____________________________________________________________________________

                               End Of Intro/TOC
                                    Issue #4
The LOD/H Technical Journal, Issue #4: File 02 of 10


                          The AT&T BILLDATS Collector
                                  Written by:
                                   Rogue Fed

==============================================================================


NOTES: This article will hopefully give you a better understanding of how
the billing process occurs. BILLDATS is just one part of the billing picture.
Before I began working for the government, I was a Telco employee and thus,
the information within this article has been learned through experience.
Unfortunately, I was only employed for a few months (including training on
BILLDATS) and am still learning more about the many systems that a telco uses.
There are however, a couple of lists that were compiled and slightly modified
from what little reference material I could smuggle out and my notes from the
training class. This article does require a cursory knowledge of telco and
computer operations (ie. switching, SCCS, UNIX).


INTRODUCTION -
==============

BILLDATS - BILLing DATa System

BILLDATS can be explained in a nutshell by the acronym listed above. If it's
one thing telecommunications providers do well, it's creating acronyms.
Basically, BILLDATS collects billing information (that's why they call it a
Collector) from AMATs (Automatic Message Accounting Transmitters). The AMATs
are situated in or close to switching offices and are connected to BILLDATS
either through dedicated or dial-up lines. BILLDATS can be considered as
the "middleman" in the billing process. The system collects, validates, and
adds identification information regarding origination and destination. This
is then transferred to tape (or transmitted directly) to the RPC (Regional
Processing Center) or the RAO (Revenue Accounting Office). The RPC/RAO
actually processes the billing information. Typically the BILLDATS system is
located in the same or adjoining building (but can be across town) to
the RPC/RAO.

BILLDATS is similar to many other phone company systems (ie. SCCS) as it uses
a combination of software. The software base is UNIX and the BILLDATS Generic
program runs on it. The hardware used is an AT&T 3B20 (this is what 5ESS
switches use).

Some of the more interesting features BILLDATS possesses are:

*        Can be accessed via dialup (always a plus).
*        Runs under UNIX (another plus).
*        Interface with SCCS (yet another plus).
*        Can store about 12 million calls for the first two disks and about
         8 million calls for each additional disk. A total of 6 (675 MB) disks
         can be used.
*        Inserts the sensor type and ID and recording office type and ID onto
         every AMA record that it collects.
*        Capable of collecting information from nearly 600 AMATs.

To better understand how/why you get a bill after making long distance phone
calls, I have delineated the steps involved.

You call Hacker X and tell him all about the latest busts that have occurred,
he exclaims "Oh Shit!" hangs up on you and throws all his hacking information
into the fireplace. The actual call is referred to as a call event. As each
event happens (upon termination of the call) the event is recorded by the
switch. This information is then sent via an AMA Transmitter which formats the
information and then sends it to BILLDATS (commonly called a "Host
Collector"). BILLDATS then provides the information to the RAO/RPC. The
billing computer is located at the RAO/RPC. Do not confuse the actual billing
system with BILLDATS! The billing computer:

*   Contains customer records
*   Credit ratings (in some telcos)
*   Totals and prints the bill
*   Generates messages when customers do not pay (ie. last chance and
    temporary termination of service)

When the billing period is over, (typically 25-30 days), many events (it
depends on how many calls you have made) have accumulated. A bill is then
generated and mailed to you.


COLLECTION -
============

BILLDATS collects information in two ways:

1.       AMATs
2.       Users

AMAT input
----------

BILLDATS collects data from the AMAT either directly from the switch, or from
a front end which performs some processing on the data before giving it to
BILLDATS. The data I am talking about here is usually AMA billing information.
The information is in the usual AMA format (see Phantom Phreaker's article in
the LOD/H Technical Journal, Issue #3 on AMA for formats and other info). As
I said earlier, the recording office and sensor types and IDs have to be
added by BILLDATS. The other information that is transmitted is usually
maintenance data.

The data that is transferred between BILLDATS and an AMAT is accomplished
over either dedicated or dialup lines using the BX.25 protocol. This protocol
has been adopted by the telecommunications industry as a whole. It is
basically a modified version of X.25.

User input
----------

This is simply sysadmin and sysop information.


INSERTED INFORMATION -
======================

Once the information is collected, additional data (mentioned earlier)
must be inserted. The information that BILLDATS inserts into the AMA records
it receives depends on whether the AMAT is a single or multi-switch AMAT.
Either way, the data is passed through the DEP. The DEP is a module which
is part of the LHS (Link Handler Subsystem) that actually inserts the
additional data. It also performs other functions which are rather
uninteresting to the hacker. The LHS manages the x-mission of all the
collected information. This is either through dedicated or dialup lines. The
LHS is responsible for:

*   Logging of statistics as related to the performance of links.
*   Polling of remote switches for maintenance and billing information.
*   Passing information to the DEP in which additional information is
    inserted.
*   Storing billing information.
*   Other boring stuff.


AMATS -
=======

Basically an AMAT is a front end to the switch. The AMAT:

*   Gets AMA information from the switch.
*   Formats and processes the information.
*   Transmits it to BILLDATS.
*   An AMAT can also store information for up to 1 week.

The following is a list of switches and their related AMAT equipment that
BILLDATS obtains billing information from:

1A ESS: This is usually connected to a 3B APS (Attached Processor System) or
        BILLDATS AMAT.
2ESS:   This is connected to an IBM Series 1 AMAT.
2BESS:  Connected to a BILLDATS AMAT.
4ESS:   Connects to 3B APS.
5ESS:   Direct connection.
TSPS 3B:Direct connection.
DMS-10: Connects to IBM Series 1 AMAT.

There are other AMATs/Switches but they must be compatible with the BILLDATS
interface.


ACCESSING BILLDATS -
====================

Even though a system is UNIX based, that doesn't mean that it is a piece of
cake to get into. Surprisingly (when you think about the average Intelligence
Quotient of telco personnel) but not surprisingly (when you consider that the
information contained on the system is BILLING information--the life blood of
the phone company) BILLDATS is a little more secure than your average telco
system, except for the fact the all login IDs are 5 lower case characters or
less. BILLDATS can usually be identified by:

bcxxxx 3bunix SV_R2+

where:

bc = B(ILLDATS) C(ollector).
xxxx = The node suffix. This is entered when the current Generic is installed.
3bunix = This simply indicates that UNIX is running on an AT&T 3Bxx system.
SV_R2+ = Software Version.

The good news is that there is a default username when the system is
installed. The bad news is that upon logon, the system forces you to choose a
password. The default username is not passworded initially. The added security
feature is simply that the system forces all usernames to have passwords. If
it doesn't have an associated password, the system will give you the message:

"Your password has expired. Choose a new one"

A 6-8 character password must then be entered. After this you will be asked
to enter the terminal type. The ones provided are AT&T terminals (615, 4425,
and 5420 models). Once entered a welcome message will probably be displayed:

"Welcome to the South Western Bell BILLDATS Collector"
"Generic 3, Issue 1"
"Tuesday 01 Aug 1989 12:44:44 PM"

dallas>

The BILLDATS prompt was displayed "dallas>" where dallas is the node name.

There are 3 privilege levels within BILLDATS:

1.       Administrator
2.       Operator
3.       UUCP

*   Administrator privs are basically root privs.
*   An account with Operator privs can still do about anything an Admin can do
    except make data base changes.
*   UUCP privs are the lowest and allow file transfer.


Commands
--------

Just like SCCS, UNIX commands can be entered while using BILLDATS. The format
is:

dallas>run-unx:$unix cmd;

All unix commands must be preceded by "run-unx:" and end with a semicolon ";".
The semicolon is the command terminator character (just like Carriage Return).

BILLDATS isn't exactly user friendly, but it does have on-line help. There are
a number of ways that it can be obtained:

dallas> help-?;  or  help-??;  or  ?-help;  or  ??-help;

If you want specific help:

dallas> help-(command name);

I can list commands forever, but between UNIX (commands every hacker should
be familiar with) and help (any moron can use it), you can figure out which
ones are important.


Error Messages
--------------

Just like SCCS, BILLDATS has some rather cryptic error messages. There are
thousands of error messages, once you know a little about the format they
are easier to understand. When a mistake is made, something similar to
the following will appear:

UI0029      (attempted command) is not a valid input string.

  ^                   ^- error message information
  |
  |--  This is the subsystem and error message number

The following is a brief description of subsystem abbreviations:

BD: BILLDATS system utilities. Errors associated with the use of utility
    programs will be displayed.
DB: Data Base manager. These messages are generated when accessing or
    attempting to access the various Data Bases (explained later) within
    BILLDATS.
DM: Disk Manager. Basically, information pertaining to the system disk(s).
EA: Error and Alarm. As the name implies, system errors and alarms.
LH: Link Handler. Messages related to data link activity, either between
    BILLDATS and the AMAT or BILLDATS and the RAO/RPC.
SC: Scheduler. The scheduler is BILLDATS' version of the UNIX cron daemon.
    BILLDATS uses cron to schedule things like when to access remote systems.
TW: Tape Writer. Messages related to storing billing information on tapes
    which will then be transported to the RAO/RPC.
UI: User Interface. This was used in the above example. Displays syntax,
    range or status errors when entering commands.
DL: Direct Link. Instead of BILLDATS information being written to tape, a
    direct link to the RPC/RAO mainframe (the actual billing system computer)
    can be accomplished. This is usually done when BILLDATS is located far
    away from the RPC/RAO office as there is always some risk involved in
    transporting tapes, and that risk increases the farther away the two
    offices are. Another neat thing about Direct Link is that the billing data
    can be sent across a LAN (Local Area Network) also. Obviously this incurs
    some concerns regarding security, but from what I have heard and seen,
    AT&T and the BOC's typically choose to ignore the security of their
    systems which suits me just fine. The Direct Link is an optional BILLDATS
    feature and if it is in use, messages related to its operation are
    displayed with the DL prefix.


BILLDATS DATA BASES -
=====================

The databases contain all kinds of useful information such as usernames,
switch types, scheduled polling times, etc.

The AMAT Data Base contains:

*   Type of switch
*   Sensor type and identification
*   AMAT phone number
*   Channel and port number/group
*   Other boring information

The Port Data Base contains:

*   Communications information (like L-Dialers on UNIX Sys. V)
*   Channel and port information
*   Other boring information

The Collector Data Base contains:

*   Collector office ID
*   Version number of the Data Base
*   Number and speed of any remote terminals
*   When reports are scheduled for output
*   Other boring information


CONCLUSION -
============

If you are not technically oriented, I hope this article helped you understand
how you get your bill. I assumed that you would skip over the commands for
using BILLDATS and similar information.

If you are technically oriented, I hope I not only helped you understand more
about the billing process, but also increased your awareness of how detailed
the whole process is. And if you do happen to stumble onto a BILLDATS system,
you have been pointed in the right direction as far as using it correctly is
concerned.

I tried to leave out all the boring details, but some may have slipped by me.
I reserved the right to omit specific details and instructions regarding any
alteration or deletion of calls/charges for my own use/abuse.

The Rogue Federal Agent