======================================= T H E N E W F O N E E X P R E S S ======================================= The newsletter of the Society for the Freedom of Information (SFI) Electronic Edition Central distribution site is Secret Society BBS (314) 831-9039, WWIVNet 3460, 24hrs ------------------------------------------------------------------------------ The publisher, SFI, distribution site(s), and authors contributing to the NFX are protected by the Bill of Rights in the U.S. Constitution, which specifically protects freedom of speech and freedom of the press. The information provided in this magazine is for informational purposes only, and the publisher, SFI, distribution site(s) and authors are not responsible for any problems resulting from the use of this information. Nor is SFI responsible for consequences resulting from authors' actions. This disclaimer is retroactive to all previous issues of the NFX. We accept article submissions of nearly any sort, about hack/phreak/anarchy/gov't/nets/etc. Send mail to the publisher (The Cavalier) at any of these addresses: WWIVnet [15@3460] WWIVlink [442@13468] VMB (301) 771-1151. hit #, then 326. <> Ripco [send mail to Silicon Avalanche] Daydream Nation [send mail to Silicon Avalanche] Internet [1098i9@gmuvax2.gmu.edu] The printed edition of the newsletter is available for $2 (U.S.) for a single copy. Send mail to the New Fone Express, Jackson House Rm 206, President's Park, 10309 Senatorial Lane, Fairfax, VA 22030. Don't forget your name and address. Subscriptions are no longer available. To download the New Fone Express, call Secret Society at (314) 831-9039 and log on as NFX, password NFX, phone# 0000, or see the distribution list elsewhere in this magazine. ------------------------------------------------------------------------------ Highlights for Issue #7/December 1991 ===================================== * Xmascon Info ... by Drunkfux (see article #1) * Caller ID Protocol Specs ... by John F. Woods (see article #2) * Smart Cards ... by Anonymous (see article #3) * Distribution Site List ... edited (see article #4) * Editorial ... by the Cavalier (see article #5) ------------------------------------------------------------------------------ ------------------------------------------------------------------------------ Xmascon Info NIA & Phrack Magazine, & dFx International Digest Are Proud To Present: The Second Annual X M A S C O N Who: All Hackers, Journalists, Security Personnel, Federal Agents, Lawyers, Authors and Other Interested Parties. Where: Houston Airport Hilton Inn 500 North Belt East Houston, Texas 77060 U.S.A. Tel: (713) 931-0101 Fax: (713) 931-3523 When: Friday December 27 through Sunday December 29, 1991 Yes, ladies and gentlemen, you read it right... Xmascon has returned! This will undoubtedly be the telecom event of the year. Unlike certain conferences in the past, Xmascon 91 has a devoted and dedicated staff who are putting in an unmentionable amount of time to ensure a large, vast and organized collection of some of the most diversified people in the telecommunications world. The event will be open to the public so that anyone may attend and learn more about the different aspects of computer security. Hotel Information ----------------- The Houston Airport Hilton Inn is located about 6 miles from Intercontinental Airport. The Xmascon group room rates are $49.00 plus tax (15%) per night, your choice of either single or double. There are also 7 suites available, the prices of which vary from $140 to $250. You can call the hotel to find out the differences and availability of the suites, and you will also NEED to tell them you are with the Xmascon Conference to receive the reduced room rate, otherwise, you will be paying $69.00. There is no charge for children, regardless of age, when they occupy the same room as their parents. Specially designed rooms for the handicapped are available. The hotel provides free transportation to and from the airport, as well as neighboring Greenspoint Mall, every 30 minutes on the hour, and on call, if needed. There are 2 restaurants in the hotel. The Wicker Works is open until 11:00 pm, and The Forty Love is open 24 Hours. There will also be breakfast, lunch and dinner buffets each day. There is a piano bar, The Cycle Club, as well as a sports bar, Chaps, which features numerous table games, large screen tv, and a disco with a DJ. Within the hotel compound, there are 3 pools, 2 of which are indoors, a jacuzzi, a miniature golf course, and a fully equipped health club which features universal weights, a whirlpool and sauna. A car rental agency is located in the hotel lobby, and you can arrange to pick your car up at either the airport or the hotel. Xmascon attendees are entitled to a discounted rate. Contact the hotel for more information. Xmascon will last 3 days, with the main conference being held on Saturday, December 28, in the Osage meeting room, starting at 12:00 p.m. and continuing on throughout the evening. This year, we have our own complete wing of the hotel, which is housed around a 3,000 square foot atrium ballroom. The wing is completely separated from the rest of the hotel, so we are strongly encouraging people to make their reservations as far in advance as possible to ensure themselves a room within our area. We are hoping to have a number of people speak on a varied assortment of topics. If you would like to speak, please contact us as soon as possible and let us know who you are, who you represent (if anyone), the topic you wish to speak on, a rough estimate of how long you will need, and whether or not you will be needing any audio-visual aids. There will be a display case inside the meeting room which will hold items of telecom interest. Specific items that will be available, or that we hope to have, include the first issues of 2600, Tap, Mondo 2000, and other magazines, non-computer related magazines that feature articles of interest, a wide array of boxes, the Quaker Oats 2600 mhz whistle, The Metal AE, etc. We will also have a VCR and monitor set up, so if you have any interesting videos (such as the Unsolved Mysteries show featuring Kevin Poulsen), or if you have anything you think people would enjoy having the chance to see, please let us know ahead of time, and tell us if you will need any help getting it to the conference. If all else fails, just bring it to the con and give it to us when you arrive. Media support has been very strong so far. Publications that have agreed to print pre-conference announcements and stories include Computer World, Info World, New York Times, San Francisco Chronicle, Austin Chronicle, Houston Chronicle, Independent Journal, Mondo 2000, CuD, Informatik, a leading Japanese computer magazine, NME, Regeneration (Germany), and a few other European based magazines. PBS stations WHNY, WNET, and KQED, as well as the stations that carry their syndicated shows, will be mentioning the conference also. If you are a journalist and would like to do a story on Xmascon 91, or know someone who would, contact us with any questions you may have, or feel free to use and reprint any information in this file. If anyone requires any additional information, needs to ask any questions, wants to RSVP, or would like to be added to the mailing list to receive the Xmascon updates, you may write to either myself (Drunkfux), Judge Dredd, or Lord Macduff via Internet at: nia@nuchat.sccsi.com Or via US Mail at: Hard Data Corporation ATTN: HoHo P.O. Box 60695 Houston, Texas 77205-9998 U.S.A. We will hopefully have an 800 mailbox before the next update is sent out. If someone cares to donate a decent one, that will stay up throughout the end of the year, please let us know. We should also be listing a few systems as an alternative form of reaching us. Xmascon 91 will be a priceless learning experience for professionals, and gives journalists a chance to gather information and ideas direct from the source. It is also one of the very few times when all the members of the computer underground can come together for a realistic purpose. We urge people not to miss out on an event of this caliber, which doesn't happen very often. If you've ever wanted to meet some of the most famous people from the hacking community, this may be your one and only chance. Don't wait to read about it in all the magazines, and then wish you had attended, make your plans to be there now! Be a part of our largest and greatest conference ever. Remember, to make your reservations, call (713) 931-0101 and tell them you're with Xmascon. In closing... if you miss this one, you're only cheating yourself. >< [TC: ...a public service announcement... heh...] ------------------------------------------------------------------------------ ------------------------------------------------------------------------------ Caller ID Protocol Specs Date: Tue Aug 20 1991 17:57:34 From: John F. Woods Subj: Telephone Caller ID specs: Organization: Kendall Square Research Corp. Message-ID: <5104@ksr.com> Newsgroups: sci.electronics Every now and then, someone asks again about Caller ID and how to decode it. It turns out that Radio Electronics published most of the answer in the Hardware Hacker column in their August 1991 issue. A quick summary follows: First, the relevant documents are: 1. NYNEX Catalog of Technical Information, #NIP-7400 (Free). 2. SPCS Customer Premises Equipment Data Interface, #TR-TSY-0030, $25. 3. CLASS Feature: Calling Number Delivery, #FSD-02-1051, $30. 4. CLASS Feature: Calling Number Delivery Blocking, #TR-TSY-000391, $33. Document 2 is the most important, and can be ordered from Bellcore at (800) 521-CORE; they take VISA. The caller ID is transmitted as 1200 baud tones (Mark/1 is one cycle of 1200 Hz, Space/0 is nearly two cycles of 2200Hz), 8 bits asynchronous, one stop bit. The data transmitted is: 30 bytes of 0x55 as a "channel seizure" signal (when demodulated, looks like a 1/4 second 600Hz square wave); 150 milliseconds of all marks; a message-type word (one byte, value 0x04 indicates caller ID); a message length word (one byte, how many digits in the calling number, does not include itself or the checksum); the _ASCII_ digits of the phone number, least significant first; finally, a checksum byte, consisting of the two's-complement of the 8-bit sum of the message-type word, the message-length word, and the data. This is the simplest form that the information will be delivered in, you need the Bellcore specs if you want to get it right in all cases. Sierra Semiconductor has two IC's which handle most of the analog portion of caller-ID, the SC11211N and the SC11210 (which needs an external oscillator and deletes some of the features); these chips output a digital stream ready for digestion by a uC. >< [TC: This file was not written for the NFX; however, it is reasonable to assume that the author can be reached on the Internet, given that this was originally posted on a newsgroup.] ------------------------------------------------------------------------------ ------------------------------------------------------------------------------ Smart Cards Smart cards are beginning to gain popularity among many corporations, yet most people have never seen a 'smart card,' much less know anything about them. All a smart card basically is is a normal plastic credit card with an IC embedded, and the traditional magnetic strip on the back. The chip appears to be a small golden emblem on the left center of the card (see fig. 1) Actually, it's a small microprocessor with several types of memory. We'll be talking about cards made by the DataCard Corporation, which has supposedly been in the smart card business since 1985. ___________________________ ___________ | | |___| ___| | ====== | |___| |___| | | | | |___| |___| | ====== | |___|___|___| | | |___________________________| Fig. 2 Chip appearance Fig. 1 Chip approx. location and size The chips are produced by a variety of outside companies, such as Oki, Asahi, Texas Instruments, Motorola, Hitachi, and Toshiba. Each chip has ROM, RAM, and EEPROM built in. The customer can pick an IC module with the specific features they desire. The IC modules are shipped to DataCard, where they are implanted in a custom plastic card. The ROM on the IC module is burned at this time and contains (in DataCard's case) DataCard's proprietary operating system, SCOS (or Smart Card Operating System). The customer then has the choice of programming the cards personally or shipping the data to DataCard, who will program each card individually. Example Tech Specs ------- ---- ----- Let's take, as an example, DataCard's MIC-1600 Microprocessor Card. It contains 1920 bytes of EEPROM and enough ROM space to hold SCOS. (The amount of temporary RAM space was unspecified.) Memory is partitioned into individual 'files,' which contain a number of fixed-length records. Data can be read sequentially or randomly by record number. Files marked non-erasable when created cannot be modified. Files may also be declared 'circular,' where the oldest record is overwritten when the file wraps around. Files are protected from 'unauthorized access' by the use of 8 security keys. Only correct key entries are confirmed, and if eight submissions are incorrect, a special type of key called the "Issuer" key is required to unlock access. Ten keys are actually stored in memory: the 8 Application keys, 1 PIN (Personal Identification Number) key, and 1 Issuer key. The Issuer key is programmed by the company that issued the card. The keys may be anywhere from one to eight characters long. Communication with the card is accomplished through the use of a special card reader. Card communication is based on the standard ISO 7816/3 protocol, and the metallic contacts conform to ISO 7816/2 specifications. The contacts measure 86mm by 54mm by 84mm and have a 5 year life. Optionally, the Pc3 protocol may be used to communicate with the chip, but I'd expect the ISO 7816/3 protocol to be more prevalent. Communication is serial, at a speed of 9600 bps async using 8 bit bytes. The transmit turnaround delay is 5 ms, with the line timeout on the chip being 1.0 sec. The response delay is < 10 ms maximum, and the reset response is $3B, $A8, $00, $01, "PC16E4xx" (the first four digits are hexadecimal, of course). The microprocessor in the MIC-1600 is the 62C580, running at a 3.57 MHz clock (rather convenient - it's the frequency put out by an NTSC colorburst crystal, quite cheap). It runs on +5 volts, plus/minus .5 volts. The reset duration is 10 ms minimum. There is a 20 ms overhead on each command, and the card can be erased in 20 seconds. The read time is 1.25 ms per byte, and the write time is 11.25 ms per byte. Command | Description | Clearance ---------|----------------------------------------------|---------- RESET | Initialize and Return ID | None SUBMIT | Submit Password Key | None RDFDT | Read File Definition | None RDSNO | Read Serial Number | None FINDZ | Find File Name (Zone) | None RDSEQ | Read Last Record | Read RDRAN | Read Random Record | Read SEARCH | Search File | Read WRSEQ | Write Next Record | Write WRRAN | Write Random Record | Write EMPTY | Empty File | Write ERASE | Erase Card | Issuer WRFDT | Write File Definition | Issuer WRKBY | Write Key Definition | Issuer ---------|----------------------------------------------|---------- Chip Interface Devices ---- --------- ------- DataCard markets two types of "Chip Interface Devices," basically card readers. The Series 50 unit appears to be somewhat smaller than a 3.5" floppy drive, has a black bezel and a slot for the card in front. (Exact measurements: 1.5"x2.6"x3.2") This unit is obviously designed to be implanted in an enclosure; there is bare circuitry on the top and bottom, and a good deal of it is surface-mount. A "one-time programmable EPROM" (whatever the hell that is) can be plugged in, or an optional application board allows you to load applications into on-board EPROM/RAM. The Series 50 supports three interfaces for reader-to-host communication: the RS-485, TTL or RS-232 interfaces. It communicates at 19,200 bps half-duplex with transfer error-detection. The Series 100 CID comes in a white box and has two card slots. It measures 7"x8"x2.5". It supports a variety of card drivers for IC module- independence. They can be used free-standing, containing an 8031 microprocessor clocked at 7.372 MHz with 32K EPROM and battery-backed 32K RAM. Its interface to the outside world is standard DB-25 RS232. They can also be interfaced to a MS/DOS or Unix host system. The 680-IC Transaction Terminal is a horse of a different color; it is actually a swipe card-style card reader, with the exception of a large white smart card reader on top. It is shipped with 128k of battery backed RAM and is expandable to 512k. Its operating system multitasks and supports applications written in C, with DataCard's OS programming libraries. It has a 29-key keypad, a 2 line by 24 character LCD screen, and a built-in 1200 bps modem. It can optionally read Track 1 magnetic cards, along with the built- in capability to read Track 2 ABA standard cards. It runs on a V25, NEC's 8086-compatible chip clocked at 10 MHz, and the smart card reader uses the 8031 again at 7.372 MHz. It contains 64K of EPROM, and uses the DataCard Multi-Tasking Operating System. Summary ------- First off, I apologize if this article sounds too much like an advertisement for DataCard, but it just happened to be the extent of the information I had. It should have filled you in on the technical aspects of smart cards slightly. Also, they are starting to reach greater market penetration -- suggestions for use include cards for store customers to track marketing information, cards for drivers to make purchases of gasoline and fleet-tracking easier, cards for students on campus to authorize purchases and provide ID, prepaid cards that allow the user to carry around a card in place of cash or coins, or 'administrative cards,' which act as an audit trail, monitoring the user's comings and goings. The potential for invasion of privacy is immense, and most people may be beguiled into it by lures of 'prepaid cards' and 'frequent card-shopper points.' If you would like to try to get your own information from DataCard, try calling their phone line here in Minneapolis at (612) 938-3500. >< [TC: As the author requested anonymity, your best chance for getting in touch with him is to send mail through me at any of the addresses in the header.] ------------------------------------------------------------------------------ ------------------------------------------------------------------------------ Distribution Sites As of 11/91, the distribution sites with the New Fone Express include: * Secret Society Blitzkrieg (314) 831-9039 (502) 499-8933 3/1200 bps 3/12/24/9600? WWIVNet 3460 WWIVnet 5211 Central Distribution Site TAP Headquarters Solsbury Hill * The Bamboo Gardens North (301) 428-3268 (512) 385-2941 3/12/24/9600HST 3/12/2400 bps Usenet feed WWIVNet 5285 1500+ text files Cyberpunk & Computer Law BBS A * indicates a system with a 'captive account,' or an account specifically for downloading the NFX. Many thanks to the sysops supporting the NFX. >< ------------------------------------------------------------------------------ ------------------------------------------------------------------------------ Editorial "Cyberhippies" Well, you're at the end of Issue #7. First off, some thank-you's are in order to Hardcore, for reinstating the VMB after a software reinstall.. if you haven't noticed, the VMB was non-functional, and it's back up now under another number. (see header) Also, thank you to Anonymous for the smart card article... I admit to a certain curiosity about the buggers myself...heh.. Thank you to the Desert Fox, Vorpal Bunny, and the rest of the Worldview crew for sending me a copy of one of their issues!.. it is a good magazine and I would encourage you, if you have the means, to contact him at (713) 337-1452, user #623. It appears to be Fidonet from the address he supplies in his newsletter (1:106/995). Re the title of the editorial, "Cyberhippies," I was doing a little bit of thinking a few weeks back, and noticed quite a few parallels between the situation that existed in the late 60's and the one that exists now. The hacker community, like the hippies of the '60s, are fighting against a government that seems to enjoy persecuting us. As they wanted freedom to experience what they wanted, and to protest freely against the Vietnam War, so does the hacker community: information should be free. There are several comparable issues here: the 'novel' idea that if resources are available, whether they be physical (like an Internet hookup, or public land) or intellectual (like a brilliant piece of recursive code, or the right to run one's own life). We are fighting a protracted 'war' in itself, with hackers as the soldiers: Hackers are getting busted, 'drafted' through coercion, manipulation, and falsehoods, and being good little 'narcs', in service of their country. All to fight a war against the free dissemination of information and knowledge, and to stifle political truths. This government doesn't follow its own laws, folks, and I hope none of you would fully believe it if someone told you they did. Case in point: Operation Sundevil. I refuse to rehash the events of Sundevil, but I do want to point out that out of, what, 140 busts or so? ..only one person (to MY knowledge) has been convicted. Equipment has been impounded and some of it has not returned yet. Or the infamous Scott Jackson case -- it all adds up, people. As for the charge that the government hinders the spread of information, consider this: if military-funded scientific research in fields were shared openly, the jump in the progress of science in this world would be exponential. I'm not talking about the Enrico Fermi Atomic Bomb Home Cookbook, I'm talking about high-yield milspec solar cells. I'm talking about particle-beam lasers. I'm watching the citizens and leadership of this country drive towards an ultra- nationalistic right-wing future. President Bush just refused to apologize to the Japanese for dropping the bomb on two cities, for a countless loss of life. World War 2 is over, goddamnit! Don't you see this, Bush? Racism and ultra-nationalism are still prevalent forces in this country, and we need to be aware of those two forces and indeed the mighty armies arrayed against us. We will win, if we can band together and keep our collective purpose in mind. I suppose I should close things up with a "Peace, brother", eh? Good luck to all of you. Until next time. ><