
Forthcoming book seeks to visualise, locate and expose many numbers stations - opaque
https://www.vice.com/en_uk/article/8x858k/the-mysterious-radio-stations-broadcasting-secret-messages
======
tpolzer
> If you listen to the same station again and again you start to see a
> pattern. That's what the numbers monitors and enthusiasts are very good at
> doing. Usually when that pattern starts to emerge it fits the profile of the
> kind of cypher called a one-time pad

What did I just read? A true one time pad by definition is truly random
without any patterns.

~~~
imglorp
The encrypted data, yeah, but as a practical matter they would need to have
some metadata telling the recipient which pad to use. As long as the sender
avoids the German tank numbering problem, and never repeats a pad or message,
the metadata should be useless to an attacker.

[https://en.wikipedia.org/wiki/German_tank_problem](https://en.wikipedia.org/wiki/German_tank_problem)

Also, I was initially thinking why bother in the age of Pastebin and Twitter,
and even Craigslist: the receiving equipment is available way more easily than
a shortwave radio. I think the answer is, you can absolutely guarantee nobody
knows if a message was received. Those internet methods could be watched.
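
As an added illustration of this comment (example code, not from the article or anyone in the thread): a one-time pad in Python together with the two ways the scheme leaks that the thread raises, pad reuse and sequential pad identifiers. The German tank estimator is the standard one from the linked article; the sample pad ids are constructed.

```python
import secrets


def new_pad(length: int) -> bytes:
    """Fresh pad from the OS CSPRNG; a pad is used exactly once, then destroyed."""
    return secrets.token_bytes(length)


def otp_xor(data: bytes, pad: bytes) -> bytes:
    """Encrypt or decrypt (XOR is its own inverse). The pad must cover the message;
    a short pad must never be stretched or recycled."""
    if len(pad) < len(data):
        raise ValueError("pad shorter than message")
    return bytes(d ^ k for d, k in zip(data, pad))


def pad_reuse_leak(ct_a: bytes, ct_b: bytes) -> bytes:
    """Two ciphertexts under the same pad: XORing them cancels the pad and exposes
    plaintext_a XOR plaintext_b (zero bytes wherever the plaintexts agree)."""
    return bytes(a ^ b for a, b in zip(ct_a, ct_b))


def german_tank_estimate(observed_ids) -> float:
    """Minimum-variance unbiased estimate of the largest serial N, given k serials
    observed without replacement from 1..N:  N_hat = m + m/k - 1.
    Sequentially numbered pads therefore leak roughly how many pads were issued."""
    k = len(observed_ids)
    m = max(observed_ids)
    return m + m / k - 1


if __name__ == "__main__":
    pad = new_pad(32)
    ct = otp_xor(b"check your dead drop signal", pad)
    assert otp_xor(ct, pad) == b"check your dead drop signal"
    # Constructed: pad ids announced in four monitored broadcasts.
    print(german_tank_estimate([14, 3, 9, 21]))  # 25.25
```

Random, unordered pad identifiers give the estimator nothing to work with, which is the practical reading of the comment's "should be useless to an attacker".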

~~~
VLM
Radio is also one to many, inherently.

And you can do social engineering head games with counter intel officers. Send
37 distinct repeated messages one day... that would seem to strongly imply 37
individual agents, but in reality you could have anything from 0 to 1000. OTP
message #24256 might be heard by field agents 351 938 and 271 and it means
"check your dead drop signal". One agent sees a chalk mark on the street and
gets a real message at his dead drop, the other two see nothing and chill. OTP
message 91053 could mean "unrestricted warfare begins tomorrow at noon" for
all 1000 agents, perhaps. Or maybe OTP message 91053 means nothing, nothing at
all and it's all head games for counter intel.

There are also chain strategies such as I own a "suspicious" shortwave radio
and listen to it (which in some parts of the world that are not USA, is not
unusual or suspicious) and when I get an OTP message I am to offer my collectible
Dale Earnhardt mint condition collectors plate for $1599 on ebay. The agent
who's actually doing something interesting is a well known 90s NASCAR fan and
when he sees my collectors plate offered for $1599 on ebay when the going rate
is $5, that's when he steals the secrets or pushes the button or whatever. I
listen to shortwave which means I could be a spy but all I ever do is try to
sell junk on ebay, whereas the "real" agent is an indistinguishable NASCAR
fan.

There are protocols using OTP where the metadata could quite easily give away
an agent even if the data is never cracked even with the rubber hose
technology. For example imagine a really bad protocol of page number, word
number. Won't take long to figure this out when the first number increases at
a predictable rate never exceeding 351 pages and the second number never
exceeds the number of words on a page. All you need to do is have customs
record the number of pages in each book travelers import, and when you figure
out the pad rotates at 351 pages you find the guy who entered the country with
a 351 page book, and do absolutely nothing other than alert customs to record
the exact name and edition of every book he has ever or will ever import, at
which point you now have a copy of his one time pad. That's a horrible
protocol that uses OTPs, but it's hardly the only crackable one that exists.

Personally, given how incredibly cheap it is to transmit numbers over the
radio, and how incredibly expensive it is for counterintel to try to figure it
out and track it, even if it were obsolete 20 years ago, I'd still keep doing
it as a pure economic attack. That counterintel agent listening to numbers is
one agent who's not inspecting the contents of suspicious looking ICMP packets
or multiplayer video game conversations or funny chalk marks in front of
libraries or whatever.

~~~
rl3
> _... inspecting the contents of ... multiplayer video game conversations
> ..._

I've had this theory that chat in multiplayer games is probably one of the
most reliable methods to bypass dragnet surveillance that exists.

Figure that most popular chat protocols are reverse engineered and actively
captured. Moreover, any crypto usage beyond https will simply flag you.

It's conceivable that NSA/GCHQ have had people dedicated to reversing
videogame chat protocols for some time now, but given the veritable Cambrian
explosion of games we've seen in recent years thanks to Steam, I have serious
doubts that even major SIGINT agencies can keep up.

Their best hope is that the game uses IRC, a cloud service, or some other
standardized chat protocol as a backing for its in-game chat. If it's some
obscure game with a custom-but-unencrypted chat protocol, I highly doubt it's
automatically interpreted. At best the raw data itself is probably captured
and stored for a short period of time. It is possible however that they're
applying automated methods to anomalous traffic that are able to pull out
unencrypted text streams.

Of course, why use in-game chat when you could just pick a game that has a way
to write out a message in the game itself. Minecraft clones and certain
multiplayer paint apps become more or less perfect steganography in that case.

~~~
zdkl
Faulty assumption. I don't need to pay attention to the tubes if I can look in
on your terminal.

~~~
rl3
That's why I qualified the statement with _dragnet surveillance_.

Obviously if someone's already targeted it's simple for any self-respecting
SIGINT agency to just install implants and get whatever they want. I was
describing measures that would likely foil automated bulk analysis.

Now if you're implying there's some sort of bulk, indiscriminate implantation
program, that would be news to pretty much every private sector security
expert on the planet. May as well just tap fiber for appearances at that
point.

~~~
zdkl
> _Now if you're implying there's some sort of bulk, indiscriminate
> implantation program, that would be news to pretty much every private sector
> security expert on the planet._

Are you sure? I thought it was widely accepted that you couldn't trust Chinese
hardware or most American firmware.

~~~
rl3
Yes, I'm sure. Backdoors are not implants, they are vulnerabilities.

Implants are the payloads that persistently infect target systems, surveil or
modify the environment, and exfiltrate data.

So unless you want to suggest the majority of consumer systems are actively
compromised to the point of exfiltrating screen caps on a regular basis, my
original point still stands. Even then, good luck conducting successful
automated analysis on hidden messages made out of blocks in Minecraft.
Reconstructing game state as it went across the wire would be easier than
making sense of screenshots in that scenario.

~~~
zdkl
Does ECHELON ring a bell to you?

I don't believe every computing device ever is exfilling the amount of data
you describe, but I'd be very very surprised if it weren't an option for
nation level actors at the flick of a switch.

Screw minecraft, all I need is access to your USB/ethernet controllers and
that's not remotely difficult.

I believe your threat model is flawed if you don't assume any existing known
vulnerability isn't being at least passively used to surveil remote systems.

~~~
rl3
From one of my previous replies:

_"I was describing measures that would likely foil automated bulk
analysis."_

Nothing you just said is relevant in that context. Yes, obviously anything can
be easily compromised if it's targeted. I said as much in the very same post.

Automated bulk analysis exists to find targets in the first place.

~~~
zdkl
I think you're vastly overestimating how complicated it is to do what I'm
talking about at scale, but whatever.

~~~
rl3
From a technical perspective it might not be that hard given the depth of
existing capabilities, but from a risk standpoint it would probably be a
terrible idea.

Recall Stuxnet and some of its successors were partially reverse engineered,
and just recently Intel's Management Engine is being torn apart.

~~~
zdkl
I agree about the risk. But we're drifting in a direction where that risk is
becoming lesser and lesser.

Most users simply couldn't give a crap and we're gonna pay for the loss of
accountability at some point.

------
mcguire
"_Tyson's Corner Communications Tower, United States of America. Built in
1952 as part of a program to harden US government systems against nuclear
attack, some more fanciful numbers monitors suggested the tower was a
transmitter for numbers broadcasts._"

My understanding was that it was easy to triangulate the location of a
transmitter (if you're close enough to it and not receiving reflections).
Shouldn't a transmitter in the middle of Virginia be trivial to verify?

~~~
unclesaamm
Tyson's Corner being "in the middle of Virginia" is the perfect Northern
Virginian equivalent of the New Yorker's "View of the World from 9th Ave"

~~~
mcguire
Well, ok, but my point was that it isn't exactly Johnston Atoll.

------
fapjacks
If you're interested in number stations, drop by #priyom on Freenode. There is
some automation and a small dedicated community around tracking and recording
these transmissions.

~~~
pavel_lishin
Clever channel name.

------
JoeDaDude
I fear the book may not have as insightful an analysis of numbers stations
that radio enthusiasts may hope for. I hope I am wrong and please correct me
if so, but the book preview [1] looks like a coffee table book of photographs
and spectrograms with little to no text.

[1]. [http://www.lewisbush.com/shadow-of-the-state-book/](http://www.lewisbush.com/shadow-of-the-state-book/)

~~~
King-Aaron
Not just _any_ photographs, _google street view photographs_ thank you very
much!

------
jbob2000
The easy way to find out who owns them is to break them, then watch who comes
to fix them.

~~~
jccc
Do you think if they come wearing Verizon hats that means they're Verizon?

~~~
mindcrime
I don't know, but this reminds me of something I always wanted to do:

Buy a small, white, Chevrolet van, plaster AT&T logos on the sides, put a
flashing yellow light on top, and mount a holder for some orange road cones on
the rear bumper. I figure with a vehicle like that, you can park just about
anywhere, wander around, poke at stuff, and do all sort of shit, without
anybody batting an eye. Especially wearing coveralls and a safety vest and
hardhat, and carrying a clipboard.

~~~
z303
Have a look at Telstar logistics

[http://telstarlogistics.typepad.com/telstarlogistics/2006/09...](http://telstarlogistics.typepad.com/telstarlogistics/2006/09/what_is_telstar.html)

~~~
mindcrime
That is the coolest thing I've ever read in my life... :-)

------
drdeadringer
I'm glad I saw this post.

One of my fun projects I have planned is to script a "number station" in
python based on the general patterns these number stations have.

~~~
Zelizz
Heh, broadcast random numbers at a slow, steady rate, set a bot to watch for
news headlines including certain military keywords, have number station start
broadcasting furiously.

~~~
zdkl
...Get a visit from the "renovation team" next time you're out of the house.

