The Mark Tabas encounter series presents...

      =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
        Better Homes and Blue Boxing
        Part II
        Practical Applications
      =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

(It is assumed that the reader has read and understood Part I of
this series.)

  The essential purpose of blue boxing in the beginning was
merely to receive toll services free of charge. Though this can
still be done, blue boxing has essentially outlived its
usefulness in this area. Modern day 'extenders' and long
distance services provide a safer and easier way to make free
fone calls. However, you can do things with a blue box that just
can't be done with anything else. For ordinary toll-fraud, a
blue box is impractical for the following reasons:

  1. Clumsy equipment required (blue box or equivalent)

  2. Most boxed calls must be made through an extender. Not for
safety reasons, but for reasons I'll explain later.

  3. Connections are often sacrificed because considerable
distances must be dialed to cross a seizable trunk, in addition
to awkward routing.

  As stated in reason #2, boxed calls are usually made through
an extender. This is for billing reasons. If you recall from
Part I, 2600Hz is used as a 'supervisory' signal. That is, it
signals the status of a trunk-- 'on-hook' or 'off-hook.' When
you seize a trunk (by briefly sending 2600Hz), your end (the
CALLING end) goes on hook for the duration of the 2600Hz and
then goes off-hook once again when the 2600Hz is terminated. The
CALLED end recognizes that a call is on the way and attaches a
register, which interprets the digits which are to be sent. Now,
understand that even though your end has come off-hook (no
2600Hz present), the other end is still on-hook. You may wonder
then, why, if the other end (the CALLED end) is still on-hook,
there is no 2600Hz coming the other way on the trunk, when there
should be. This is correct. 2600Hz *IS* present on the trunk
when you seize it and afterwards, but you cannot hear it because
of a Band Elimination Filter (BEF) at your central office.

  Back to the problem. Remember that when you seize a trunk,
2600Hz is indeed coming the other way on the trunk because the
CALLED end is still on-hook, but you don't actually hear it
because of a filter. However, the Bell equipment knows it's
there (they can 'hear' it). The presence of the 2600Hz is
telling the billing equipment that your call has not yet been
completed (i.e., the CALLED end is still on-hook). When finally
you do connect with your boxed call, the 2600Hz from the called
end terminates. This tells the billing equipment that someone
picked up the fone at the CALLED end and you should begin to be
billed. So you do start to get billed, but for the call to the
trunk, NOT the boxed call. Your billing equipment thinks that
you've connected with the number you used to seize the trunk.

Illustration:

  1. You call 1+806-258-2222 (directly)
  2. Status of trunks:

<----------------------------------->
(You)                    806-258-2222
No 2600Hz-------> <------------2600Hz

  When you seize a trunk (before the number you called answers)
there is no effect on your billing equipment. It simply thinks
that you're still waiting for the call to complete (the CALLED
end is still on-hook; it is ringing, busy, going to recorder or
intercept operator). Now, let's say that you've seized a trunk
(806-258-2222) and keyed, for example, KP+314+949+1705+ST. The
call is routed from the tandem you seized to: 314-949-1705.

Illustration:

<------------------>O<--------------->
(You)              806         314-949
                 tandem
No 2600Hz----------> <----------2600Hz

  Note that the entire path towards the right (the CALLED end)
has no 2600Hz present and is therefore 'off-hook.' The entire
path towards the left (the CALLING end) does have 2600Hz present
on it, indicating that the CALLED end has not picked up (or come
'off-hook'). When 314-949-1705 answers, 'answer supervision' is
given and the 2600Hz towards the left (the CALLING end) terminates.
This tells your billing equipment, which thinks that you're
still waiting to be connected with 806-258-2222, that you've
finally connected. Billing then begins to 806-258-2222. Not
exactly an auspicious beginning for an aspiring young phone
phreak.

  To avoid this, several actions may be taken. As previously
mentioned, one may avoid being charged for the number called to
seize a trunk by using an extender (in which case the extender
will get billed). In some areas, boxing may be accomplished
using an 800 number, generally in the format of 800-858-xxxx
(many Amarillo numbers) or 800-NN2-xxxx (special intra-state
class in-WATS numbers). In my area, Denver, I am served by #1A
ESS and it is impossible for me to box off of any 800 number.

  Years ago, in the early days of blue boxing (before my time),
phreaks often used directory assistance to box off of because
they were 'free' long distance calls. However, because of
competitive long distance companies, directory assistance
surcharges are now $0.50 in many areas. It is additionally
advised that directory assistance numbers not be used to box
from because of the following:

  Average DA calls last under 2 minutes. When you box a call,
chances are that it will last considerably longer. Thus, the
Bell billing equipment will make a note of calls to directory
assistance that last a long time. A call to a directory
assistant lasting for 4 hours and 17 minutes may appear somewhat
suspicious.

  Although the date, time, and length of a DA call do not appear
on the bill, it is recorded on AMA tape and will trip a trouble
report if it were to last too long. This is how most phreaks
were discovered in the old days. Also, sometimes too many calls
lasting too long to one 800 number may raise a few eyebrows at
the local security office.
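
  The duration check described above, written out as an added
example (it is not part of the original file and is not Bell's
actual AMA processing). The thresholds, field names and sample
records are assumptions; the text only says that DA calls average
under 2 minutes and that DA is reached as NPA+555+1212.

```python
from collections import defaultdict

# Assumed thresholds; the text only says DA calls average under 2 minutes.
DA_MAX_SECONDS = 10 * 60
LONG_800_SECONDS = 30 * 60
LONG_800_REPEATS = 3

def digits(number):
    """Strip punctuation and a leading 1 so numbers compare as 10 digits."""
    d = "".join(ch for ch in number if ch.isdigit())
    return d[1:] if len(d) == 11 and d.startswith("1") else d

def is_directory_assistance(number):
    """NPA+555+1212, the directory assistance format the text gives."""
    d = digits(number)
    return len(d) == 10 and d[3:] == "5551212"

def is_800_number(number):
    d = digits(number)
    return len(d) == 10 and d.startswith("800")

def trouble_reports(records):
    """Return (reason, caller, dialed, detail) for records worth a look."""
    reports = []
    long_800 = defaultdict(list)
    for rec in records:
        caller, secs = rec["caller"], rec["seconds"]
        dialed = digits(rec["dialed"])
        if is_directory_assistance(dialed) and secs > DA_MAX_SECONDS:
            # A DA call far beyond the normal length: detail is the duration.
            reports.append(("long-DA-call", caller, dialed, secs))
        elif is_800_number(dialed) and secs > LONG_800_SECONDS:
            long_800[(caller, dialed)].append(secs)
    for (caller, dialed), durations in sorted(long_800.items()):
        # One long 800 call is normal; a pattern of them is not.
        if len(durations) >= LONG_800_REPEATS:
            reports.append(("repeated-long-800", caller, dialed, len(durations)))
    return reports

# Constructed sample records (not real AMA data).
SAMPLE = [
    {"caller": "303-555-0101", "dialed": "1-806-555-1212", "seconds": 95},
    {"caller": "303-555-0102", "dialed": "1-806-555-1212", "seconds": 4 * 3600 + 17 * 60},
    {"caller": "303-555-0103", "dialed": "1-800-555-0199", "seconds": 2400},
    {"caller": "303-555-0103", "dialed": "1-800-555-0199", "seconds": 3000},
    {"caller": "303-555-0103", "dialed": "1-800-555-0199", "seconds": 2700},
    {"caller": "303-555-0104", "dialed": "1-800-555-0199", "seconds": 3600},
]
```

The second sample record is the 4 hour 17 minute DA call from the
text; the single long 800 call from 303-555-0104 is not reported.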

  Assuming you can complete a blue box call, the following are
listed routings for various Bell internal operators. These are
in the format of KP+NPA+special routing+1X1+ST, which I will
explain later. The 1X1 is the actual operator routing, and NPA
and NPA+special routing are used for out-of-area code calls and
out-of-area code calls requiring special routing, respectively.

KP+101+ST ...... toll test board
KP+121+ST ...... inward op
KP+131+ST ...... directory assistance
KP+141+ST ...... was rate & route. Now only works in 312, 815,
                 717, and a few others. It has been replaced with
                 a universal rate & route number, 800+141+1212.
KP+151+ST ...... overseas completion
KP+181+ST ...... in some areas, toll station for small towns.

  Thus, if you seize a trunk in 806 NPA and wanted an inward (in
806), then you would dial KP+121+ST. If you wanted a 312 inward
and were dialing on an 806 trunk, an area code would be
required. Thus, you would dial KP+312+121+ST. Finally, some
places in the network require special routing, in addition to an
area code. An example is Franklin Park, Ill. It requires a
special routing of 032. For this, you dial KP+312+032+121+ST
for a Franklin Park inward operator.

  Special routings are in the format of 0XX. They are used
primarily for load balance, so that traffic flow may be evenly
distributed. About half of the exchanges in the network require
special routing. Note that special routings are NEVER EVER EVER
used to dial normal telephone numbers, only operators.

  Operator functions:

TOLL TEST BOARD- Generally a cordboard position that assists in
trunk testing. They are not used by operators, only switchmen.

INWARD- Assists the normal TSPS (0+) operator in completing
calls out of the TSPS's area. Also, inwards perform emergency
interrupts when the number to be interrupted is out of the area
code of the original (TSPS) operator. For example, a 303
operator has a customer that needs an emergency interrupt on
215-647-6969. The 303 operator gets the routing for the inward
that covers 215-647, since she cannot do the interrupt herself.
The routing is found to be only 215+ (no special routing
required). So, the 303 operator keys KP+215+121+ST. An inward
answers and the 303 says to her, 'Inward, this is Denver. I need
an emergency interrupt on 215-647-6969. My customer's name is
Mark Tabas.' The inward will then do the interrupt (off the
line, of course). If the number to be interrupted had required
special routing, such as, say, 312-456-1234 (spec routing 032),
then the 303 operator would dial KP+312+032+121+ST for the
inward to do that interrupt.

DIRECTORY ASSISTANCE- These are the normal NPA+555+1212
operators that assist customers with obtaining telefone
directory listings. Not much toll-fraud potential here, except
maybe $0.50.

RATE AND ROUTE- These operators are reached by dialing
KP+800+141+1212+ST. They assist normal (TSPS) operators with
rates and routings (thus the name). The only uses I typically
have for them are the following:

1. Routing information. In the above example, when the 303
operator needed to dial an inward that served 215-647, she
needed to know if any special routing was required and, if so,
what it was. Assuming she would use rate and route, she would
dial them and say nicely, 'Operator's route, please, for
215-647.' Rate & route would respond with '215 plus.' This means
that the operator would dial KP+215+121+ST to reach the inward
that serves 215-647. If there were special routing required,
such as in 312-456, rate & route would respond with '312 plus
032 plus.' In that case, the operator would dial KP+312+032+ST
for the inward that serves 312-456.

  It is good practice to ask for 'operator's route'
specifically, as there are also 'numbers route' and 'directory
routes.' If you do not specifically ask for operator's route,
rate & route will generally assume that is what you want anyway.

  'Numbers' route refers to overseas calls. Example, you want to
know how to reach a number in Geneva, Switzerland (and you
already have the number). You would call routing and say
'Numbers route, please, Geneva, Switzerland.' The operator would
respond with: 'Mark 41+22. 011+041+ST (plus) 041+22'.  The 'Mark
41+22' has to do with billing, so disregard it. The 011+041 is
access to the overseas gateway (to be discussed in Part III) and
the 041+22+ is the routing for Geneva from the overseas sender.

  'Directory' routings are for directory assistance overseas.
Example:

You want a DA in Rome, Italy. You would call rate & route and
say, 'Directory routing please, for Rome, Italy.' They would
respond with '011+039+ST (plus) 039+1108 STart.' As in the
previous example, the 011+039 is access to the overseas gateway.
The 039+1108 is a directory assistant in Rome.

2. Nameplace information. Rate & Route will give you the
location of an NPA+ exchange. Example: 'Nameplace please, for
215-648.' The operator would respond with 'Paoli, Pennsylvania.'
This isn't especially useful, since you can get the same
information (legally) by dialing 0, but using rate & route is
often much faster and it avoids having to hang up when you are
already on a trunk.

*NOTE on Rate & Route: As a blue boxer, always ask for 'IOTC'
routings. (e.g., 'IOTC operator's route', 'IOTC numbers route',
etc.) This tells them that you want cordboard-type routings, not
TSPS, because a blue boxer is actually just a cordboard position
(that Bell doesn't know about).

OVERSEAS COMPLETION OPERATOR (inbound)- These operators
(KP+151+ST) assist in the completion of calls coming in to the
United States from overseas. There are KP+151+ST operators only
in a few NPAs in the country (namely 303). To use one, you would
seize a trunk and dial KP+303+151+ST. Then you would tell the
operator, for example, 'This is Bangladesh calling. I need U.S.
number 215-561-0562 please.' [in a broken Indian accent]. She
would connect you, and the bill would be sent to Bangladesh
(where I've been billing my KP+151+ST calls for two years).

Other internal Bell Operators.

KP+11501+ST ...... universal operator
KP+11511+ST ...... conference op
KP+11521+ST ...... mobile op
KP+11531+ST ...... marine op
KP+11541+ST ...... long distance terminal
KP+11551+ST ...... time & charges op
KP+11561+ST ...... hotel/motel op
KP+11571+ST ...... overseas (outbound) op

  These 115X1 operators are identical in routing to the 1X1
operators listed previously, with one exception. If special
routing is required (0XX), then the trailing 1 is left off.

Examples:

A 312 universal op ... KP+312+11501+ST
A Franklin Park (312-456) universal op (special routing 032 required)....
................... KP+312+032+1150+ST
[The trailing 1 of 11501 is left off].

Purposes of 115X1 operators.

UNIVERSAL- Used for collect/callback calls to coin stations.

CONFERENCE- This is a cordboard conference operator who will set
up a conference for a customer on a manual operation basis.

MOBILE- Assists in completion of calls to mobile (IMTS) type
telefones.

MARINE- Assists in completion of calls to ocean going vessels.

LONG DISTANCE TERMINAL- Now obsolete. Was used for completion of
long distance calls.

TIME & CHARGES- Will give exact costs of calls. Used to time
calls and inform customer of exactly how much it cost.

HOTEL/MOTEL- Handles calls to/from hotels and motels.

OVERSEAS COMPLETION (outbound)- assists in completion of calls
to overseas points.  Only works in some, if any NPAs, because
overseas assistance has been centralized to IOCC (covered in
part III).

  Note that all KP+1X1+ST and KP+115X1+ST operators
automatically assume that you are a TSPS or cordboard operator
assisting a customer with a call. DO NOT DO ANYTHING TO
JEOPARDIZE THIS!  If you do not know what to do, don't call
these operators! Find out what to do first.

This concludes Part II.  There is the final part in which I will
explain overseas dialing, IOCC (International Overseas
Completion Centre), RQS (Rate/Quote System), and some basic
scanning.

                          Mark Tabas

