Soviet Spying on US Selectric Typewriters

In the 1980s, the Soviet Union bugged the IBM Selectric typewriters in the US Embassy in Moscow. This NSA document discusses how the US discovered the bugs and what we did about it. Codename is GUNMAN.

Is this the world's first keylogger? Maybe.

Posted on October 12, 2015 at 8:19 AM • 51 Comments

Comments

Daniele • October 12, 2015 8:41 AM

I found this quote hilarious: "As a totalitarian society, the Soviet Union valued eavesdropping and thus developed ingenious methods to accomplish it" (page 2).

sam the eagle • October 12, 2015 9:42 AM

The paper seems to be intended to make the NSA look impressive and hardworking, but the effect just shows how naive and incompetent the US and the NSA were, and makes you wonder if they still are.

Bob S. • October 12, 2015 9:43 AM

On the other hand,

I am absolutely certain I read the Russian government ordered thousands of old fashioned electric typewriters, maybe from Germany, after the Snowden Revelations. I suppose even today some kind of electronic transmitter could be fitted to typewriters.

I wonder how that relates to the conveniently released NSA document?

So then, manual typewriter and trusted courier? (wax seal?)

Let's face it, on a governmental level anything truly serious and/or secret shouldn't be prepared or communicated on electronics. That seems to be a given anymore.

Conversely, hundreds of millions of people are now exposed to massive corporate-government-criminal spying and surveillance for their personal business (think bank and credit cards), medical records, personal data and recreational communications.

ps: Anyone noticing the new, special privacy notices going up on major websites? Why is that?


blake • October 12, 2015 10:09 AM

@Daniele
I was going to post the same beautiful post-Snowden irony, but you beat me to it.

Instead I'll share these:
> "To the best of NSA’s knowledge, the Soviets did not interfere with any of the equipment that was shipped to the embassy or returned to Fort Meade." (Pages 7-8)

So *either* the op went perfectly, *or else* went really badly, and there's no way to be sure. And:

> "The true nature of the GUNMAN project was successfully masked from most embassy employees"

Equivalently, the true nature of the op was not successfully masked from all embassy employees.

I stopped reading at "NSA personnel demonstrated a tremendous capacity for hard work. They also exhibited deep dedication to the mission".

CallMeLateForSupper • October 12, 2015 10:14 AM

"Deja vu all over again", Yogi Berra

Yes, very interesting story. I read about GUNMAN in the not-too-distant past, but where? In a Bamford book? After some searching, I found this very paper in my Documents folder. D/L from (somewhere) in June 2014.

It is a good read. Gave a copy to a friend who is a retired IBM Customer Engineer (repairman) who knows Selectrics (and copiers) inside-out, and even he was impressed.

Evan • October 12, 2015 10:18 AM

@ Bob S: New laws in California and the EU that require sites to inform users about things like cookies.

Mic Channel • October 12, 2015 10:28 AM

"Soviet secret police in Moscow have been getting the latest word on sensitive U.S. embassy documents even before U.S. officials read them."
And the NSA probably does that to the State Dept to this day.

Dr. I. Needtob Athe • October 12, 2015 11:38 AM

At first I thought maybe the Soviets had scavenged the used carbon ribbons from a dumpster and recovered the typed text from them, like Columbo did in a 1976 episode called Now You See Him.

Slime Mold withMustard • October 12, 2015 11:45 AM

On page 25, the document mentions that the incident led to National Security Decision Directive Number 145, part of which was the formation of the System Security Steering Group consisting of the Secretary of State, Secretary of Treasury, the Secretary of Defense, the Attorney General, the Director of the Office of Management and Budget, and the Director of Central Intelligence. If it still exists, I guess they were meeting in a suburban New York basement.

The theme of the entire piece is bureaucratic infighting, and (@ blake is right), self-congratulatory.

Ribbit • October 12, 2015 12:30 PM

I remember reading a similar story in the press back in the 1970s wherein the Soviets had managed to read the French diplomatic mission's traffic by planting a bug in their teletypes, which had been sent to Moscow by land without an accompanying guard. Why waste time attacking the crypto when you can get yourself direct access to the clear text...

IIRC, the device was said to be hidden in a capacitor which had a bit too many wires coming out.

I kind of remember that the new US embassy building in Moscow was so hopelessly riddled with bugs cast right into the concrete, that the tenant refused to move into the new premises.

The security at the construction of the US Embassy in Berlin inaugurated a few years ago was visibly much better than it must have been in Moscow, the site was quite visibly guarded like a fortress. They probably didn't want to see what THEY were installing...

I'm a bit surprised that the host country's electrical supply was used in the Embassy, I would have thought that paranoid security people would have installed a motor-generator group to provide isolation and also obtain 120/60Hz power from the public supply, which in Russia is 50Hz and not 60Hz like the report states.

It's not clear why GUNMAN should have been kept very secret, as the eavesdroppers must have wisened up relatively quickly that the embassy's equipment was being replaced wholesale. Was the NSA trying to maintain secrecy in order to reuse the technique on its own targets?

tyr • October 12, 2015 2:42 PM

Rus involvement in snooping can be traced to the
Battle of Tannenberg because the German Staff was
reading the Russians' messages before the Russians
received them. This was later bragged about and
they have been paranoid about it since then. My
favorite scam was the mini-cam in every Xerox that
photoed every document you copied and was collected
by the serviceman who also reloaded the camera.

Better check your office equipment today since this
kind of thing is routine business practice. Never
let Ang Cui within a hundred yards of anything. : ^ )

Renato • October 12, 2015 2:47 PM

From the text: "As a totalitarian society, the Soviet Union valued eavesdropping and thus developed ingenious methods to accomplish it."

Made me laugh... :)

djn • October 12, 2015 2:54 PM

I like the way everybody even marginally connected to the project sooner or later gets praised and hailed, from every top bureaucrat down to the humblest screwdriver-holder or PowerPoint-juggler.

Everybody - except for those 'other country' folks who actually managed to find out the bug by themselves in the first place. :-)

Ray Dillinger • October 12, 2015 3:15 PM

This is clearly a bureaucratese interpretation of the events which, while not necessarily inaccurate, is tailored to claim the maximum possible credit and glory for the NSA and to cast aspersions on the readiness or cooperativeness of their organizational rivals in State and CIA.

That said, it's good reading. Comic in some places and informative in others.

If you want security from electronic bugs built into your machinery, you pretty much have to use manual machinery. Which, post-Snowden, the Russians apparently do. They did not get electric typewriters, they got manual typewriters. The kind that keep right on working when there's no power to plug into. The kind in which ANY wire or battery or a chip showing up on an x-ray would definitely be an indication of something wrong. The kind where the plaintext can usually be recovered with some effort from an audio recording of the typing being done....

Tatütata • October 12, 2015 3:49 PM

@tyr:

" My favorite scam was the mini-cam in every Xerox that photoed every document you copied and was collected by the serviceman who also reloaded the camera. "

Modern multi-function devices combine a scanner back-to-back with a laser printer. How do I know that this document I am simply copying on a Brother or Xerox machine isn't stored and eventually sent on?

If printers mark documents with hidden watermarks [on what legal basis?] and scanners have logic for recognising certain dot patterns on bank notes [again, on what legal basis?], surely one could sneak in code to identify and collect interesting stuff, if the CPU horsepower is there?

On a Canon scanner I once had much difficulty in scanning a perfectly innocent document -- not a bank note or other financial instrument -- , but the damn thing kept resetting on a certain page. I eventually figured by selectively masking out parts of the page that something on the page was accidentally triggering the hidden code.

My Brother professional home office FAX/Scanner/Printer/Copier doesn't seem to have any more memory than it strictly needs for the job. And for good measure, my firewall router is configured to prevent it from making any outside calls.

But at my former job, the high volume and high speed Xerox machine had a hard disk mounted inside, and in addition had a card reader to read employee badges. People actually got tracked and punished for merely scanning sensitive documents showing management turpitude.

Justin • October 12, 2015 10:06 PM

@Tatütata

> But at my former job, the high volume and high speed Xerox machine had a hard disk mounted inside, and in addition had a card reader to read employee badges. People actually got tracked and punished for merely scanning sensitive documents showing management turpitude.

If you can actually build a case showing "management turpitude," and it's successful, that's one thing, but you've got to expect that any large company would like to maintain control over "sensitive documents." (They don't tend to hire people who "know too much" in the first place.)

Peter Galbavy • October 13, 2015 3:55 AM

> As a totalitarian society, the Soviet Union valued eavesdropping and thus developed ingenious methods to accomplish it.

Oh, the irony.

Ruufs • October 13, 2015 5:51 AM

The breathless schoolgirl prose is funny and sad. Not hard to imagine a retired Russian typewriter "repairman" reading it aloud to a colleague and saying "Wait, it gets better!"

Really, what's embarrassing about this is the high school writing style and the facile analysis.

"How I got to the White House and the story of our outwitting the extraordinarily clever Soviets (after a tipoff)" by Nancy Drew.

All seems very kindergartenlike now. So the US was incapable of keeping this secret, incapable of exploiting the discovery, relied on a foreign source in the first place, had lousy operational security and asset management, and couldn't organise an edit of this gushing, self-congratulatory piffle. LOL is the word.

It's a selfie before its time, and there's a connection all the way to Keith Alexander's holodeck. And to Snowden for that matter. Superheroes in the mirror and a conviction of the enemy's inferiority. There's a lot to be said for self-doubt, putting oneself in the shoes of the other and testing assumptions. The national aversion to this in the self-proclaimed "Greatest country in the world" is remarkable. Hubris as a security weakness has a long history.

Bob S. • October 13, 2015 7:42 AM

@Ray

The Russians did indeed buy old fashioned ELECTRIC typewriters:

"German-made Triumph Adler Twen 180 typewriters were popular in the late '80s and early '90s"

http://www.telegraph.co.uk/news/worldnews/europe/russia/10173645/Kremlin-returns-to-typewriters-to-avoid-computer-leaks.html

However, not to be outdone, in 2014 the Germans were thinking about really old fashioned MANUAL typewriters after the Merkel revelations:

http://www.theguardian.com/world/2014/jul/15/germany-typewriters-espionage-nsa-spying-surveillance

One thing is clear: Five Eyes sees anything electronic as a bona fide target whether it's grandma's flip phone or Russian intelligence services.

If it was me, and I wanted to make sure something did not go wild, I would not use any electronic device to prepare or communicate the information.

In turn, I would pump white noise by the ton into the rf world. How about a trillion cat pictures per...day...or hour?

Clive Robinson • October 13, 2015 7:51 AM

@ Bob.S,

> So then, manual typewriter and trusted courier? (wax seal?)

No not these days, just watch CNN ;-)

More seriously, though the sending of "Eyes Only" type paper communications are fraught and rapidly becoming 'security by obscurity', as they are slow, inconvenient, comparatively easy to tamper with, bulky and fairly easily traceable by the enemy due to having a human courier attached to it all the way.

Most of the problematic defects can be taken out of the system in various ways. After all if you are going to send a courier at some point why not instead give them a bunch of blank One Time Pads to take instead. Whilst the Pads have many disadvantages, they do have the advantage of offering the highest security manual cipher there is, and if the paper and ink they are made of is suitably chosen they will both burn very very easily or dissolve in water or other liquid very very easily. I've seen permanganate soaked and printed cigarette paper burn completely in less than a couple of seconds, and the printing dissolve in water in about the same time. Oh and just a wipe with glycerine soaked cotton wool and the paper spontaneously combusts, thus an easy to break glass ampoule would give a fairly easy self destruct device.

However best not given to diplomats, from the Manning Trove, it appears they love to send numerous voluminous messages, full of "appraisal" and "gossip" rather than hard fact, there would be a danger that no matter how big a consignment of Pads was sent they would use them all in short order ;-)

albert • October 13, 2015 10:47 AM

Very clever stuff from those '2nd-rate' Russkis.

"If you can't know your enemy, don't underrate him."

The paper mentions the number of typewriters required for the embassy was 250! The place must have been awash in paper. This has to be much more than the number of people assigned there. Talk about information overload.
Something tells me that there was a lot of BS being thrown around, or the US personnel were getting tons of Soviet data from somewhere.
Can someone explain this?

I'm assuming that the bugs transmitted 'over air', rather than over the power lines, which raises the question: how did the Soviets receive this data?

Other questions:

Did the Embassy have draconian power line filtering? At minimum, it should be installed at the service entrance, and at each sensitive electrical device.

OT. What about those powerful microwave beams the Soviets blasted at the Embassy? Were they for spying purposes, or just to make folks sick (which they did)?../OT

Did the US use any ECM systems there?

. .. . .. _ _ _

S • October 13, 2015 10:55 AM

Has anyone any technical details? The report cites a few references at the end, but they do not seem to be online.

Andrew • October 13, 2015 1:17 PM

Not quite the same, but what about the idea of using a piece of wax to get the shape of an actual key and using it to make a duplicate? Would that count as a keylogger? Was that ever done outside movies and before the 80's?

Mark • October 13, 2015 3:03 PM

Something is fishy here... When I was in college I bought a used I/O Selectric typewriter (one with an RS232 EBCDIC interface). During Christmas break in 1978 I brought it home to my father's house and showed it to him. He had retired a decade earlier as a colonel in military intelligence. He mentioned that they were forbidden to use Selectrics. A COMSEC officer had demonstrated to them that one could decode the typing from the sound that the mechanism made.

I had a KIM-1 microcomputer board with me at the time... a 1 kB, 6502 processor demo board. I spent a couple of days and hacked together a program that used the cassette tape interface on the KIM-1 as an input and proved that it was rather easy and reliable to do.

So why would our embassies be using Selectrics in the 1980's when it was well known that they were quite insecure as far back as the late 1960's?

Nick P • October 13, 2015 3:39 PM

@ Mark

That's like asking why Minutemen ICBM's still rely on computers from the 70's-80's when one can barely get parts on eBay. Legacy systems in big government or defence organizations are a rabbit hole you don't want to go down. Unless you're cleverly making and servicing emulators like The Logical Company. How much you want to bet someone over here was making money on those Selectrics contracts? ;)

ianf • October 13, 2015 4:31 PM

@ Mark “So why would our embassies be using Selectrics in the 1980's when it was well known that they were quite insecure as far back as the late 1960's?”

You are s.e.r.i.o.u.s.l.y mis under esti mating the departmental inertia and State Dept.'s capacity to live up to its stereotype of a self-winding, irreflective, bureaucracy. They are not there to rock the boat, but to serve.

Mark • October 13, 2015 4:38 PM

Nick,

I am well versed in ancient tech... I live in the Land of the Obsolete. I am often called upon to support/acquire/repair some ancient piece of technocrap.

For instance the Concorde airliner fuel/balance management system ran on an HP41 calculator. I supplied them replacements/repairs for many years. Also, a drug company was resurrecting a production process that specified the use of an HP-55 hand-held calculator with a timer function in it. I supplied them with several units of that very rare device. In both cases the regulatory hassles/costs of upgrading ancient tech and approved procedures was VERY expensive and daunting.

Also, just because something is old does not mean it is not good. There are numerous examples of tech equipment developed decades, even centuries, ago that have not (and will never be) improved upon (check out the HP3458A 8.5 digit multimeter). Also most old equipment was very well documented and used off-the-shelf components that can still be had today. They tend to be quite robust and easily repairable/modifiable. Compare that to the proprietary, closed, "if it breaks toss it" equipment available today.

But using a known insecure typewriter in a setting that requires very high security is just unforgivable. Kudos to the Ruskies for a job well done. Shame to the US for a royal, easily preventable screw-up that allowed it to happen.

Ribbit • October 13, 2015 4:59 PM

@Mark:

Maybe the Selectric put out a tell tale modulation on the 120V power line?

Memories, memories...

If your terminal wasn't one of those beastly IBM 2741, then it must have been a comparatively elegant Anderson Jacobson AJ841.

IBM had two flavours of Selectric based terminals:

1) Correspondence code
2) a flavour of BCD -- not EBCDIC

The "Correspondence-code" machine used the basic Selectric linkages, and was compatible with standard Selectric typeballs. The 6-bit alphabet used had no particular logic beyond mechanical simplicity at the terminal. You had characters for upper/lower case shift, very much like Baudot machines.

For BCD models you needed a special typeball. I had an APL and a standard one. To use other typeballs I would run my output into an ugly little program to perform code substitution. When you logged onto a mainframe, the login prompt would alternate between BCD and Correspondence codes each time you pressed return.

I had a SYM, the new+improved competitor to the KIM. I did try for a while outputting stuff to my Selectric using software-loop serial driver, but never could quite understand the IBM jargon concerning the sequence for locking and unlocking the keyboard. I scrounged my first daisy wheel printer before I could figure it out.

The Soviet hack on the Selectrics themselves was pretty, but the receiving installation must have also been an engineering feat, especially if they didn't merely record the signal on magnetic tape or paper for human interpretation, like they did in Britain in WW2, but attempted automatically decoding a signal buried under a TV channel. The NSA doc doesn't seem to say how they must have handled up/down-shift.

Clive Robinson • October 13, 2015 5:45 PM

@ Nick P,

The whole document does not ring true in and of itself, let alone before you start comparing it to other information that is now known from that time and earlier.

Makes you wonder if it might have been some elaborate deception... If it was you then have to think "Who would fall for this 'steaming pile'?", to which the obvious answer would be a long term idiot sitting on an oversight committee.

You only have to look back at the Berlin Tunnel Attack --Operation Stopwatch / Gold-- that the UK and US carried out on Russia. The Russian KGB knowing it was going on via the mole George Blake made only tiny changes to the traffic that went down the cable, thus the bulk of the traffic was genuine but not strategic. With it is suspected some false information injected by the KGB to waste the Western IC time.

Then at a politically sensitive time the Russians "discover" the tunnel and tell the world all about it along with photographs etc.

What has never been explained is that George Blake knew about the TEMPEST attacks around the Russia Cipher machines, that enabled the British to read the "faint ghost of plaintext" direct from the cables thus not having to attempt any cryptanalysis.

Presumably as Blake told the KGB about the tunnel, he also told them about the TEMPEST attacks, why then even after the tunnel was investigated and the British made "technical equipment" for the attacks had been captured and examined did the Russian cipher equipment at fault and still leaking plaintext continue in use for some very considerable time thereafter...

Arguably neither the US or Russians were any good at responding to EmSec issues in their own equipment even though both clearly knew the equipment was faulty. Whilst the British and Canadians however spent considerable time and effort removing the "plaintext ghost" from their Rockex super encipherment and similar equipment.

It has been joked in the past that the Russians never really had to bother recruiting moles in the CIA and US military because "The US Gave it away". Allen Dulles and his relatives were indirectly responsible for much of the leakage by putting way too much belief in direct force[1] and being more than hostile to the scientific and technical staff. So much so that it is known that often the scientific and technical work was carried out by the cash strapped British and passed back.

[1] He was known to espouse the belief that all wars could be stopped with a single bullet. Or as more normally called "Political Assassination". It can be easily shown that both Russia and Israel likewise believe in this, with Putin having pushed through legislation to make it legal and thus ensure protection for the assassins.

Mark • October 13, 2015 6:48 PM

Ribbit,

My Selectric was an IBM I/O Selectric. It was part of their SER program (special engineering request). Basically an OEM custom machine that they would not support, repair, touch. I bought it to use as a typewriter for school ($600, with service manual). It used standard type balls and had a 150 baud RS232 port that spoke EBCDIC. Since IBM repair people would not touch it and independent repair shops were pretty much useless I had to learn how to maintain the beast... oh for the love of hooverometers...

DEC machines could talk to it directly. The reason I had brought it home over Christmas was to work on building a replacement circuit board for it that would turn it into a standard ASCII terminal. My board used a 6502 to drive it. It had a large buffer so that you could send 300 baud data to it (the fastest that standard modems would work at in those days). Worked quite well. It paid for itself printing out people's term papers and dissertations. Word processors and letter quality printers were practically non-existent at the time.

One guy got into a pissing match with his dissertation advisor who would not approve his dissertation unless he made a bunch of rather picayune changes. Changes rather obviously made to cause him to miss a deadline. Well, he edited his text (on a CDC-6600) and we spent the night re-printing all 200 pages. The poor advisor never knew what hit him...

Chris • October 14, 2015 10:45 AM

The IBM Selectric typewriter was a marvel of industrial design and the Soviets actually exploited its features. Keystrokes which move the type element have a unique binary code (Page 21 of the report alludes to this). Here's a great video that explains it in detail.
https://www.youtube.com/watch?v=bRCNenhcvpw

One way to think about this is that it was probably one of IBM's earliest zero-day exploits. Also, what seems like an unintentionally revealed item on page 15: The NSA had an entity named the "Tempest Office" for at least a year before Wim van Eck's paper on the concept was published.

Jack Boothe • October 14, 2015 12:36 PM

If you want to be truly secure, I suggest the bromide of a 19th century Boston politician, Martin Lomasney: "Never write if you speak; never speak if you can nod; and never nod if you can wink..." A very tough system to break even with today's advanced technology.

Vito Corleone • October 14, 2015 7:38 PM

@Jack Boothe:

insert: "never speak when you can mumble, never mumble when you can nod"

Robert in San Diego • October 14, 2015 9:27 PM

I'm not sure this would be the first keystroke logger. I recall from Kahn's The Codebreakers during the First World War induction coils or ground detection loops of some sort were used to intercept telegraph transmissions at the front. Of course that would be logging a single key being stroked :-).

Fredrik Wahlgren • October 15, 2015 11:13 AM

I can think of a countermeasure to see if things have been tampered with. You could measure physical properties before you send things and thus establish a baseline. You could measure the weight for instance. Of course, you would need a very precise scale. Or you could measure something like resonance frequency. One thing or another would likely change, even if only by a small number.

If you send something wrapped in shrink plastic, you could measure the stress pattern in the plastic. Because it's shrink wrapped, it's not likely to change. That would defend against an attack where the item has been repackaged.

ianf • October 15, 2015 1:18 PM

@ Fredrik Wahlgren on logistical OpSec (cc: @figureitout)

[…] “If you send something wrapped in shrink plastic, you could measure the stress pattern in the plastic. Because it's shrink wrapped, it's not likely to change. That would defend against an attack where the item has been repackaged”

Or you could go with Edward Snowden's low-budget solution of sprinkling soy sauce (or a fast-drying ink) in a random pattern on a napkin, then photographing it for later visual comparison [in H-K Mira hotel]. Measuring stresses in the shrink-wrap of physical objects is not easily done without specialized, and not very portable, equipment.

    ObOpSecContent: tampering with a shrink-wrapped computer tower held as court evidence plays a key role in Scott Turow's novel “Innocent,” which takes place 20 years after the events in his “Presumed Innocent” (1986), and should thus be read in tandem to fully understand the historical "twist" in the case that goes unmentioned in the newer book.

Figureitout • October 15, 2015 11:41 PM

Fredrik Wahlgren
> Of course, you would need a very precise scale

--This is why something like 64bit timers is important and the pretty huge numbers you can use. Something simple like just pressing and holding a button (better is x,y coordinates on a mouse that Truecrypt/Veracrypt/GPG take advantage of; for arduino it'd be the joystick w/ 0-1023 in each axis) provides a decent pseudo random seed (which is the same problem w/ initialization vector in crypto, getting this seed automatically).

Never know w/ physical tampering during shipping too unless doing it yourself; but those measures would most likely do the job just have a larger shadow of doubt.

ianf
> Edward Snowden's low-budget solution

--That picture has to eventually be taken again at "B" and sent back to "A" to verify eh? Then assume a reliable channel between A & B for "A" to send off a positive verification to "B" (a nearly impossible endeavor for non-security people who don't seek it out).

And other than that, best to not talk about personal OPSEC to give up patterns for attackers so there's going to continue to be a lot of bullsh*t surrounding this area (you want to only do actions that have high returns, otherwise doing this 24/7 *every single time* is not worth it and simply a waste of your life).

ianf • October 16, 2015 4:14 AM

@ Figureitout

> Edward Snowden's low-budget solution
> --That picture has to eventually be taken again at "B" and sent back to "A" to verify eh?

FTR, that was all in situ, his method to detect surreptitious entry into the room: by placing soy-sauce-sprinkled napkins on the floor by the door. For later visual comparison against photographed ditto & given that wedging a wood splinter in a doorframe method has been severely compromised. Saw this (a reconstruction of) in one of the documentaries about ES, possibly the BBC Open University's episode of “Cybercrime”.

Thanks for the heads-up about PersOpSec. Rest assured that had I had any secrets to withhold, or presented anywhere near palatable profile to the IC, I wouldn't so openly perch here where I can cluck my luck 'til chickens come to roost.

Figureitout • October 16, 2015 10:02 PM

ianf
> his method to detect surreptitious entry into the room

--Ah ok, thought it was a form of impromptu authentication.

Andy • October 29, 2015 3:48 PM

Wasn't there also this fiasco with the rebuild of the US embassy in Moscow where the KGB managed to mix thousands of unconnected, essentially harmless electronics components (transistors? thyristors? Something like that) into the sand / concrete mix before the foundation and walls were poured, resulting in those handheld bug detection wands going nuts and producing false positive readouts (bug warnings) in every corner of every room? I seem to recall it resulted in a complete building teardown and rebuild.

Seems like the Russkies had a bit of a leg up on the US back in the day...

Jon Elliston • February 13, 2016 8:07 PM

Speaking of Xerox Spies - that was a thing back in the day... and our US NAVY was very paranoid about this - Even though we were doing it to the Russkies.

http://tinyurl.com/jmtovqu

BTW - Ed Snowden: Who uses Soy Sauce on a napkin? What's wrong with the old match stick or a small piece of folded paper near the bottom of the door. If the object is now on the floor next to the door when you return expect someone unexpected is in there or was recently there and left and never sweats the small details (which BTW is in your favor).

ianf • February 14, 2016 4:08 AM

@ Andy October 29, 2015 3:48 PM

> […] KGB managed to mix thousands of unconnected, essentially harmless electronics components (transistors? thyristors? Something like that) into the sand / concrete mix before the foundation and walls [of a new US Embassy building in Moscow] were poured, resulting in those handheld bug detection wands going nuts and producing false positive readouts (bug warnings) in every corner of every room?

Never heard of that before, sounds implausible & apocryphal to me. Would mixed-in passive, discrete analog components give off any particular telling "spikes" in the (audio?) output of electromagnetic detection wands? KGB might as well have mixed in spikes, thus giving away the hint that this is but a deflection maneuver. SO WHAT ELSE MIGHT BE THERE?


@ Jon Elliston [same thread, different topic]

[Ed Snowden's OpSec in H-K]: “Who uses Soy Sauce on a napkin? What's wrong with the old match stick or a small piece of folded paper near the bottom of the door.”

The wedge in doorframe, or strategically placed strand of hair across entryway is a telltale sign of an OpSec-conscious person, something that the opposition would look out for. Randomly sprinkled napkin on the floor could have fallen off a tray emptied into a wastebasket. Photographed in situ by Ed for later comparison of placement vs. e.g. the doorframe, or relative to the carpet/ wallpaper boundary… a novel approach. Then again, this soy sauce ploy may have been a bit of playacting on his part at that particular stage on the road from spook to whistleblower in front of Laura Poitras' lenses.

Clive Robinson • February 14, 2016 1:50 PM

@ ianf,

> "Never heard of that before, sounds implausible & apocryphal to me. Would mixed-in passive, discrete analog components give off any particular telling "spikes" in the (audio?) output of electromagnetic detection wands?"

Either you know very little about electronics or you are being deliberately disingenuous (I'll let others decide).

You talk of "passive discrete analog components" when Andy was very clearly not talking about "passives" but semiconductors with "active" junctions.

It is reasonably well known that semiconductor junctions are not just active but nonlinear (see any undergraduate introductory text). Further of the form Andy mentioned they also act as diodes, which half wave rectify AC signals such as the RF signal put out by "nonlinear junction detectors" (which can look like wands). If you do a relatively simple analysis of a halfwave rectified waveform you will see it is rich in harmonics, and it is this re-radiated harmonic energy the detector picks up.

Also "discrete analog components" are far from perfect, most have a series of "self resonant frequencies" that can be detected by an "RF Bridge" or "Grid dip oscillator" (GDO) as they affect the effective impedance of the detecting circuit.

Both the nonlinear junction detector and RF Bridge / GDO techniques are used all around the place, and are most often seen at shop doorways to detect those "anti-theft" tags on valuable items.

But with regards your, "sounds implausible & apocryphal to me" don't let the realities of the security-affecting issues to do with components used in electronic circuits disturb your world view. Even most so called "security experts" don't, even though described at length in Peter Wright's "Spycatcher" book of the Thatcher era and many standard EMC text books from the 1990's onwards. Especially as these devices have been discussed to death on numerous occasions in the past on this blog by myself and others. Most recently in the likes of the "radar reflectors" based on the work of Theremin in the "Great Seal Bug" the Russians got into the US Ambassador's residence. I went into quite some detail when explaining how the TAO catalogue devices worked --and could be improved upon--, and on several occasions prior to that. I guess as you say "Never heard of that before" you've not been reading the technical comments that this blog has been famed for, for quite some time.
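
The harmonic argument in the comment above can be checked numerically. The following is an added example, not part of the original comment or of any real detector's firmware: it illuminates an idealized linear reflector and an idealized diode (half-wave rectifier) with a sine probe and measures the harmonics each one re-radiates. The transfer functions, sample counts and the 5% decision threshold are assumptions chosen for illustration.

```python
import math

N_SAMPLES = 1024    # assumed length of the simulated capture
PROBE_CYCLES = 8    # whole probe cycles in the capture, so DFT bins do not leak


def linear_target(v):
    """Idealized passive reflector: output is proportional to input."""
    return 0.5 * v


def diode_target(v):
    """Idealized semiconductor junction: conducts only on the positive half-cycle."""
    return max(v, 0.0)


def reradiated(transfer):
    """Illuminate a target with a unit-amplitude sine probe and return its response."""
    return [
        transfer(math.sin(2 * math.pi * PROBE_CYCLES * i / N_SAMPLES))
        for i in range(N_SAMPLES)
    ]


def harmonic_amplitudes(samples, max_harmonic=5):
    """Return [DC, 1st, 2nd, ...] amplitudes using one DFT bin per harmonic."""
    n = len(samples)
    amps = []
    for h in range(max_harmonic + 1):
        k = h * PROBE_CYCLES  # DFT bin that holds the h-th harmonic of the probe
        re = sum(s * math.cos(2 * math.pi * k * i / n) for i, s in enumerate(samples))
        im = sum(s * math.sin(2 * math.pi * k * i / n) for i, s in enumerate(samples))
        mag = math.hypot(re, im) / n
        # Non-DC bins carry half the amplitude of a real sinusoid, so double them.
        amps.append(mag if h == 0 else 2 * mag)
    return amps


def harmonic_ratio(amps):
    """Energy indicator: summed amplitude of harmonics 2..N relative to the fundamental."""
    fundamental = amps[1]
    if fundamental == 0:
        return 0.0
    return sum(amps[2:]) / fundamental


def junction_detected(amps, threshold=0.05):
    """Flag a nonlinear junction when harmonic content exceeds the assumed threshold."""
    return harmonic_ratio(amps) > threshold


if __name__ == "__main__":
    for name, target in (("linear", linear_target), ("diode", diode_target)):
        amps = harmonic_amplitudes(reradiated(target))
        row = "  ".join(f"{a:.4f}" for a in amps)
        print(f"{name:6s} DC..5th: {row}  junction={junction_detected(amps)}")
```

The linear target returns energy only at the probe frequency, while the rectifying target also returns a DC term and even harmonics, matching the Fourier series of a half-wave rectified sine.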

8775 • July 10, 2016 7:59 PM

The nsa.gov document link at the top of the article has gone dead. Go figure.
