How a Foreign Sanctions Block List Nearly Shut Down An Entire US Community’s Phone Service

Originally published in 2600: The Hacker Quarterly, Winter 2023-2024

Hello, and greetings from the Central Office! It’s winter, which means power interruptions here in the Great Northwest. Most of our power (and telephone) lines are above ground, and the whole region is covered with trees that average over 100 feet tall. Trees and branches are falling constantly causing power interruptions, especially during the fall and winter. It has been getting worse in recent years, though, given that summer weather keeps getting hotter and the rainy season is ever shorter. Making matters worse, we have been getting more “atmospheric rivers” as of late, which deliver several inches of soaking rain at a time, saturating the ground. When a windstorm happens after this, large trees like cedars with shallow root systems simply blow over. They fall onto cars, houses and (of course) power lines. I’ll give you one guess whose power line was taken out by a tree today. If you guessed a Central Office with “Forest” in the name, you’d be right. I’m acting in an incident response capacity today, dealing with possibly the strangest incident that I have ever experienced in my career. But we’ll get deeper into that later. For now, let’s talk about power engineering.

Obviously, downed trees and power interruptions are nothing new in the Pacific Northwest, and we have been prepared for them for a long time–including in the Central Office where I am working today. Now, you probably don’t think of the USDA as a telecommunications regulator (the FCC writes most of the rules), but they have made a significant mark on the telecommunications landscape. I doubt that the company would have been so well prepared for emergencies if it wasn’t contractually required!

If you’re scratching your head, I’ll explain. The USDA, through the Rural Electrification Administration provides subsidized financing to telephone companies. These subsidies were intended to serve rural areas, but as the population of the Pacific Northwest grew, the Company was very effective in its lobbying to secure financing for suburban and exurban locations in its service territory. This saved hundreds of millions of dollars in interest, which could instead be used to buy back shares of company stock and help executives meet their bonus targets.

In a rare case of CEO incentives aligning with public good, the USDA loan program has underwriting requirements which enforce minimum Central Office construction standards. In fact, they publish an entire reference engineering guide, and this includes power supply and backup power requirements. With peak loads assumed, the USDA requires either 8 hours of backup battery power, or 3 hours of battery power plus a diesel generator. In 2007, the FCC eventually weighed in after Hurricane Katrina with Order 07-177, releasing a loophole-ridden, watered down rule applying to all telecommunications facilities (not just ones funded by the USDA). It was then immediately challenged in court.

This particular Central Office is equipped with a 3 hour backup battery system and a diesel backup generator. One room on the ground floor of the Central Office is dedicated to our backup battery system, and the generator is located outdoors. Both systems are required to provide enough power to run the Central Office during peak load, and do so effectively. There are varying requirements on how much of a fuel supply we need, but this Central Office was constructed in 1982, not long after the Mount St. Helens eruption (which happened in 1980). This was obviously fresh in the minds of the engineers who designed subsequent Central Offices. Without knowing what regulations might be forthcoming, they provisioned 72 hours of peak load fuel storage on-site. In practice, we have about 5 days of fuel, because the Central Office doesn’t run at peak load at all anymore, and especially doesn’t do so for 24 hours per day. As with our backup battery contract, we have a fuel services and maintenance contract with an outside vendor.

This all sounds great, right? It’s all good in theory. It’s also good in practice: this stuff is regularly used! We have weather events all the time during Pacific Northwest winters. Most of the problems I’d normally encounter would result from deferred maintenance or a component failing. This time, though, a tree is down, we don’t have utility power, and the clock is ticking. You see, our compliance department abruptly ended our contracts with our fuel service vendor who also happens to be the only fuel depot in the region. The fuel depot doesn’t know why, Compliance wouldn’t tell me why, and it finally took a Washington Utilities and Transportation Commission rule to prompt a solution.

I showed up 3 days in, while we were running on backup power. A landslide had taken out our utility feed to the Central Office, road access to the utility lines, and several utility poles along with it. Although some of our outside plant was impacted, we were lucky: we only had a few subscribers in that direction. Our power was out, though, and it was going to be out for awhile—at least two more days. This wouldn’t normally be a problem; after all, we are well prepared with backup power, and the Central Office itself was accessible via other routes. When I arrived, we had about 1/3 of our fuel remaining for the backup generator, and a battery backup operating with a failed (but redundant) PDU. Normally, none of this would be a big deal. PDU failures happen, especially when switching over to generator power, which is why we have redundant ones. We’d want to fix it before we switched back to utility power (in case the same thing happened again with the switchover), but that was manageable. Fuel is normally no problem, since roads were open and critical utilities like telephone service have priority on constrained supplies (which, in this case, weren’t even constrained). We just needed to call the fuel depot for delivery, and call our electrical vendor to fix the PDU.

This is all easy stuff—well, not easy, but manageable. We have a standard operating procedure for it. All of the contracts are in place. Should be a cake walk, right? That’s what I thought, until I called the fuel depot. “No truck. You guys terminated our contract!” said my contact at the fuel depot. “What? That doesn’t make any sense. I’ll get with the contract guys, but in the meantime, can I get the truck out? We’re running pretty low,” I said, my jaw almost hitting the floor. “Not a chance,” said my contact at the fuel depot. “Cash up front is the only way we can do business without a contract on file, and you guys terminated the contract. Send us a wire, and we’ll deliver fuel. Here are the wire instructions” said my contact at the fuel depot.

Obviously, I didn’t have the ability to wire thousands of dollars of company money to buy fuel, so I called Accounts Payable. They could pay an invoice, but it needed a purchase order. That was the responsibility of Procurement. I contacted Procurement, and they couldn’t issue a purchase order without a contract. They referred me to Contracting. Contracting notified me that they couldn’t issue a contract because they had terminated the contract at the instruction of Compliance. They suggested I talk to Compliance. I called Compliance and left a message, marking it as urgent. In our voicemail back-end system, I could see that Compliance had 143 other urgent voice messages, so I was guessing this might take awhile. OK, fine. Time to notify Compliance Legal. In the state of Washington, we’re required to notify the Utilities and Transportation Commission of critical utility outages, with an explanation as to what caused them. I left a voicemail for Compliance Legal letting them know that I would be filing a major outage report with the UTC if I didn’t hear back from them.

Well, that set off a firestorm. Compliance Legal called me back, and fast! They absolutely did not want me to file an outage report. Could I do anything to prevent this? “Yes. Help me get some fuel,” I said. “Our fuel service contract was cancelled by your department. I have no idea why.” Now, as it turns out, people in Compliance pick up the phone when it’s their own Legal team calling. The next morning, with only 15% fuel remaining, I was finally able to arrange fuel delivery and find out what happened (we paid up front just like the fuel depot asked).

Our fuel services vendor has the same name as a different fuel services company in Malta. It’s not the same company, isn’t run by the same people, and has nothing to do with them. However, there is also an obscure division of the Department of the Treasury called the Office of Foreign Assets Control, aka OFAC. They enforce financial sanctions using a watchlist—you know, sort of like the TSA no fly list and various terrorist watchlists. The OFAC list used to have a few obvious terrorists and terrorist organizations on it, along with countries sanctioned by the US (think Iran, North Korea, Cuba, etc.). These days, it’s a 13.4 megabyte file with thousands of names (including Mike. Just “Mike.” Sorry if your name is Mike). And as you have probably guessed, a soundalike Maltese fuel services company is on the OFAC block list. Now, if anyone involved in this had any common sense at all, they would have investigated a bit more before cutting off my fuel supply. But this is the corporate office we’re talking about, and they bought an AI tool to ensure compliance. So, compliance with an outage report was nearly ensured.

And with that, enjoy your winter. For my part, I still haven’t figured out why our PDU tech hasn’t arrived.


USDA Rural Electrification Administration Power Requirements For Digital Central Office Equipment:

FCC Order 07-177 (Hurricane Katrina Commission):

Washington Utilities and Transportation Commission Outage Reporting:

OFAC Specially Designated Entity list: – What to do if your credit report is OFAC flagged


Telecom Informer columns are fictional accounts based on true stories from the world of telecom. Any resemblance to actual people or events is entirely coincidental.


A New Connected World Of Mobile-Enabled Sensors (Winter 2014-2015)

Hello, and greetings from the Central Office! Since I wrote last, I have been around the world clockwise once again. It was good to catch up with friends and fellow hackers in Europe and China, and to visit the amazing technology markets in Beijing. Technology changes very rapidly in China and despite being only 6 months from my previous visit, I was really surprised to see how much has changed.

basic GSM handset image

This low cost Arcci GSM phone sells for under $8

One of the most exciting recent developments in telecommunications is the astonishing price drop in mobile phone chipsets, particularly for basic GSM technology. This is combined with massive improvements in both battery technology (which has gotten much greater), charging technology (which can reliably operate off of inexpensive solar cells), and power consumption (which has dropped). In Beijing, you can now buy a brand new, quad band, unlocked GSM world phone for less than $8. These phones can remain powered on, able to make and receive calls, with a standby time of up to two weeks in between charges. Talk time is also truly astonishing. I remember when I barely got an hour of talk time on my enormous Motorola brick analog cellular phone, but basic GSM phones now boast talk time of up to 8 hours of continuous usage—if your voice can hold up for that long!

Just stop for a minute and think about that. For under $15, you can buy a phone that works anywhere in the world for voice, text, and data, and a solar charger to go with it, and even if you don’t charge the phone for 2 weeks, it’ll still be able to make and receive text messages and can even log onto the Internet. It’s completely mind-blowing when you think about it. I think the only reason that most people in Western countries haven’t noticed is that because handsets like these aren’t widely available in wealthier places. When your mobile phone carrier’s lineup is populated with the latest smartphones, it’s hard to notice the availability of no-name Chinese brands at astonishingly low prices.

Now, let me be clear: these inexpensive phones aren’t smart phones, and they don’t support even 3G, let alone 4G technologies. However, they do work just fine for voice, low-speed GPRS data and SMS messaging. And this is the retail price, and even includes value added tax! The wholesale price is about half of this, and it’s for a fully assembled phone. So, you can infer that the component parts are even less expensive than this. Want to support the latest networks and fastest data speeds? The price is about 5 times as much, but we’re still talking about $30 for the components. Making things even more interesting, you don’t necessarily need all of the component parts involved in building a phone when you consider GSM scenarios that aren’t phone calls.

“Wait, a minute,” you may ask. “GSM scenarios that use mobile phone components but don’t involve making phone calls, you say? What might those be?” Well, actually, that’s where things have gotten really interesting. Given the confluence of low cost, low power requirements, and creative charging solutions, some new and really exciting scenarios have been unlocked. Sensors are quietly but steadily being deployed to help automate everything from water and electric meter reading to weather monitoring.

Sure, sensors have existed in various forms and in various places for many years, and there have even been previous efforts at “smart meters.” However, there have been a number of key issues. First of all, most sensors had very limited computing power, because the availability of low-cost microcontrollers with low power consumption was limited. So, the technology was there to gather data, but interpreting it had to be done in a centralized location somewhere; you couldn’t fit enough computing power on a sensor to do much meaningful interpretation. Today, with the availability of Arduino and similar microcontrollers, it’s possible to build sensors with substantial onboard computing resources, without needing a whole lot of energy to do it. This means that sensors don’t necessarily have to upload as much data to centralized locations for real-time processing anymore, because software can be more capable at making real-time decisions. Even if you didn’t need to continuously gather data, or needed to centralize processing, the capability didn’t exist to process data over a wireless WAN at high speed. Nowadays, GSM coverage is available almost everywhere, and 4G allows data transfer at speeds similar to WiFi. This combined with the plummeting cost of sensor technology has unlocked some really incredible new scenarios. Some of the most interesting innovations are in utilities and—oddly enough—agriculture.

Arduino picture

Arduino is an ideal platform for many embedded systems.

Many utilities around the country are starting to deploy smart meters, to which the tinfoil hat crowd has responded with predictable fury (they’re mainly concerned about RF emissions). The Salt River Project in Phoenix has already deployed them in most areas, and the Los Angeles Department of Water and Power is beginning to deploy these as well. While the key reason to (and most important application for) implementing the technology is eliminating the need for meter readers, smart meter technology also allows more data to be collected about energy usage, and more creative billing to take place. You might recall that long distance charges used to vary by time of day and day of week. Calls were billed based on a day rate (the highest price), evening rate (around 20% less), and nights or weekends (around 50% less). This was done to provide an incentive to shift usage to off-peak times, so the phone company didn’t have to build a lot of peak capacity that was otherwise underutilized. Your electric utility could offer similar incentives to use power during off-peak times. For example, Sunday evening is the period of lowest power usage in most cities. So, you might choose to do your laundry on Sunday evening if the rate were half as much as doing it on Monday morning.

crop moisture sensor

This sensor monitors crops for moisture

Agriculture is also seeing a lot of really interesting new scenarios in wireless sensors, which are helping to reduce waste and improve efficiency. For example, farmers waste hundreds of millions of dollars a year replacing spoiled livestock feed. Farmers buy feed and put it in storage. The feed gets wet for one reason or another, and then it spoils. Typically, farmers will find out that this happened when they go to use the feed and find that it has spoiled. So, a company called Kongskilde has developed several types of moisture, temperature and humidity sensors that can be stored with the feed. So, if a leak in the roof develops, the sensors will detect this and notify the farmer before his feed becomes spoiled.

Both of the above smart devices typically rely on a local mesh network, typically WiFi, which then uplinks data to a centralized location via mobile Internet. However, there has been a lot of recent research (with some development) on sensors that communicate directly via mobile Internet. Given the water crisis in California, one of the most interesting pieces of research I have seen involves irrigation systems that are sensor-controlled. Most irrigation systems today operate on timers, and the amount of water used isn’t an exact match for what is actually needed. So, most farmers over-water or under-water their crops (typically the former), which isn’t good for either the crops or the water supply. However, given the vast distances, mesh networks don’t make a lot of sense. These devices, along with other smart devices such as pH monitoring, can literally be “planted” along with crops. The power source? Often solar. In the case of irrigation, the amount of water sprayed can be precisely correct for the exact soil moisture level, leading to both higher crop yields and lower water usage. How can we continue to feed a rapidly expanding human population? Technologies like these will go a long way toward doing so, and they’re all enabled by telecommunications.

And with that, it’s time for me to finish eating this turkey sandwich. Hope you had a happy Thanksgiving, and best wishes for the new year! The world only gets more exciting every day.

References – A Smart Meter video from BC Hydro, which provides a good overview of the features and services brought by smart meters. – Excellent FAQ and information from BC Hydro which in particular describes the science of smart meters. Designed for the tinfoil hat crowd. – Excellent technical whitepaper on Mueller Systems smart meters. -Many technical whitepapers, along with sales brochures, for the Kongskilde agricultural sensor system. – Detailed academic paper describing a prototype GPRS-based sensor network for irrigation.


Open Sourcing The Phone System (Fall, 2014)

Hello, and greetings from the Central Office! It has been an exciting summer of travel. I had the opportunity to speak at HOPE and bSides Las Vegas, and was able to connect with hackers from all over the world. It’s always really exciting to meet and talk with really smart people, and based on the conversations I had this summer, I’m convinced that we’re really on the cusp of a technological revolution with one of the greatest convergences of computing and telecommunications the world has ever seen. The future is only going to get more exciting.

If you asked me in 1999 what I thought would be the most game-changing innovation in telecommunications, I would have said VoIP. There was a lot of really exciting stuff happening then, and the VoIP scene did in fact explode over the next few years. Broadband was beginning to become widely available, with speeds of 1.5Mbps or more at affordable prices. The release of the first version of Asterisk brought the exciting possibility of running virtual telephone switchboards completely untethered from the Public Switched Telephone Network (PSTN), and shortly thereafter, Jeff Pulver’s FreeWorldDialup exploded onto the scene with a free, open, and public directory service that anyone could use to reach VoIP services all over the world. Amazingly, the FCC ruled—in a clear nod to encouraging technological development–that FreeWorldDialup was to be considered a “digital information service” and wasn’t subject to any of the regulations encumbering the PSTN. Creating a free, public directory resulted in all sorts of VoIP services being able to reach one another at no cost through virtual “tie lines” without ever touching the public switched telephone network (and generating no long distance charges).

FreeWorldDialup logo

Closer to home for hackers, in an unprecedented crossover of the phreak and hacker worlds, the Telephreak group melded computers with phones and released a full-fledged, grassroots, information and conferencing service that was accessible both via telephone and the Internet. Meanwhile, practically every instant messaging service from MSN Messenger to Skype to the (then-new) Google Chat added voice chat capability. It seemed that VoIP was an unstoppable force. The only thing missing, surprisingly, was the users. Despite technological advances and wide availability, VoIP remained the geeky domain of VoIP hackers, IT workers, and international students keeping in touch with their families and friends at home.

telephreak logo

This is because as quickly as the explosion of broadband made VoIP possible, the world had changed even more quickly. The explosion in mobile phones made our society much more on-the-go, and calling people on the telephone from a fixed location was just too cumbersome. We began communicating in shorter bursts, and SMS became a more popular way than voice to communicate. While voice communications didn’t go away, the nascent VoIP provider market suffered from infighting. Vonage delinked its services from public directories, other VoIP providers suffered from consolidation, lack of differentiation and sometimes bankruptcy, and the market fragmented into retail and wholesale. The PSTN—with all of its attendant regulatory costs and regulatory headaches—maintained its status as directory provider for voice communications. Consumer VoIP services, software-driven, largely migrated onto hardware devices like magicJack, Vonage and Ooma. Skype was a glaring exception, having gained a foothold on university campuses worldwide and gaining popularity as a platform for video chat. On the consumer side of the business, it was simply easier to package and sell VoIP services if they were bundled with a relatively foolproof hardware product.

Although obsolete, Vonage devices are still for sale.

Although obsolete, Vonage devices are still for sale.

Meanwhile, in Central Offices everywhere, circuit-switched telecommunications gear began to be replaced by VoIP. The first big VoIP switch came with mobile phone carriers, which could easily transition long-distance service to VoIP trunks. Later, mobile phone carriers began exchanging traffic directly with one another via VoIP, as they exchanged SMS messages with one another over the Internet. Long distance carriers weren’t far behind, transitioning almost the entirety of their backbones from circuit-switched to VoIP trunks. To maintain quality of service, most “carrier-grade” long distance networks don’t use the Internet to transport calls, even though they use VoIP technologies. Instead, carriers operate their own private IP networks, separate and distinct from the Internet. Nonetheless, the cost of operating VoIP networks is much lower than operating circuit-switched networks, the capacity is greater, and—although it pains me to say it—reliability and cost of maintenance are both better. Late nights hunting down scratchy channels on recalcitrant DS-3s are, these days, a thing of the past.

While traditional POTS land line phones are still circuit-switched, connecting through the same 5ESS and DMS100 offices they did 20 years ago, land lines are largely migrating to VoIP as well. Based on the port-out rate at my Central Office, I would estimate the ratio of landlines is now nearly 50% VoIP. Although Vonage, magicJack and Ooma (among other services) have operated consumer VoIP service for years, even AT&T has gotten into the game with their uVerse product. Cable companies have, for years, offered landline replacement services (operating as CLECs), and these are all VoIP based. Eventually land lines are going to have to be all-VoIP; a 5ESS is practically an antique these days and has less computing power in sum total than my smartphone. It’s getting harder and harder to find replacement parts, and old-timers who still know how to maintain them are retiring at an alarming rate.

5ess switch

This giant piece of switching equipment, filling much of a building, has less computing power than my smartphone.

These days, with the growth of mobile phones, I see an opportunity for another wave of consolidation with VoIP. In order to use a SIP account, a MagicJack, and mobile phone service, I used to need three different devices. However, my $200 unlocked Android smartphone (a Moto G) now comes with four 1.4GHz processor cores, 16GB of solid state storage, and almost 1GB of RAM. When you consider that these specs roughly equal those of a well-equipped PC as little as 5 years ago (and actually exceed those of then-popular netbooks), it’s pretty eye-opening. So much can now be done in software.

Instead of using the magicJack hardware device, I can use their Android app. This is really handy in my new apartment, where mobile phone coverage is poor. Google Voice has its own smartphone app, which makes it practical for me to change my phone number once a month in order to take advantage of “new customer” deals with prepaid mobile phone providers (this is easily possible with an unlocked phone). My mobile phone service now costs me as little as $5 per month. And finally, I can enjoy wholesale rates on long distance calls through a SIP provider. Using the cSIPSimple app, I was able to migrate over the configuration from my SIP ATA, another hardware device. So, three different hardware devices have now consolidated into a single device that both costs less and does more than any one of the single individual devices I had before.

Moto G image

I think that smartphone apps are really the next wave in consumer VoIP and could actually have the Trojan horse potential to become the most disruptive threat the world of telecommunications has ever seen. After all, there isn’t any particular reason why you should need to have a telephone number anymore. They’re long, complicated, and hard to remember. However, in order for this to work, a free, universal and open directory service—which could entirely replace the PSTN—would need to be developed. This would be more or less along the lines of what Jeff Pulver originally envisioned with FreeWorldDialup. However, the market is Balkanized right now, with practically everyone playing in the space—from Google to Microsoft to Facebook—trying to own a “walled garden.” Everything old is new again, and the parallels to Prodigy, CompuServe and AOL two decades ago are astounding. Could the utility of a free and open network with a universal directory service supplant the tired, old model of telephone numbers, as the Internet did CompuServe? With the advent of IPv6 and the possibility of virtually unlimited Internet top level domains, I think that this is—for the first time—a real possibility. The only thing missing is the right software.

Prodigy login screen image

My favorite walled garden community was Prodigy.

Hackers are, as always, true visionaries who drive technology forward, and I think the reason why we often succeed where others fail is that we care about technology for its own sake. Jeff Pulver’s original vision for FreeWorldDialup ultimately failed when the nascent VoIP scene failed to maintain unity (and it really didn’t help that Jeff tried to turn FreeWorldDialup into a business, which ultimately failed). The opportunity is still there, though. Imagine a world where telephone numbers weren’t necessary, and long distance charges—which, honestly, are an absurd concept in the year 2014—were utterly abolished. The only things standing in the way of this vision are essentially every government in the world (for whom surveillance would become more difficult) and the entrenched interests of the telecommunications industry. Yeah, that. Most people would be too intimidated. Hackers and phreaks have never been afraid to speak truth to power, though, and have never been afraid to challenge the status quo. That’s why I’m confident that change is coming. It’ll be exciting to see what app hackers produce in the next few years.

And with that, it’s time for me to run to a meeting. I can’t really talk about what my employer is planning, but nothing good will come of it. Or maybe it ultimately won’t matter. The path forward is really up to you.


Deciphering Tracfone (Spring, 2010)

Hello, and greetings from the Central Office! I’m bundled up, have an electric heater at my feet, and a cup of tea on my desk. Yes, folks, it’s cold and flu season, and I have one or the other of them. Maybe both. It doesn’t matter, though—the company is paying a perfect attendance bonus this month, and all I need to do is make it through at least half of my shift! Outside my Central Office, we have a coin station. It’s an old Western Electric 1D2 set, and it was configured to allow incoming calls until last week. A few months ago, it became one of the busiest coin stations in the city. A shady-looking teenager would hang out all night on Friday and Saturday taking lots of very short incoming calls. A few minutes later, a vehicle would roll into our parking lot, he’d step inside to do business, and then the young entrepreneur would return to his “office.”

An office phone... of sorts.

An office phone… of sorts.

For months, this didn’t bother me. After all, incoming calls generate revenue for the company, the business activities never caused me any trouble, and it made for interesting “service monitoring.” All of that changed last week, though, when a white Camaro pulled into my parking lot at high speed. Squealing tires, skid marks, and the stench of burnt rubber hung in the air… and then the driver did the unthinkable: he burned a donut in my parking lot! Well, that was it. The next morning, my long-neglected coin station had new signage: “OUTGOING CALLS ONLY” – and my young acquaintance moved his business to the mini-mart across the street. His new “office number” became a Tracfone, telecommunications provider to the underworld.

If you have bad credit, run a not-quite-legal business, or are an illegal immigrant, Tracfone is designed for you. No credit checks or identification is required. Better yet, the service is totally anonymous and can be paid for with cash! Owned by Mexican billionaire Carlos Slim, the owner of the dominant Mexican wireline and wireless providers, Tracfone doesn’t actually operate a network in the United States. Instead, it operates as a Mobile Virtual Network Operator, or MVNO, reselling service on both CDMA and GSM networks.

I was interested to learn more about this service, so I purchased a starter kit for about $70 at Wal-Mart. It came with a Samsung T301G handset, 1 year of service, 200 airtime minutes, both wall and car chargers, and a carrying case. The SIM card was pre-installed in the handset, and was designated to AT&T (a “P4” type SIM). Depending upon the market, you may receive a “P5” SIM card, which is designated to T-Mobile.

You can set up the handset either online or over the phone. I set it up online, which was easy and straightforward. To start the process, Tracfone asked for the IMEI of the handset. Next, the site asked for personal information (which isn’t validated—you can enter anything) including a home phone number, and asked if I wanted to opt in for telemarketing and SMS ads (I declined). You can then either port in an existing cellular number or have a new one issued. I chose to have a new number issued. Tracfone requested the ZIP code where I planned to use my phone the most. I entered a Seattle ZIP code and was provided a Seattle number, issued by AT&T Mobility. At that, I was instructed to power cycle the handset. It was automatically programmed over the air and loaded with 210 minutes, with an expiration date 425 days in the future. This was better than the 365 days and 200 minutes promised on the package.

Tracfone has spent a considerable amount of effort to prevent their handsets from being unlocked. This is primarily because of the heavily subsidized nature of their handsets; phones are sold well below cost and the revenue is made up through airtime sales. SIM cards are specialized. They only work on Tracfone-branded handsets loaded with Tracfone “airtime tank” firmware. Once you insert a SIM card for the first time into a Tracfone, it’s forever married to that phone and cannot be used on any other phone. Non-Tracfone SIM cards cannot be used on Tracfone handsets, either.

The firmware of the handset is also locked down, most interestingly in the dial plan. International calls can’t be direct dialed from the handset, even to Canada. Some domestic calls are also blocked even though “Nationwide Long Distance” is promised. Calls to the Commonwealth of the Northern Mariana Islands and Guam are blocked, although calls are permitted to Puerto Rico and the US Virgin Islands. Tracfone does not appear to block calls to high access charge areas, and I was able to complete a call to a chat line in Garrison, Utah (hosted by the independent LEC Beehive Telephone Company). AT&T is the underlying long distance carrier for domestic calls.

To some degree, I was surprised at the friendliness of Tracfone billing. Unlike AT&T Mobility, Tracfone does not bill for ring time beyond the first 30 seconds. Only calls that supervise are charged, and forward audio is even sent on calls that do not supervise. On the other hand, Tracfone bills for calls to customer service, which is unusual for a wireless provider.

While a basic WAP browser is included, you can only visit a pre-approved list of sites linked from the Tracfone portal. Attempting to browse other sites yields a “403 Forbidden” error message. It is possible to download ringtones and some basic applications sold on the Tracfone portal (although some users have worked around this limitation by sending .JAR files to themselves as Gmail attachments). Not surprisingly, Bluetooth is also locked down; only headset profiles are allowed. SMS is allowed (billing 0.3 minutes per message sent or received), but is limited in the dial plan to domestic SMS only.

With all of the efforts made in locking down the handsets and SIM cards, I was curious how much effort Tracfone made to lock down the network. As it turns out, there are a couple of glaring flaws: voicemail and international calling. Voicemail deposits are free with Tracfone, and the AT&T Mobility voicemail platform is used. This service uses a “backdoor number,” to which your handset connects when you check your voicemail. The “backdoor number” is shown briefly on your handset when you hold down the “1” key. Tracfone attempts to conceal this number in the firmware by quickly wiping the display, but by watching carefully and dialing a few times, you’ll be able to capture the number. Calling directly into this number from another phone (such as a land line) prompts you to enter your mobile phone number. You can do this, press * during the announcement, enter your password, and check your voicemail for free. International calling is also free with Tracfone, provided you use a toll-free gateway operated by Auris Technology, a VoIP provider. Calls are of acceptable quality. Most interestingly, the Auris gateway uses only the ANI of your Tracfone for validation, and billing is apparently not synchronized with the AT&T or Tracfone billing platforms. By spoofing the ANI of any Tracfone when dialing this gateway, you can make virtually unlimited long distance calls to over 60 countries.

And… pardon me for a moment. I’m nearly bent in half from coughing fits, and I’m now four hours and one minute into my shift. It’s time for me to go home, and to bring this column to a close. Have a safe and phun spring, and stay healthy!

References – Tracfone official site. – Net10, a Tracfone brand with more expensive phones and cheaper airtime. – Safelink Wireless, a Tracfone product targeted toward recipients of public assistance. – Straight Talk Wireless, a Tracfone brand sold exclusively through Wal-Mart and operating on Verizon’s CDMA platform. – Tracfone tips, tricks and codes.

Other Tracfone Brands

This column focuses on the Tracfone-branded service. For your reference, Tracfone service is marketed under four different brands:

  • Tracfone: The most popular service. Available in all 50 states, offers both GSM and CDMA service depending upon the area in which subscribed. I tested GSM service on the AT&T network. Although monthly plans are available, service is primarily sold by the minute with varying rates depending upon whether the phone subscribed offers “double minutes for life” (DMFL) and the number of minutes purchased at once. Airtime for most cards expires in 90 days, with a 1 year $100 card available. Your minutes roll over if you recharge before they expire.  In general, handsets are heavily subsidized (selling for as little as $10) but minutes are more expensive. International calling is blocked, but dial-around service is available to 60 countries at no additional cost.
  • Net10: Similar to the Tracfone product, using the same billing platform, but all minutes cost 10 cents. Handsets are more expensive and airtime expires sooner. Additionally, international calls cost an extra 5 cents per minute.
  • Safelink Wireless: Operates on the Tracfone billing platform. This service provides a free phone and 55 monthly cellular minutes free for customers who qualify for a federal LifeLine subsidy (generally welfare recipients). Available in 21 states and the District of Columbia.
  • Straight Talk: Marketed exclusively through Wal-Mart, this service is sold with one of two monthly plans costing either $30 (1000 minutes+1000 text+30MB data) or $45 (unlimited text/talk/data). This service includes only Verizon network coverage, with no roaming allowed.

Unraveling The Inner Workings Of magicJack (Winter, 2010)

Hello, and greetings from the Central Office! I’m currently over the North Pacific winging my way back to Seattle. I now know the price of tea in China, the breeding cycle of the giant panda, and just how crazy payphones can get. In fact, you may see some interesting Chinese payphone pictures in an upcoming issue of 2600.

When preparing for my trip to Sichuan, one big consideration was how I’d call back home. Land lines are available and payphones are plentiful throughout China, but costs are very high using US-based calling cards (anywhere from 50 cents to $1 per minute). Slightly more reasonable rates are available using Chinese GSM carriers, but rates still average 20-50 cents per minute. Meanwhile, VoIP is very cheap, weighing in with prices as low as … well, free. That’s what MagicJack advertises, which deserved a closer look.

Of course, it’s not really free, but the promise is tempting: for about $40, you can simply plug in MagicJack and make calls anywhere in the US or Canada for free. Call as long as you want, anywhere you want, for an entire year. Better yet, each subsequent year costs only $20. The product even includes free voicemail and you can select phone numbers in whatever market you like nationwide. And best of all, no fiddling around with headsets or microphones on a computer; just plug one end of the MagicJack into your computer’s USB port, and then connect the other end to an ordinary telephone set. Heck, it was even endorsed as the 2008 PC Magazine product of the year! What could possibly go wrong?

Error screen image 

Well, if you have to ask that in the telecommunications business—especially where VoIP is involved—you probably haven’t been around it for very long. VoIP is a very complicated business, and MagicJack fails to unravel its complexity. In fact, it introduces some complexity of its own. Phone numbers in whatever market you like? Well, you may get one in the same LATA, but the end office might be a toll call to virtually everywhere. Call anywhere you want? Sure, as long as the number isn’t blocked by MagicJack (as many Iowa-based teleconference services are). Make as many calls as you like? Yes, as long as you call fewer than 60 unique numbers per day. When you install the software, the End User License Agreement (EULA) has a few very nasty surprises. And as for that PC Magazine Product of the Year endorsement (which MagicJack still advertises), PC Magazine rescinded it—something never before done in the history of the magazine.

There are four distinct components of MagicJack:

Hardware. This is made by TigerJet, a manufacturer of VoIP hardware. The TigerJet integrated chipset provides a USB audio controller, which serves as the interface between your telephone set and the computer. It also provides a CD-ROM USB device, which is used to install the MagicJack software.

Client software. Written by SJ Labs, this provides a SIP/RTP “soft phone.” It uses the CPU of your computer to encode and decode your conversations, and referencing an index of gateway servers, it uses your Internet connection to reach MagicJack’s SIP/RTP gateways. The software also logs your phone calls, sends information about you to Google, and serves advertising.

Middleware. Provided by, this software runs on MagicJack gateway servers. These are numerous and located throughout the country with reasonable proximity to MagicJack rate centers. This software provides encoding and decoding of SIP/RTP conversations on the server side, and also provides an SS7 interface to the PSTN. SIP servers appear to run on Linux, and Asterisk appears to be the switching platform. RTP servers appear to run on OpenVMS for HP Alpha.

CLEC. MagicJack is a wholly owned subsidiary of YMAX Communications Inc., a fully qualified CLEC in all 50 states. This is the ace in MagicJack’s sleeve, and appears to make possible (albeit with razor-thin margins) unlimited calling to anywhere in the US or Canada.


MagicJack software is available for both Mac and PC. I tested the PC version. Although this is supposed to be a “plug and play” installation experience, it doesn’t work if you have autoplay disabled in your operating system. To install the software, I had to hunt through the root directory of the virtual CD-ROM device (which contains a file called DO NOT USE THIS DRIVE) to find the setup files.

Running the installer downloads the latest installation files from the MagicJack site and starts up the soft phone. This allows immediately making 30 minutes of calls (over a 48 hour period) prior to registration. After you’ve reached either threshold, registration is mandatory. In this “demo” state, 800, 888, 877, 866, 500, 900 calls are blocked, as are international calls (except Canada) and calls to directory assistance.

Registering requires the following information, which is nearly as much as I need to do my taxes:

  • Your email address
  • Your street address.
  • The type of internet connection to be used.
  • Information on what type of television service you have (dish, cable, or neither) – presumably for marketing purposes.
  • Accepting the terms of service.
  • To make outgoing calls, you have to select an “I elect to accept free outgoing service (recommended)” button. It’s not clear why this is here, but it’s probably for legal reasons. MagicJack also attempts to upsell you to a vanity number ($10 per year) or a vanity last 4 digits ($3 per year). (Fig. 2)
  • You can then select a number. As of this writing, Seattle numbers were not available. In the 206 area code, only Vashon numbers were available. Vashon is an island. You have to ride a ferry there, and the island is located 30 minutes away from Seattle or Tacoma. It’s also not a local call to anything except itself and downtown Seattle.
  • MagicJack then offers insurance for $1 per year. The insurance covers damage to or failure of your MagicJack hardware, but whether MagicJack replaces your hardware is in its sole discretion. I declined.
  • MagicJack then attempts to upsell you to 5 years of service for $59.95. This equates to an additional $15 per year (sneakily, MagicJack isn’t selling a 5 year extension to what you already purchased, they’re selling a 4 year extension).
  • If you decline that, you’re offered a 1 year extension of service for $19.95. This is the same as the normal renewal price.
  • You are then offered pre-paid international calling in the $10, $20 or $40 increment.
  • Finally registration is complete. Your number is issued. I got a number ending in 666. One evening when I’m bored, I’ll contact customer service to find out whether I can get a number that doesn’t contain the Mark of the Beast. I’m sure the results will be amusing.

MagicJack upsell screen shot

MagicJack never misses an upsell opportunity

After registering, I received two email messages. The first was a 911 disclosure. It basically says that MagicJack will try to connect 911 calls, but they’re under no obligation to do so and they will only send 911 whatever information you provided at sign-up (which may not be your actual location). I also received a verification email. Clicking on the verification email specifically allows MagicJack to spam you per their Terms of Service.

Once installed, the softphone cannot be uninstalled. Yes, you read this correctly, even if you return the MagicJack the software will remain on your computer, tracking your activity and displaying ads forever (or until you track down and eradicate every piece of it).

Using the software

Once installed correctly, making phone calls is as easy as picking up the phone and dialing. That is, as long as the ports the soft phone uses are open, and as long as it’s able to communicate with the MagicJack SIP and RTP servers. There are a few additional technical requirements that are unlikely to be met on many consumer PCs, leading to a complicated and frustrating troubleshooting experience with MagicJack’s unhelpful customer service (they communicate with you only via Web chat, and generally provide canned answers that don’t apply to your problem).

While running, the client software handles SIP/RTP in the background. The SIP credentials use a salted hash password, which means that it could be cracked via dictionary attack (this could allow you to, for example, clone your MagicJack account to a SIP ATA). The client also displays advertising and secretly sends information about you to Google via the domain. “Don’t be evil,” indeed.

The user interface allows selecting between normal broadband connections and high latency, slower speed aircard connections. Normal broadband connections appear to use the GSM codec, while aircard connections use a poorer quality (but lower bandwidth) codec.

Obviously, as a phreak, I tested the entire dial plan. Here are my observations:

  • Voice quality ranges between poor and terrible. Folks, for $20 a year, you get what you pay for! It’s too poor to pass DTMF in most cases. The quality is also too poor to maintain a data (such as fax or modem) connection, making for a frustrating experience sending faxes or calling dial-up BBSs.
  • As compared to other VoIP services I tested, Skype, Gizmo5, IPKall, and Google Voice all provide a markedly superior VoIP experience. In my market, MagicJack quality is so poor that the service is virtually unusable.
  • Disconnected numbers ring indefinitely and then go to reorder. No SIT tones and no recording, so it’s really difficult to know what went wrong.
  • ANI and Caller ID do pass correctly.
  • Either 10 or 11 digit dialing goes through, but 7 digit dialing is not allowed.
  • All circuits busy recordings are played.
  • Calls to numbers that don’t supervise go through, and they even send forward audio.
  • Calls to Canada and the US are free, including Alaska, Hawaii and Puerto Rico. However, USVI isn’t considered domestic and isn’t allowed without purchasing international credits. Guam and the Commonwealth of the Northern Mariana Islands are also considered international.
  • Calls to 800/888/866/877 numbers go through without issues. However, calls to UIFNs fail without any international calling credit. I’m not sure whether they go through or bill properly with international calling credit on the account, because I didn’t buy any.
  • Calls to a carrier access code plus any number route to a recording that says “You have reached a YMAX Communications test number. This call was successful.”
  • Dialing 0 provides instructions to dial the area code and telephone number. 0+ calls yield the same results.
  • While most calls appear to be routed either through local access tandems or dedicated interconnection trunks, YMAX doesn’t have interconnection agreements with every ILEC, CLEC or wireless carrier. For these calls, AT&T appears to be the long distance carrier (based on all circuits busy recordings). The trunk used is 062T, which is the New York 24 tandem.
  • Call waiting works correctly. There is no 3 way calling available on outbound calls. A 3 way calling feature for inbound calls is available, but I couldn’t get it to work.
  • Voicemail is available, and is surprisingly rich and full featured. The terms of YMAX’s interconnection agreements require a reasonable degree of traffic parity for the “bill and keep” arrangements made, so YMAX definitely wants you to receive calls.
  • Call forwarding is available via the MagicJack website. You can log in to set up forwarding.
  • *67 doesn’t work, and there’s no apparent way to block caller ID (either per-call or permanently).

The Ace in MagicJack’s Sleeve

Unless MagicJack is a giant Ponzi scheme, how could they possibly afford to provide unlimited calling for only $20 per year? This is something I really wanted to find out, given the spectacular collapse of previous VoIP services priced well below market.

What I discovered is that $20 per year may become the new market price for voice service. MagicJack is a subsidiary of YMAX Communications Inc., a fully qualified CLEC with a management team consisting of numerous telecommunications industry veterans. These folks knew what they were doing, and played their cards very shrewdly when setting up the company. In reviewing the interconnection agreements filed between YMAX and AT&T for its 13-state region (handled by, the billing arrangement is consistently “bill and keep” and is not subject to access charges (a topic I’ve written extensively about in previous columns). There is one exception, which is ISP-bound traffic. This is subject to a .0007 cent charge per minute of use, where activity exceeds a 3:1 terminating to originating ratio. This is clearly why MagicJack provides such full-featured voicemail; they need to maintain at least this balance of inbound to outbound calls in order for their business model to work. In fact, it is possible (though unlikely) under this arrangement for YMAX is to receive reciprocal compensation from AT&T for inbound calls to MagicJack lines while terminating calls for free to AT&T’s network. In many states, it’s difficult to obtain access to tariffs without paying. However, I was able to review a Qwest tariff for Montana and a Verizon tariff for Illinois containing similar terms, so it’s reasonable to believe that YMAX has pursued a consistent strategy with respect to interconnection.

While the underlying carrier (YMAX) is a CLEC, MagicJack is specifically not offered as a CLEC product. The terms of service explicitly state that MagicJack is “…a multimedia experience which includes a voice over Internet information service feature. It is not a telecommunications service and is subject to different regulatory treatment from telecommunications services.” This appears to exempt MagicJack from essentially any regulation from either the FCC or local public utility commissions.

And with that, Skram will hate me. I’ve used more space than I’m usually allowed, which will make his job of laying out the magazine more difficult. It’s time to bring this column to a close. Have a safe winter… and if you make it to China, enjoy the Harbin ice sculptures, try some delicious Uighur cuisine, and don’t miss the pandas!

References – Site with lots of interesting information using MagicJack in undocumented ways. – Official MagicJack site. – SJ Labs site. You can download their legacy softphone product here. – Corporate site for YMAX Communications, parent company of MagicJack and SJ Labs. – TigerJet, manufacturer of the chipset used in MagicJack hardware.

Shout outs to: Chronomex, afiler, javantea, maokh, inf0reaper, Dan Kaminsky, and the Metrix Create:Space crew.


Operator, May I Help You? (Fall, 2009)

Hello, and greetings from the Central Office! It’s autumn in Puget Sound country, which means the skies have returned to their usual leaden gray. It also means leaves from my no-good, lazy unemployed neighbor’s trees are covering my lawn. After all, he’s too busy cashing unemployment checks and watching “Jerry Springer” to do any actual work. I’m thinking of returning this week’s batch of leaves in his mailbox, special delivery, with a few extra copies of his overdue phone bill and maybe a rotting salmon carcass for good measure.

All this fuming got me to thinking what would happen if my deadbeat neighbor’s line is disconnected for non-payment. He’ll probably be reduced to calling his parents collect to beg them for money. I’m not a big fan of my neighbor, but I like his parents, and I’d hate for them to be stuck with a whopper of a bill. Although 97% of collect calls are from prisons and jails, there are still a healthy number of collect calls in the mix. And as it turns out, unlike in the good old days of the Bell System where rates were high but at least consistent, today’s collect calling rates range from high to completely outrageous.

Younger readers growing up in the world of unlimited cell phone plans and unlimited long distance may not even know what a collect call is, or how to use other types of operator handled calls. In a world where long distance calling is effectively free, it’s very unusual for many types of operator handled calls to be made these days. However, the following operator handled call types are still available from AT&T long distance operators and from local ILEC phone company operators (although you may have trouble finding an operator who actually knows how to place them).

Picture of telephone operators

Operators in 1952 had no trouble placing any kind of call. (Photo credit: Seattle Municipal Archives)

All billing for operator-handled calls is either based on a station-to-station or person-to-person call:

Station to Station: This is the same billing as just dialing 1+(NPA) NXX-XXXX direct, but you can have an operator dial the call for you. Operator dialed station-to-station calls are generally handled for visually impaired or disabled customers, and extra charges are waived for such customers. In general, operators only dial station-to-station calls for ordinary customers when they report trouble on the line, and surcharges are also waived in such instances. However, station-to-station rates can also apply to calls with special billing arrangements or where time and charges is requested.

Person to Person: When long distance calls were very expensive (particularly international long distance calls), you took a big financial risk by calling station-to-station. If the person you were trying to reach wasn’t there, but someone else answered the phone, you’d still have to pay for the call. With a person-to-person call, the operator takes the name of the person you are attempting to reach and will try to contact that person directly. You are only connected (and charged for the call) if the operator can reach your party. Of course, a hefty surcharge is collected for this service.

Once you decide the type of call you want to make (assumed to be station-to-station if you don’t specify otherwise), you must decide how to pay:

Calling Number: You can bill the phone number from which you’re calling—provided it’s not blocked. This billing method is often used by PBX and VMB phreaks. Believe it or not, some COCOTS allow this too!

Calling card: The ILECs and many independent phone companies issue calling cards. These can be used all over the world to charge calls to your home telephone bill—generally at outrageous rates. These are different than calling cards issued by long distance carriers, for which calls are billed directly rather than being billed through your telephone company. Note long distance carriers can bill ILEC calling cards, but it doesn’t work the other way around.

Collect: When you make a collect call, it’s free to you. However, the person you are calling must agree to pay the charges. Overseas, this is called a “reverse charge” call. Speaking of calling overseas, it’s possible to call phone numbers in the US collect using the dominant fixed line carrier (such as NTT in Japan, BT in the UK, Telkom in South Africa, etc.) and vice-versa.

Third Number: You can bill someone else’s phone number for a call you want to make. In fact, you can call anywhere in the world—as long as they agree to pay the charges. You wouldn’t believe how often people will agree to pay for your calls!

Time and Charges: You can request that a call be placed with “time and charges.” The operator will place the call with the type and billing you direct. After the call is completed, an operator will come back on the line to say how long you talked and how much the call cost.

Busy Line Interrupt: If you claim there is an emergency and agree to pay a fee for the service, an operator can break in and interrupt a call in progress. The operator will not connect your call to the existing call in progress, but will inform the called party that you are trying to reach them.

Busy Line Verification: An operator can verify that a line that rings busy is actually busy (not just off hook).

It’s worth noting that CLEC, independent, mobile phone and competitive long distance carriers are not generally required to offer operator services, except to the disabled. Where they do so, available services may vary. It can be fun finding out which services are offered, and how accurate the billing is.

But I digress. Back to my pitiful neighbor and the collect call he’ll be making to his parents. The traditional way to call collect (from either a fortress phone or a POTS line) is to dial 0 plus the area code and phone number you’re calling. You’ll hear a “bong” tone, at which time you dial 0. Either an operator or (as is usually the case these days) an automated operator will ask you what type of call you are making: collect, billed to a third number, or billed to a calling card. If you’re calling collect or billing a third number, a Line Information Database (LIDB) lookup is processed on the back end to determine whether the number you are calling is authorized for billing. In general, only fixed-line residential and business numbers can be billed for such calls, and most CLECs and VoIP providers do not support this billing type. Assuming that this criteria is met (and believe me, given the number of disconnect orders I’m processing on a daily basis, it’s a rapidly dwindling criteria) you’ll be asked for your name. Otherwise, you’ll be asked to pay another way.

The operator will then dial the number you are billing and will ask if the charges are authorized. If someone at that number accepts the charges, your call will be connected. If it’s a collect call, you’ll be connected to the number you’re billing; if it’s a third-party billed call, you’ll be connected to the number you’re calling.

Third-party billed calls are not always verified before they are connected; this is at the discretion of the carrier and generally depends upon the type of phone you’re calling from. For example, if you’re calling from a home telephone or business line, AT&T will third-party bill calls without verification provided that a LIDB lookup indicates the line can be billed (or the LIDB lookup fails, which happens occasionally). If charges are disputed by the third party, AT&T will back-charge the originating number. However, if the charges are again disputed, AT&T simply eats the loss and blacklists the originating number for future unverified third-party billed calls.

When you follow the standard procedure to place a “0+” call, you will more likely than not be connected to an “alternative operator service” or AOS. OCI was one of the first carriers in this market, charging very high rates to consumers and paying fat commissions to owners of payphones choosing their services. Their operator service platform was poorly designed and their operators were poorly trained, so was frequently exploited by phreaks in the early 1990s. Even today, shady AOS practices continue; consumer complaints are rampant about charges exceeding $5 per minute for collect calls. Muddying the picture further are toll-free “dial-around” services such as 1-800-FAIRCALL and 1-800-COLLECT, which are completely unregulated. Here are some example rates for a collect call:

  • 1-800-ONE-DIME: Operated by Sprint; 10 cents per minute plus a $2.99 operator surcharge.
  • 1-800-COLLECT: Operated by Verizon; $4.99-$6.49 surcharge, 55 cent additional payphone surcharge, $1.59 per minute + 12.9% USF + tax.
  • 1-800-CALL-ATT: This service allows collect calls to prepaid and post-paid cell phones from AT&T, Sprint and T-Mobile post-paid accounts. The charge is a flat $9.99 for up to 20 minutes. If you’re calling a land line using 1-800-CALL-ATT, it’s paradoxically more expensive: there is a $7.50 surcharge and the rate is $1.29 per minute plus 12.9% USF + tax.
  • 1-800-CALL4LES(S): $3.99 surcharge, 25 cents per minute flat, allows billing to cell phones (excluding Verizon and Alltel).
  • Qwest 0+: For intraLATA calls in Washington state, 50 cents to connect and 45 cents per minute.

The ability to call cellular phones collect is a relatively new development. To accomplish this, carriers use the premium SMS platform for billing (I have written about this topic previously).

Well, I’m out of space in this column, so it’s time to rake my lawn again and bring this issue of the Telecom Informer to a close. I’ll see you again in the winter. In the meantime, keep our operators busy making person-to-person third party billed calls with time and charges!


Understanding The Unusual iDEN Network (Summer, 2009)

Hello, and welcome to the Central Office! Spring has turned into summer once again, the most beautiful time of the year here in the Pacific Northwest. Bing Crosby once sang that the bluest skies he’d ever seen are in Seattle. On this gorgeous day, most of which I spent in the Westin Building working on a troublesome tandem trunk, this was certainly the case. Incidentally, I’m beginning to wonder if I’m the only technician left in the state who still knows how to fix anything, or if I’m just the only sucker who was willing to take the job.

The very concept of Skid Row was invented in Seattle. It ended near Pioneer Square, today the center of Seattle’s nightlife. So it’s probably appropriate that this is today’s setting for the ugliest gutter trash bastard child of telephony, the Motorola iDEN system. Visit Pioneer Square any weekend, and young twentysomethings living the Thug Life are everywhere, their Boost Mobile iDEN handsets chirping away in profound, meaningful dialogue: “YO CRACK DAWG WHERE U AT??? I LOOKIN’ FOR DA FEMALES!”

iDEN is a proprietary standard first commercially deployed in 1994 on the Nextel network. Nextel operates in 800-900MHz spectrum called “SMR,” which was originally intended for the purpose of taxi dispatch systems, construction radios, etc. To acquire its spectrum, Nextel literally went from city to city buying dispatch companies and similar businesses. In this manner, Nextel built the first nationwide mobile telephone network free of roaming charges. iDEN handsets look like cellular phones and quack like cellular phones, but legally they aren’t. They are trunked business radios with the ability to make phone calls.

Nextel handset

It looks like a cell phone, but legally it’s a trunked business radio

When Sprint bought Nextel in 2005, the network was already suffering from capacity limitations. Additionally, the SMR spectrum on which Nextel operated was adjacent to numerous public safety frequencies. The iDEN network resulted in considerable interference to users of these frequencies, prompting numerous, urgent complaints to the FCC by public safety agencies. After protracted negotiations, Sprint agreed to vacate portions of the SMR spectrum (through a process called “rebanding”) in exchange for vast swaths of RF spectrum in the 900MHz and 1800MHz bands. This process was completed in the summer of 2008. The general consensus at the time was that Sprint made out like a bandit on the deal.

During rebanding, the Nextel network (which was already capacity constrained) began to experience serious problems with dropped calls, system busy messages, and incoming calls delivered straight to voicemail. Predictably, Nextel users began leaving Sprint in droves, on average more than one million customers per quarter. By early 2009, the dust had finally settled from rebanding mayhem—but there were hardly any Nextel customers left to care. It’s less clear now whether the spectrum swap deal was as good for Sprint as analysts initially assumed.

Meanwhile, Sprint had a largely moribund business to contend with, which was called Boost. While Nextel was still an independent company, they signed a wholesale Mobile Virtual Network Operator (MVNO) arrangement with Boost Mobile, a prepaid lifestyle brand focusing on young urban customers. The brand did very well under independent management, and quickly grew to become one of the largest MVNOs in the country. Shortly after the Sprint-Nextel merger, Sprint acquired the Boost brand and brought it in-house. And then they proceeded to do almost nothing with it.

However, in the second quarter of 2009, finding itself with plenty of spare unused iDEN capacity, Sprint launched the Boost Monthly Unlimited plan. This plan offers “all you can eat” access to voice, data, text, Picture Mail and walkie-talkie services. Literally everything is covered except for international usage, and at half the price of similar “unlimited” services. However, no roaming is available, making the service less expensive for Sprint to offer. This is because coverage on the iDEN network is limited to Nextel’s native footprint and roaming is only available (at extra cost) on a few select foreign carriers in North and South America.

Boost Mobile logo

Boost handsets have a telephone number, an IP address (assigned whether or not you subscribe to data service), and a “Walkie Talkie” number (used for trunked radio). Using the “Walkie Talkie” number, which is in the format 112*nxx*xxxxx, Boost handsets are capable of trunked radio communication with any Boost or Nextel handset (along with select foreign iDEN carriers). However, Boost does not offer a talk group feature, limiting the utility of this feature. The IP address is used by the mobile browser, but is always in the 10.x.x.x IP space (which is non-routable).  There is also a PSTN telephone number, and like other mobile phone services, Boost is capable of sending and receiving SMS and MMS messages.

Telephone service on Boost has some unusual features and limitations for wireless carriers in general, but especially prepaid carriers. Voicemail is available, but it answers after just three rings—and this interval is, incredibly, neither configurable nor adjustable by Customer Service. Caller ID is available, but 3-way calling is not. Call Waiting is, strangely, only available for Monthly Unlimited plan subscribers. Although 3-way calling isn’t available, Boost iDEN supports an unusual feature allowing you to place the active call on hold (of course, billing while the call is on hold) so you can place another call in the background. You can then switch back and forth between calls, but you cannot join them. Another unusual feature allows you to configure your handset so it automatically answers after a specified number of rings. And Boost offers a rich and full featured call forwarding option, allowing you to forward calls to another number either immediately or after a specified pause. Like most prepaid wireless carriers, Boost offers international calling. However, users must contact Customer Service to have it specifically enabled, and many representatives do not know how to accomplish this. International calling rates are better than most prepaid carriers, although STi Mobile (a Sprint CDMA MVNO) offers better pricing overall.

Text messaging is also distinctive on Boost, and uses the MMS standard for backhaul. MMS is more commonly used for picture and video messaging on other carriers. This results in some incompatibilities, particularly with short codes. As of this writing, the 466453 (GOOGLE) short code has been enabled, but the 40404 (Twitter) short code does not work. Performance is also slower than with most other mobile carriers, because messages must be uploaded and downloaded via packet data (rather than by using spare capacity in the control channel, as is the case with MO-SMS on CDMA and SMS on GSM).

iDEN data runs at approximately 14.4Kbps peak, and is a 2G data service. The wIDEN 2.5G standard allows for 144Kbps peak. Sprint deployed wIDEN in major metropolitan areas between 2007 and 2008 and tested it for several months. Inexplicably, they cancelled the upgrade project in mid 2008 and disabled wIDEN. Although many handsets sold on the Nextel and Boost networks are wIDEN-capable, it appears that this project has been mothballed. Customers requiring high speed data services are steered to 1xEV-DO handsets on the CDMA network. As is the case with most data protocols, iDEN does not allow for simultaneous voice and data usage. While users can place outbound calls from within a data session, data transmission stops in the interim.

Although speeds are slow, Boost users with certain handsets (such as the i425) are able to achieve a tethered connection to a Windows laptop. This is surprisingly easy; one need only install the Motorola iDEN driver, connect the handset to the laptop using a USB cable, and then set up a dial-up connection with the telephone number S=#777 (leaving the username and password blank). Even on the least expensive prepaid rate plan, there is no billing for data usage; it is not necessary to have a data plan for this feature to work (an important distinction, because for all plans except Monthly Unlimited, data service costs 35 cents per day regardless of actual usage). While the experience is very low bandwidth, it is suitable for shell access and email.

For a brief period in mid-2008, Sprint launched a Boost product on the CDMA network. This was discontinued in early 2009. If you are still able to find a Boost CDMA handset, many users have reported that it is possible to activate it on an iDEN Boost plan (such as Monthly Unlimited), and it’s even possible to social engineer Boost customer service into performing an ESN change to a Sprint CDMA handset or PDA. Although coverage is limited to the native Sprint CDMA network, and no roaming is allowed, an iDEN plan on this network provides exceptional value (unlimited calls, SMS, and 1xEV-DO data service).

And with that, the time has come once more for me to go. I’m finished here at the Westin Building, and it’s time to put the finishing touches on the Toorcamp main stage! Incidentally, have you heard of Toorcamp? Come to the Pacific Northwest over the 4th of July weekend and be part of the first ever full scale hacker camp in North America. Based at a former nuclear missile silo, the organizers are planning a hacker extravaganza of art, music, cool hacks and fun projects. I’ll see you there!

REFERENCES – Toorcamp – North America’s first ever full-scale hacker camp! 4th of July weekend, 2009. – Boost Mobile official site


  • To Art Brothers and the great folks at the Beehive Telephone Company, thanks very much for your hospitality! I do hope to visit one of your solar powered Central Offices.
  • To ThoughtPhreaker, it’s always phun seeing Portland phriends! Keep exploring, but stay out of trouble. 🙂

The Curious World Of Telecommunications Tariffs (Spring, 2009)

Hello, and welcome to the Central Office! I don’t have a cold but I’m sneezing, which signals spring—my least favorite time of the year here in the Great Northwest. It’s barely discernible from winter, except that everything starts blooming, the roots start attacking my sewer line, and a handkerchief becomes a nearly permanent fixture on my nose.

So, in keeping with my least favorite springtime things, I could write a long rant about the pack of thieving raccoons that lives behind the fence and knocks over my garbage cans. Or about the gopher who pushes up little dirt mountains all over my lawn. I could write a rant about the teenage heavy breathing I barely ever hear anymore during my “service monitoring” because the kids are skipping the talk and just sending compromising picture messages to just the two of them and the whole Internet. Instead, though, I’ll take you through the dank, dripping hallways of any regulated utility’s nemesis: the state public utility commission.

Washington Utilities and Transportation Commission logo

Nearly every aspect of telephone service was once regulated, ranging from directory assistance to the placement of telephone poles to the format of your bill. Actually, all of those things are still regulated, but many other services (such as long distance, Internet, and voicemail) are effectively not. In fact, cell phones, long distance, Internet service, VoIP and most other ways of communicating are all but unregulated. However, traditional telephone service remains a regulated utility, like electric or gas utilities. Services from your telephone company are largely regulated by tariffs, both at the federal and state level. Republicans generally oppose federal regulations, and as they have exerted political control over the past 8 years, there has been a deliberate and substantial dismantling of nearly a century’s worth of federal regulations on telephone service (apart from surveillance requirements, which have increased substantially). In effect, most federal agencies have only token, toothless enforcement mechanisms and commissioners are lap dogs of the industry.

Ostensibly the FCC regulates long distance telephone service, but tariffs are no longer reviewed or approved and are self-reported by the carriers on their own Web sites. There’s a really tough enforcement mechanism for any failures, though; long distance carriers are accountable to themselves to self-report any lapses. If your phone company has accepted certain government funds, it might also be regulated by the Department of Agriculture’s Rural Utilities Service (formerly known as the Rural Electrification Administration) which provides funding for network development in rural areas. As I’ve written previously, the FBI has been granted de-facto regulatory power over the telephone system’s surveillance capability, known as CALEA. The NSA has also (presumably) been granted secret powers to do secret things in secret facilities constructed at tandems across the US, but whether or not they have been granted this authority is in itself a secret.

Room 641A

Room 641A, widely believed to be a NSA facility at AT&T’s San Francisco tandem

Most states have not been as easily convinced as the federal government to give up regulatory authority within their jurisdictions, and unlike the federal government, they generally do not conduct their business in secret. Telephone service—at least the ever-dwindling parts of it under state jurisdiction—is strictly regulated by the PUC’s regulatory tariffs. Here in my Central Office, services are divided and catalogued as regulated and deregulated. Trouble tickets on deregulated services almost never result in overtime, and I can work them more or less at my leisure (strictly within union work rules of course). Telephone companies love deregulated services. They can charge whatever rates they like, change the rates as often as they like, offer whatever promotions and marketing bundles they like, and they’re not accountable to the PUC for delivering any particular level of service quality. After all, if you aren’t satisfied with the service, your only meaningful recourse is generally not to subscribe.

Regulated services are an entirely different matter. Everything from the number of blocked circuits to outside plant demarcation points to billing practices—and most importantly rates—are regulated by the state Public Utilities Commission. The telephone company publishes a service catalog for both regulated and unregulated services, and for regulated services, publishes tariffs. It is accountable for delivering services exactly as advertised in the service catalog, and precisely according to the rates and conditions outlined in the tariff. Deviations are not permitted in any way. Only the services described in the tariff can be offered, at the prices they are advertised, or heavy fines can result.

For the curious phreak, browsing tariffs can result in some fairly interesting discoveries. For example, despite party lines having been obsolete for decades, there still exist tariffs for them in many states that grandfather existing users. I recently disconnected the final remaining party line in my wire center, which belonged to a subscriber who was 92 years old and had maintained the same service since 1946. In effect, she didn’t really have a two-party line anymore; the other party on her line moved away in the early 1980s after party line service was discontinued for new subscribers. However, her rate was grandfathered in under the old tariff, which was last revised in 1971. Other tariffs provide geographical exceptions. When a new Central Office is constructed (an incredibly rare event these days, but not uncommon in the rapidly growing Western US as little as 25 years ago), the serving boundaries are strictly defined by tariff. Accordingly, people living in the area with existing telephone service have to be explicitly allowed to maintain service from their existing wire center. Qwest, in fact, has an entire section of their tariff library in each state dedicated to obsolete tariffs detailing the rates and terms of services that are no longer offered, but are still maintained for existing subscribers.

On a more practical level, browsing tariffs is a good way to learn exactly how much you can squeeze out of your phone company in promotions or retention offers. In general, all of these offers have to be filed with the Public Utility Commission. For example, in Washington, Qwest can offer you a promotional credit in a value equal to three months of the service to which you’re subscribed. They can only do this once every two years, either to win a new subscription or to stave off a cancellation. And that’s all they can offer, but they don’t have to offer you the maximum (and usually won’t as a starting point for negotiations).  Of course, if you read the tariff, you’d settle for nothing less than the maximum.

Finally, understanding which services are in the catalog, their brand name, and the applicable Universal Service Order Code (USOC) can help you save money (sometimes a lot of money) on features. For instance, there is more than one way to skin a cat, and there’s more than one way to have a phone number in a different wire center ring your line in my Central Office.  Most people needing this capability order a foreign exchange circuit, which bills a hefty setup fee and an even heftier monthly fee (including a mileage charge). The bill can easily run to over $100 per month or more. Alternatively, you could order a cheap, obscure and rarely used service called “Market Expansion Line” for business lines, or an even cheaper and more obscure service called “Number Forwarding” that is the exact same thing minus a Yellow Pages listing. These services set up a “ghost number” in the remote office, with permanent call forwarding to your regular number. The business office will sell these services to you, but only if you ask for them specifically; otherwise they’ll sell you a foreign exchange circuit. The only thing you give up is a dialtone from the distant Central Office, which can help you avoid intraLATA toll charges in limited circumstances. These days, long distance is—in almost any usage pattern—less expensive than a foreign exchange circuit. Nonetheless, even though foreign exchange circuits almost never make financial sense, busy Central Offices still do a brisk business in them. One local plumbing company has over a half-dozen foreign exchange circuits, all of which are—in my estimation—completely unnecessary. Unfortunately, I can’t advise them that they’re wasting money because the tariff strictly regulates subscriber privacy, and I’m not allowed to use subscriber information to suggest products or services without the subscriber’s explicit consent. And considering the subscriber has to contact me before I can request that consent, I’ll probably retire before I can save these folks a dime.

And with that, it’s time to bring this issue of the Telecom Informer to a close. Drive carefully while sneezing from all the pollen. And remember that if you wrap your car around a telephone pole despite it all, you can blame the Public Utilities Commission for its placement!

References – Qwest tariff library – AT&T tariff library – Verizon tariff library – Hawaiian Telecom tariff library – Pay site that tracks tariffs across substantially all telecommunications providers – Oregon PUC – Washington Utilities and Transportation Commission


The Magic Of Outside Plant (Winter, 2009)

Hello, and greetings from the Central Office! It’s right around winter solstice here in the Pacific Northwest, where the sun comes up around 8 in the morning and sets just after 4pm. And outside, it’s rainy, windy, and miserable. Yes, just another day of relentless winter assault on the outside plant serving my Central Office.

Around here, most people go to work in the dark and come home in the dark in often dangerous driving conditions. Inevitably, a few cars get wrapped around utility poles this time of year, knocking out electric power and telephone service. Making matters worse, they don’t call Washington the “evergreen state” for nothing. There are literally millions of Douglas fir, Sitka spruce, and Western Red Cedar trees (among others) standing over 200 feet high. Their branches are as large as entire trees in most other parts of the world. When the wind gets up to 100 miles per hour (as it did last year during the Hanukah Eve storm), falling branches can take out utility lines just as easily as falling trees. When phone lines aren’t being knocked down one way or another, they’re being pelted by rain, whipped by wind, and even stolen by thieves motivated by the high price of copper. Add to the fact that telephone cables can be decades old, and it’s sometimes a wonder that anything ever works at all.

A switch is no good if you don’t have a continuous loop to it, and most of that loop is what we call the “outside plant.” Why outside? It’s outside my Central Office. Everything in here—the switch, frame, battery room, etc. (where it’s loud, dry and a balmy 68 degrees) is the “inside plant.” And outside it is… literally millions of miles of cable criss-crossing the globe and linking nearly every household in North America. Long distance trunks are redundant, and networks are designed in ring topologies such that a cable carrying your telephone call can literally be cut in two without any impact to your conversation. Many interoffice trunks are similarly designed. Unfortunately, the most vulnerable part of the network is the loop between the Central Office and your house.

Telephone cables typically either run on poles or underground. Inside of a cable, there are up to 4,200 twisted copper pairs. A pair of thin copper wires, known as tip and ring, is what brings a dialtone to your house. This forms a continuous (albeit often spliced) copper loop between the NID on the side of your house and the frame inside the Central Office. Inside a cable, up to 100 pairs are grouped together in a collection called a “bundle,” which is wrapped in an inner sheathing, and then the bundles are wrapped together in a tough outer sheathing. There are many different types of sheathing, and the type used largely depends upon the area in which a cable is deployed and the age of the cable. For example, in Brazil (where termites are a huge problem), specialized termite-resistant outer sheathing is often used.

Your phone line is somewhere in here.

Your phone line is somewhere in here.

Hungry termites, of course, aren’t the only enemy of a telephone cable, or even the most common one. Here in the Pacific Northwest, the weather is the biggest issue for linemen to contend with. Whether a line is downed by a fallen tree or crashed automobile, police and fire departments are often the first ones to respond. Safety is a major concern of first responders, as they don’t always know whether a downed line is a dangerous high-voltage electrical line or a relatively benign telephone line. Fortunately, there is a service called One-Call, formally known as the Utility Notification Center. By dialing the appropriate telephone number, first responders report downed lines to One-Call as soon as they arrive on the scene. Based on the address and/or other identifying data (such as number plates on the affected telephone pole), One-Call then notifies the affected utilities of the outage, who each respond by rolling a truck.

Anywhere from a few minutes to several hours later (depending upon how nasty the weather is and whether the technician called is union or not—somehow, non-union techs don’t seem to like getting up at 3am in nasty weather for the measly $11 per hour their companies pay them), a truck will roll up to the scene. If multiple lines are down, multiple trucks from multiple utilities will roll. Unfortunately, if a power line is down, nobody can start repair work until the power utility shows up to de-energize the line.

Cable damage resulting from weather isn’t always as dramatic as drunks crashing into telephone poles or tree limbs crashing onto lines. Oftentimes, it happens slowly over many years. Copper does corrode when exposed to moisture, and sheathing on its own is insufficient protection against the elements. In particular, this is the case when cables are older than my mother (as is the case in parts of New York City), and are wrapped with little more than treated paper. As anyone who has ever visited Manhattan knows, there are underground steam lines everywhere—and they leak. This blasts hot, moist steam at anything in the vicinity, including telephone cables. Verizon solves the problem there by pressurizing underground cables with cold nitrogen, delivered from tanks placed throughout the city. This keeps cables dry and mitigates the corrosive impact of steam, as nitrogen is an inert gas. Similar tanks are used by AT&T in the Houston area, due to the moist climate there. You can see them placed at many junction and other equipment boxes. Conversely, in desert areas, such as the Valley of the Sun in Arizona, no measures beyond heavy-duty sheathing are taken to protect cables. This is because what little rain falls in the area evaporates quickly, and rarely penetrates far enough (or hangs around long enough) to result in corrosion damage.

Here in the Pacific Northwest, nitrogen tanks are rarely used. Most of our outside plant dates from the 1960s or later, although in a handful of places there is still cable in use dating from the turn of the 20th century. In this area, most cables are filled with a substance called icky-pic. How did it get its name? Well, icky-pic is the vilest substance known to mankind. If you get it on your clothes, in your hair, etc. you’ll never get it out. It sticks to everything, ruining whatever it touches. Including your eyes; if you get it in your eyes, it will literally blind you. Oh, and to top it off, the stuff is actually flammable (being petroleum based), so it should never be used indoors. But icky-pic is inert, and water can’t penetrate it, and it’s flexible (because it’s a gel) so you can fill cables with it. So for this area, it’s a perfect solution. That is, until the outer sheathing of the cable eventually ruptures after 40 years of neglect and the icky-pic leaks out. Eventually the cable will then corrode, and a splicer will have to repair the damage.

Splicers, incidentally, repair all sorts of interesting damage, on both fiber-optic and copper cables. From euphemistically named “backhoe incidents” (yes, any idiot with a backhoe can knock out phone service to over 1,000 homes) to underwater lines caught by boat anchors to more garden-variety damage such as drug addicts cutting out sections of cable to sell as scrap (yes, this really happens), these folks have a very tough job. Piecing 4,200 individual pairs back together is a very detail-oriented job, but good splicers need to work fast. After all, if a splicer is on the job, it usually means a lot of folks are without phone service.

Working as a lineman can be a dangerous job, since it involves working around electrical cables and more than occasionally working around slipshod, improperly grounded cabling done by low-bidding non-union contractors. For example, bucket trucks come in grounded and non-grounded versions, so as you might imagine, it’s highly important for linemen to know which tool is appropriate for the job. While linemen are not electricians (different union), they are trained in the portions of the National Electrical Code (NEC) applicable to their jobs. Safety meetings, while both frequently required and the bane of any lineman’s existence, are an important tool used to communicate the latest procedures and information.

And with that, it’s time for me to take a nap here at the Central Office. Safety meetings are the bane of my existence too, and I have a required one today. But it’s online, so I can sleep through it without anyone noticing!

REFERENCES – One-Call Utility Notification Center for the Pacific Northwest. – Description of termite-resistant cable sheathing. – Article on nitrogen tanks in New York City. In particular, see the comments from SplicingDan. – Proper grounding is very important in outside plant. This is a great walkthrough of the NEC (National Electrical Code) requirements for grounding. – Great message board thread on proper grounding of punch-down blocks, which is particularly interesting because of the interplay of issues that can occur during backhoe incidents. Incidentally, this particular message board is very informative on the subject of outside plant.


The Remarkable Evolution Of Toll-Free Numbers (Fall, 2008)

It’s hard to believe that another summer has already passed. However, the stages of photosynthesis are drawing to an end here in the Pacific Northwest, at least with the deciduous trees. These have turned brilliant shades of yellow, orange and red along the North Cascades Highway. It’s truly one of the most incredible drives in the country, even when you’re an outside plant technician winding your way toward the latest downed aerial cable. Don’t forget your icky-pic!

Anyway, it’s after midnight here in the Central Office, and I’m watching an infomercial on YouTube. This particular infomercial is for the Ronco Dial-O-Matic, which I’m disappointed to report is not a telephone. Quantities are limited, (I’m sure that’s true), so I’m being urged to call 1-800-486-1806 right away! Operators are standing by!!!

This is not a phone.

This is not a phone.

Well, have you ever wondered what actually happens when you pick up the phone and dial a toll-free number? Yes, I know, a robot or someone in India answers, but have you ever wondered what’s happening on the network side?  Well, don’t let this opportunity slip away! Grab your phone and get ready to dial right away, because we’re taking a trip to SMS/800.

Ha. Fooled you! We’re not going anywhere without a history lesson first. AT&T first invented toll-free 800-number service in 1967. Businesses frequently complained that customers were less likely to contact them if they had to place a long distance call. At the time, there was a toll-free system called the Zenith system, where you could dial an operator and ask for a “Zenith” (or sometimes “Enterprise”) number, but this was inefficient because all calls were operator assisted. Collect calls were another option, but as with Zenith numbers, these were also operator assisted. In response, AT&T defined the 800 NPA, and began offering “In-WATS” service. This offered a huge advantage: calls could be direct-dialed. Switches were programmed to, in effect, bill calls to these numbers as collect calls, but seamlessly to the user.

The early WATS system was rudimentary, and required separate toll-free numbers for intra-LATA versus inter-LATA calling. This often meant that nationwide toll-free numbers didn’t work throughout an entire state (Nebraska was often a problem, as many call centers were located there). Over time, the system became very popular, especially with phreaks who treated toll-free numbers as an on-ramp to the long distance network. They’d call a toll-free number on an analog exchange, then blue-box onward from there. Incidentally, until a few years ago, you could still do this with country direct numbers still using C5 signaling. Maybe you still can. But I digress.

In 1984, with divestiture, the FCC granted other carriers the ability to offer toll-free service. To make this work, specific NXXs were assigned within the 800 NPA to each carrier. The tandem switch was then able to route calls to the appropriate network. Unfortunately, this created a problem. If you wanted to change toll-free carriers, you couldn’t, because your number was locked to a specific carrier. As you might imagine, this largely took away incentive for carriers to provide competitive rates and service, particularly for owners of vanity toll-free numbers (such as 1-800-FAT-GIRL).

In 1991, the situation came sufficiently to a head that the FCC ordered that toll-free numbers become portable. This was, incidentally, the first FCC order requiring number portability, although the FCC has subsequently ordered local number portability (which allows you to port wireline numbers between wireline carriers), wireless number portability, and wireline-to-wireless number portability (note VoIP carriers are treated as wireline carriers for purposes of local number portability). Curiously, you still cannot port a wireless telephone number to a wireline or VoIP carrier, but again, I digress. Hey, it’s my union right with this much seniority!

The FCC order proved to be a genuinely significant technical undertaking, and it wasn’t until May, 2003 (after one short extension) when you were finally able to port your toll-free number. And thus was born SMS/800, the national toll-free service bureau. This service bureau is responsible for, among other things, tracking RespOrgs (long distance carriers and others who sell and/or bill toll-free service) and providing toll-free number reservations to these RespOrgs.

SMS/800 logo

When you want to reserve a toll-free number, your telephone company (RespOrg) checks with SMS/800 to find out what numbers are available. Toll-free numbers are currently available in the 800, 888, 877 and 866 NPAs. The 855 NPA is not currently in use, but will be the next toll-free NPA brought into service. Once you and your carrier identify a toll-free number that you like, and presuming that your carrier is scrupulous (many aren’t, and this is a whole can of worms I won’t open right now), they will reserve it on your behalf and transmit your subscriber information to SMS/800 as required by FCC regulations. SMS/800 associates the toll-free number with the PIC code of your carrier and (usually) the NPA-NXX-XXXX to which it is routed. This information is then replicated to the Service Control Point (SCP) databases, which are located strategically (and redundantly) at various switching facilities around North America.

It’s important to note that you are legally the owner of your toll-free number, and not your long distance carrier. Regardless of billing disagreements with your carrier, contract disputes, or whatever else, the number belongs to you, and you can transfer it to any other carrier you like, anytime you like. Unscrupulous individuals or companies can use this rule to their illicit advantage by switching carriers frequently and skipping out on the bill.

So, what happens after your number is set up, and someone calls it? SS7 initiates a database lookup routine, which is a fairly complicated and not particularly interesting process. Based on the results of the database lookup, your call is routed to the long distance carrier servicing your toll-free number, which routes your traffic over the network—for the most part—as an ordinary long distance call. Except you get the bill, instead of the person calling you.

There are a few things that are very different than a normal long distance call, however. First and foremost, when you dial a toll-free number, the person you are calling is paying the bill. This means that they have a right to your ANI, which is generally your phone number. So, when you call up Ronco to order a shiny new Dial-O-Matic, they have the phone number you’re calling from. Furthermore, once you place an order, they magically have an established business relationship with you, so they can bother you almost any time they like. And if this wasn’t bad enough for privacy, it gets worse. Many carriers don’t wait until they send the bill to send your number. For example, my toll-free service provider translates the ANI of anyone calling me to Caller ID data, so I receive it in realtime. Even if someone blocks their caller ID, I still get their number when they call me. So, the lesson here is that while it’s never a good idea to assume you’re anonymous over the phone, it’s an especially bad idea when calling toll-free numbers.

When you call a toll-free number, in theory, the person you’re calling pays the bill. In fact, the FCC rules are very clear on this point: you cannot legally be billed for calling a toll-free number. This doesn’t stop unscrupulous providers armed with ANI data, though. Phone sex lines love to engage in the practice of “cramming” your bill with extra charges, and even AT&T has engaged in the practice of “back-billing” fraudulent third-party billed calls to the originating number.

The FCC rules allowing easy number portability have led to vulnerabilities that have occasionally been exploited by phreaks. For example, when companies acquire one another, they sometimes disconnect the land lines of an acquired company, but forget to switch off the toll-free numbers. This is particularly common when laying off the PBX administrator before winding down the operation (and seems to happen with startling regularity). Phreaks with a well-tuned ear can recognize the difference between a long distance company disconnect/invalid intercept and a LEC-generated one. As a phreak, if you dial a toll-free number and receive a LEC-generated intercept, you have potentially struck gold because a neglected toll-free number is ripe for either rerouting or porting to a different carrier. Using a technique called pretexting, phreaks have occasionally run up phone bills in the high 6 figures by rerouting toll-free numbers to conference bridges and similar nefarious destinations. They’ve even ported the numbers to other carriers, resulting in the same scenario repeating over and over again. Carriers try to prevent this by introducing bogus technical obstacles to porting numbers where fraud is suspected, but these measures are largely ineffective (by FCC design).

And with that, it’s time to bring another issue of The Telecom Informer to a close. I feel a sudden urge to audit my employer’s toll-free number pool! Drive safely in the rain as the days become ever shorter. And when you pick out your Halloween costume this year, consider a Bernie Ebbers mask as part of the ensemble!

References – SMS/800 service bureau – Detailed write-up and logical topology diagram of SS7 database lookups