Schneier on Security

Clive Robinson • September 18, 2020 10:53 AM

@ Curious,

I remember searching the internet for ‘charlie one allen’ one time long time ago (after seeing a movie where this phrase was mentioned)

In the movie “The Wild Geese” from the 1980’s or earlier there is a scene in which there is a reference to a “charlie one allen” on the radio.

The script writers kind of assumed people would realise it was a joke refrence to the “Central Intelligence Agency”.

I Don’t know if it appeared in any other movies. But for SciFi cartoon fans who have seen the first Episode of Futurama the “Cyclops” later “love interest of Fry” called Leela, was a police officer and was given the call sign of “Officer 1BDI” in a similar hunourous vein.

Clive Robinson • September 19, 2020 6:49 AM

@ Danny,

Actually everything is just 0 and 1. You, me, the entire Universe.

To quote Seth Lloyd from his Wired “Life the Universe and Everything” article,

“… everything in the universe is made of bits. Not chunks of stuff, but chunks of information — ones and zeros… Atoms and electrons are bits. Atomic collisions are “ops.” Machine language is the laws of physics. The universe is a quantum computer.”

He also wrote a book about that,

https://www.penguinrandomhouse.com/books/102977/programming-the-universe-by-seth-lloyd/

More recently he has been looking into quantum effects in biology. Where the likes of photosynthesis defies our non quantum understanding of phisics and thus chemistry. Quantum effects in biology is something that the polymath Roger Penrose thought might explain why the human mind is above and beyond classical computing and physics. Which if true puts a nail in the coffin of Hard AI research that is not realy any near it’s goal than it was over six decades ago.

Clive Robinson • September 19, 2020 11:55 AM

@ David,

At HF LO detection would work better as there are few sources

There is quite a bit of history behind TV detector vans in the UK.

But as a rule they did not detect the Local Oscilator frequency which was at Band I VHF (later UHF), because the antennas required would be impractical on the Hillman or later Commer vans.

Back in the early days it was not just TV’s but Radio’s that had to be licensed and those were the days of the Hillman vans run bt the the General Post Office (GPO[1] which became BT) they used magnetic loop coil antennas liked a much bigger brother of those coils around ferite or iron powder rods you find in long wave and medium wave AM receivers. Those could pick up a radios LO or IF amp output and could detect the flyback oscillator circuits used to generate the magnetic deflection fields around the Cathode Ray Tube (CRT) later versions could also pick up the the circuit that was used to generate the very high voltage used on the CRT that was modulated by the video signal in the old VHF 405 line black and white TV days. Back then nobody gave a stuff about generating Radio Frequency Interference(RFI) in what we now call consumer electronics, as generaly it was not a problem. Whereas screaning a radio or TV to stop it would have more than doubled the price of a Radio or TV that already cost the better part of a years income even for the middle classes.

The Radio licence was dropped before the use of UHF and later 625 PAL colour television but the TV licence still remains today even in a vastly more convoluted form.

The later Commer vans still run by the GPO were nolonger required to do Radio Licence detection and the equipment was upgraded. Whilst it still did scanning coil and high voltage video signal pick up, they now also did IF output pickup. 405 line TV’s had IF frequencies in a number of places but the 13.5 Mhz (later ISM band due to interference issues) was common. With the third harmonic frequently radiating better at the bottom of the VHF band at around 40MHz due to various factors the UHF TV IF frequency was selected to work at the 405 line third harmonic as it reduced costs for dual mode TV’s. It’s third harmonic fell in the Band II FM broadcast band and as I found out in the late 1960’s[2].

Thus the Commer detector vans used the IF output to “find” and the magnetic loop antennas to “fix” to send an officious little man to “finish”.

On several occasions I got to press my nose up against the side window on the Commer van to see the control desk. Some of the operators usually the young ones were decidedely unfriendly, but the older ones spotting a “keen interest” and learning you had “a bit of knowledge” opened up and were quite encoraging. Some I guess realised I would go and tell other kids about “the adventure” and that it would encorage their parents to pay the licence.

Oddly as I found out one of their duties was to “report new build”. Back then houses, flats and all sorts of other homes were being built as fast as daisies could grow planning permission was a local not national Goverbment issue thus the GPO often did not get told about entire new roads or even housing estates untill long after they were occupied and then not always. Then as now central Government departments realy did not talk to each other and databases were still mainly kept on “record cards” in little draws, much like you used to see in libraries a decade or so back.

Because then as now people still think TV detection was a myth, it was not. Back then due to the lack of RFI screening, RFI got worse and worse even though with transistors the radiated signals were tiny tiny fractions of the old valve/tube receivers and TV’s the problem had to be dealt with and eventually we got ElectroMagnetic Compatability (EMC) legislation.

But now for the “security aspect” that makes me smile. The meyhods used to track radios and TV’s were “Official Secrets” thus they could not be talked about in court. So the very very few cases that went to court actually had “half truths” used instead. Such as “as we approached the property we could hear/see” or “when the resident opened the door we could hear/see” but more often or not people that did answer the door talked their way into court by making excuses such as “I told my husband to pay that weeks ago” or some such.

For those living in the UK there is no law that says you have to answer the door, nor is their aby law that says you have to talk to people at the door or answer their questions, that applies to the police as well. The reverse however is true, they are required by law to prove they are not trespasers or criminals in stolen uniforms or with fake or stolen ID’s are required to answer truthfully. If they don’t not only are they committing trespass they are also commiting one or more of many crimes and you have the legal right to perform a citizens arrest…

By and large TV detection came to an end with EMC legislation taking effect. However technology has moved on and it is now due to still supposadly classified ways to detect TV’s again. As researchers at the UK’s,Cambridge University Computer Labs demonstrated there are now ways to pull even LCD display signals out of the mush in a form of van-Eck freeking and they demonstrated this at over a 20metre distance IIRC at a show where RFI would have been high due to the density of computer equipment. Basically they used a wide band receiver and a big chunk of DSP algorithms.

But to detect modern TV’s is not exactly difficult due to what they stick out in the 2.5GHz ISM and 5GHz bands. Many advertise their presence by WiFi that can be picked up well over 300meters away and exactly in the same way that Google scaned just about every street in the UK to build it’s WiFi to GPS location database vehicle based and hand held devices can do the same. What people forget is that the MAC code contains two parts a manufactutes ID is usually the first half and the serial number the second half. Thus simply hunting for WiFi MAC addresses they have a very very good idea if you have a TV on the premises or not. Due to known vulnerabilities in the software of many if not all flat screen TV’s they can “hack the status and settings” which will show if you are watching what you are watching, what you have watched and even what you might watch later. Similar applies to many settop satellite, cable and DVR units etc. The fact that such vulnerabilities are probably “classified” would not stop them being put in detecting equipment and a story made up to keep secret what is actually going on.

But… EMC issues have come back to haunt us. Most computers, flat screen displays and associated equipment actually fails the EMC emmison requirments by quite a long long wa. However the tests are written in a way that alows the rules to be bent by the likee of simple Spread Spectrum Modulation or what is called in other areas “whitening”. The “chip code sequences” are usually very short and either known or easily guessable. Thus a simple spread spectrum receiver can see the emissions not just at full strength but when synced in other signals disapear into the receiver noise floor. Thus the picture scanning frequencies etc become as clear as day to the reciever and thus van-Eck freeking at considerable distance becomes not trivial but easily within range of low cost off the shelf consumer grade electronics and systems such as SDR receivers and specialised software running on a high end PCs.

But there is another funny in the EMC game. As part of EMC testing something called a LISN (Line ISolating Network) is used to ensure what is being measured is radiated from the equipment not from the powersupply or other signal cables and leads etc attached to it.

In the reverse of the diesel engine emmition test scandle, most modern electronics has such high efficiency power supplies that they are effectively transparent to signals generated by opperation. Thus the tests in TV’s can easily be rigged.

In a large flat pannel screen the bulk of the usage current is the sum of the individual luminance signals which in high quality video has a very large harmonic content. However if the manufacturer displays a single colour lower intensity static screen then the actual harmonic content is based around the “transition edges” if they use the ideas behind the UK Cambridge Labs “Soft Font” EmSec reducing technology they can blur/soften the edges to produce much much lower spectral content thus EMC failing emmissions…

The upshot of which is the unit passes EMC testing on the static test screen but chucks out lots and lots of RFI from the rapidly changing current in the power supply from the luminece signals.

Knowing this you can as I have done find that sufficient information goes down the cable into the house wiring and out to the cables that supply the house with power. Thus a receiver tuned to certain frequencies will pick up the line and frame scanning signals which even a 1USD microcontroller can be programed to flash a light on and off when they detect them… Thus get an indication when they walk near the house power inlet cables that are often not more than a foot or two away from the front door area…

Anyway I hope that gives you the background on the history of TV Detector vans etc.

[1] The GPO was actually a government agency under a Minister of State called The Postmaster General. As such all it’s employees were subject not just by the Defence Of the Realm Act(DORA) but both the first and second Official Secrets Acts(OSA). At various places like Dollis Hill, Malvern and several more it carried out what was Top Secret Research including that which we now call TEMPEST or EmSec, and they were very well aware as were MI5’s technical branch which dealt with equipment used by “Agents of Foreign Powers” what in the early 1970’s became known as Van-Eck attacks later freaking to remotely reconstitute images from CRT screens.

[2] It happened shortly after I got my first transistor radio you could clearly pick up the TV audio as it used an FM subcarrier. That came up above 90MHz and not far from the 100Mhz Police Repeter. I found out because I liked the Gerry and Silvia Anderson puppet TV program “Thunderbirds”. It was transmitted on Saturday mornings on ITV, but due to various reasons I was often not allowed to watch it. Stuck in my bedroom on saturday and desolately tuning around on my FM radio in my room to see if I could find something to listen to, I was surprised to here the audio of Thunderbirds. I did not know then what the actual cause was but my father who had done interesting things in the Royal Signals during WWII certainly knew and when he caught me listening in secretly one Saturday told me what it was. That realy peaked my interest and it was about then my interests in lockpicking subsided for my interest in electronics. This was helped in two ways firstly because my dad encoraged me and secondly lots and lots of valve (tube) radios, tape recorders and other electronic equipment was turning up at “Jumble sales” as people replaced large and heavy unreliable valve equipment for light weight very reliable and above all portable transistorised equipment. Thus I started my own small business before being a teenager. Basically I would buy at jumbles find out if it worked or not and then if not tried to fix it, by looking for valves that did not light up, loose wires that had broken off and componets that had “let out the magic smoke” and had that burnt or blown up look. Mostly I was successfull and my dad who was a Charterd Accountant but at heart a techie taught me to solder and use wire cutters and not kill myself with 240-600 volt screen and anode voltages. By the time I was a teen I was fixing other peoples radios and selling on the old ones when transistor radios and black and white TV’s started turning up at jumbles… So I progressed also tape recorders came along as well and my bedroom looked liked “Doc Brown’s garage”. Not long after that Pirate Radio came almost to the bottom of the garden and my future was cast…

Clive Robinson • September 20, 2020 4:35 PM

@ Cassandra,

As I get older, the problem of securing stuff in ways that are resistant to loss by failing memory or loss of unique identifier/token gets more relevant every day.

It is a “very expensive problem” to look after those who live to exceed retirement. Especially as many parts of the Western life style positively encorages dementia in old age.

As @JonKnowsNothing can confirm various Western Politicians are positively salivating at the idea that “COVID Kills Pensioners” especially those with assets they and their friends can buy up at “fire sale prices” and add to their largess friends “rent seeking portfolios”.

Have a look at the UK news about the latest stunt the UK Chancellor has just announced with regards the disadvantaged and the all ready poorly paid public sector workers…

With regards the pad of my finger, the darn thing keeps opening up. I know if I go to hospital they will not stich it up and they will put a “bo-bo bandage / elastoplast” on it that will not keep the cut closed. So yes I’m very probably going to get yet another scar (hopefully it wont last as long as some I’ve got including one persistant one I got when wearing the green).

But that’s something else with being over 21 for the “cough cough” time, you just don’t heal as fast and vivid scars on old skin just don’t do it for me when I look in the mirror, or I suspect a lot of others if they got a gander of them. So thankfully most of my scars are in areas where keeping them clothed does not attract much attention except on the beach. Don’t know if you’ve noticed but scars tend not to sun tan as well as other bits…

To answer your implied question, no I don’t do bio-metrics. Not for the reasons you mentioned but because the only one I never reliably hacked was retina scans…

The rest I learnt real quickly how to get around easier than picking a lock including DNA testing… Lets put it this way, long long before I was a teen “couch cough” decades ago I found that the red wax around Edam cheese has just the right softening characteristics to make a realy good 3D mould of a finger print (just roll it in the palms of your hands untill soft). Press a finger in gently, then stick the wax ball with the fingerprint impression in it in the fridge/freezer to “fix the ridges”. When fixed apply a fine mist of WD40 as mould release and then carefully paint in with rubber solution glue you get a realy good “fake skin with perfect finger print”, that you could stick to the surface of those stretchy rubber gloves that were just becoming available in modelling shops back then.

When I was a decade and a bit older, I worked as an electronics engineer for a company that was amoung the first to develop fingerprint readers. I made the mistake of telling one of the managers you could easily fake finger prints and he stated that it was impossible[0]… which irked me so did a brief literature search and to my surprise found nothing[1]. So I demonstrated it to some of the other engineers and low and behold the very expensive finger print lock was defeated very very easily, and shortly there after I got “made redundant” rather than be alowed to demonstrate how to fix the problem[2].

However play with bio-metrics long enough and you realise two things,

1, Arthur C Clark’s observation about distinquished scientists applies equalky as well to those involved with security systems.

2, No matter what you do you always end up in a “Red Queen’s Race”.

Both of which should tell anyone who can still think objectively that security can never be 100% secure.

Or if you are of that mind set “There are always black swans coming over the horizon”.

[0] What I did not realise was that manager was actually telling me “not to kill the golden goose” which he planed to profit by greatly as he was a founder… Needless to say for some reason “others must have guessed or known”[1] and the company did not meet market expectations, with the usual fate that entailed in the UK back then…

[1] For various reasons I thought I had been the first to discover this when pre-teen and nobody told me otherwise. However when I did my “Literature Search” turns out it was on the wrong literature and with to much depth and not enough breadth. So some years after that I discovered it was in other “literature” specifically “The Adventure of the Norwood Builder” and low and behold the fictional[3] consulting detective Sherlock Holmes describes in sufficient detail how to do the same thing. But the mold described was made with “melted sealing wax” which would have been in very common usage then. However as I and no doubt others have found out, hot sealing wax can scold delicate skin and you’ld certainly know if you had pressed your finger or thumb in it. But the detail given was sufficient to say that either Arthur Conan Doyle had discovered it by accident or had been told about it by someone who had. Probably many had as “pressing a thumb” in sealing wax was I understand quite common for those that did not have engraved personal signet rings or seals.

[2] Yes there are ways to fix various faults with fingerprint scanners but some are public knowledge part because they have been defeated by people who can think a little more hinky…

[3] I have actually found in practice if you “actually want to find”[4] literature about security. Expensive journals and scientific papers are not the best place to start “fiction” be it crime or science and even fantasy has many many times got there before. For instance read the James Bond book “From Russia with Love” somebody either knew or was told a lot about mechanical cipher systems. Which for the time it was written is quite surprising.

[4] For obvious reasons many wish to limit their literature searches and “breadth” style searches tend not to get done. In fact I’ve found some people limit their literature searches to those done by others in similar papers and from their citations build a tree of citations for their paper and add some often outlier papers… Not sure if it qualifies as “log rolling” but…

Clive Robinson • September 21, 2020 8:40 AM

@ SpaceLifeForm,

originated at Lourdes

Is “apparently” now a University Campus, the previous SigInt buildings having been demolished…

Cuba reportadly made between 90million and 200million USD per year equivalent “rent” on the Lourdes site from 1962-2001.

The dates are not exactly surprising when you consider the Cuban Missile Crisis and the fall of the iron curtain and “supposed end” of the Cold War.

The simple fact is whilst Russia is perhaps the richest nation natural resourse wise, it’s lack of trade to turn this into liquid fiscal wealth ment that come the turn of the century it was effectively bankrupt.

There were stories from Russian news sources a decade and a half later that Russia was going to build the site up again, However the stories were hastily removed.

One of the big problems with “Numbers Stations” is deciding if they are “for real” that is to communicate with spys in foreign countries. I know for a fact that atleast a couple were for “frequency holding” because I built them[1] and sold kit to several others so they could do the same.

But there are other reasons to run Numbers Stations that are inteligence based but not SpyComms. One is “Twenty Committee” (XX in Roman numerals or a “double cross”) type work. All transmitters have a “Coverage Foorprint” if you move the transmitter antenna configuration (see “curtain arrays”) then people will notice and they will make inferences about the reasons for you doing so. Pick your moment with other international events and you can pass the “two independent sources minimum” rule “sniff test” analysts use to try and sanity check what they see, in the world of “Smoke and Mirrors” the modern day version of “The Great Game”.

[1] Let’s say you want to have your own radio station, for various reasons doing this via some processes is long and fraught. Thus people tend to take short cuts and just “grab a frequency” in one of the many Broadcast Bands in the MF to HF spectrum. The thing is people only realy listen at the weekends as they are working the rest of the week. Even if you are not paying anyone producing 24×7 programing has costs[2] which you would not want to incure when the ROI would be zero or worse. But you also know if you do not put out a signal 24×7 as frequency spectrum is a vary scarce resource as sure as milk sours in the sun, someone will come along and grab “your” frequency if you don’t 24×7 hold on to it. You can make a morse code “numbers generator” with an 8bit micro very very easily just as you could four decades ago and these days at very low “pocket change” cost. Today that would mean you would use something like an AVR chip pre built on a little PCB for around 5USD delivered you just need to spend half a day writing the code to do it. Back in the early 1980’s it was more like 300USD but that was still comparitively cheap. So yes I made several units to do just that back, so people had a slightly better chance to hang onto their HF Broadcast band frequencies.

[2] I actually built a voice synth by storing waveforms in ROMs and using a quite expensive at the time 8bit Digital to Analogue Converter as an “education credit project”. Within a year quite cheap in comparison voice synth chips were available so numbers were easy peasy. But technology moves and back around a decade and a half ago the “Festival Voice Synth” software became readily available at a quality that was sufficient for broadcast so I designed the first of a series of “Stations in a Box”. In essence it was antennas, feeder cable to get 1.2kW ERP from a 300W FM transmitter, computer “jukebox” + voice synth and either an ethernet or RS232 serial data input. Basically the computers hard drive stored thousands of MP3 music files and similar encoded audio files that got uploaded in the background. You loaded the “programing” via simple text files with the “DJ” done via the voice synth. Thus you could have a remote radio station up a mountain in Spain or Cyprus that overlooked “tourist spots” that you could fully run from the UK or other part of the world across the Internet[3].

[3] Oddly perhaps the biggest customers were “Governments” and “aid agencies” using them to provide local radio and informatiin services in areas where running any kind of infrustructure that needed more than a solar cell or battery was not there.

Clive Robinson • September 21, 2020 9:20 PM

@ ALL,

Since the topic of “fieldcraft” has been brought up, I guess a little observation on it is due.

What is called “Old School” fieldcraft was tried and tested for hundreds of years and what worked and what did not work was winowed out.

The idea behind fieldcraft is in the case of “dead drops” to create a “disconect” between a Case Officer under Diplomatic cover and an agent who will end up against a wall one morning if the Case Oficer does not do their fieldcraft job right.

Most Case Officers are not just “known” to the host country they are observed continuously not just by the host countries security forces outside the Diplomatic Mission but inside as well by any person the host country has managed to get inside the mission or by any diplomatic personnel the host nations security services have turned.

Thus a case officer has to live and breath their cover 24×7 during their posting. So if your cover is “Trade attache” then you had better live and breath the facts and figures involved meet the people expected. In short “walk the walk and talk the talk” as well as doing your under cover duties like running agents. Which in many people causes “aberent behaviour” that also marks them out such as excess drinking or not drinking at all mood swings and all sorts of other “tells”.

So to get information from an agent as a case officer you have to assume that every move you make is watched, and if you “slip your tail” that will get logged as well.

Back just over a hundred years ago most things technical were still mainly mechanical and chemical and required a human to operate them and humans are due to their size hard to hide. This ment that there was a degree of “parity” between the case officer and the security officer. In that like the theater the actors and audience had to be in the same place at the same time or the performance was missed.

Thus dead drops were about sending messages across time to give the disconnect between the case officer and the agent.

The agent who hopefully is unknown thus unwatched by the host nation security services would place the information in an agreed point. For someone unwatched this is fairly trivial and only needs to apear to be “normal behaviour” to ordinary people thus not attract attention. In effect “The grey man doing grey things” in the more fanciful language some use, more pragmatically unremarked and instantly forgotten if seen.

Then the risky part for the agent, “setting the tell”. In essense doing something innocuous to all but the case officer which flags up that there is information to be retrieved. The problem is “clearing the tell” so the agent knows the message has been recieved. Because there is a high probability the case officer is under observation and they have to check for the agents tell frequently their behaviour patterns must cross the place where the tell is thus the security services will also know where a tell might be although they do not know what or where it is. The case officer clearing the tell is the give away of the what and where, thus patient observation once known to the security officers gives them the agent and thus some thumbs to put screws upon.

But back a hundred years ago that ment trying to get a security officer in place to observe 24×7 for maybe weeks, which is not only very resource intensive the resources need to be the type that can just observe without gettin bored or seen. Which is difficult when the resources are human.

However today with modern technology such as CCTV and low light pin hole cameras this problem goes away for the security officer. They get video tapes they can fast forward through to see the tell being “cleared” and go backwards with a “binary chop” to quickly find the agent setting the tell. Then once they have a face run it through image recognition databases etc untill they know who it is then the agent is dead in the water in as little as a couple of hours…

The solution to this attack by the security officers is to use two entirely different tells in an interlocked protocol of some form. Overly simplistically the agent sets their tell, when the case officer sees it they set their tell as a response. The agent clears their tell as an acknowledgment and when the case officer sees the agents tell is clear they clear their tell to close the prorocol. This way even if the security officer sees the case officer setting and clearing their tell it does not give them the agent or their tell unless the tell is obvious in some way thus gets recognised.

Thus a case officer knowing that their tells may be observed hides the real tell in amongst many other actions that a security officer may think are tells.

In reality for reliability the tells need to follow the PACE idea of multiple contingencies

1, (P)rimary.
2, (A)ltetnate.
3, (C)ontingency.
4, (E)mergency.

But also it is wise to have multiple tells in each contingency such that correlation potential by the observing Security officers is greatly reduced.

Similar protocols apply to the actual “dead letter box drops” as well.

Yes it’s complex but as an agent your life very much depends on it as does not leaving fingerprints or DNA on the information drops…

And it’s that bit where technology is so seductive to Case Officers hence the “Fake Rock”. If the information transfer is “virtual” then the agent does not leave their fingerprints or DNA at the dead drop. If the virtual transfer is done by RF link then there is no need to take any observable physical action that might attract attention such as physically hiding an object. But also is the seductive idea of using cryptography to render the information uninteligable to anyone other than the intended recipient.

Needless to say is that untill recently,

1, Use of RF stands out a lot.
2, Use of Crypto likewise.
3, Observers are easy to hide.

It’s that third issue that burnt the agent with the “fake rock” and it need not have done. Because for all their strengths the Case Officers who came up with the idea did not understand the technology sufficiently well at the time.

The same by the way is true of the Russian’s picked up who were trying to get information related to the Olympics Drug Testing and the Chemical weapons poisoning,

https://www.wired.com/story/russian-spies-indictment-hotel-wi-fi-hacking/

Although they understood the technology from an attackers point of view, they failed to think about it in reverse and what the implications were.

That is the “third issue” of “Observers are easy to hide”.

You can buy SDR dongles and small computers like the Raspberry Pi and with FOSS make the equivalent of network monitoring equipment that detects, logs, and optionaly alarms when unusual events happen in the “RF Landscape” or more directly in the case of the Russian’s the WiFi networks. Such RF monitoring systems once put properly in place are near impossible to detect. They are also inexpensive and work for next to nothing 24×7 and whilst slightly dumb do not get bored or sleep on duty.

If you know this then you can assume such things are in place and modify your behaviours appropriately.

The Russian’s rested on their laurels after catching the fake rock a decade and a half back. Thus they did not learn the lessons from it. So they relived history and likewise got burned a couple of years ago…

Which is all to predictable when people are,

1, Ignorant of domain History.
2, Don’t learn from History.
3, Fail to think forward from the leasons.

In warfare there is a warning that “The victorious do not learn from their victories but the defeated frequently do”. Hence the observation about “Generals fighting the same war” with the same battle plan but this time loosing.

Thus there is a way as a case officer to get virtual dead drops to work. The traditional dead drop purpose was to give seperation in time, as well as a way to “make” the security services manpower observable a hundred years or more ago. With technology especially RF technology you have to learn how to give not just “seperation in time” but “seperation in distance” as well to make observation zones.

Thus you need to create a virtual “killing zone” or “observation zone” in which you put your observation technology in first and effectively ambush the security officers and “catch them in the act” as they try to setup their technology to catch you.

Unfortunately with ubiquitous facial recognition coming to every streat, bus stop, train station and road junction near you the advantage is moving back towards the security officers as they will have their sensors in place before yours, and “keep it all” builds their virtual time machine.

There will be ways to defeate even ubiquitous surveillance but it becomes increasingly difficult to do so.

Clive Robinson • September 22, 2020 6:45 PM

@ SM,

I couldn’t help to think about your post about radiation of TVs and smile when I saw this:

Which inturn made me think “can I buy it off of him”, I could put it to good use 0:)

Whilst I have no ill will to the users of Broadband, I’m hoping there is some special place in hell reserved for the designers of it and it’s myriad of delivery systems and their huge and harmfull Radio Frequency Interference(RFI) issues.

But simply as the story indirectly indicates the Broadband service equipment is not “Standards Compliant” thus is not licenced for use. It never was nor can it ever be in many of the delivery systems.

It was a “political job” that unfortunately went badly wrong and a Senior Employee at the UK’s OfCom quite deliberately ran a “cover-up” to please the politico’s and I assume some industry lobbyists that came their way. This is a “we are not going to take action letter” sent out by them,

https://rsgb.services/public/publications/emc/191011_ofcom_letter_re_rsgb_vdsl_meeting_8_october_2019.pdf

You will note from it he explains why he is not going to do anything about considerable and harmful RFI from VDSL Broadband equipment.

However what they fail to mention in the letter is their primary obligation under law to stop the sale or distribution of equipment “on the common market” that is not certified for use or incorrectly certified for use.

When he wrote that letter he was knowingly sitting on a report that informed him in no uncertain terms that the Broadband equipment failed the basic EU Directives gravely thus the equipment should not be on the market (amongst other things it significantly interfeared with the Maritime Distress Frequency at Coastguard / Royal National Life Boat stations / Other land based emergancy services thus lives were being put in peril).

I know from personal experiance the person concerned is more than happy to lie in court as well as tamper with evidence and witnesses. So I guess a cover-up and suppression of evidence is par for the course with them and others within OfCom.

Clive Robinson • October 16, 2020 7:17 AM

@ Rijmenants,

This however does not point provable linking a particular format of messages to that couple, but only to the couple being possibly able to receive these messages correlates to the broadcasts, and in all the court documents and declassified reports I read about various cases, there’s never evidence of messages, identified by OPSEC or traffic analysis, that directly brought them to court.

This I also dealt with above. See my note 1 in,

https://www.schneier.com/blog/archives/2020/09/matt-blaze-on-otp-radio-stations.html/#comment-355480

And subsequent questions and answers.

For some reason I can not realy fathom, detecting which radio station you are tuned into is still treated as “Officially Secret” in the UK thus it does not get mentioned in Court Proceedings. A guess would be that it is still a method in use that is easy to stop these days with just a little technical knowledge and an SDR system. Also if challenged by a technical expert in court, it would get torn appart and held upto being effectively garbage (there is a major “burden of proof” issue, the difference between knowing a receiver is in use and proving that receiver was the one tuned into a given station is large, so whilst fine for anti-agent tracking and identification, it won’t alone be suitable even for non primary circumstantial evidence).

With regards,

You wrote “normally most of the traffic is dummy”. Well, that’s not completely true, and only counts for numbers stations.

It’s numbers stations we are talking about, and for those it is mostly true. The capacity of a numbers station is designed for “high activity” in times when it is of the utmost importance. Which means in normal times it is nearly idle. This is to stop “traffic analysis”, so the rate and length of messages, time they are sent and all other message meta-data needs to be kept the same.

Numbers stations are nevertheless pretty good, as long as the agent is not under surveillance.

Actually not true, agents have bern found by “Find, Fix, Finish” methods. In the cold war in the UK they had a light aircraft flying around to do a “find” on receiver emmissions that indicated the transmitter was being received. This then got handed over to car/van detectors to “Fix” and MI5/Special Branch would do the “Finish” activity, what ever it was that had been deemed appropriate.

We know that the CIA and FBI have not just aircraft but drones as well that do these sorts of activity all the time. The reason is because of the ADS-B Beacons they are required by law to have turned on. Thus enthusiasts “tracked them down” got the aircraft numbers looked them up in registration databases and tracked back through the holding companies on a “follow the money hunt”. Which must have realy annoyed the US Government Agencies concerned, that their cover had been blown by a bunch of “armchair amature analysts”.

The question is not whether numbers stations and OTP are secure, they are 100% secure

No they are not even close to being “100% secure”.

All an OTP gives is a promise of “all messages of that length are equiprobable” if and only if “the OTP is used correctly”.

So the only security the proof offers is “message contents being equally as likely” if usage is correct. Look up project VENNONA Matt mentions it and there is info on it on Wikipedia.

The OTP gives no security at all against several attacks –such as bit flipping etc– and can not in any way give meta-data security as that is down to the traffic transmission system not the message contents.

Question of brute search.

The size of a brute force search is directly related to the message length. If the message is of even moderate size and has no structure, then a brut force search attack would be a waste of time.

However in this day and age people want convenience, that is they word process a message, then drop the resulting file onto an encryption application. The application is frequently not realy an OTP but a “stream cipher”. One of the problems with stream ciphers is “bit flipping” and other “communications noise” effects, thus to improve reliabillity error checking encapsulates the file, which is a very good indicator that you have the right plaintext. But file formats can contain a great deal of static metadata, Microsoft had file headers 4k in size at one point. Such static metadata can also be called “Known Plaintext” which in a stream cipher would give you a nice long length of “key text” which can then be analysed to give either a position in the stream output or the actual stream seed/key or part there of. Thus significantly reducing the Brut Force Search Space. Thus with the error correction means the real plaintext can be not just found but identified with a very very high probability.

There are many application developers who can and do make such mistakes or similar ones. So yes messages can be identified but such things although public knowledge are very unlikely to make it into Court records, for obvious reasons.

The thing is I don’t realy see any problems with the article Matt Blaze put on his blog. Whilst he does initially discusse the crypto aspects, he makes it plain that it’s not the crypto message security that is at issue but the Traffic Analysis that correlated with the activities of two people under surveillance already, for reasons not gone into.

I’ve given an amplification of not just the traffic analysis methods, I’ve also indicated that the two people could have been tracked down just by the use of a radio receiver. It’s all quite factual information and can be verified if you want to do some practical experiments. There is even refrence material in Peter Wright’s book. Where he names Tony Sale as his assistant. I happened to have met and chatted to Tony on a number of occasions due to his connection to Bletchly and the Signals Regiment I used to be in on the technical side as a specialist, which I’ve mentioned before on this blog.

Clive Robinson • October 16, 2020 4:10 PM

@ Rijmenants,

That’s a completely wrong statement, OTP is proven unbreakable and resists all possible current and any future attack.

You obviously do not know what a bit flipping attack is, otherwise you would know what the vulnerability is.

Think on it as a man in the middle attack.

You’ve taken you plaintext and XORed the key text/stream to it and send it. I receive it flip chosen bits and forward it on to who you intended the message for. They get errors in decoding as the bit flips go through the decode XOR process kiving flipped bits in the recovered plaintext.

If I know you are using a message of “standard format” then I have a degree of “known plaintext” that I can change, thus changing what the recipient sees after decode to something I want or just plain garbage.

This can cause various things to happen, not least of which is the message gets retransmitted under the same key vut the sender makes a small error and changes the number of characters sent. I can see the difference in the second ciphertext by just simple comparison, and their are variois things rhat can be done.

Whilst you might say “that’s unkikely” it did indeed happen during WWII and provided Bletchly with the needed information to break the “fish traffic”. There are other tricks in a similar vein that can be exploited.

If you talk about encrypting or decrypting an OTP message on a computer, then we’re no longer talking about OPT

Rubbish, you can use a computer to do OTP in exactly the same way as the UK BID Rockex teletype “super encryptor” did. But instead of using punch paper tapes you use a memory key or CDROM or many other storage technologies to store the OTP KeyMat.

As for,

You also refer to stream ciphers, which also have nothing to do with OTP, as OTP is by definition always performed with true random, which has nothing to do with bit flipping.

I’ve no real idea what you mean by that complete sentence. So to break it down,

The difference between an OTP and a Stream Cipher is not in the mix function (XOR/ADD) but in how the KeyMat is generated, nothing else.

A bit flipping attack as I’ve mentioned above is independent of the KeyMat.

By the way, the KeyMat in a practical OTP is not “true random” for various good and proper reasons I’m not going to go into now as I’ve mentioned them before on this blog.

As for,

Cryptographically secure random and true random are a world of difference, and any CSRNG is not suitable for OTP

The use of a CS-DRBG as a form of OTP has been debated for something like a quater of a cebtury by professional cryptographic designers. Such systems whilst still technically “stream ciphers” are markedly different to the stream ciphers of the last century. We could spend months discussing the finer points but at the end of the day, if you use say AES in CTR mode the security guarantees of AES can be brought across into the system under certain constraints.

And as I’ve already mentioned this is incorrect,

That’s a completely wrong statement, OTP is proven unbreakable and resists all possible current and any future attack.

The guarantee is not “unbreakable” but “equiprobable” if you do not know the difference you need to do a lot more than a little studying.

Which brings us onto,

Only dedicated devices, specially designed for such purposes are safe. We don’t regard normal computers as usable. Normal computers are designed totally insecure, their OSI layers are a security nightmare, build-in processes designed for ease-of-use and compatibility, horrible memory and data storagage management. A wide open door.

I’ve no idea who the “we” is in your statment but the rest of what you say is again not true. I’ve posted much on active and passive EmSec attacks including “Fault injection” attacks I independently discovered and developed back in the 1980’s.

As it happens all systems are “insecure” at some level, for instance there are no secure resistors, capacitors, inductors, or transistors. Nor for that matter by far the majority of other electronic components or electromechanical components.

Thus the fundemental observation of secure system design is,

“All secure systems are made of insecure components.”

Which gives rise to the second observation,

“A system is made secure by design, working with the laws of physics and mathmatics”.

From which other observations can be made such as,

“Segregation by function reduces complexity”.

Eventually the design comes down to the control of energy and bandwidth, and again I’ve been through this on this blog before.

So there is absolutly no reason why an insecure PC/laptop can not be used as part of a secure system, and guess what I’ve previously discussed such designs on this blog before.

Now I do not know if it is a lack of knowledge or a communications issue but either way as I’ve said some of the things you are saying do not make any sense.

Clive Robinson • October 17, 2020 12:56 AM

@ SpaceLifeForm,

So, does an Error Correcting One Time Pad work?

No it breaks the “equiprobable” proof.

However take a OTP ciphertext output and wrap that in an “Error Correcting protocol” and that works fine.

As with “carts and horses” the order you do things in crypto does matter.

But sometimes unless you have experience in the domain you miss things…

For instance “hand carts are pushed not pulled” simple mathmatics tells you it would be easier to pull, control theory likewise tells you to pull is stable to push potentially unstable.

So why do we push?

The answer is “security” when you push your eyes not only see the way to go, but also see the load stays on the handcart[1]. Even the Romans knew about “fell off the back of a lorry guv'”.

One of the troubles software writers have with crypto is they know enough to be dangerous, but not enough to be secure.

[1] It’s part of the reason the Roman “wheel base” distance of carts still remains common in modern vehicles, it gives just enough stability to retain control when pushing without being unmanagable.

Clive Robinson • October 18, 2020 4:12 AM

@ SpaceLifeForm,

Looks like my bait fell off the hook because Rijmenants did not bite.

Or I nibbled it off first (imagine a smiley here as the blog software swallows them whole).

You know I still do not get why Rijmenants[1] said Matt Blaze was wrong…

I’ve read Matt’s blog post three times and can not see anything to object to in it. Likrwise I suspect our host @Bruce has read it and not seen anything to object to in it either.

Rijmenants did say that he had contacted Matt, I wonder if he has got an answer, it might have caused a change in tack, or knocked the wind out of his sails.

[1] Rijmenants is as far as I know a “family name” not a “given name”. So I’m unsure what pronoun to use. As Rijmenants’ web site is blocked by my mobile service providers “content filter” which as usuall does not say why… I turned to DuckDuck which gave up the following,

Please check out Dirk Rijmenants’ great SWL web site, which includes a schematic of his antenna, which is the same as mine (albeit, it would seem, much more nicely executed.)

So I’m assuming they are the same person (thus male).

Oh and DuckDuck also gave,

https://swling.com/blog/tag/dirk-rijmenants/

https://www.semanticscholar.org/author/Dirk-Rijmenants/2402449

All of which suggests a “Shortwave Listener” with an article writers interest in the history of WWII crypto and Coldwar propaganda and Number Stations.

Clive Robinson • October 18, 2020 4:31 PM

@ MarkH,

In truth, they’re not immune to the confusion, disorder, laziness and inattention and corruption which might appear in any organization.

Along with many other sins of the flesh etc. A veritable microcosm of the worst of mankind is what we learn from information that gets out.

Wgilst true for some I suspect it is only for a few, but the “only one rotton apple in the barrel” certainly has meaning.

Hence the avoidance of oversight and over classification of information etc.

But as you note,

Unless there was some office or person specifically tasked with monitoring the quality of dummy transmissions … then probably, nobody did such monitoring.

There are very much such groups often called “Signals Security” Dept/Directorate etc. Most SigInt establishments have them.

If done properly it’s a thankless task, with little or no home life as you are always being sent from one place to another, and working long hours without being able to relax or even talk to people.

However if you don’t do the job properly then there is plenty of opportunity to “goof off in foreign places”. It’s known that in Russia such jobs were for the children of the influential or high in the state hierarchy. The reason being in part it was assumed that they would be less likely to defect etc.

With a rare exception or two such people were not the right people for such jobs. Thus the job was seen more as a perk than a serious and important job. Also there was the aspect of “not finding fault with others, less fault be found with you” as happens in such hierarchies where paternalistic interest can be a significant deterrent for others.

It’s one of the reasons why VENONA went on for so long, not checking security correctly and taking short cuts to meet unrealistic deadlines or make money one the side was endemic in the soviet forces during and long after WWII.

But this sort of issue was by no means a Soviet one alone, behind every spy / traitor story there is a “institutional culture” issue at play and little or no incentive to change it.

But it’s not just the IC where this happens, when you analyze it you quickly realise that it’s the same thing with the Banking Crisis…