Schneier on Security
A blog covering security and security technology.
« The Origins of War |
| Lexical Warfare »
January 14, 2013
It's both an art project and a practical clothing line.
...Harvey's line of "Stealth Wear" clothing includes an "anti-drone hoodie" that uses metalized material designed to counter thermal imaging used by drones to spot people on the ground. He's also created a cellphone pouch made of a special "signal attenuating fabric." The pocket blocks your phone signal so that it can't be tracked or intercepted by devices like the covert "Stingray" tool used by law enforcement agencies like the FBI.
Posted on January 14, 2013 at 1:27 PM
• 54 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
... because aluminum foil hats are not fashionable... and a little bit obvious.
First off the average adult puts out the same amount of thermal energy as a 100W light bulb (which is why you use them when you use do tests of homes for thermal efficiency etc.)
Simply puting a bit of insulation or metalised material in the way is not going to reduce the energy you put out. As you cannot destroy energy only store it or disipate it you need another mechanism to make your therrmal image any the less. The simplest way is to somehow couple it into the environment in a very diffuse way. And the simplest way to do that is by moving a large quantity of air across a thermaly radiating surface...
As for the mobile phone pocket I'm not quite sure what that is ssupposed to do. If you pasivly attenuate the signal the mobile phone outputs more power to compensate for what it thinks is a remote base station. You actually need to turn it off properly by removing the batteries.
And the Stingray is now old and very expensive technology, I'd actually be more woried by the likes of pocket picocells that hackers cobble together from COTS equipment for less than 200USD.
Actually, as Clive said, pereventing phones from contating the base tower is hard; it is something that is being done with cell phone forensics;
E.g. you want to see what the last cell tower the phone of a dead body connected to. But for that you need to power the thing up in your lab ( batteries die pretty quick).
Thus you need to shield the phone. And there are MANY commercial bags/ enclosures to buy; however if you are close to a tower; you'd be surprised just how much material you need.
Furthermore, a lot of times, you need to see the dispay and press buttons, which makes this even more complicated.
My company ended up generating static in the faraday bag for maximum effect.
I don't know what the field strength is of all the various phones under different conditions, but I can guarantee you it is feasible to shield the device so it cannot communicate with the cell tower and it doesn't require the mass of an armored vehicle to do it.
BTW - how in the world could anyone ever experience the failure to acquire a signal if the phone would always just jack up the power until it did so?
BTW- you can't conveniently remove the batteries from an iPhone but you can run it dead.
I'd be more worried that the reflected RF inside that shielding bag would damage the output circuit in the phone's transmitter section.
Readers interested in the confluence of fashion and privacy should also check out the "CV Dazzle" project by Adam Harvey: http://cvdazzle.com/
That's nothing new. I've been wearing my tinfoil hat for years!
You can carry a pager and a dumb phone turned off, or borrow the use of a phone from somewhere.
Interestingly, there still seem to be a lot of companies out there selling pager service and pagers...
(bikeshed) for reduction of radiated heat one might employ something not totally unlike a couple of layers of fabric wrapped around a spacing framework and a gas expansion system to absorb the likely resulting heat build up. cell service and radio imaging damping might be damped by using an electrically conductive fabric. I vaguely recall reading and article not quite totally unrelated. I am almost certainly wrong about most of that.
Link to a webcomic.
Putting the phone in a shielded pocket is going to make it run the battery down very quickly, as it continuously searches for a signal.
You're better off just switching it into "flight mode".
"... because aluminum foil hats are not fashionable..."
Sounds like a challenge for some aspiring young fashion designer!
Yeah, hiding from thermal imagers. Good luck with that. A bit of metal foil or insulation will not do it.
kme is on for shielding a phone. Good ones eventually sorta give up, but most smartphones aren't good at this and will get really hot and burn the battery in under an hour if you stick them in an RF shielded room.
Gee, a modern tin-foil hat in the form of a hoodie! Does it also keep you invisible to the aliens that monitor us from the dark side of the moon?
"You could wear neoprene heat resistant rubber, or, we can turn the temperature up to 98 degrees which is what we'll probably have to do, because the neoprene would sufficate you." (Sneakers)
Is it possible to have a secondary cellphone (or similar device) acting as a (dummy) tower, placed near the cellphone within the shielding?
"Oh sorry dear, I missed your call because my cell was in my pocket"
Our army smocks were 'IR proof', and I've squinted through both passive and active IR bins at them and, from a distance, they seem to work.
Regards cell phones, you just have to pick the right biscuit tin. When I was working with prototypes, we just used to drop a biscuit tin over them. Some brands were ineffective, others worked great.
What is the use of keeping the phone powered up but then shield it in a pouch?
Either airplane mode or, if you are paranoid, power it down and put it in a shielded pouch.
Btw, why not use a metal canister io a pouch?
The keywork you are looking at is portable celltofem.
> government's claim that just because cellphone users know that their phones are "tracking devices," they should reasonably expect to be tracked by them.
When you have a contract with a phone company, you agree to be tracked by that phone company - not by anyone else (on some phones you can refuse synchronisation with another network).
I wonder what is the name of the network used by the FBI in this case? Do they lie?
Remember conduction, convection, radiation? If you wear low-emissivity clothing you will, indeed, reduce your radiation. You'll just get rid of more heat by convection and conduction, probably via evaporation of sweat as you'll need to be a bit warmer to do so.
"If you wear low-emissivity clothing you will, indeed, reduce your radiation."
Only if the clothing is less warm than your body. If the clothing (hoody) heats up to almost body temperature, nothing changes.
Shielded pocket for phone is intended to block incoming and outgoing signals.
The idea of pocket is to prevent distant actvation of your phone(incoming), and its function such as microphone, camera, tracking your location (outgoing), adding/erasing applications (incoming) without your consent or knowledge.
Regarding protection of your privacy, technical means developed by 'beautiful minds' (crowdsourcing) should be just couple steps ahead of those who disregard the law. And one time again,
laws are working for your protection AFTER your rights are already violated, but technical means - before.
Until the tech can make your thermal signature look like the background won't such countermeasures make a person "who has something to hide" easier to track?
@clive just nit picking but a pane of glass maybe plexi? works very well to shield body heat.
I'm waiting to hear the strike and melted glass jokes when someone slips up in war zone. Saw video of some people setting up a IED wrong and blowing themselves up via drone footage. sad to see such a waste of human life.
I suppose an air barrier might work to shield body heat. thinking of frame and fabric? :) new fashion--burka frame fashion.
Phone shielding would seem to be easy problem. Just my thoughts.
Anybody remember those "space-age" plastic blankets that were supposed to reflect 80%-95% of your body heat?
Didn't mythbusters use plexiglass to get past an IR sensor at one point?
Don't know if anyone has seen the Quantum-Stealth? It claims to "bend" visual, IR, and thermal signatures as well as 95% of wearer's shadow.
So if you see me punching air, don't look at me funny.
just nit picking but a pane of glass maybe plexi? works very well to shield body heat
Yes and no, it all depends...
Let's take the simple case of a glass container.
We have glass cookware, that quite happily passes heat (all be it slowly) by conduction as well as radiation. Ignoring radiation for the minute, after a while cooking ceases when the center of the food reaches the ambient temprature outside the glass container and thermal equilibrium is reached. The time required for this depends on the thermal conduction coefficient of both the glass and the food inside.
Now let us look at another glass container this time double walled with a near vacuum inside even though the glass conducts thermal energy, the food inside will take a very very long time to reach the ambient temperature outside the outer glass wall because a vacuum has a very low thermal conduction coefficient. The main thermal transport mechanisum in this case is radiation which is why for the likes of a thermous flask the inside walls of the two glass surfaces are silvered to reflect radiation.
Now let us replace the food inside a vacuum flask with an energy source and a method of turning the energy in the source into thermal energy.
The simple case is a battery and a resistor. In an open environment the resistor starts at ambient temprature and will once the battery is connected generate thermal energy directly proportional to I^2R (the work being done or what we call power).
The temprature of the resistor will continue to rise untill the resistor fails unless the generated heat can be dissipated by conduction or radiation. That is provided the coefficients of thermal conduction are sufficient then the thermal energy will be transported away from the resistor into the environment at a rate sufficient to stop the temprature of the resistor reaching that at which failure happens (ie it burns out).
There is a simple experiment by which this can be demonstrated, you connect a coil of nichrom wire across the terminals of a variac and adjust the current flow so that the wire glows a dull red. You then put the coil in an oil bath and ensure the current remains constant, the wire ceases to glow simply because the oil has a thermal conduction coefficient around 25 times that of air.
If however you re adjust the current so the coil glows red in the oil bath, when you remove it the coil fairly quickly goes from red to bright orange to a much and then melts...
So if I was to put you inside cloathing with a very low thermal transport coefficient, you would heat up to the point where your body reached around 40C at which point the proteins in your brain would depolarise in the same way the clear of an egg goes white when you fry it and you would in very short order die. The only two ways to stop this are firstly remove the thermal energy, the second stop your liver, muscles and brain generating thermal energy...
The basic definition of heat stroke (hyperthermia) is when your body fails to get rid of heat, and the body temprature rises above ~37C. The basic definition of hypothermia is when your body fails to generate enough thermal energy to maintain the required temprature of ~37C. In either case you tend to die fairly quickly unless control of the bodies temprature is re-established near it's norm of ~37C.
There are limited exceptions to this fo instance aboriginals who live in central Australia have the ability when resting to lower their bodies temprature requirment and thus change the onset point of hypothermia significantly,
Didn't mythbusters use plexiglass to get past an IR sensor at one point
You can hold up anything that does not alow IR from the object behind it to pass through, provided the surface of the thing you hold up remains at the same temprature as the ambient conditions.
My favourate material for bypassing such alarms is the "100 ohm foam" used to store DIL IC's. It's effectivly a conductive carbon loaded foam which is a poor conductor of heat, and is not transmissive of the normal IR frequences, but also as it's carbon loaded also absorbs microwave radiation as well. As it's also sufficiently flexible to roll up like an excercise mat it makes quite a protable "stealth shield" for burglars.
However it should always have a significant air gap between it and the burglar to stop conduction issues. You can make it better by getting a roll of the metal foil backed expanded polystyren foam used to provide insulation behind radiator panels and glue it using rubber solution glue foam to fom with the 100 ohm foam. But remember to get the resulting shield the right way around metal foil is usually a very good relflector of microwave energy and IR.
WRT cell phone tracking my preferred solution is to create a round-robin timed network of cell-phones all with cloned SIM cards. Each powers-up/down at a particular time so that the network only ever has one active SIM, however the network operator sees the active SIM jumping all around the city. Good luck to any LEO presenting that mess of conflicting information as proof of a perp's location. With the advent of cheap solarcell chargers you can even make some of the locations mobile, for the others a motorized directional antenna works wonders.
They also see more than just a SIM. They see an IMEI, ECN (both are not on the SIM, but are stored on the device) among other things. How would you handle a CDMA phone with no SIM?
Speaking of clones (again), you would have to clone more than just the SIM... And then again, how can you be sure there is no other unkown parameter that you missed?
Check some of the 3GPPP specifications. LEO's don't need luck with that...
Had an extra "P"
If you put the email address in the URL by mistake, you may accidentally open a side channel.
Please delete the last post :(
"They also see more than just a SIM. They see an IMEI, ECN...
Well I'd use Chinese white-brand phones for a start, because they all ship we the same IMEI. As near as I can understand they do this so that IP license holders (read Qualcom) can never know exactly how many devices they shipped.
Fortunately I know a lot about the 2G & 2.5G phone systems so I can be reasonably certain that the phones are all exact clones, at least as far as the networks they connect to are concerned.
It would be easy for a TLA to collect extra (phone finger-printing) info from a dedicated picocell but thats a different problem.
If they have the same IMEU, then they would not be Type-approved. I'll have to get a hold of some of these phones to check. You know where I can find them?
" I'll have to get a hold of some of these phones to check. You know where I can find them?"
They sell retail mainly in China and India. you would be looking for phones that use the Spreadtrum or Rockchip chipsets. Third tier phone makers like Ktouch are know in China as Shanzai and they're your best bet.
OK. That is easier to swallow. I thought you meant
I can buy them in the US. Still there are easier ways to shield the phone...
Take a foot and a half of aluminum foil and wrap the phone in it making sure there are no holes - the skin effect will take care of the rest.. For
Phones with external strip antennas on the sides, insulate with a layer of ceram wrap first, other wise the foil may act as an antenna. For the extra paranoid follow these steps:
1: put phone in airplane mode
2: turn phone off
3: remove battery (if possible)
4: make a mummy out of the phone (wrap it as above)
Easier than going to china ;)
Try wrapping a phone then call it and see what happens ;)
WRT cell phone tracking my preferred solution i to create a round-robin timed network of cell phones all with cloned SIM cards...
OK I know the technology side will work fine, but what of the human side?
Unless you have some kind of side channel (such as VM or SMS-EMail) the system is not very usable and thus would be not a lot of use for the usual mobile phone communications. And that alone might be a red flag to a half awake TLA operative (unless I'm misjudging the TLA operatives by over estimating their avarage capabilities ;)
You can by "mobile phone" front end moduals from the likes of Mootorola in Israel, that can be re-flashed fairly easily. You can bet a gold brick to a pinch of salt that there is code for them that has a user selectable IMIE etc so that various persons can make their phones appear to be a targets etc.
Also there is that little issue of how such electronic fingerprints get back to the main network control center. That is with nano and pico cells acting as relays, if you have control of such a relay you can do a Man in the middle and change the number to whatever you like.
Also due to the way some networks are decentralised you can have a clone of a phone on at the same time as the original provided it's in an adjacent cell. Issues only occure when the network control center tries to route traffic such as a phone call or SMS. It surprises people when you tell them that if you move around adjacent cells the fact you are in a different cell does not get reported back to the central control center.
This is due to keeping control signaling as low as possible to keep capacity up for revenue earning traffic. The result is it opens little holes up in the system that can be expolited in various ways.
Speaking of phones having exploitable holes I assume you are aware of the Cisco VoIP phone issue that has caused a few red ears around the place?
I think @Nick P has mentioned the symbiote idea before.
"OK I know the technology side will work fine, but what of the human side?"
I'd always use a burrner phone carried in the OFF state for actual phonecalls. the phone that is ON is strictly for notification basically just a pager/SMS device.
"...the phone that is ON is strictly for notification basically just a pager/SMS device."
That might defeat one of the purposes. They can track you via that phone. The tracking systems they use now for live phones are pinpoint. They might be able to correlate that two phones from same position, one that just came on, are the same person and intercept.
If usage is still obscure, the technique might be ok if you don't mind them knowing your exact physical location and that of anyone you might meet. The trick for secure notifications is not doing them on a phone at all. Gotta leave the rest of that idea to your creativity so my obfuscation isn't blown. ;)
(Good idea on the Chinese phones, btw.)
Since you're over here on this thread... I just got finished downloading and skimming the TPM specifications. The only actual certified TPM I remember finding was an Infineon chip. They make good chips but I wanted your opinion: what's the highest quality TPM chip on the market? Or what *was* if you haven't looked in a while?
@ Nick P
It was Infineon. Hopefully I will not get in trouble for this...
If you are the subject of active realtime surveillance by a skilled TLA than this technique wont work, because one of the locations is real, the rest are fakes and it would not take long for them to establish which is which. And as you say they still have your location via the RF signature, so what exactly have you achieved. Although it is worth considering the real world lock time for the tracking system. Most tracking systems expect contiguous transmissions occurring at certain exact predetermined times within the network. In my system I'm operating in a sort of burst mode. Sometimes just doing the unexpected will be enough to avoid detection (until it becomes expected....and so the game continues)
If you are someone that is concerned about TLA's or LEO's building a case against you by "after the fact" analysis of network cell records than my system provides a suitable obfuscation. This will at least prevent network connection information from being used against you.
BTW I would not be silly enough to actually implement a simple round-robin system when it is just as easy to create a pseudo random scheduling algorithm.
If you are the subject of active realtime surveillance by a skilled TLA...
I agree... No techniques will work. You are basically screwed... Best technique is not being a subject. This game has three simple rules:
1- You can't win
2- You can't break even
3- You can't get out of the game
"1- You can't win
2- You can't break even
3- You can't get out of the game"
I'm not sure I agree, active surveillance is EXPENSIVE, so the individual wins if they adopt techniques which dramatically increase these costs. Basically make the information the agency gets simply not worth the cost.
-a burner phone costs $20 but establishing which burner phone is associated with an individual costs several thousand dollars. If I'm a high value target than I can afford to change phones daily/hourly can the TLA devote the real-time resources needed to track this activity?
It is easy to follow a person who has no reason to believe that they are being followed, but it is difficult to follow someone who suspects they are possibly being followed. Additionally it is practically impossible to covertly follow someone that knows a even few simple anti-surveillance tricks.
If the individual uses his own surveillance team to check for the existence other teams than he becomes an impossible target, for covert surveillance.
The cost advantage always remains with the observed individual because overcoming each layer of counter-surveillance cost at least 10 X the cost of the implementing the technique.
At some point they simply give up, now depending on where you are that can be a good thing or a bad thing, because there are some very cheap permanent solutions to their problem.
This game has three simple rules
Depending on your (religion/) philosophy there are more or less rules. But fundementaly,
Life's a game lost when conceived, thus all is in the play
Being an object of surveillance is a subset of life, it's not a choice you can make, nor as RobertT notes is how it ends.
@ Nick P,
The trick for secure notifications is not doing them on a phone at all. Gotta leave the rest of that idea to your creativity so my obfuscation isn't blown. ;)
Secure notification requires two things,
1, A secure message obsfuscation (crypto etc).
2, A secure channel to send the secure message.
Of the two message obsfuscation is by far the easiest, even if you are trying to hide it in plain sight (simple code such as "how about a Drink/Coffee/Tea? where D/C/T has another meaning)
There are various reasons why channels are harder to implement and to understand this you need to look at the iideas of Claud Shannon and extend them.
Claud Shannon considered a communication channel to have three basic parts of a transmitter, a medium and a receiver. His original work was based in analysing the medium and it's effects on communications (Shannon and others went on to develop coding techniques etc from this).
There are two basic channel types,
3, Broadcast or Point to Point.
That are generaly used either singley or in pairs in two basic modes of operation,
4, Simplex or Duplex.
Where the fun starts is when you pipeline a single channel of communication through one or more relays. Relays can work in two basic ways,
5, Forward, Store.
It can be fairly easily seen at this point the basic IP model used for the Internet has a significant advantage over the telephone network in that it can be simplex and packet switched through many relay points and not required to be either circuit switched or duplex as a telephone generaly is.
Nearly all "trade craft" communications is by simplex communications through relays. That is a courier or "cut out" is a forwarding relay and a dead letter drop is a storage relay.
It can be seen that unless latency is an issue a dead letter drop or storage relay is by far the safer option to use as with a little care it can decouple the sending and receiving parties fairly effectivly. Which a go-between / cut-out cannot, as rubber hoses I'm told are still usefull as aids memoir.
One advantage of the internet is you can expand on using one relay to using two or more relays and unlike humans the idiot savants of the internet can provably forget unless deliberatly designed to do otherwise.
Further unlike physical dead letter drops the Internet can have it's dead letter drops looked at from just about anywhere and fairly anonymously even when under quite intense surveillance.
As I've detailed befor anonymous blogs make good cut outs and search engines make good dead letter drops the trick is knowing how to decouple things even when under 100% surveillance . It's known as the "Prisoners Problem" not to be confused with the "Prisoners Dilemma".
As an example of what was once possible  was to uses a UDP packet where the IP pactet from field was faked. After it had gone through a number of routers it was well neigh impossible to walk back to the original sender.
This was used in a number of attacks one of which was an early DoS amplifier , where you would send a ping or other UDP message to a network address (ie binary adress ends in all zeros) with the address of the target in the from field. The result being that each host in the network would send an ack back to the host identified in the from address. With class C networks that could potentialy give 254 acks sent to the victim host for each ping packet sent by the attacker.
One of the reasons I still like pagers is the simple fact that their location cannot be easily determined.
Not so long ago I designed and built two gateways one to convert mobile phone SMS to pages, the other to convert pages to mobile phone SMS or send through to the Internet via the AT command set supported by mobile phones to provide "Dialup Modem" equivalence.
You can buy an adrinou board with two serial ports and a couple of Motorola G24 quad band modules for a verry small amount of money and make a dial through gateway the size of a packet of cigerets that with "Super-Market Top-Up" on SIM only service is increadably easy to setup.
To make life even easier some Mobile Broadband USB dongles will do the same job with no soldering involved. Two such dongles and a Rasbery Pi and just a simple script to configure the Linux protocols with an "anonymous pre-pay credit card" to pay for the mobile service providers and you can put a cut-out in a different country well out of jurisdiction. When I've a little time I was planning to pop a VoIP relay on such a setup just to see how well it works...
Such a simple device can be built with batteries into a small shoebox size locable weather proof box such as used for external mains power junction boxes. If bolted on the wall behind lift winding equipment or equivalent at the top of a tower block will stay there for years without comment (I put a covert WiFi bridge on a tower block for a client some years ago with a CCTV camera etc and stuck a lable on the outside of it indicating it belonged to a local council Parking Enforcment Company and the last I heard it was still working fine).
 For those interested look up the rather interesting subset of covert channels that are Subliminal  and Newton channels 
 Gustavus J. Simmons. The Prisoners Problem and the Subliminal Channel. In Advances in Cryptology – CRYPTO ’83 pages 51–67, New York, 1984. Lecture Notes in Computer Science, ed. D. Chaum.
 Ross J. Anderson, Serge Vaudenay, Bart Preneel, and Kaisa Nyberg. The Newton Channel. In Proceedings of the First International Workshop on Information Hiding, pages 151–156 London, UK, 1996. Springer-Verlag.
 Many routers sanity check the from address, and even where they don't quite a few log packet information such that the path can be partialy or fully reverse walked. Some border gateway systems detect and kill such activity not to prevent deliberate attacks but to stop accidental loops building up (which is what the TTL field was designed to do all be it inefficiently).
 This attack should nolonger work as most first hop routers these days rather than blindly forward a packet actually sanity check the from address, and drop the packet if the from address is incorrect.
@clive interesting points. I really want get a beagle and raspberry pi to play with on my test bench. There so many things I can imagine for these little guys.
Question. I was told of a big site that insisted design be analog exterior cameras while interior be ip. They were concerned about network compromise. I wondered if you could use something like signal or noise eavsdropping to crack the network's inner workings. Along the lines of using pipes or power. Probably if grounding was off. Coax might be easier than twisted pair. Once saw a signal of 60ma get picked up outside from a teletype back in the old days..word for word....Just a mental exercise or proof of mental... ;)
They don't mention a security weakness. My quick thoughts on the matter are that the IP method has increased complexity and may open opportunities if it's not a dedicated network that connects cameras to viewing system. Or if the viewer is a windows PC. I still see in my head simple technical measures that reduce most of the risk, especially basic isolation techniques.
The first thing that comes to mind, though, is that this sounds much like the analog vs digital phone debate. Many people thought digital phones make it easier for them to listen in. At the time, there were many vendors selling simple devices for tapping analog voice and video lines. The analog models are designed to be easy to decode and work with normal televisions. How easy to do think that is to mess with? ;) Digital adds complexity not just to TCB but to attacker's model as well. Digital implementations also vary. Analog is way easier to screw with, imho.
Let's get real, though: hacking the camera system is something that almost never happens in reality. They're more likely to sabotage your cameras, district whose watching them, or focus on something entirely different. So, follow best practices for cameras, maybe apply a few extra tricks of your own (or inspired by us;), and focus your extra mental effort on other likely risk areas.
Note to Clive and RobertT: I'll reply to your posts after I get some sleep. :)
I gave a quite lengthy answer a few minutes ago, but the phone locked up during TX, so I don't know if the Moderator has got it oor not.
I'll give it a little while and if no show, I guess I'll have to type it from memory again :-(
Yes, I know that it is not likely. It was just a random thought. When someone installs 1500 cameras on a site and insists that exterior cameras be analog for security protection of system, It is going to get my attention.
I agree and told a couple of manufacturers' reps that a network was much more secure and had better performance if designed right. Trying to push MPixel through coax is...interesting? They agreed but customer insisted that they be analog. Thoughts such as isolated network, DMZ, services and port lockdown, mapping ports, new generation firewalls, honey pot or zone with a nasty surprize waiting for someone that gets in. obscure port assignment. Access Control. there are a lot of ways that the system could be protected. If anything a security management system would be easier to protect than just a simple addition to a network.
About 10 years ago IT was a pain to deal with (still is) on installing such systems. The systems ate a lot of bandwidth, etc. The systems were isolated including wiring. The systems were completely separate from any network in place. We essentially installed a complete network, right down to workstations. Now IP is putting things on networks. The argument and design is to lock down a security management system so that it interacts with any network in predictable ways. I personally would prefer air gap, but have to settle for the parameters I discuss above. It is a real advantage to understanding networks when discussing security managment systems. The days of just plugging in wires is gone.
Also, while I'm on subject wireless is prevalent now and presents challenges that simply didn't exist 10 years ago.
Note: I'm talking about security management systems which involve more than cameras. they now have to interact more with other systems. ie. ID cards may be printed by HR, debit card functions, be used for workstation access. the list is long. People want and expect one place to print one card and one card to do many things.
Such systems touch other systems and security is very important. HIPA, government encryption for comms, interaction with HR databases, etc. It can reach out, touch and interact with many other departments, applications, or databases.
A security management system with bad security would an embarassment. ;)
It's not in the queue, I'm afraid.
Pager's are definitely a better comms option for the high value individual especially one operating in a high threat environment. Unfortunately the pager infrastructure is quickly disappearing and is never even available in many developing countries.
I can't imagine it will take very long for someone to find an offensive tactical use for cheap Picocell infrastructure coupled to cheap mobile computing like RasberryPi's. At this point high value targets will have to completely abandon the use of cell phones because the risks will be too high.
It seems to me that the best solution for this is to use mobile VOIP over 3G and relay the VOIP to a 3G capable burner phone (which is changed frequently). Using VOIP separates the individuals ID "phone number" from the connection device ID and SIM. But this is a very different issue from LEO after-the-fact location establishment from network records.
"It seems to me that the best solution for this is to use mobile VOIP over 3G and relay the VOIP to a 3G capable burner phone (which is changed frequently). Using VOIP separates the individuals ID "phone number" from the connection device ID and SIM."
I agree. I've done the same thing in a few designs. The difference is that they were smart[er] phones and the SIM card was what was swapped. My original intent was actually to let me keep one number while being able to swap out cell phones or service providers. Instead of telling people my new number, I could just give it to the relay system. The security-centric use became apparent to me later.
"If you are someone that is concerned about TLA's or LEO's building a case against you by "after the fact" analysis of network cell records than my system provides a suitable obfuscation. This will at least prevent network connection information from being used against you."
It would seem so.
"a burner phone costs $20 but establishing which burner phone is associated with an individual costs several thousand dollars. If I'm a high value target than I can afford to change phones daily/hourly can the TLA devote the real-time resources needed to track this activity?"
Interesting thought. It can be worthwhile to make it more expensive for them while simultaneously giving them nothing usable to justify the budget. Depending on the organization, this might not work at all. I remember hearing of a British spy that wrote memoirs that pissed off the TLS. So, they started spying on him: on foot when he walked and via car if he ran or drove. They tried to be covert (for some reason). His solution was to use roller blades so they couldn't justify a car and couldn'nt easily keep up with him. Their response: they periodically follow him with a chopper.
That story is over five years old. Things have changed a bit so I don't know if the TLA's will waste that kind of effort. So, whats the take with regard to your heuristic? Well, if they are just doing a regular investigation, the heuristic might work. If an agent or group really doesn't like you, they might keep throwing resources at the problem. The near constant surveillance on certain organized crime suspects in the past supports that possibility.
"The cost advantage always remains with the observed individual because overcoming each layer of counter-surveillance cost at least 10 X the cost of the implementing the technique. "
The counter-surveillance definitely provides obstacles for them and might even work. However, we must not pretend they will just try to crack each layer head on in our analysis. At some point, they side-step it and start subverting the organization via infiltration, extortion, etc. Get people on the inside who can supply the information. It's been one of the main strategies for use against organized crime and terrorists.
"1- You can't win
2- You can't break even
3- You can't get out of the game""
It's better for people to think like that. It will keep them from angering TLA's. I've seen that 1 and 2 are incorrect, though. Three is semi-correct in that you can get out of the game albeit with residual risk that sticks with you for life. If one must worry, are they really out? My own personal experience with that question makes me think 3 is valid. Beating them or breaking even is mainly doable when they aren't watching you physically. Remote attacks making proper use of relays, disguised origin points, and ignorant third parties.
@ Clive Robinson
"As I've detailed befor anonymous blogs make good cut outs and search engines make good dead letter drops the trick is knowing how to decouple things even when under 100% surveillance . It's known as the "Prisoners Problem" not to be confused with the "Prisoners Dilemma"."
I hadn't heard of that before. Thanks for the link. It's a bit math heavy for me. That said, I get the basic principle. A portion of my research has been communicating and operating under massive surveillance without enemies gaining information. Then I find some great mind of the past already worked out many of the details. (Rolls eyes) Thanks for the link.
"As an example of what was once possible  was to uses a UDP packet where the IP pactet from field was faked. After it had gone through a number of routers it was well neigh impossible to walk back to the original sender. "
I haven't used that trick in so long I forgot all about it. I think you might have already given me some ideas. They would take a bunch of trial and error on the net to see the effect of router behavior. My first thought is I can use bump-in-the-wire approach between the sending computer and the first internet router to artificially make the packet look older. This is for the event that "from" is checked on a brand new packet, but not on packets that had already hopped a bit.
"I put a covert WiFi bridge on a tower block for a client some years ago with a CCTV camera etc and stuck a lable on the outside of it indicating it belonged to a local council Parking Enforcment Company and the last I heard it was still working fine"
LOL. A friend and I did something like that to build a darknet a few years ago. We used point-to-point wireless with very narrow beams to communicate directly and leak minimal signals. A p-t-p vpn was on top of that. It was fun for a while, but distance killed signal strength. (It was WiFi, not WiMAX...) So, I decided that anyone capable enough would realize we were communicating and so the real goal was confidentiality + extra isolation & control of medium. (Not getting spotted was just a bonus.)
So, I ended up using open(ish...) wifi's for the middle of the network, with disguised directional wifi for endpoints. The crypto-sealed packets went through a dedicated device to someone else's Wifi through the net to another stranger's wifi to hidden node to my friend's computer. Worked like a charm after routing issues were dealt with. In spite of extra hops, it ended up being much faster. And the trusted transport nodes ran MSDOS. Just kidding: OpenBSD. ;)
"To make life even easier some Mobile Broadband USB dongles will do the same job with no soldering involved. Two such dongles and a Rasbery Pi and just a simple script to configure the Linux protocols with an "anonymous pre-pay credit card" to pay for the mobile service providers and you can put a cut-out in a different country well out of jurisdiction. When I've a little time I was planning to pop a VoIP relay on such a setup just to see how well it works..."
I'd like to see the result of all that if you get around to building it. I wish I had learned all that embedded stuff a while back. Would be paying dividends over and over.
On topic of switching phones, how about OpenMoko?
I guess you'd have control over IMEI and you could surely prevent remote spying.
Not that I'm going to do it, but I envision a phone with a virtual SIM card and 100++ SIMs stored on it. When there's wifi around, the phone uses just that, otherwise connects with a random card. Cards get switched randomly during operation.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.