer of SWN modules and the sub-channel controller (SCC)

The digital switching network (DSWN) passes voice and data traffic on 64 kbit/s, 32 channel PCMs. The PSWN has block terminals (TER) which interface to other circuits and allow services and signals to be interconnected by a digital trunk link network (DTN).

DTN

DTN is a one-way only transmission on a 4 wire connection. The highway-to-group (HGD) and group-to-highway multiplexer (GHM) are 16 inlet ports in 4 X 4 groups. A highway switch (HWS) is a group of up to 128 X 128 highways whose crosspoints can switch from one highway to the next under the control of a highway switch address generator (HSA). A highway-to-group demultiplexer (HGD) does the opposite of the GHM.

A digital trunk-line block (DTB) carries a single highway and is controlled by a DTB marker (DTM). DTN utilizes 7 varieties of customized low current-mode logic (CCL) ICs.

CCL

The central clock (CCL) is made up of the synchronized mode clock generators (CLG), the clock measuring unit (CMU) and sometimes a clock reference unit (CRU). The DTN is sent timing information on 4096 kHz sine waves and 8 kHz alignment pulses.

Terminals

The 4 main TERs are:

- interfacing analog circuits (ACT)
- subscriber lines
- digital circuits (DLT)
- signalling and services (SST)

- ACT has a peripheral module controller (AMC), a power supply unit (PSU) and possibly a DTN interface board (DIB). The DIB performs the transmission of timing signals and assigns time slots.
- SST handles 2048 kbit/s groups by using DTN for signalling, i.e. MFC, keytones etc., for services such as voice response systems.

Software

The operational program for TCP 18 is made up of:

- master control program (MCP)
- call processing
- error management
- configuration management

The MCP handles the central control unit (CCU), I/O operations and other misc. services. Communication between the main control unit (MCU) and the PMC is done by transport handlers such as the digital trunk marker (DTM), analog circuit terminal (ACT), digital circuit terminal (DCT) and the signalling and service terminal (SST).

Call Handling

One part of the Telephony Operating System (TOS) is the call processing modules, which distribute calls to an open CCU depending on network conditions. If a secondary control unit (SCU) is available it will receive the calls. If neither is available then the MCU will receive them.

Error Maintenance

Error detecting hardware does diagnostics such as checking parity, comparing timeout circuits etc. By using hardware to perform tests, checking is done every time the hardware runs and processing time needn't be wasted running test programs. When the hardware equipment itself needs testing, test programs are then used.

Germany - EWS-D (+49)
~~~~~~~~~~~~~~~

Manufactured by Siemens Telecom, EWS-D is a complete digital switching system, capable of serving from 200 lines to 60,000 trunks.

Architecture

Subscriber line terminations and interchange trunks are used with trunk/line groups (LTGs) where digital tone generators and digit receivers are located. A TS performs connections inside of the LTG. Digital switching connects the groups to a central processor (CP). Functions carried out by the CP include overall switching, data storage and remote operation of the system.

Here's a quick example of how a call would be processed under EWS-D:

- the group processor (GP) senses that the phone is off-hook and gives the caller a tone generator and a digit receiver on the LTG using the group switch (GS).
- the GP sends the service requested and the dialled digits to the CP.
- CP checks the caller's COS, locates a path and informs GP of the caller
- the callee's GP finishes the connection with its LTG, sends a ringing and places the callee off-hook.

LTG

Signals from an analog subscriber's line are converted into PCM signals on the line circuit. Up to four interexchange trunk terminations comprise one module. Four modules make up one highway and up to 128 interexchange trunks can be on one LTG.

A basic subscriber line circuit interfaces with any signalling system. Notable functions of the subscriber line circuit are the 50/16 kHz call charge meters on the subscriber's premises, access circuitry for testing and paystation signalling.

The PCM 30 transmission system has its synchronization, signalling channel and alarm signal on one module. 2.048 Mbit/s highways are connected to the GS. For a connection to the central network, 4 2.048's become one 8.192 Mbit/s signal. Because the network is duplicated, the identical modules can easily be used for testing.

Tones such as MFC frequencies are generated digitally on a LTG and sent to the GS. One change here can affect the entire network.

Central Switching Network

By using a central switching network up to 504 trunk groups, equivalent to 100,000 subscriber lines or 604 trunks, can be attained. 8.192 Mbit/s interfaces are used between the network and the LTG. As mentioned before, the entire network is duplicated. In case of a fault, the network will switch over to its other half.

Control and Common Signalling Channels

Control channels are grouped into units of 128 for distribution on the 8.192 Mbit/s network. The channels in time slot 0 are switched to the LTG only on transmission links. Only half - 64 of 128 control channels - are used. The other half are for future uses. With SS7 the procedure for switching signalling channels through the LTG is identical to that of the control channels.

OA&M

Digital systems such as this have far fewer errors than analog SPC systems do, due to the smaller number of modules. EWS-D is expected to have fewer than 12 hardware faults per 1000 LTGs with less than 2 hours per fault. Both hardware and test programs are used to diagnose both subscriber line and trunk faults.

When testing is done on long distance trunks, the equipment on the distant exchange and on the transmission system is tested as well. Measuring equipment such as ATME2 looks at the director and responder operations. Most local trunks are still copper and EWS-D has contacts on the incoming and outgoing circuits for testing. The monitoring of PCM transmission links is integrated into EWS-D.

System status is given by an operating terminal indicating system traffic, the failure/active status of redundant central units, LTGs and equipment inside LTGs, the number of LTGs and subscriber lines removed from active use, and the number of non-switchable call requests. Remote operations can be done via this terminal.

Administration tasks are also performed at the operating terminal. When a remote operator is needed, communication equipment such as Transdata is used to connect to the exchanges over the data transmission channel.

Italy - PROTEO (+39)
~~~~~~~~~~~~~~

PROTEO was designed by Societa Italiana Telecomunicazioni SpA (SITS).

Architecture

It is a fully integrated, digital switching system with SPC. Signals are converted from analog to digital and transmitted over a PCM. Capacity is 30,000 subscribers in 32 peripheral exchanges (CTs) hooked up to a transit network (RT) using 32, 2 channel PCMs. Overall control is by a central computer (CC).

A lone CT can handle 2,304 subscriber lines with 18 PCMs, 270 LF trunks and possess 2 line control units (UCL) on a connecting network (RC). Subscribers and trunks are connected through a time division multiplex (TDM) and can go directly to PAM without the analog to digital conversion using voice scanners if need be.
The CT can act as a switch if internal subscribers are being switched to RTs. CT is commonly connected to the RT for interconnections with external switches. The CT has a codecom unit to convert analog to digital or digital to analog for PCM bundle generation or insertion into PAM.

A TST connection network is inside the RT and is controlled by the CC using the transit control unit (UCT). The RC switches 64 kbit/s data channels on 2 Mbit/s PCM bundles towards UCS when exchange signalling exists and to UCM when remote signalling comes in on a common channel. If CCS isn't present, then signalling control units (UCS) are used to process signalling codes.

Maintenance

CC uses LEONE processors in SPC for maintenance and has a BHCA capacity of 150,000. PROTEO handles rural areas quite well as CTs can be located at great distances from the RT. If less than 250 subscribers exist, concentrators will be used to connect them to a CT.

Flexibility

The modularity of PROTEO is its ability to adapt to different network conditions. By having functions act independently of others, upgrades and maintenance are simplified.

Japan - NEAX 61 (+81)
~~~~~~~~~~~~~~~

The NEAX 61 was designed by Nippon Electric Co. and was first installed in the US. But due to its origin it is being included as a Japanese system. It has SPC, PCM TDM and uses a four stage TSST switching network.

Specifications

circuit capacity:
local switching - 100,000 lines, 13,000 trunks
toll switching - 60,000 trunks
international switching - 30,000 international circuits
network capacity - 22,000 erlangs
call handling capacity - 700,000 BHCA

Architecture

NEAX 61 is comprised of 4 subsystems:

- application subsystem - several service interface modules each having line and trunk circuits, interface circuits, multiplexers and a controller. This subsystem gives a standard interface to the other subsystems. It controls the terminal circuits and interfaces them with the switching subsystem.
Service modules receive information from the processor to establish paths and other actions. Each service module has a terminal and interface circuit, a duplicated controller and primary multiplexer (PMUX) and demultiplexer. The controllers collect terminal circuit scanning data, control the terminal and interface circuits and communicate with the processor. The modules each have their own terminal and interface circuits:

  - analog trunk interface module - Both the terminal and interface circuits are codecs. Any analog trunk can be used by the module and each trunk has its own codec channel.
  - analog line interface module - The terminal circuit is an analog line circuit that conducts two to four wire conversion, ringing application, protects against overvoltage and other testing procedures. By using one of four switch selectable balancing networks an insertion loss less than 0.5 dB is possible.
  - digital line interface module - Connects PCM analog and digital subscriber carrier lines. The interface circuit is a digital line switch that concentrates digital lines by assigning time slots and putting each time slot on a serial bit stream to the PMUX.
  - operator position interface module - connects the different operator positions such as toll and directory assistance. Operators converse with callers over position trunk circuits. The controller has a capacity of up to 64 operator positions and the PMUX can have up to 120 operators on a position trunk.

- processor subsystem

- Maintenance and Administration subsystem - Alarm information is shown on the maintenance frame or at a supervisory test desk. The line test desk performs subscriber line testing. NEC has a technical assistance center where NEC personnel provide support on a subscription basis.
---------------------------------------------------------------------------

Sources

Various IEEE Documents
Helpful International Operators

---------------------------------------------------------------------------

The LOD Technical Journal: File #9 of 12

Hacking GANDALF XMUX'S
-----------------------
Written by: Deicide on 03/29/93
===========================

*NOTE: While writing this file I assumed that the reader has a working knowledge of PSNs.

|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||

The Gandalf XMUX is made by Gandalf Technologies Incorporated. It is one of two popular systems Gandalf makes, the other being the Starmaster/PACX. These systems are very closely knit, as you'll see later, but the focus of this g-file is on the XMUX system. I still don't have an XMUX manual, so this file will be a bit incomplete, but it will give you a good sense of the system: How to Identify it, How to Penetrate it, and How to Use it.

There are a number of security flaws in the XMUX, all of which can be circumvented but frequently are not. Occasionally you will find an unpassworded console; in that case just move on to the How to Use it section.

The Gandalf systems are very frequently found on all the major PSNs, as Gandalfs themselves often serve as network controllers. Most of the major companies, such as Xerox & Bell Canada, use XMUXs, so it is a good idea to become familiar with the system.

How To Find Your XMUX & How To Identify It
------------------------------------------

First of all, if you find an unpassworded XMUX it will tell you by the herald "Gandalf XMUX Primary Console Menu" followed by the menu itself. Skip this part for now. But for the rest of you, you probably still need to find your XMUX, and you need to know how to identify it.

Before we get further into this, a small amount of knowledge of the whole scope of the XMUX is needed. Every XMUX is made up of at least 4 parts, each present on every single XMUX.
These parts are called:

- Console
- Fox
- Logger
- Machine

The Console is the actual system, the part that has to be hacked, the part that contains the information we are attempting to retrieve.

The Fox is a test machine, serving no other purpose except to spout "THE QUICK BROWN FOX JUMPS OVER THE LAZY DOG 1234567890 DE" over and over again.

The Logger displays a line or two of information such as the time & the LCN called, for the most part unimportant. But it does contain the node name.

The Machine is basically a system information giver. I have yet to discover all of its commands, but S gives some system stats (including the node name) and L is an optional command that supplies the user with a system log (which contains link addresses & UIDs).

All of these can be useful in some way.

The XMUX can be found in a number of ways:

- On a standard NUA (XXXX XXXX)
- On a standard NUA + extension (XXXX XXXX,XXXXXXXX)
- On extensions off of Starmasters & PACXs (XXXX XXXX,XXXXXXXX)
- On LCNs (subaddressing) off any other type of system/OS.

---------------------------------------------------------------------------
NOTE: "Password >" is the password prompt for the XMUX Console, occasionally preceded by an operator definable system message such as "Vancouver XMUX". To be sure that this is an XMUX prompt, hit . If it returns the message

    "Invalid Name
     Names must consist of 1 to 8 alphanumeric characters"

then you are dealing with the XMUX Console.
---------------------------------------------------------------------------

On a standard NUA it will bring you right to the "Password >" prompt, no hassles. You can then proceed to the section that deals with hacking the console.

On a standard NUA + extension, it is not so easy. When you first hit the NUA, it will give you the "Remote Directive" error message, telling you that you "forgot" the extension. Now, the error message could mean you forgot the extension for a VAX, also, but we will assume that it is an XMUX on the NUA.
This is true only a fraction of the time, but try this on every Remote
Directive message and you'll find a good share of XMUXs. First of all, try
the LCN (subaddress) of 1 on the NUA. If you come up with the Fox segment of
the XMUX (explained earlier) then you have an XMUX Console on the NUA, it's
just hiding. If the LCN brings up the Remote Directive message again, then
try the extension of LOGGER on the NUA. If it brings up the XMUX Logger,
then again, the XMUX Console is there, but with a bit of security added on.
If you now know that you are on an XMUX, try the CONSOLE extension. It
should bring you to the "Password >" prompt, or occasionally right inside
without needing a password.

Starmasters and PACXs almost always have an XMUX attached to them. Use the
Starmaster or PACX's NUA + the extension CONSOLE. It will most likely bring
you to the "Password >" prompt. If it doesn't work, try LCNs. If that fails,
try "XMUX" or "XCON" from the Starmaster/PACX service prompt.

The LCNs off all the other system/OS types are a bit more complicated. You
can either guess, pick the likely ones, or try them all. What this is, is an
XMUX in coexistence with another type of system, such as AOS/VS. The most
common way to find these is by adding an LCN of 1 to the NUA of the system.
If it comes up with the XMUX FOX section, then you can be sure an XMUX is
present. To find the XMUX Console, use LCNs of 4 and above (2 & 3 being
Logger and Machine), up to the LCN of 15 (maximum on XMUX). If you still
haven't found the Console, and it's returning the Remote Directive error
message, now's the time to use the CONSOLE extension. In most cases it'll
bring up the "Password >" prompt, or right into the Console Menu.

HOW TO PENETRATE THE XMUX CONSOLE "PASSWORD >" PROMPT
-----------------------------------------------------

To start you off, XMUX Console Passwords MUST be within 1 to 8 alphanumeric
characters. Any combination within that boundary is an acceptable password.
Now, while it is true that the password could be a random letter/number
combination, such as G2Z7SWJ8, and therefore extremely impractical to hack,
it is almost a given that the password is a relevant word or abbreviation,
with not more than one numeric character, which is usually not even
included. Also, you get 4 attempts at a password before being logged off,
and remember, you don't even need to find a username.

When you first reach the "Password >" prompt it's a good idea to try the
defaults (in order of occurrence):

        - Gandalf
        - Xmux
        - Console
        - System

Also, Password (no, really), Network, CPU, Switch & Network are also
frequently found.

Then, if the defaults don't work, it's time for a little calculated brute
forcing. If the system has a herald, such as "BenDover Field Communications"
then try everything you possibly can think of that is relevant to the
herald, such as Bendover, Ben, Dover, BDFC, Field, Telecom, etc. Also,
combine these with the defaults, particularly Xmux. As in BenXMUX, or
FieldMux, etc.

If there is no herald, or all the things you can think of to do with the
herald fail as passwords, then it is time to get the node name. The node
name is used very frequently as a password, thus a good thing to try. But
where to get the node name without getting the password first? It is
contained in two places other than the Console, with ALWAYS at least one of
the facilities open to you.

The Logger (LCN 2, or extension LOGGER) always spurts out the log name first
upon connect. This is always available; I have only seen one case in which
the Logger information was protected, and that was achieved by wiping it
out, which very few administrators do.

The other source is the Machine (LCN 3, or extension MACHINE), a very handy
source of information. You will recognize the Machine by its "#" prompt. At
this prompt type "S" for system stats. The first thing you see in the system
stats is the Node Name. Also, with machines type "L".
Occasionally it will be set to show the log, which contains the Link
Addresses (usually other netted computers, frequently Gandalfs) and UIDs as
well.

Try the Node Name by itself as a password, then in combination with all the
above, such as a combo of Default & Node Name.

If you follow all these above methods, 50% of the time you will find the
password. If you don't get the password, don't worry, there are many more
XMUXs out there with poor security, go for those. But before you move on,
try the LCNs from 4-15; frequently you'll find another system, often a
private PAD or an outdial.

WHAT TO DO WITH THE XMUX CONSOLE ONCE INSIDE
--------------------------------------------

For those itching to read other people's mail, or retrieve confidential
files, etc, you will be very disappointed. Although once inside the XMUX
Console you have virtual Superuser status, the commands are all maintenance
related. But, often you will find other systems, quite often networks, PADs,
& outdials from inside.

You will first encounter the primary menu, which looks similar to this:

        Gandalf XMUX (date)
        Rev(version) Primary Console Menu (time)
        Node:(nodename)

        Primary Menu:

                1. Define
                2. Display
                3. Maintenance
                4. Supervise
                5. Exit

        Primary selection >

Now, although there are some other useful and interesting features to the
XMUX console, I will only show you the 3 most useful features, those being
Abbreviated Command, Service & Call Status.

Abbreviated Command is an option found in the Define sub-menu. Hit 7 once
inside the Define sub-menu to bring up the Abbreviated Command prompt. Type
a ? to show all the abbreviated commands. If there are none, curse your luck
and move on to the next feature. If there are some, type them in, one at a
time. Each Abbreviated command is really a macro, and a macro of a NUA plus
the subaddressing and data character extension needed to enter the system.
These can be very useful, not only for the NUA & subaddress, but for the
fact that the extension is included. Most times extensions are hard if not
impossible to guess, and the macro throws it right in your face. The
Abbreviated Command is in the format of XXXXXXXXdEXTENSION, in that the X's
are where the NUA is placed, the EXTENSION is the extension characters, and
the 'd' is really where the comma goes to separate the two. So if the
Abbreviated Command was 55500123dabc, the NUA would actually be

        - 55500123,abc -

Service is a menu option also from the Define sub-menu. What it enables you
to do is view all the services available, plus their function & LCN. Type
"11" from the Define menu, then "?" for a list of the services available.
Console, Fox, Logger & Machine will always be present. Anything else is a
bonus, and should be capitalized upon. For example, if you see "Modem" as
one of the services, then enter "Modem" from the Service sub-sub-menu to see
which LCN the modem is on.

Display Call Status is a handy command used from the Display sub-menu which
gives a log of all the calls the system has handled. In the call log are the
NUAs of the systems that called, often a netted system such as another
Gandalf.

---------------------------------------------------------------------------

The LOD Technical Journal: File 10 of 12

Tempest in a Teapot
-------------------

Do-it-yourself techniques to inhibit electromagnetic eavesdropping of
personal computers.
Grady Ward

Version 1.0 22 March 93

TEMPEST is the code name for technology related to limiting unwanted
electromagnetic emissions from data processing and related equipment. Its
goal is to limit an opponent's capability to collect information about the
internal data flow of computer equipment. Most information concerning
TEMPEST specifications is classified by the United States Government and is
not available for use by its citizens.

TEMPEST technology is particularly important for computers and other data
processing equipment because the kinds of signals that components in a
computer use to talk to each other ("square waves") and their clock speeds
(measured in megahertz) produce a particularly rich set of unintentional
signals across a wide portion of the electromagnetic spectrum. Because the
spurious emissions occupy so wide a portion of that spectrum, technologies
used to block one portion of the spectrum (as pulling the shades closed on a
window to stop the visible light portion) are not necessarily effective in
another portion.

Unintentional emissions from a computer system can be captured and processed
to reveal information about the target systems, from simple levels of
activity to even remotely copying keystrokes or capturing monitor
information. It is speculated that poorly protected systems can be
effectively monitored up to the order of one kilometer from the target
equipment.

This note will examine some practical aspects of reducing the susceptibility
of your personal computer equipment to remote monitoring using
easily-installed, widely available after-market components.
I

One way of looking at TEMPEST from the lay person's point-of-view is that it
is virtually identical to the problem of preventing electromagnetic
interference ("EMI") by your computer system to others' radios, televisions,
or other consumer electronics. That is, preventing the emission of wide-band
radio "hash" from your computers, cabling, and peripherals both prevents
interference to your and your neighbours' television sets and limits the
useful signal available to a person surreptitiously monitoring.

Viewing the problem in this light, there are quite a few useful documents
available from the government and elsewhere attacking this problem and
providing a wealth of practical solutions and resources. Very useful for the
lay person are:

        Radio Frequency Interference: How to Find It and Fix It.
        Ed Hare, KA1CV and Robert Schetgen, KU7G, editors
        The American Radio Relay League, Newington, CT
        ISBN 0-87259-375-4 (c) 1991, second printing 1992

        Federal Communications Commission Interference Handbook (1991)
        FCC Consumers Assistance Branch
        Gettysburg, PA 17326
        717-337-1212

and

        MIL-STD-188-124B in preparation
        (includes information on military shielding of tactical
        communications systems)
        Superintendent of Documents
        US Government Printing Office
        Washington, DC 20402
        202-783-3238

Information on shielding a particular piece of consumer electronic equipment
may be available from the:

        Electronic Industries Association (EIA)
        2001 Pennsylvania Ave NW
        Washington, DC 20006

Preventing unintended electromagnetic emissions is a relative term. It is
not feasible to reduce to zero all unintended emissions. My personal goal,
for example, might be to reduce the amount and quality of spurious emission
until the monitoring van a kilometer away would have to be in my front yard
before it could effectively eavesdrop on my computer.
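The kilometer-to-front-yard goal can be put into numbers. The following is an added example, not part of the original note: it assumes free-space inverse-square fall-off, treats the note's reduction figures (class B at one-tenth of class A, the AC filter's factor of 1000) as power ratios measured against a class A baseline, and uses constructed values for the front-yard distance, the Faraday cage and the telephone filter.

```python
import math

# Figures quoted in the note.
BASELINE_RANGE_M = 1000.0  # "order of one kilometer" for a poorly protected system
CLASS_B_VS_A = 10.0        # class B permits one-tenth the emitted power of class A
AC_FILTER = 1000.0         # "a factor of at least 1000"; assumed to be a power ratio
                           # (a voltage ratio of 1000 would be 10**6 in power)

# Constructed values, not from the note.
FRONT_YARD_M = 10.0        # a guess at what "in my front yard" means
CAGE = 1000.0              # "several orders of magnitude", taken here as three
PHONE_FILTER = 1000.0      # assumed equal to the AC filter for illustration


def to_db(power_ratio):
    """Express a power ratio in decibels."""
    return 10.0 * math.log10(power_ratio)


def required_attenuation(baseline_m, target_m):
    """Power reduction needed to shrink the usable range from baseline to target.

    Assumption: received power ~ 1/d^2, so range scales with sqrt(emitted power).
    """
    return (baseline_m / target_m) ** 2


def range_after(baseline_m, factors):
    """Usable monitoring range once every power-reduction factor is applied."""
    total = math.prod(factors)  # an empty list means an untreated path
    if total <= 0:
        raise ValueError("attenuation factors must be positive")
    return baseline_m / math.sqrt(total)


def survey(paths, common=1.0, baseline_m=BASELINE_RANGE_M):
    """Return ({path: range in m}, overall range in m, [limiting paths]).

    Each leakage path is reduced only by the measures fitted to it (plus any
    `common` factor that applies to the equipment as a whole), so the
    least-treated path decides how far away an eavesdropper can sit.
    """
    ranges = {name: range_after(baseline_m, [common, *factors])
              for name, factors in paths.items()}
    overall = max(ranges.values())
    limiting = sorted(n for n, r in ranges.items() if math.isclose(r, overall))
    return ranges, overall, limiting


# Constructed scenario 1: only the AC cord has been filtered.
PARTIAL = {
    "AC power cord": [AC_FILTER],
    "case and monitor": [],
    "telephone line": [],
}
# Constructed scenario 2: every path carries its own treatment.
TREATED = {
    "AC power cord": [AC_FILTER],
    "case and monitor": [CAGE],
    "telephone line": [PHONE_FILTER],
}

if __name__ == "__main__":
    need = required_attenuation(BASELINE_RANGE_M, FRONT_YARD_M)
    print(f"1 km -> {FRONT_YARD_M:.0f} m needs {need:.0f}x ({to_db(need):.0f} dB)")
    for label, paths, common in (("partial", PARTIAL, 1.0),
                                 ("treated + class B", TREATED, CLASS_B_VS_A)):
        ranges, overall, limiting = survey(paths, common)
        print(label, {k: round(v, 1) for k, v in ranges.items()},
              "overall", round(overall, 1), "m, limited by", limiting)
```

With only the AC cord filtered, the overall range stays at the baseline because the untreated paths still leak at full strength; under these assumptions the front-yard figure is reached only when every path is treated and the equipment is class B.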
Apartment dwellers with unknown neighbours only inches away (through a wall)
might want to even more carefully adopt as many of the following suggestions
as possible, since the signal available for detection decreases as
approximately the inverse square of the distance from the monitoring
equipment to your computer.

II

Start with computer equipment that meets modern standards for emission.

In the United States, the "quietest" standard for computers and peripherals
is known as the "class B" level. (Class A level is a less stringent standard
for computers to be used in a business environment.)

You want to verify that all computers and peripherals you use meet the class
B standard, which permits only one-tenth the power of spurious emissions
that the class A standard does. If you already own computer equipment with
an FCC ID, you can find out which standard applies. Contact the FCC
Consumers Assistance Branch at 1-717-337-1212 for details in accessing their
database.

Once you own good equipment, follow the manufacturer's recommendations for
preserving the shielding integrity of the system. Don't operate the system
with the cover off and keep "slot covers" in the back of the computer in
place.

III

Use only shielded cable for all system interconnections.

A shielded cable surrounds the core of control wires with a metal braid or
foil to keep signals confined to that core. In the late seventies it was
common to use unshielded cable such as "ribbon" cable to connect the
computer with, say, a diskette drive. Unshielded cable acts just like an
antenna for signals generated by your computer and peripherals. Most
computer manufacturers supply shielded cable for use with their computers in
order to meet FCC standards. Cables bought from third-parties are an unknown
and should be avoided (unless you are willing to take one apart to see for
yourself!)

Try to avoid a "rat's nest" of wire and cabling behind your equipment and
keep all cables as short as possible.
You want to reduce the length of unintended antennas and to more easily
predict the likely paths of electric and magnetic coupling from cable to
cable so that it can be more effectively filtered.

IV

Block radiation from the power cord(s) into the house wiring.

Most computers have an EMI filter built into their body where the AC line
cord enters the power supply. This filter is generally insufficient to
prevent substantial re-radiation of EMI voltages back into the power wiring
of your house and neighbourhood. To reduce the power retransmitted down the
AC power cords of your equipment, plug them into special EMI filters that
are in turn plugged into the wall socket. I use a model 475-3 overvoltage
and EMI filter manufactured by

        Industrial Communication Engineers, Ltd.
        P.O. Box 18495
        Indianapolis, IN 46218-0495
        1-800-ICE-COMM
        ask for their package of free information sheets

(AC and other filters mentioned in this note are available from a wide
variety of sources including, for example, Radio Shack. I am enthusiastic
about ICE because of the "over-designed" quality of their equipment.
Standard disclaimers apply.)

This particular filter from ICE is specified to reduce retransmission of EMI
by a factor of at least 1000 in its high-frequency design range. Although
ideally every computer component using an AC line cord ought to be filtered,
it is especially important for the monitor and computer CPU to be filtered
in this manner, as the most useful information available to opponents is
believed to come from these sources.

V

Block retransmitted information from entering your fax/modem or telephone
line.

Telephone line is generally very poorly shielded. EMI from your computer can
be retransmitted directly into the phone line through your modem or can be
unintentionally picked up by the magnetic portion of the EMI spectrum
through magnetic induction from power supplies or the yoke of your cathode
ray tube "CRT" monitor.
To prevent direct retransmission, EMI filters are specifically designed for
modular telephone jacks to mount at the telephone or modem, and for mounting
directly at the service entrance to the house.

Sources of well-designed telephone-line filter products include ICE (address
above) and

        K-COM
        Box 82
        Randolph, OH 44265
        216-325-2110

Your phone company or telephone manufacturer may be able to supply you with
free modular filters, although the design frequencies of these filters may
not be high enough to be effective through much of the EMI spectrum of
interest. Keep telephone lines away from power supplies of computers or
peripherals and the rear of CRTs: the magnetic field often associated with
those devices can inductively transfer to unshielded lines just as if the
telephone line were directly electrically connected to them. Since this kind
of coupling decreases rapidly with distance, this kind of magnetic induction
can be virtually eliminated by keeping as much distance (several feet or
more) as possible between the power supply/monitor yoke and cabling.

VI

Use ferrite toroids and split beads to prevent EMI from escaping on the
surface of your cables.

Ferrites are magnetic materials that, for certain ranges of EMI frequencies,
attenuate the EMI by causing it to spend itself in heat in the material
rather than continuing down the cable. They can be applied without cutting
the cable by snapping together a "split bead" form over a thick cable such
as a power cord or by threading thinner cable such as telephone several
times around the donut-shaped ferrite form. Every cable leaving your
monitor, computer, mouse, keyboard, and other computer peripherals should
have at least one ferrite core attenuator. Don't forget the telephone lines
from your fax, modem, telephone or the unshielded DC power cord to your
modem. Ferrites are applied as close to the EMI emitting device as possible
so as to afford the least amount of cable that can act as an antenna for the
EMI.
Good sources for ferrite split beads and toroids include

        Amidon Associates, Inc.
        P.O. Box 956
        Torrance, CA 90508
        310-763-5770
        (ask for their free information sheet)

        Palomar Engineers
        P.O. Box 462222
        Escondido, CA 92046
        619-747-3343
        (ask for their free RFI information sheet)

and Radio Shack.

VII

Other practical remedies.

Other remedies that are somewhat more difficult to correctly apply include
providing a good EMI "ground" shield for your computer equipment and other
more intrusive filters such as bypass capacitor filters.

You probably ought not to think about adding bypass capacitors unless you
are familiar with electronic circuits and digital design. While quite
effective, added improperly to the motherboard or cabling of a computer they
can "smooth out" the square wave digital waveform -- perhaps to the extent
that signals are interpreted erroneously causing mysterious "crashes" of
your system. In other cases, bypass capacitors can cause unwanted parasitic
oscillation on the transistorized output drivers of certain circuits which
could damage or destroy those circuits in the computer or peripherals. Also,
unlike ferrite toroids, adding capacitors requires actually physically
splicing them in or soldering them into circuits. This opens up the
possibility of electric shock, damage to other electronic components or
voiding the warranty on the computer equipment.

A good EMI ground is difficult to achieve. Unlike an electrical safety
ground, such as the third wire in a three-wire AC power system, the EMI
ground must operate effectively over a much wider part of the EMI spectrum.
This effectiveness is related to a quality known as electrical impedance.
You desire to reduce the impedance to as low a value as possible over the
entire range of EMI frequencies.
Unlike the AC safety ground, important factors in achieving low impedance
include having as short a lead from the equipment to a good EMI earth ground
as possible (must be just a few feet); the gauge of the connecting lead (the
best EMI ground lead is not wire but woven grounding "strap" or wide copper
flashing sheets); and the physical coupling of the EMI into the actual earth
ground. An 8 ft. copper-plated ground may be fine for AC safety ground, but
may present appreciable impedance to an EMI voltage. Much better would be to
connect a network of six to eight copper pipes arranged in a six-foot
diameter circle driven in a foot or two into the ground, electrically bonded
together with heavy ground strap and connected to the equipment to be
grounded via a short (at most, several feet), heavy (at least 3/4-1" wide)
ground strap.

If you can achieve a good EMI ground, then further shielding possibilities
open up for you, such as surrounding your monitor and computer equipment in
a wire-screen Faraday cage. You want to use mesh rather than solid sheet
because you must preserve the free flow of cooling air to your equipment.
Buy aluminum (not nylon) screen netting at your local hardware store. This
netting typically comes in rolls 36" wide by several feet long. Completely
surround the equipment whose EMI you want to reduce, being careful to make
good electrical bonds between the different panels of netting and your good
earth ground. I use stainless steel nuts, bolts, and lock washers along with
special non-oxidizing electrical paste (available from electrical
contractors' supply houses or from ICE) to secure my ground strapping to my
net "cages". A good Faraday cage will add several orders of magnitude of EMI
attenuation to your system.

VIII

Checking the effectiveness of your work.

It is easy to get a general feeling about the effectiveness of your EMI
shielding work with an ordinary portable AM radio.
Bring it very close to the body of your computer and its cables in turn.
Ideally, you should not hear an increased level of static. If you do hear
relatively more at one cable than at another, apply more ferrite split beads
or obtain better shielded cable for this component. The practice of
determining what kind of operating system code is executing by listening to
a nearby AM radio is definitely obsolete for a well-shielded EMI-proof
system!

To get an idea of the power and scope of your magnetic field emissions, an
ordinary compass is quite sensitive in detecting fields. Bring a compass
within a few inches of the back of your monitor and see whether it is
deflected. Notice that the amount of deflection decreases rapidly with
distance. You want to keep cables away from magnetic sources about as far as
required not to see an appreciable deflection on the compass.

IX

Summary

If you start with good, shielded equipment that has passed the FCC class B
emission standard then you are off to a great start. You may be able to do
even better with stock OEM equipment by specifying "low-emission" monitors
that have recently come on the market in response to consumer fears of
extremely low frequency ("ELF") and other electromagnetic radiation.
Consistently use shielded cables, and apply filtering and ferrite toroids to
all cabling entering or leaving your computer equipment. Finally, consider a
good EMI ground and Faraday cages. Beyond this there are even more effective
means of confining the electrical and magnetic components of your system
through the use of copper foil adhesive tapes, conductive paint sprays, "mu
metal" and other less common components.

---------------------------------------------------------------------------

The LOD