VoIP Numbers Stations were Social Experiment

Posted by ScuttleMonkey on Sat Aug 05, 2006 08:34 PM
from the mysteries-always-draw-the-crowds dept.
IO ERROR writes "The mysterious phone number stations appearing on Craigslist for the last three months, which resembled their shortwave radio cousins, and which Slashdot reported on in June, were an experiment devised by security researcher Strom Carlson and a group of Los Angeles hackers to determine if encrypted messages could be passed using unwitting third parties to foil traffic analysis by hostile intelligence agencies. Carlson and the hackers presented their findings at DEFCON earlier today and gave away CDs with "Make your own Mein Fraulein station" kits and posted one final number station for people to try to decrypt."

Related Stories

Technology: Numbers Stations Move From Shortwave To VoIP (228 comments)
IO ERROR writes "For decades, intelligence agencies have been sending secret messages to their agents in the field using shortwave numbers stations broadcasting encrypted messages for all to hear and puzzle over. Now someone is putting numbers stations on VoIP telephone numbers for anyone to call, and posting messages to Craigslist to alert the recipients to the existence of their messages. One of them went up last month and now a second one has appeared. Will there be a third? Who's behind them? And can you crack the code?"
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • Another matter (Score:4, Interesting)

    by Anonymous Coward on Saturday August 05 2006, @08:37PM (#15853978)
    Okay, and who's behind HELLO WORLD [wikipedia.org]? It's been running in stops and starts since April 2005.
  • I'm still more interested in the originals!
  • from the article:
    It seems to have worked.
  • by ericpi (780324) on Saturday August 05 2006, @08:58PM (#15854015)
    experiment ... to determine if encrypted messages could be passed using unwitting third parties

    They managed to share anonymous information with others using only a site whose purpose is to share anonymous information with others. The fact that they encrypted the info still doesn't make it much of an 'experiment'.
    • They've done it in this fashion to defeat Traffic Analysis [wikipedia.org].
      This is a method of sending a message out, and having someone you want to receive the message, without other third parties being able to tell that a message has been exchanged. I can send you encrypted emails using any one of a number of secure protocols, and you can reply in kind. This is good on one level as reasonably no-one can read these emails, however it is trivial to work out that we're communicating - and this forms a pattern. Even if you can't work out what's being said, just knowing that certain parties are talking to each other is enough to build up a web of who's connected with who.
      Exchanging data in the way mentioned above is a way that an interested third party is unable to work out who's sending, and who is receiving the message - if lots of people can receive it then it becomes harder to tell out of those who can receive it, who is able to read it, or make anything of it - ie, who is actually able to exchange useful information in this fashion.
      • Re:Traffic Analysis (Score:4, Interesting)

        by Incadenza (560402) on Sunday August 06 2006, @04:42PM (#15856420)

        Exchanging data in the way mentioned above is a way that an interested third party is unable to work out who's sending, and who is receiving the message - if lots of people can receive it then it becomes harder to tell out of those who can receive it, who is able to read it, or make anything of it

        But you have to make sure that your receiving mode is exactly the same as Joe Average's. A Dutch extortionist once used a classified ads site (the biggest list of second hand cars in the Netherlands) to have his funds transferred to him, by having bank account details embedded in the picture of one of the cars (with steganography). Sounds perfect.
        However, the guy accessed the page through an American anonymiser (surfola.com) instead of through a normal Dutch ISP (as all the other page viewers did). Dutch police contacted the FBI, FBI contacted surfola, surfola gave FBI the guy's CC details, Dutch police arrested the guy. Ten years jail sentence for being too paranoid.

  • by eagl (86459) on Saturday August 05 2006, @09:09PM (#15854037) Journal
    Back in my day, we called that a prank.

    Ha. Hah.

    *golf clap*
  • One Time Pads (Score:4, Interesting)

    by tradecraft1 (993475) on Saturday August 05 2006, @09:16PM (#15854053) Homepage
    You just have to love the simplicity. There were so many amateur cryptanalysts throwing all sorts of methods at these messages. A sound implementation of a OTP is a formidable foe. --Chris
    • Re:One Time Pads (Score:5, Informative)

      by QuantumFTL (197300) * <`justin.wick' `at' `gmail.com'> on Saturday August 05 2006, @09:27PM (#15854079) Homepage
      A sound implementation of a OTP is a formidable foe.

      OTP has two huge problems associated with it, despite the mathematics being sound (assuming you have good random numbers):
      1. Key distribution - do you like sending long messages? You'll need a key that's at least as long as the compressed message, and that distribution system must be absolutely secure. Also you'll need to make sure no one ever has a chance to access your key before or after the message is sent, otherwise you're screwed.
      2. Overconfidence - Congratulations, if you've done it correctly you have a 100% secure communications channel. The endpoints, however, are not protected by this mathematics, and are susceptible to everything from hidden bugs to software hacking or even "rubber hose" cryptanalysis.
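
The two key-handling constraints named in the comment above (a key at least as long as the message, and no access to or reuse of key material), as an added example that is not part of the original thread. The two-digit letter encoding, the digit-wise modulo-10 addition, the `Pad` class and all function names are assumptions made for illustration; the page does not say how the stations' messages were encoded.

```python
import secrets

# Assumed encoding for this sketch: space=00, A=01 ... Z=26 (two digits per character).
ALPHABET = " ABCDEFGHIJKLMNOPQRSTUVWXYZ"

def to_digits(text):
    """Encode text as decimal digits; raises ValueError on unsupported characters."""
    return [int(d) for ch in text.upper() for d in f"{ALPHABET.index(ch):02d}"]

def from_digits(digits):
    """Decode digit pairs; values outside the alphabet (wrong key) become '?'."""
    values = [10 * a + b for a, b in zip(digits[0::2], digits[1::2])]
    return "".join(ALPHABET[v] if v < len(ALPHABET) else "?" for v in values)

class Pad:
    """One-time pad of random decimal digits, destroyed as it is consumed."""

    def __init__(self, digits):
        self._digits = list(digits)

    @classmethod
    def generate(cls, length):
        return cls(secrets.randbelow(10) for _ in range(length))

    def remaining(self):
        return len(self._digits)

    def take(self, n):
        # Key distribution limit: the pad must cover every digit of the message.
        if n > len(self._digits):
            raise ValueError("pad exhausted: key shorter than message")
        chunk, self._digits = self._digits[:n], self._digits[n:]
        return chunk  # these digits are gone from the pad and cannot be reused

def encrypt(text, pad):
    plain = to_digits(text)
    return [(p + k) % 10 for p, k in zip(plain, pad.take(len(plain)))]

def decrypt(cipher, pad):
    return from_digits([(c - k) % 10 for c, k in zip(cipher, pad.take(len(cipher)))])

def groups(digits, size=5):
    """Format digits as five-digit groups, zero-filling the last group."""
    s = "".join(map(str, digits))
    s += "0" * (-len(s) % size)
    return " ".join(s[i:i + size] for i in range(0, len(s), size))

def reuse_leak(c1, c2):
    """Digit-wise difference of two ciphertexts; under a reused key the key cancels."""
    return [(a - b) % 10 for a, b in zip(c1, c2)]

if __name__ == "__main__":
    key = [secrets.randbelow(10) for _ in range(40)]   # constructed sample pad
    sender, receiver = Pad(key), Pad(key)              # two copies, exchanged in advance
    msg = "MEET AT NOON"                               # constructed sample message
    cipher = encrypt(msg, sender)
    print(groups(cipher))
    print(decrypt(cipher, receiver), "| pad digits left:", receiver.remaining())
    # Misuse: the same key digits applied to two messages.
    c1 = [(p + k) % 10 for p, k in zip(to_digits("ATTACK"), key)]
    c2 = [(p + k) % 10 for p, k in zip(to_digits("DEFEND"), key)]
    print(reuse_leak(c1, c2) == reuse_leak(to_digits("ATTACK"), to_digits("DEFEND")))
```
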
      • I was referring to the crypto-system behind OTP, not the implementation per se. --Chris
        • Re:One Time Pads (Score:4, Interesting)

          by QuantumFTL (197300) <`justin.wick' `at' `gmail.com'> on Saturday August 05 2006, @09:50PM (#15854135) Homepage
          Oh, I don't disagree with you at all... In fact if I ever try to do something like this, you better believe I'll be using OTP. I just worry that some people perceive this to be a "magic bullet," which it most definitely is not. In another post [slashdot.org] that even attracting attention with encrypted messages (especially those the government cannot break) could soon be an unacceptable risk for many people, and unfortunately OTP can't help with that.
          • Re:One Time Pads (Score:5, Interesting)

            by X0563511 (793323) * <draeath AT member DOT fsf DOT org> on Saturday August 05 2006, @11:04PM (#15854263) Homepage Journal
            Better method:

            1. Encrypt data with OTP.
            2. Hide this encrypted data in some false information (stenography)
            3. Encrypt the result with something that can be broken (but not too easily)

            This way, even if they managed to extract the original data from the stenography, they would just get what looks like random junk. It would actually be quite hard to even realize what you have extracted was real (rather than an error)
            • Re:One Time Pads (Score:5, Interesting)

              by X0563511 (793323) * <draeath AT member DOT fsf DOT org> on Saturday August 05 2006, @11:07PM (#15854267) Homepage Journal
              Oops, forgot to specify:
              The data you hide the OTPed data in, does not have to be text. You could use an audio file (notch out a frequency on the edge of the sample range, and then use very small amplitudes to put the data in) or an image, or even a video. You could even put this data out on P2P (encrypted data in porn? who would bother to look?) and simply email an ED2K link or something to the intended recipient. Hmm, porn-link swapping; fairly benign behavior.
              • by foniksonik (573572) on Sunday August 06 2006, @12:28AM (#15854360) Homepage Journal
                Dude is that why I keep seeing pr0n that looks slightly mangled? I thought it was just amateur encoding jobs... now you're telling me i'm watching encrypted messages while.... NOW I feel dirty... it's like some guy was talking to me while i was... ewwwww...
            • A much more detailed version of what you describe can be found here [nicetext.com].

              If the hostile party even thinks you're still hiding something, however, this won't stop them.
            • by sshore (50665) on Sunday August 06 2006, @03:35AM (#15854587)

              I'm sure someone has pointed it out by now, but stenography [wikipedia.org] (shorthand) is not the same as steganography [wikipedia.org].

              The mistake is apparently common enough that the first line of the wikipedia entry for steganography says, "Not to be confused with stenography".

      • Are these really resolvable issues? Ultimately, those two questions are the big ones in security. Mostly the second one, I'd say. But it's nice to be able to focus on them without having to worry that the actual cipher technology will make your efforts worthless. I mean, it's really saying something that we've only now entered an age where we can finally stop worrying about the engineering side of secure communication, and actually focus on the endpoints in confidence. As long as we don't forget that t
    • If it's only used once, and you have to pass it securely, then why not just pass the message in place of the OTP? I understand that the message may not be ready. But in this light it seems like OTP is not 'encryption' but encoding?
      • Because you may not have the luxury of exchanging messages over a secure channel all the time.

        The scenario is typically this: your field agent is issued with his book of OTPs at home base; you can be sure of the security of this distribution channel because you have vetted your staff, have armed guards, big EM shielded rooms, etc.

        The agent then moves to Enemy Country X, where the phones are routinely tapped by the government, postal mail is all steamed open, and the only ISPs are government sanctioned and
  • by QuantumFTL (197300) * <`justin.wick' `at' `gmail.com'> on Saturday August 05 2006, @09:19PM (#15854060) Homepage
    I think we're moving to a society where just being suspected of a crime will be so bad (in terms of government harassment like no-fly lists, wiretapping, etc) that the most important thing will not be to make sure that the government can't read what you communicate, but rather have no reason to suspect you're doing anything they don't like. With current advances in data mining, it's going to be an arms race - the stenographers against the miners. I for one am fascinated by both technologies, and frankly rather terrified of how they each may be used. It will be interesting to see, but one thing is for sure - encryption will no longer be enough.
    • by hcob$ (766699) on Saturday August 05 2006, @09:26PM (#15854076)
      Of course, if you are visible as a "citizen" through credit card purchases, debit cards, atms, banks, etc. and all your other traffic is encrypted... It might make a case for a visual tail to be attached to you. Warrants are only required for searches... not observations in public areas.
      • I think that was the point... As GP said, "the most important thing will not be to make sure that the government can't read what you communicate, but rather have no reason to suspect you're doing anything they don't like".

        In other words, you'll (additionally) need to hide your communications, not just encrypt them. If the government doesn't know any of your encrypted traffic exists, or can't attribute it to you, then there would be no case for a visual tail, possibly excepting the "This person seems to
        • Oh, they'll have plenty of ways to flag you. Any sort of unusual behavior, such as changes in spending on consumer goods, what books you are buying or checking out from the library, dissatisfactions with life that you express not just online, but face to face to close friends and confidantes. Maybe even a tone of dissatisfaction in your voice in a conversation about something that has nothing to do with the issues of the day.

          Crawford, Texas Uber Alles
          Uber Alles Crawford, Texas

          Now it is 1984
          Knock knock at yo

      • by Kadin2048 (468275) <slashdot@kadin.xoxy@net> on Sunday August 06 2006, @01:52AM (#15854449) Homepage Journal
        All very true. Which makes it more important -- if you're up to some sort of "no good" (where 'no good' is defined by the people with the most guns in the vicinity) -- that you maintain a passable facade of normalcy, at least as far as the government/credit bureau databases are concerned.

        If you're the only person on your block using encrypted email, and using it for all of your email, you're an obvious red flag for some form of side-channel attack (i.e. they just sneak into your house when you're away and bug your keyboard). So if you did want to use encrypted communications, not only would you have to hide said communications in other things, but you'd also have to maintain the regular volume of unencrypted traffic from your email accounts so as not to arouse suspicion.

        Email use is a trivial example, but it extends to anything else that can be tracked. The exact same thing goes for purchasing patterns: if you're spending large wads of dough (in cash) buying things that the government doesn't want you to have (*cough*recreational drugs*cough*), then you had better make sure that the rest of your purchasing habits aren't affected, so that nobody can find out how much money you're diverting into your illicit hobbies, just by looking at the difference between your income and your creditcards+savings+retirement accounts.

        I, too, see this as becoming a cat and mouse game; as the authorities become better and better about mining information, people are going to start to become more clever and more aware about not only limiting the information they give out, but about putting out patently false information in order to create a semblance of "Joe America" when in reality they could be the Shah of Iran.
      • by Lumpy (12016) on Sunday August 06 2006, @03:27PM (#15856256) Homepage
        not so.

        If you have any brain cells you would make sure that your "visible life" was randomized as much as your invisible life. Then your secret transmissions will be missed as you raised the noise floor so much their detection systems will miss it.

        the first way to defeat any detection system is to make it go off all the time and the operators will start ignoring it.
    • Sorry, the title was supposed to read "Stenography >> Encryption"
    • by Black Parrot (19622) on Saturday August 05 2006, @09:35PM (#15854102)
      > I thin k we're moving to a society where just being suspected of a cr i me wi ll b e so ba d (in terms of government harassment like no-fly lists, wiretapping, etc) that the most important t h ing w i ll not be to m ake sure that the government can't read what you communicate, but rather have no reason to suspect you're doing anything they don't like. With current advances in data mining, it's going to be an arms race - the stenographers against the miners.

      A little analysis reveals your cause for concern.
    • by Deadstick (535032) on Saturday August 05 2006, @11:40PM (#15854308)
      the stenographers against the miners.

      Wow, fighting it out with typewriters against picks and shovels. Wait till the steganographers get in the act...

      rj

  • 23 42 13 75 24 53 20 45
    12 43 88 42 90 45 23 23
    45 63 00 06 34 64 22 64
    32 54 99 99 23 54 32 22
  • These trolling phenomena, encrypted or not, really get to me! It seems so senseless and a waste of time! ALL YOUR BASE BELONG TO US
  • Wouldn't it have been just as effective to just write the numbers into the craig:s list pointing right from the start? What's the point of the VOIP nonsense?

    Oh, and:

    Group 214
    80020 21085 00601 30690
    01201 50240 07006 01601
    70690 01702 40050 14024
    00908 70220 67089 00820
    10086 07801 30240 02707
    30130 15006 09306 20084
    00000 00210 03070 03107
    02706 70000 07016 01201
    Q
    • by Dachannien (617929) on Saturday August 05 2006, @11:37PM (#15854306)
      A post containing the actual encoded message might get deleted from Craigslist due to its content (or lack thereof). A cleverly disguised reference to a phone number where the message can be retrieved fits in with the natural flora of Craigslist.

      It's like doing the same thing on a restroom stall. "For a good time, call 202-555-3988" will probably get passed over as graffiti, but a large block of cryptic-looking numbers looks unusual enough to attract attention.

  • by Anonymous Coward
    The decrypted message is: "There are motherfuckin snakes on the motherfuckin plane."
  • ...how these guys didn't get a visit from a few nice men in suits flashing Homeland Security badges and asking a lot of questions. I'm sure that they had to have been looked at...
    • by digitalchinky (650880) <dtchky@gmail.com> on Sunday August 06 2006, @01:49AM (#15854442) Homepage
      All the three letter agencies across the world have finite resources. Supposing you had a box on every backbone, it's still not practical. Logically you need to have knowledge of your target beforehand, otherwise it's needle in the haystack stuff.

      There are very few viable solutions, one might have 'the next terror act (tm)' sitting somewhere on a collection system, though how would an analyst ever know what that snapshot actually means without additional information? Hindsight doesn't help much.

      There's an awful lot of noise out there to hide behind, and it's only ever going to get worse.

      Signed.
      Ex 3 letter agency drone.
      • You've just hit one of the biggest problems facing intelligence today square on the head.

        In times past, the real trouble was in the acquisition of information. Now, the problem is on the analysis end: there's just so much information pouring in, nobody can even store it all, much less analyze it to any significant degree. You've got signals from the radio spectrum (broadcast TV and radio, satellite signals, telephone signals), plus all the POTS system voice traffic, plus actual Internet data in its myriad formats; it's really overwhelming.

        I don't think there's any pat answer to your question. Obviously the intelligence agencies think that the best solution to the problem is with better analysis software and heuristics programs; stuff that can comb through the haystack and try to find the needle. But of course, those systems are only good at finding stuff, if you have a reasonable idea what you're looking for.

        International terrorism, which is the bogeyman today, hasn't been around for long enough that -- in my uninformed opinion, anyway -- we probably know exactly what the "fingerprints" of an upcoming operation look like. We've had a couple of incidents to go on, now, but those are precious few datapoints to base future predictions on, or to use in order to seed systems in the hopes of catching future activity beforehand. It will probably be only in hindsight that we'll know of the next few incidents, and we'll have to use those to program the systems to sort the data.

        Obviously, it's a very hard problem, both in the literal layman's sense of the term but also I think in the information-science sense of the term. My personal feeling is that it's such a lucrative problem, both in the public and private-sectors, that we'll get quite good in the future at mining through the rough to find the diamonds; however, it'll always be a cat-and-mouse game with people who want to hide their activities, whatever they are.

        To go totally out onto a limb for a moment, my (unjustified) feeling is that eventually, the systems for doing this sort of information-processing will be biological in nature; either using some sort of simulated, self-programming neural networks in silicon, or will actually use neurons that have been plugged in to computer systems (literal 'brains in jars,' perhaps). Assuming we start to see the practical limits of information-processing on silicon, I see biological computing as being the next big step forward in information processing, particularly in the areas requiring a lot of heuristic analysis that don't lend themselves easily to more conventional algorithmic solutions. Data mining seems to be one of the few areas that would have enough possible rewards to justify both the risks and massive investment required, at some point in the future, of research and development.
  • Are Defcon likely to put up MP3s of the presentations?
  • No one cares, and Craigslist swiftly removed the "final number station" post.
    • by Kadin2048 (468275) <slashdot@kadin.xoxy@net> on Sunday August 06 2006, @02:00AM (#15854460) Homepage Journal
      Actually a while back I was talking to someone who was writing a little steganographic program (not sure if he ever completed it) that was designed to make "word find" puzzles out of encrypted or encoded text. So the result would be a block of letters that you could print up as a trivial word-find puzzle, the ones where you look for the words printed vertically, horizontally, diagonally, etc., but then if you actually analyzed the letters (I think he was using some sort of trivial cipher that could be broken via distribution analysis) it contained a message.

      I thought that was pretty neat; "puzzles within puzzles" and all that. When you think about places where you can hide messages though, there are lots of opportunities when you have puzzles, because people expect a certain amount of randomness there. In a newspaper, there aren't a whole lot of other places where you can just have a whole block of random letters and not arouse suspicion; if you find someplace where there is already expected to be high entropy, then you can sneak in your encoded material much more easily.

      Sudoku puzzles and crosswords could also be good candidates, but there are even ways you could probably work them into more subtle things if you had a predetermined scheme for encoding the message. I'm sure you could probably work the chess puzzles if you knew what you were doing.