VoIP Numbers Stations were Social Experiment 116
IO ERROR writes "The mysterious phone number stations appearing on Craigslist for the last three months, which resembled their shortwave radio cousins, and which Slashdot reported on in June, were an experiment devised by security researcher Strom Carlson and a group of Los Angeles hackers to determine if encrypted messages could be passed using unwitting third parties to foil traffic analysis by hostile intelligence agencies. Carlson and the hackers presented their findings at DEFCON earlier today and gave away CDs with "Make your own Mein Fraulein station" kits and posted one final number station for people to try to decrypt."
Another matter (Score:4, Interesting)
Re:Another matter (Score:5, Interesting)
http://en.wikipedia.org/wiki/Cryptanalysis_of_the
And at one time, I was trained to transcribe 5-digit numbers from another language. That was a different time and place, though.
Interesting stuff.
Re:Another matter (Score:1)
tri-shestiorki pyatdyecat dva
dyevatnadcet dvadcet dva
tweaking out yet?
Re:Another matter (Score:1)
shortwave radio number stations (Score:2)
Re:shortwave radio number stations (Score:5, Funny)
Shortwave numbers stations are a social experiment being conducted by the aliens. They'll present their findings at GALAXICON on July 8, 2047.
Re:shortwave radio number stations (Score:4, Funny)
Re:shortwave radio number stations (Score:5, Funny)
Actually they are mostly tenticle-enlargement spam, but we don't have the proper char-set support yet. Hopefully this will be included in Vista.
Re:shortwave radio number stations (Score:1)
When released the recordings were subject to a D-Notice http://www.dnotice.org.uk/ [dnotice.org.uk] and had little publicity; there must be something behind it.
summary (Score:2, Informative)
It seems to have worked.
Re:summary (Score:1)
Not much of an experiment (Score:5, Insightful)
Re:Not much of an experiment (Score:1, Insightful)
Traffic Analysis (Score:5, Informative)
This is a method of sending a message out, and having someone you want to receive the message, without other third parties being able to tell that a message has been exchanged. I can send you encrypted emails using any one of a number of secure protocols, and you can reply in kind. This is good on one level as reasonably no-one can read these emails, however it is trivial to work out that we're communicating - and this forms a pattern. Even if you can't work out what's being said, just knowing that certain parties are talking to each other is enough to build up a web of who's connected with who.
Exchanging data in the way mentioned above is a way that an interested third party is unable to work out who's sending, and who is receiving the message - if lots of people can receive it then it becomes harder to tell out of those who can receive it, who is able to read it, or make anything of it - ie, who is actually able to exchange useful information in this fashion.
Re:Traffic Analysis (Score:4, Interesting)
Exchanging data in the way mentioned above is a way that an interested third party is unable to work out who's sending, and who is receiving the message - if lots of people can receive it then it becomes harder to tell out of those who can receive it, who is able to read it, or make anything of it
But you have to make sure that your receiving mode is exactly the same as Joe Average's. A Dutch extertionist once used a classified ads site (the biggest list of second hand cars in the Netherlands) to have his funds transferred to him, by having bank account details embedded in the picture of one of the cars (with steganography). Sounds perfect.
However, the guy accessed the page through an American anonymiser (surfola.com) instead of through a normal Dutch ISP (as all the other page viewers did). Dutch police contacted the FBI, FBI contacted surfola, surfola gave FBI the guy's CC details, Dutch police arrested the guy. Ten years jail sentence for being too paranoid.
Back in my day (Score:4, Funny)
Ha. Hah.
*golf clap*
One Time Pads (Score:4, Interesting)
Re:One Time Pads (Score:5, Informative)
OTP has two huge problems associated with it, despite the mathematics being sound (assuming you have good random numbers):
Re:One Time Pads (Score:2, Interesting)
Re:One Time Pads (Score:4, Interesting)
Re:One Time Pads (Score:5, Interesting)
1. Encrypt data with OTP.
2. Hide this encrypted data in some false information (stenography)
3. Encrypt the result with something that can be broken (but not too easily)
This way, even if they managed to extract the original data from the stenography, they would just get what looks like random junk. It would actually be quite hard to even realize what you have extracted was real (rather than an error)
Re:One Time Pads (Score:5, Interesting)
The data you hide the OTPed data in, does not have to be text. You could use an audio file (notch out a frequency on the edge of the sample range, and then use very small amplitudes to put the data in) or an image, or even a video. You could even put this data out on P2P (encrypted data in porn? who would bother to look?) and simply email an ED2K link or something to the intended recipient. Hmm, porn-link swapping; fairly benign behavior.
Re:One Time Pads (Score:5, Funny)
Re:One Time Pads (Score:1)
Re:One Time Pads (Score:2)
we did this back in the 80's with a bridge rectifier in a strange configuration and used a OTP of a casette tape of Pink Floyd's dark side of the moon. Get your encrypted tape and put it in deck 1 put your floyd tape in 2 and cue to the right spot. Play tape 1 until beep press pause. play tape 2 until predetermined part of song press unpause on encrypted tape and hear the audio message.
Heck I had it working as a voice scrambler
Re:One Time Pads (Score:2)
Re:One Time Pads (Score:2)
If the hostile party even thinks you're still hiding something, however, this won't stop them.
Stenography vs. Steganography (Score:5, Informative)
I'm sure someone has pointed it out by now, but stenography [wikipedia.org] (shorthand) is not the same as steganography [wikipedia.org].
The mistake is apparently common enough that the first line of the wikipedia entry for steganography says, "Not to be confused with stenography".
Re:Stenography vs. Steganography (Score:2)
I'm sure someone has pointed it out by now, but stenography (shorthand) is not the same as steganography.
The mistake is apparently common enough that the first line of the wikipedia entry for steganography says, "Not to be confused with stenography".
True. However, with a sufficiently poor stenographer, the distinction might be a hard one to make.
Re:One Time Pads (Score:2)
PS But only if you dont find it
Re:One Time Pads (Score:1)
"rubber hose" cryptoanalysis (Score:1)
http://www.telegraph.co.uk/news/main.jhtml?xml=/n
Have a nice day.
Issues (Score:2)
Numbers Stations as OTP delivery? (Score:2)
Re:One Time Pads (Score:2)
> 1. Key distribution
Since one can buy a 4GB SD-Card the size of a stamp I'd think that the distribution of HUGE OTPs is a lot easier nowadays.
If Alice has initial physical access to Bob, of course.
k2r
Re:One Time Pads (Score:2)
Re:One Time Pads (Score:2)
The scenario is typically this ; your field agent is issued with his book of OTPs at home base ; you can be sure of the security of this distribution channel because you have vetted your staff, have armed guards, big EM shielded rooms, etc.
The agent then moves to Enemy Country X, where the phones are routinely tapped by the government, postal mail is all steamed open, and the only ISPs are government sanctioned and
Stenography Encryption (Score:5, Interesting)
Re:Stenography Encryption (Score:5, Interesting)
Re:Stenography Encryption (Score:2, Insightful)
In other words, you'll (additionally) need to hide your communications, not just encrypt them. If the government doesn't know any of your encrypted traffic exists, or can't attribute it to you, then there would be no case for a visual tail, possibly excepting the "This person seems to
Re:Stenography Encryption (Score:2)
Re:Stenography Encryption (Score:5, Interesting)
If you're the only person on your block using encrypted email, and using it for all of your email, you're an obvious red flag for some form of side-channel attack (i.e. they just sneak into your house when you're away and bug your keyboard). So if you did want to use encrypted communications, not only would you have to hide said communications in other things, but you'd also have to maintain the regular volume of unencrypted traffic from your email accounts so as not to arouse suspicion.
Email use is a trivial example, but it extends to anything else that can be tracked. The exact same thing goes for purchasing patterns: if you're spending large wads of dough (in cash) buying things that the government doesn't want you to have (*cough*recreational drugs*cough*), then you had better make sure that the rest of your purchasing habits aren't affected, so that nobody can find out how much money you're diverting into your illicit hobbies, just by looking at the difference between your income and your creditcards+savings+retirement accounts.
I, too, see this as becoming a cat and mouse game; as the authorities become better and better about mining information, people are going to start to become more clever and more aware about not only limiting the information they give out, but about putting out patently false information in order to create a semblance of "Joe America" when in reality they could be the Shah of Iran.
Re:Stenography Encryption (Score:4, Insightful)
If you have any brain cells you would make sure that your "visible life" was randomized as much as your invisible life. Then your secret transmissions will be missed as you raised the noise floor so much their detection systems will miss it.
the first way to defeat any detection system is to make it go off all the time and the operatores will start ignoring it.
Re:Stenography Encryption (Score:2)
Re:Stenography Encryption (Score:3, Funny)
You should probably use a bit-rotation method instead of just a shift.
Re: Stenography Encryption (Score:5, Funny)
A little analysis reveals your cause for concern.
Re: Stenography Encryption (Score:2)
Re:Stenography Encryption (Score:5, Funny)
Wow, fighting it out with typewriters against picks and shovels. Wait till the steganographers get in the act...
rj
Re:Stenography Encryption (Score:2)
Don't they need both typewriters and picks and shovels if they're going to write biographies of dinosaurs?
Re:Stenography Encryption (Score:1)
Re:Stenography Encryption (Score:2)
Re:Stenography Encryption (Score:1)
(sorry, just making an obligatory Slashdot-style joke, nothing personal)
Re:Stenography Encryption (Score:1)
In other words, abiding the law will become insufficient; there will be a new set of truely harmless things which will be met with punishment, but without any courts involved or room for defense.
Re:Stenography Encryption (Score:1)
I mean, imagine, just out of the blue, everybody starts posting or emailing around random groupings of 5 numbers.
If everybody does it, you are less likely to be singled out. It will annoy the hell out of the surveillance government. It will allow people who want to really have a covert channel to be undetectable. It will make a strong political statement, can become viral. Add a line at the end of the bloc of numbers to the effect of: 'I
12 24 55 88 45 97 96 (Score:2, Funny)
12 43 88 42 90 45 23 23
45 63 00 06 34 64 22 64
32 54 99 99 23 54 32 22
Re:12 24 55 88 45 97 96 (Score:4, Funny)
Re:12 24 55 88 45 97 96 (Score:4, Funny)
Re:12 24 55 88 45 97 96 (Score:4, Funny)
Re:12 24 55 88 45 97 96 (Score:1)
Re:12 24 55 88 45 97 96 (Score:1)
Re:12 24 55 88 45 97 96 (Score:4, Funny)
Re:12 24 55 88 45 97 96 (Score:2)
04 08 15 16 23 42
Trolls everywhere! (Score:2)
What was the point again? (Score:2)
Oh, and:
Group 214
80020 21085 00601 30690
01201 50240 07006 01601
70690 01702 40050 14024
00908 70220 67089 00820
10086 07801 30240 02707
30130 15006 09306 20084
00000 00210 03070 03107
02706 70000 07016 01201
Q
Re:What was the point again? (Score:5, Interesting)
It's like doing the same thing on a restroom stall. "For a good time, call 202-555-3988" will probably get passed over as graffiti, but a large block of cryptic-looking numbers looks unusual enough to attract attention.
Re:What was the point again? (Score:1)
Re:What was the point again? (Score:1)
Here I sit, broken hearted. Came to poop and only farted.
LK
Re:What was the point again? (Score:1)
Re:What was the point again? (Score:2)
You're a genius. Don't worry about Craigslist...train the girls to memorize your encrypted numbers. They'll recite them if you ask. And if government officials start calling the girls...instant scandal! They're forced out of office, and they can't tap your conversation any more. (And anyway a
I cracked it!! (Score:2, Funny)
Suduko (Score:1)
There's probably some dastardly plan in there somewhere
Puzzles = High entropy (Score:5, Interesting)
I thought that was pretty neat; "puzzles within puzzles" and all that. When you think about places where you can hide messages though, there are lots of opportunities when you have puzzles, because people expect a certain amount of randomness there. In a newspaper, there aren't a whole lot of other places where you can just have a whole block of random letters and not arouse suspicion; if you find someplace where there is already expected to be high entropy, then you can sneak in your encoded material much more easily.
Sudoku puzzles and crosswords could also be good candidates, but there are even ways you could probably work them into more subtle things if you had a predetermined scheme for encoding the message. I'm sure you could probably work the chess puzzles if you knew what you were doing.
Re:Puzzles = High entropy (Score:1)
During a phase of Bletchley Park's expansion, the Government Code and Cipher School place a challenge to the readers of the Daily Telegraph for anyone who could solve it in under twelve minutes. Those who did were brought to Fleet Street for a followup test, and those who passed that (six of them in the end) were brought to work at Bletchley Park.
In Victorian Times, newspapers used to carry columns of enc
Re:Puzzles = High entropy (Score:1)
Your friend doesnt look like Alec Baldwin does he?
What I want to know is... (Score:2)
Comment removed (Score:5, Interesting)
That's the Holy Grail, pretty much. (Score:4, Insightful)
In times past, the real trouble was in the acquisition of information. Now, the problem is on the analysis end: there's just so much information pouring in, nobody can even store it all, much less analyze it to any significant degree. You've got signals from the radio spectrum (broadcast TV and radio, satellite signals, telephone signals), plus all the POTS system voice traffic, plus actual Internet data in its myriad formats; it's really overwhelming.
I don't think there's any pat answer to your question. Obviously the intelligence agencies think that the best solution to the problem is with better analysis software and heuristics programs; stuff that can comb through the haystack and try to find the needle. But of course, those systems are only good at finding stuff, if you have a reasonable idea what you're looking for.
International terrorism, which is the bogeyman today, hasn't been around for long enough that -- in my uninformed opinion, anyway -- we probably know exactly what the "fingerprints" of an upcoming operation look like. We've had a couple of incidents to go on, now, but those are precious few datapoints to base future predictions on, or to use in order to seed systems in the hopes of catching future activity beforehand. It will probably be only in hindsight that we'll know of the next few incidents, and we'll have to use those to program the systems to sort the data.
Obviously, it's a very hard problem, both in the literal layman's sense of the term but also I think in the information-science sense of the term. My personal feeling is that it's such a lucrative problem, both in the public and private-sectors, that we'll get quite good in the future at mining through the rough to find the diamonds; however, it'll always be a cat-and-mouse game with people who want to hide their activities, whatever they are.
To go totally out onto a limb for a moment, my (unjustified) feeling is that eventually, the systems for doing this sort of information-processing will be biological in nature; either using some sort of simulated, self-programming neural networks in silicon, or will actually use neurons that have been plugged in to computer systems (literal 'brains in jars,' perhaps). Assuming we start to see the practical limits of information-processing on silicon, I see biological computing as being the next big step forward in information processing, particularly in the areas requiring a lot of heuristic analysis that don't lend themselves easily to more conventional algorithmic solutions. Data mining seems to be one of the few areas that would have enough possible rewards to justify both the risks and massive investment required, at some point in the future, of research and development.
Re:That's the Holy Grail, pretty much. (Score:1)
Which means that if the bogeymen have some competent cryptographers, the three-letter agencies don't stand a chance. They can only bet on stupidity (like that Mafia guy a couple of weeks ago who used a substitution cipher.)
Spelling... (Score:2)
Surely this is different to (I quote a CIC) 'the next terrer act'?
Re:What I want to know is... (Score:2, Interesting)
Re:What I want to know is... (Score:2)
One almost certainly does, given that pretty much all the 'terror acts' (including the whole 9/11 thing) were sitting somewhere on a collection system for considerable time before they happened. The intelligence agencies don't have a problem with data collection and haven't for years. Their problem has for a long time been that they don't know how to handle the data they have already collected.
(From this we can conclude that a
Re:What I want to know is... (Score:1)
Podcasts (eew i hate that word) (Score:2)
Ignore the Stupid Prank (Score:2)
My plan (Score:1)
2. Tell people it was actually an elaborate social experiment
3. ???
4. Profit!
Yet another shameless plug by IO ERROR (Score:1)
There are a few slip-ups that still tie him together.. on the contact page... is skype name is ioerror_us and on the policies p
Shortwave numbers station recording (Score:1)
Usenet? (Score:2)
Glad I wasn't at this presentation.. (Score:1)
A handrwritten fax (Score:2)