An army of networked kiosks is invading New York City. Hundreds of them. They’re large vertical slabs, practically ten feet tall and chock full of sensors. Reminiscent of the mysterious black monoliths from Stanley Kubrick’s movie 2001. These kiosks are replacing the city’s aging public telephone booths and after this initial wave of monoliths hits Gotham there will be thousands more installed throughout the city. John Young, the architect who runs the web site Cryptome, has called this forest of kiosks “the largest urban spying system in the United States.”
And this is merely the tip of the iceberg. The rapid spread of these urban telescreens is an indication of a much larger problem. Under the gaze of the all seeing eye individual privacy is becoming an endangered species. Big Brother is watching and it’s worse than most people think. Particularly for those perceived as a threat to the establishment. But that’s no reason to surrender to gloomy privacy nihilism. With the right strategies and a measure of resolve, it’s still possible to communicate in a manner that significantly reduces the likelihood of compromise.
Process, Not Product
In a manifesto that he wrote during the early days of WikiLeaks, founding member Julian Assange observed that security services, confronting the threat of internal data breaches, would have to be extra vigilant in order to fly under the radar. They would end up paying what he referred to as a “secrecy tax.” Unfortunately, the same dynamic applies to the average joe. With respect to private communication there’s no free lunch despite what Silicon Valley executives say. Genuine security can only be achieved with a carefully designed plan and a tight set of procedures.
It’s not about buying for the latest mobile device. Security isn’t a brand or a feature. It’s about process and tradecraft. Think operations security. History shows that an accomplished practitioner can achieve relatively high levels of communication security with nothing more than basic tools.
What’s difficult is that effective communication security takes consistency and discipline. Under duress, when the adrenaline is flowing, it’s easy to make mistakes. Even cartel leaders and veteran jihadists have been known to make slip-ups. For example, despite a bunch of sexy sounding precautionary measures when actor Sean Penn went to interview Sinaloa Cartel boss Joaquin Guzman, government surveillance teams monitored the whole event. Law enforcement followed “not just Guzman, but everyone in his inner circle including his cook. And everyone his lieutenants contacted including Sean Penn.”
Cellphones are particularly dangerous. According to a member of Pakistani intelligence “there is a widespread belief that Osama bin Laden could not have been traced had it not been the fact that someone close to him used a cell phone, and was found.” One mistake can unravel everything, and once made it cannot be retracted.
This unpleasant reality challenges a mindset that’s fostered by many tech evangelists. A worldview that equates security with products. They prescribe oversimplified recipes that revolve around gadgets and alleged cure-alls. “Peace of mind for only $800!” claims the carnival barker from Sunnyvale. Snake oil, pure and simple.
Thus, it’s hardly surprising that security services have time and again exposed the false promise of tech. Witness security services bypassing supposedly unbreakable iPhone encryption, tracking down presumably anonymous people on the Tor anonymity network, unearthing users who burrowed into the dark web, and placing backdoors into a myriad of security products. Underscoring the painful reality that all its takes is one subtle, well-placed, bug to subvert the whole enchilada. And bugs are particularly nifty because they offer the benefit of plausible deniability.
The public record shows that the trust which users place in hardware and software is closer to primitive superstition rather than common sense. Faith-based security. Or, as the NSA succinctly puts it, many users have naively accepted “the flawed assumption that adequate security can be provided in applications with the existing security mechanisms of mainstream operating systems.”
Step 1 – Get Off the Grid
Protecting sensitive messages against prying eyes entails driving up the cost of both intercepting communications. To do so necessitates a critical evaluation of the global surveillance apparatus and its strengths. In particular, an organization like the NSA has two primary assets:
- centralized control of information flows
- technical mastery
Most of the world’s network traffic flows through the United States. It’s what gives American spies their home-field advantage. And if they can’t access network devices directly through a friendly corporate partner then they’ve got the wherewithal to hack into networks and steal whatever they want. Those military guys don’t call it “full spectrum dominance” for nothing. In fact, spies have become so adept at hacking that they’ve begun to automate it. An entire industry has emerged to meet the demand for offensive tools.
What this means is that anyone using the public infrastructure to communicate is already at a distinct disadvantage. A far safer bet is to get off the grid entirely. Find alternate channels of communication, places where the coveted home-field advantage doesn’t exist.
Does this approach take more work? Absolutely, but keep in mind that the assumed adversary is backed by a $10 billion budget. A sprawling organization with acres of computing power and enough spare dough lying around to literally reconstruct Captain Kirk’s bridge from Star Trek. So, yes, it’s completely worth it. There’s a long procession of rubes who naively ascribed to faith-based, product-centric, Internet security.
Thus back to first principles: this is about making surveillance expensive. Automated network-based intelligence collection is relatively cheap and it scales like nobody’s business. Forcing spies to revert to human-based collection is an effective way to ramp up the cost of interception. It pushes spies out of their comfort zone and into someone else’s.
Officials from the FBI indicate that monitoring someone around the clock requires a group up to roughly forty agents working in multiple shifts. All told the FBI employs something in the ballpark of 35,000 people. Even if the bureau devoted all 35,000 of these people to surveillance (which they don’t), they’d be limited to monitoring less than a thousand targets. And keep in mind that there are up to 10,000 terror investigations active at any point in time. Hopefully this provides some context.
In a worst-case scenario the security services will throw up their hands and call in the experts. Specifically, the CIA has an elite black-bag unit called the Special Collections Service (SCS). They’re assigned to crack hard targets who can’t be monitored using conventional means. This translates into burglary, hidden cameras, concealed microphones, and the like. The silver lining, of course, is that a black-bag team soaks up a ton of resources. The investment needed to research, stage, execute, and clean up after a covert entry can be substantial. So the CIA tends to reserve this option for high-value targets. More on this later.
Step 2 – Go Old School
Once an operator leaves the grid they’ll need to find other ways to send and receive information. There’s nothing wrong with old school spy tradecraft. It worked well during the Cold War and it can still do the job.
For example, spy agencies used to beam out secret messages to spies using shortwave radio. These “radiograms” as they were called, consisted of global broadcasts of spoken digits sent over a specific frequency at a specific time. The beauty of this approach is that there’s no easy way to tell who’s listening to the signal and what their location is. They could be anywhere. All that’s required is a shortwave radio. Unlike a laptop computer or a mobile phone there’s no logical network endpoint identifier (like an IP address or an International Mobile Subscriber Identity) to designate the intended recipient.
Spooks swear by this method. According to Kim Dong-sik, a former spy for North Korea, “the old number broadcasts are still a dependable and preferable means of communication for spies.”
The digits relayed by the radio transmission were typically encoded using a One-Time Pad (OTP). Done correctly this method is mathematically proven to drive any NSA code breaker into a fit (a comforting thought). The OTP technique encodes data by taking the letters of a message and converting them into numbers. These numbers are then added (using noncarrying math) to an equally long sequential series of random values listed on a pad of paper. Each sheet on the pad is used only once, for a single radiogram.
Here’s an illustration. Let’s assign the letters of the alphabet sequential numbers (e.g. A is 0, B is 1, C is 2, and so forth). The word “CIA” would correspond to digits 2, 8, and 1. For the sake of argument assume the next six random values on the one-time pad are 901152. The message digits are added to the random values to produce the final encoded stream: 921953
Message Digits 02 08 01
+ One-Time Pad 90 11 52
Encoded Result 92 19 53
To decode a OTP message, the recipient (who possesses their own copy of the pad) subtracts the random values from the message’s stream to reveal the hidden payload. The recipient will usually dispose of the one-time pad sheet along with the decoded message when they’re done. During the Cold War spies used thin, water-soluble paper so that they could destroy everything quickly if they were caught.
So shortwave explains how intelligence outfits got messages from HQ to their assets in the field. But how did field agents send information back to HQ? Furthermore, how did they exchange data with other field agents?
The time-honored answer to this question is what’s known as a dead drop (also known as a dead letter box or DLB). A dead drop is an ad-hoc mailbox, a small concealed hidey-hole where an agent might leave encrypted messages, documents, instructions, or a wad of money. For instance, when FBI agent Robert Hanssen was leaking secrets to the Russians back in the 1980s they paid him with diamonds and cash which they left for him at dead drop sites.
Detour: The Three Cs
Dead drops encapsulate what’s known in the spy business as the three Cs: Concealment, Cover, and Compartmentalization. First, a dead drop must be located in an obscure area where it can be quickly accessed without being observed (concealment). Next, a dead drop site should also be selected so that both the person loading it and the person emptying it have plausible reasons for visiting the dead drop (cover). Professional spies can become so adept at using a dead drop that the physical act isn’t visible to the naked eye. The desire to attain this degree of skill is one reason why the CIA hired a magician named John Mulholland in the 1950s. Misdirection and sleight of hand are useful because clandestine agents are often under surveillance when they’re operational.
Lastly, dead drops are not intended for long-term storage. Just temporary points of transfer such that the damage of a compromised dead drop site can be limited (compartmentalization). In the best case scenario, a dead drop site will be used only once. This is because patterns are extremely dangerous. A site that’s visited frequently will invariably end up being staked out.
On a peripheral note, when an agent is travelling during an operation there are a myriad of techniques that can be employed to trace their movements. For instance, credit card transactions can be leveraged to pinpoint a person’s location at a given time. In this sense cash is mandatory when working in the field. Then there’s also facial recognition and voice recognition technology. They’re pretty common in urban business centers.
Automobiles, many of which come with GPS functionality (witting or unwitting) can expose an agent in transit. And let’s not forget automated license plate readers. In some cases it’s not unheard of for security services to utilize chemical compounds (“spy dust”) to follow targets in the field. According to the U.S. State Department, for years the Soviets used a special luminescent powder to track American diplomats in Moscow. While all of this might seem a bit excessive keep in mind that fingerprints and DNA trace evidence are essentially forms of spy dust.
The Tedium of One-Time Pads
The problem with using one-time pads is that it’s slow and it also places an upper bound on the amount of information that can reasonably be encoded. In other words, the “secrecy tax” is hefty. One way to speed things up is to use a computer. For example, a field agent could encrypt a freshly purchased USB drive and stash it at a dead drop.
Yet this brings us right back to the risk of technical subversion mentioned earlier. Encryption offers very little protection if spies are able to hack a computer and make off with the password being used to encode data. So the following requirements are essential:
- Establish Air-Gap Segregation
- Protect the Computer from Compromise
A computer sitting on the Internet is a ripe target for hacking. To defend against this threat, all of a computer’s network interfaces (e.g. Ethernet, Bluetooth, Wi-Fi) should be disabled. The optimal way to do this is to yank them out physically. This may not be feasible for portable computers because the networking hardware is built into the laptop’s motherboard. In this case it might be necessary to disable network interfaces through the computer’s BIOS. In a pinch most operating systems also have configuration settings that allow networking functionality to be disabled (though this option can be dicey). Regardless of the method in use the objective is to keep a computer marooned, so that it can’t communicate with other systems.
But maintaining air-gap security isn’t necessarily sufficient. Remember those CIA guys I mentioned a while back? There’s nothing to stop them parking a surveillance van nearby and pointing an arsenal of remote surveillance tools at an air-gapped computer. For example, ever wonder why Ed Snowden put that red jacket over his head in the movie Citizen Four while he typed in his computer password? Let’s just say Ed knew what he was up against. Folks, it’s known as “visual collection.” Pinhole cameras and telescopic lenses have been in use for decades and over time they’ve only gotten better.
But that’s the least of our worries. Most computers emit electromagnetic signals that can be intercepted and processed to determine what a system is up to. The equipment that captures this kind of low level radiation adheres to a secret government standard code named TEMPEST. It’s been around since the mid-1950s. This means that spies have had plenty of time to hone their tools.
Even the sounds that components make, like the keyboard, can be used to capture a password. The technology to acquire this type of acoustic information was developed in the early days of the Cold War, when spies developed what’s known as the laser microphone. It bounces a thin beam of light off of windows and other surfaces to listen to what’s going on inside.
Countermeasures can range from simple to elaborate. To begin, always buy hardware in person. The NSA has been known to intercept computers in transit to install “implants” (electronic monitoring devices, aka “bugs”) that enable them to bridge an air gap. Low-powered tablet computers offer some defense against acoustic monitoring and, given their small profile, are easier to store securely.
Those lucky few with a budget can purchase a specially shielded computer designed to limit electromagnetic emissions. Another alternative is to deploy a security tent like President Obama. It has noise generators to defend against acoustic collection. The fancier models offer “RF shielding” (RF as in radio frequency) which also blocks electromagnetic signals. This sort of electromagnetic black hole is known officially as a “faraday cage.” There’s a tavern owner in England who turned his pub into a faraday cage to keep people off of social media.
The platinum luxury model security tent isn’t actually a tent. It’s a dedicated physical structure called a Sensitive Compartmented Information Facility (SCIF). SCIFs typically range from office size to trailer size. Think of it like a bank vault with furniture. It has all the bells and whistles in terms of keeping information of any kind from leaking out. If resources are limited, a walk-in freezer is a reasonable approximation. Deep underground basements with steel reinforced concrete walls will also do the trick.
Even then, if the CIA was really itching for access to a computer, they might just break into the residence of the targeted computer and install implants on the targeted machine so that they can snatch user credentials. It’s part of the public record that the NSA has a whole catalogue of hardware and software at its disposal for this type of operation. There has also been independent proof of concept work in this area like the evil maid attack and, more recently, the malicious butler attack.
While standard features such as full disk encryption and Secure Boot can help to guard against pedestrian offline attacks, as I just mentioned there are a plethora of advanced attacks and they’re much harder to defend against. Be particularly suspicious of peripheral devices like keyboards or computer mice that have enough free space to house surveillance equipment. The smaller the device, the more difficult it is for spies to embed an implant.
Installing a commercial alarm system offers a degree of protection. But given that spies have been known to excel at picking locks and bypassing alarms –or at least recruit veteran criminals who do— having contingencies in place is prudent. Detection is a must. For instance, an expendable decoy computer could be left out in the open as a lure while the primary device is carefully squirrelled away under a floorboard. In the event that a computer has been tampered with it might be safer simply to buy a new one. This is where opting for cheap commodity hardware has its advantages. To help muddy the trail it might be worthwhile to continue using the compromised machine to mislead the opposition.
Quicker Dead Drops
As with one-time pads, dead drops also soak up time. It’s the security tax associated with this field-proven technique. If an agent’s risk profile can accommodate additional threats the process of communication can be expedited with covert wireless transmissions.
For example, one widely-used tool among professional spies is what’s known as a Short Range Agent Communication (SRAC) device. It’s a small programmable transmitter, roughly about the size of a key-fob, that can be hooked up to a computer. The agent downloads an encrypted message to the SRAC from their computer. Next, they head out the door for a quick drive-by past a dead drop site. The dead drop site is actually a receiver which is mounted somewhere (e.g. on an embassy roof). This offers more flexibility as the agent only needs to somehow get within range of the receiver. When they get close enough the agent will activate the SRAC and fire off a short burst signal which conveys the encrypted message to the receiver. There are plenty of ways to implement this in practice. At one point former FBI agent Robert Hansen suggested to his Soviet handlers that he use a wireless Palm VII in a manner similar to an SRAC.
Another, less palatable, option is to set up a wireless ad-hoc computer network in a crowded area like a food court or a coffee shop. If all goes well there would be only two nodes on this network: the agent and their contact. This can be done with commodity hardware and offers a degree of both cover and concealment. The key to using this technique is speed and brevity. Establish and then shut down the network as quickly as possible. Also it’s essential that the devices involved are configured to disable access to any other network, especially the Internet.
While ad-hoc networks make it easier to move data back and forth rapidly it’s not without additional risk. As stated earlier, agencies like the NSA have deep expertise in this area and to adopt standard networking technology is to wander closer to their home turf. That is, with the right equipment and preparation it’s straightforward to triangulate even a short-burst wireless signal. And covert transmissions will stand out like a sore thumb if the operational site has been staked out in advance.
As stated previously −and it’s hard to understate this point− patterns are risky. Once spies detect and identify a covert channel of interest they’ll attempt to infiltrate it and attack it. Furthermore, the odds are heavily in their favor that they’ll succeed. After all that’s what spies do, they colonize networks and then mine them for sensitive information. If a covert network is up for any amount of time, like clandestine radio towers or a hidden fiber network, it will become a target of interest.
Power structures maintain order using layers of control. In an ostensibly free society like the United States the primary mechanism of social control is what the CIA’s Frank Wisner referred to as the Mighty Wurlitzer. That is, a sophisticated and ubiquitous stream of information that’s directed by a conglomeration of corporate outlets. These media companies use their gatekeeper status to set the agenda of public discourse and define the acceptable parameters of debate.
There are signs lately that the machine is breaking down. For example, during the 2016 election cycle there were genuine rumblings of populist revolt. Though not enough to derail the stranglehold of big money. As predicted Bernie Sanders did his sheep dog trick for the Democrats and Donald Trump no doubt likewise made a backroom deal with powerful members of the GOP establishment. In a political system captured by corporate interests the belief in a lesser evil is pleasant fiction.
It’s a numbers game, really. Not enough people in this country are sufficiently fed up to achieve the critical mass necessary to effect concrete structural change. In fact, considering the sheer number of mobile phone zombies stumbling around a supposedly progressive city like San Francisco it’s entirely plausible that a genuine uprising is unlikely to occur in the United States before the end of this century. Instead it’s more likely that society will experience an increased number of isolated individuals lashing out in despair.
Just remember that the collective mood of society will change as the climate gets warmer and factions of billionaires compete over dwindling resources. The unenlightened self-interest of the global elite will compel the misery index ever upwards in their never-ending quest for economic efficiencies and infinite growth. It’s not a matter of “if” an uprising will occur but rather “when.” Ultimately people will mobilize as a matter of survival. And so your humble narrator, as he watches the baleful telescreens multiply, leaves this guidebook for future activists. Here are some tools. Get out there and use them. Good luck.