Comments

Doug July 11, 2025 2:18 PM

And all this whizbang tech in the hands of, let’s say, an orange headed shitler will be turned against any and all domestic resistance. How f’n lovely. Big brother is here.

Clive Robinson July 11, 2025 2:47 PM

@ Bruce,

With regards,

“… the difficulty (impossibility?) of human spying in the age of ubiquitous digital surveillance.”

Whilst it feels like spying is ubiquitous, it’s not. Even in London one of the most surveilled places in the Western World it is if you take certain precautions possible to either avoid or avoid the effects of surveillance.

One technique that still works is apparently “random behaviour” where you just appear to wander around.

Look at it this way, even in the arcade game of Pinball it is possible to just keep the ball on the table till you rack up the high score.

Thus just wandering around but walking past a place in a given time looking for “tell tale signs” allows for communication at a very low bit rate.

There are many other “old school spy craft” techniques that work in the modern world even when you are under active surveillance.

The important thing is not to allow those surveilling seeing either an unexplainable pattern, or break in an established pattern that can be correlated or correlated with other events.

The problem is it’s darn difficult to do these days.

Back when surveillance was by people on foot etc following you around. They did not get to see in front of you when somebody else “sets the tell tales”. These days those surveilling you can set up the equivalent of “game cameras” at road junctions and see who went before you by half a day or more.

Which is why a taste for long random walks can be you and your handlers friend.

Just don’t do the daft stuff the CIA has this century developed a bad reputation over.

Similar with the UK SS and the “Moscow Rock” using technology in a covert manner can be a very very bad idea, and people can easily die or worse.

not important July 11, 2025 6:02 PM

This parts:
1)=The CIA’s default answer to tradecraft problems, for decades, was greater reliance on “nonofficial cover” officers, known as NOCs. They could pose as bankers or business consultants, say, rather than as staffers in U.S. embassies.

But NOCs became easier to spot, too, in the age of social media and forever-data. They couldn’t just drop into a cover job. They needed an authentic digital history including things like a “LinkedIn” profile that had no gaps and would never change.=

Only crazy person could go NOC to USA, Russia and China having deep knowledge of their legal and prison systems. Not even talking about N Korea, Iran, you name it.

2)=It turns out that China hasn’t encrypted much of its data — because the authorities want to spy on their own citizens. China is now restricting more data, but Levesque says Strider hasn’t lost its access.=

That is old balance between security and privacy.

Clive Robinson July 11, 2025 7:39 PM

@ not important, ALL,

With regards,

“The CIA’s default answer to tradecraft problems, for decades, was greater reliance on “nonofficial cover” officers, known as NOCs.”

Also known as “contractors” in other countries is a significant issue.

The UK Security Service because it was idiotic over Matrix Churchill blew the gaff on NOC/Contractor work.

The expression “NOC” stands for ‘no official cover’ which means yhe person does not have any kind of diplomatic immunity. So if caught in any country will be treated as a criminal or worse with “no assistance”.

The dumb ass thing the UK Security Services did was turn their back on the directors of Matrix Churchill.

The story is a little complicated but it was to do with Iraqi armament production. The company was near bankrupt and got taken over through another company by Iraqi interests.

Rather than keep clear the UK Security Services told MC Directors how to bypass export regulations to Iraqi.

In return the directors were unpayed spys reporting back to the UK Security Services.

They were not caught in Iraqi, howrver another part of the UK Government decided to start prosecuting the MC Directors…

Several UK Ministers decided not to sign Public Immunity Certs that would have killed the prosecution, instead they threw the four MC Directors to the Wolves.

It would have ended very badly for the directors if the court case had proceeded. However one Minister decided that this was iniquitous and basically alowed the Directors to defend themselves.

To put it politely the Judge was not impressed with either the prosecuting agency or the ministers that had decided to rob the four directors of their right to defend themselves.

It made quite a bit of memorable news at the time.

As some know in the US it’s kind of the other way around there is legislation in place to protect at least serving officers even though they may not be abroad or in hostile territory. For those that don’t remember a little weasel side kick of Dick Cheney by the name of “Scooter Libby” you might want to look up his treasonous activity over the releasing of Valerie Plame’s identity… Oh and who fully pardoned him in 2018 and why,

https://edition.cnn.com/2018/04/13/politics/trump-scooter-libby-pardon/index.html

Ian Stewart July 12, 2025 5:33 AM

I not convinced “gait recognition” cannot be subverted. As a student we used to imitate the way other students walked for fun, often four of us in a single line (I know it sounds silly). I have since worked with dance and choreographers who have a huge range of movement.
There was a television series in the U.K. this year – What It Feels Like For A Girl – that shows how gait can be changed. The actor playing the main character had three ways of walking: when he was a boy, he walked like a boy; when he dressed as a girl he walked like a girl; when he left the youth detention centre on early release he had a very exaggerated, female catwalk model walk, to let the other teenage boys know he was now free.
For every new technique, I am certain a counter-technique can be found. I would think gait is one of the easiest to fake.

Clive Robinson July 12, 2025 11:00 AM

@ Ian Stewart, ALL,

With regards,

“For every new technique, I am certain a counter-technique can be found.”

That is true, but misses the “argument” of those pushing such systems.

In effect they lie with statistics (as has been done by court experts on medical issues).

The trick is pretending “dependent characteristics” are “independent characteristics”

Thus you can multiply the probabilities and come up with an impossibly small number. When in fact another method should be used.

So the argument is your chance of faking a gate-biometric is say 0.01 and thus there is a 99 out of a hundred chance you won’t succeed. They then go on to say they will add armswing-biometric at again 0.01 or 99 out of a hundred you won’t succeed likewise headnod-biometric.

So they say your odds of beating the combined system are 1/100th of 1/100th of 1/100th or 1/1,000,000 thus virtually impossible to do.

But the reality is if you can master faking the gait-biometric you will also very easily master the other two biometrics because they are fairly intimately linked. Thus the reality might only be 1/120th.

For a while –till I got pushed out for telling “honest truths about failings”– I worked in electronic and mechanical Bio-metric ID systems design. And the only system I did not have an easy fake for was retinal scans… And the reason for that was ethics, in that there was no way I’d put somebody’s eyesight at risk by experimenting on them.

However other people have been lets say “more bold” and there are now known attacks against retinal scans…

Bio-metrics are on a large population a complete waste of time and money but they “sound cool” and people can get large sums of money for basically being “snake oil salesmen” that have never had contact with a snake or parts there of.

Ian Stewart July 12, 2025 1:58 PM

@ Clive Robinson

The trick is pretending “dependent characteristics” are “independent characteristics”

Unfortunately scientists can also be insular. I remember a few decades ago seeing an anthropologist on television; he said he was on a canal cruise in Amsterdam and a respected English actress was on the same boat. He told her that the one thing that could never be faked were tears. Immediately she had tears streaming down her face and said ‘like this you mean’? Then just as quickly she stopped crying.
I can see an opportunity for the secret services to employ dancers, actors and actresses to teach people to subvert surveillance. Even if it takes weeks to practise it’s worth it.

Apokrif July 13, 2025 5:50 PM

@Ian Stewart:
“I can see an opportunity for the secret services to employ dancers, actors and actresses to teach people to subvert surveillance”

T.J. Waters, Class 11:

“COURSE CHAIRMAN JOHN briefs us as usual, then clears the auditorium of staff and instructors. He leaves us with no adult supervision, save for a man sitting off to the right next to Wall Street Mike at the end of our row. The man walks up to the front of the room and introduces himself. His name is David, and he is a professor from a prestigious university, specifically the theater arts department. I can hardly believe what is happening. He’s here to give us acting lessons.
When we are undercover, when we are pretending to be someone we are not, we are actors. We must be like any other successful actor. More important, we have to also be directors, producers, and writers. We are engaging in theater and are responsible for everything our target will see and hear. If we are to do that, we must understand what theater is.“Theater is the vicarious enjoyment of manipulation,” he says. “When you go to a play or a movie, you know it’s not real, but it’s still worthwhile. The actor’s job is to manipulate the audience. That’s why people are willing to pay for the experience.””

Clive Robinson July 14, 2025 6:30 AM

@ Ian Stewart, Apokrif, ALL,

With regards,

“He told her that the one thing that could never be faked were tears. Immediately she had tears streaming down her face and said ‘like this you mean’”

And he was correct in a limited respect, but she was correct in a wider respect.

And that in part explains why we have so many issues in security and many other aspects of life…

The reason is the tears can only be produced by a particular type of “chemical” stimulus that is derived from the autonomous nervous system.

The question he failed to consider is,

“If you can not manipulate the system, can you manipulate the inputs to the system?”

To which the actress knew correctly you could.

Engineers and all sorts of other Domain specialists make this same mistake and “security” is where we now see a lot of it.

I’ve never got the hang of “turning the waterworks on” by just thinking up emotions. However I can cry by sticking a pin in my hand and thinking it’s my nose, thus tears will appear.

This can be seen in other ways, people that live with some forms of chronic pain, learn that you can “move the pain with your mind”[1].

Because at the end of the day the actual reality is,

“Pain is all in your mind.”

We know this from “nerve blocking” with chemicals and more recently electrical stimulus[2].

Pain it’s self does not kill people, it’s what it does to the emotions and they in turn do to the near autonomous chemical systems that can and sometimes does kill people (see results of “fight or flight” stress on the cardiovascular system).

The increased understanding of this in the past decade or so has made some interesting improvements in medicine.

And it’s time other fields of endeavor such as ICTsec understand that,

“It’s the whole system not the individual parts that has to be secure.”

In part we say this with the old saw of,

“The chain is only as strong as the weakest link.”

But this is only at best a fraction of the story…

At the end of the day security is not an intrinsic attribute of any physical substance. Thus on the “weakest link theory” nothing could ever be secure, so there has to be “something else”. Part of which is “security” is actually not a fundamental attribute it is actually a state of behaviour or segregation.

To see this, consider a “box when locked” like a closed safe is considered “secure for a much longer time” than the same “box when unlocked”. When distilled down it can be seen that security is about placing a barrier between an entity and an object (where both the entity and object can be physical, informational or both). The barrier has certain properties in that it should have a minimal effect for “authorised entities” accessing the “object” and a more significant or maximal effect against “unauthorised entities”.

And it is here where nearly all security fails because,

1, The difference between authorised and unauthorised is an external concept not an property of an entity or object.
2, There is no reliable way to tie an external concept to an entity or object.

Not understanding this and the consequences that arise is why the domain / field of endeavor security and all it’s sub fields are is messy and imprecise.

Oh and it’s why those who have an understanding of “statistical mechanics”[4] tend to have a better grip on the subject.

[1] Back in the 1930’s through 60’s experiments with glasses that “inverted the world” discovered that it took about three and a half days for a human to see the world the right way up again in their head. And on taking the glasses off it took about the same length of time for the brain to adjust back to normal. Such experiments became known as the “Innsbruck Goggle Experiments” and became quite famous,

https://www.sciencedirect.com/science/article/abs/pii/S0010945217301314

[2] For basic argument we can sort of divide the nervous system up into three basic parts the peripheral nervous system where the actual sensors are, the core central nervous system outside of the brain used to communicate with the brain and the brain it’s self where the signals are processed into feelings, emotions, and thoughts. We use different chemicals / stimulus and different ways to get them where they are needed. By long tradition we still broadly call them “local and general anesthetics” which makes understanding / explaining some what harder.

But as a “general rule of thumb” the more local you can block the nerves to the sensors at the “site of physical insult” the easier it is to do and the safer it is for the patient. Oh and importantly the more functional it leaves the patient, which on a battlefield may actively save their and others lives[3].

[3] Observational studies of using very local anesthesia –of the type dentists use– on soldiers with often quite serious but very localised injuries shows that they can remain not just functional but do not go on to suffer the all to frequent side effects of central nervous system etc anesthesia.

I recently had peripheral surgery and was given the option of the type of anesthesia by the anaesthetist. They were thinking general or spinal and were surprised when I immediately asked if local was an option. We discussed it and they were happy I had a sufficient understanding of what I was asking for and the risks etc. So I became “one of the first” for them and the surgeon who was more perturbed than I. It allowed me to chat amiably through the procedure. But also and more importantly as I’m six and a half feet tall and somewhat broad in stature be able to “move on request” under my own power.

[4] Statistical mechanics concepts cover a much greater range than the name would at first suggest,

“statistical mechanics is a mathematical framework that applies statistical methods and probability theory to large assemblies of microscopic entities. Sometimes called statistical physics or statistical thermodynamics, its applications include many problems in a wide variety of fields such as biology, neuroscience, computer science, information theory and sociology. Its main purpose is to clarify the properties of matter in aggregate, in terms of physical laws governing atomic motion.”

Taken from the Introduction of,

https://en.wikipedia.org/wiki/Statistical_mechanics

Mark Cottle July 16, 2025 9:22 AM

The stuff described in that article is both revolutionary and nothing totally new. It’s not new in that the battle between intelligence and counterintelligence has a long history and technology has often been instrumental in shifting the balance. Obviously the various technologies lumped under the AI banner offer the promise of some big shifts…but as to what the long-term outcome will be I think the jury’s still out. I’m sure there’s a good quote somewhere about how revolutionary technology changes the world but just not in the way its initial advocates imagined. AI is an unhelpfully broad banner that tends to obscure what some of these things actually do.
Perhaps what’s actually happening is a shift in the importance of the role of different types of agency. Much of what’s described in the WP article sits in the territory of agencies such as the NSA and GCHQ, which have extended the signals interception role they started out with and are now broad technology-based intelligence agencies. What I see is technology-based intelligence extending its role further in the counterintelligence field. Counterintelligence has traditionally been one of the main roles of the FBI and MI5, so potentially they’re having some of their territory taken from them (although they, in turn, have extended their identity into the broader field of “internal security”).
So the question is what happens to the likes of the CIA and MI6, which have traditionally focused on human intelligence (accepting, of course, that the CIA has tended to interpret that in quite a wide way, including flying U-2 reconnaissance planes). I think there will always be a role for human intelligence because certain crucial interactions can still only be done in a face-to-face way in the physical world. Sure there will be lots of use of technology to identify sources, arrange contacts and communicate securely, but there are certain situations where nothing but face-to-face will do: situations where one person needs to look into another’s eyes and decide whether to trust them. AI will only get you so far at the moment: it might conjure up a very convincing bot that’ll do online recruiting but robotics will not yet make you a fake physical human (and I think David Ignatius recognizes that the “digital case officer in a backpack” is a little ridiculous). Indeed, the proliferation of bots and the like has the potential to make certain types of people – including people you need to reach – ever more distrusting of digital entities.
AI-based methods for detecting suspicious people or suspicious communication will certainly pose a huge challenge to traditional tradecraft, but at the same time, I’d be willing to bet there are people in the CIA and MI6 asking how these much-hyped technologies might offer up new countermeasures.

Who? July 16, 2025 10:36 AM

The Washington Post article is not very inspiring. There is nothing new here, nothing citizens have not been dealing with for decades. At most, I find surprising how old CIA officials rely on classical tradecraft on an ubiquitous surveillance era.

@ Clive Robinson

The “random behavior” you describe, even not being generally useful on highly targeted operations, is more valuable than the classical tradecraft vs AI-enhanced world nonsense described in the Washington Post article.

From the WaPo article, I believe CIA will end field operations soon and replace them by hacking activities from Langley. I can hardly understand what new developments they are looking for on a oversurveilled world.

The only idea I got from the article is that classical techniques do not work anymore (what a surprise!) and that they need to find new strategies, but they do not have any idea what will solve the day.

Perhaps it is time to stop building backdoors that can be exploited by adversaries in the same way “the good guys” use them. Perhaps it is time to stop mass surveillance.

On the field operations area, I would suggest using “ardened non-official covers (NOCs). These days it is impossible making a credible NOC in a few hours, perhaps it is time to let those NOCs grow for decades until used.

CIA should stop killing adversary operatives, and hire people to start typing on social networks to build difficult to spot NOCs carefully grown over years.

Gilbert July 16, 2025 11:52 AM

russians have detected united states spies for a very long time because russia keeps an eye on students in usa universities. which is THE place where the cia and fbi was looking for future agents. every single student got profiled, and when the fbi or cia went looking in universities, even before they started their training, those futures spies were identified.

understand that today, spying agencies start grabbing names and profiles at schools (even before universities) and all they have to do, is wait. it took decades for the usa to understand how russia was able to find out all their spies. they looked at where and how they were detected, then recruited. before you become an agent…

a major issue is biometry today. if you have used biometry anywhere and it is tied to your real identity, you are burned to become an agent. each state is in total control of the production of their legal papers and passports. so they are able to print and design 100 % authentic papers for their agents. they will spend decades building a legend for their agents. you can get recruited, and be told that you are going to spend the next 10, 15 years living a “usual” life to build your legend, before getting send abroad. you will not use your real name abroad, but you will be living the continuation of your life. spending decades to prepare an agent is what is currently done.

but if you’re sent abroad and your passport is scanned and biometry shows your biometry has also been used for another identity… you can’t change those biometrics. you’re burned. fun fact : this is used to annoy the russians. for all russians where biometry is available, records are generated in various countries tying their biometrics to several identities. fun starts when they get their passport scanned somewhere and discover it. insta-burn while they’re trying to get somewhere for a mission.

spying is still going. but agencies are now very, very cautious on where and how they recruit or look for new agents. this has cost a LOT to the CIA before they could understand what Russia was doing in universities making a profile of everyone. agents are now slowly recruited, and this spans 10, 15 sometimes 20 years between they are choosen, and they are activated. it’s a complete 180 on how things have been done for a long time.

russia has adopted a slighly different approach. most occidental countries do “slow recruiting” being very discrete to recruit future agents, and legend building. once ready, they are used. russia does something else : they send people abroad. those people will live there for decades. they’re sleeping. and after decades, or several decades, they are used. directly in country. as permanent residents. russia has the habit of building their spies directly into the target countries. while occidental countries have the habit of building their future spies in country before sending them abroad.

the most interesting part of this field is the agencies you NEVER hear about, in news or books. Japan spies. you never hear of them. Vatican spies… There are countries you never think about them, or their spies.

Givon Zirkind July 18, 2025 5:51 AM

I haven’t read the whole article yet but, just from the title and an little skimming of the article, I would say; tradecraft and boots on the ground is not dead. Yes, technology has altered the game but, boots on the ground are still capable and necessary. If nothing else, clearly, the Israelis are an example that tradecraft still exists even in the digital age.

The very first example of gait in the article is not a new phenomenon. People instinctively can tell the gait of close friends, relatives and associates, even if the gait isn’t distinctive like a limp. Software for this has been used by the police a while ago.

Actors can mimic such characteristics. While I have never worked for the CIA or any other spy organization and; my knowledge is limited to publicly available information, I am sure that the CIA takes in actors, values acting skills and may even train agents in acting skills for this and other purposes. Or, will start doing so, so that changing your gait or other characteristics will become as common as fake mustaches. The police have been hiring actors for undercover work for decades.

The game of cops and robbers will continue to vacillate between methods of concealment and discovery.

Leave a comment

Blog moderation policy

Login

Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.