Archive for September, 2010

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
        RULES FOR INSURING PRIVACY IN AN ORGANIZATION.
        CONSTANT AWARENESS OF THREATS.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
        Written by: -Q-
-=-=-=-=-=-=-=-=-

The following is a brief abstract on the topic of privacy and the awareness of threats and vulnerabilities. In this text I shall discuss some of the common rules that security experts and countermeasures technicians live by. I have found that the best set of rules published to date is by Glen H. Whidden, who draws upon his 28-year career with the CIA. Mr. Whidden, noted as one of the country's most knowledgeable surveillance countermeasures experts, details these rules in the books which his company, Technical Services Agency (TSA), publishes.

I shall simply reprint these rules from his book "A GUIDEBOOK FOR THE BEGINNING SWEEPER". Mr. Whidden has lovingly given his rules a name, and that is: "THE MOSCOW RULES". I don't know what it specifically means.. nothing really, just a clever slogan..
But anyway, the rules are as follows.

MOSCOW RULES FOR COUNTER ESPIONAGE INVESTIGATIONS
=================================================

(1) Assume that all LN's are hostile.
(2) Assume that an approach by a non-LN is hostile until proven otherwise.
(3) Assume that there is always hostile physical surveillance unless
    counter-surveillance proves otherwise.
(4) Assume that all telephone conversations are monitored by LN's.
(5) Assume that all enclosed areas are bugged unless they are 'secure' rooms.
(6) Assume that incoming and outgoing mail will be subject to hostile
    examination.
(7) Assume that anything that is left unattended will be subject to
    examination by LN's.
(8) Assume that locks left unguarded or unprotected will be manipulated
    or bypassed and the material they protect will be compromised.
(9) Assume that simple traps will not deceive LN's.
(10) Assume that any guard can be recruited by LN's or is himself
    an LN agent.
(11) Assume that a pair of guards can be recruited by LN's or are
    themselves agents of LN's.

MOSCOW RULES FOR COUNTERMEASURES INSPECTIONS
============================================

(1) Assume that the eavesdropper is listening in the sensitive areas.
(2) Assume that an eavesdropper has an agent near the sensitive area.
(3) Assume that the eavesdropper is watching the entrances of the facility.
(4) Assume that the eavesdropper can maintain a low vulnerability status
    when he is not listening.
(5) Assume that the eavesdropper is guarding the NLJD band of frequencies.
(6) Assume that the eavesdropper is watching for sweep receiver radiation.

TRANSLATION INTO ENGLISH
========================

Mr. Whidden then goes on to explain what each one of the above rules means in detail, but it is rather long-winded and I won't reprint it in this text. Most of the rules are very simple to understand, but a few points warrant explanation, which I'll put into my own words so I can explain them in simpler terms.

First, Mr.
Whidden uses the term "LN" (which stands for Local National), which means a person who is indigenous to a specific area. This term has a greater meaning in the field of world intelligence, as it means a citizen of a foreign country who may be an agent or informer of that country, or it may be a citizen of another country that you recruit as an "agent" or "asset" to work for you. However, in the context of the Moscow Rules it is simply a term of convenience which is not nearly so grand. In the context of the rules it merely refers to a person who may work for an organization or a corporation, who is either acting on their own accord or under the direction of others, and the purpose of that individual is to infiltrate and/or compromise the corporation or organization, usually in a covert manner (such as to steal business secrets in industrial espionage), but it can be done in an overt manner also if the intent is to destroy, cause harm, or embarrass the organization.

MOSCOW RULES FOR COUNTER ESPIONAGE INVESTIGATIONS:

(1) Rule 1, which states that you should assume that all LN's are hostile, roughly translates to the philosophy of "trust nobody!" This is extended to include the very person who hired you!

    As unlikely as it may seem, if you look at the rules it is a very logical conclusion, especially in a corporate situation. It is very common for the "security department" to be the one to request that a TSCM countermeasures sweep be performed; this can be done to please the bosses and make the executives feel that since the sweep was done all the confidential conversations are secure.
    In a real world situation it is likely that one or more individuals in the 'security department' itself may be the actual perpetrator, and they thus will be well aware of the search for eavesdropping devices and will have the ability to easily deactivate or remove the clandestine devices before the search, whereas they can be replaced promptly after the search was performed. This tactic of infiltration not only gives the eavesdroppers the advantage of knowing when a sweep is to be performed but also provides a form of 'cover', since the security employee (really an LN "agent") will seem all the more legitimate since he is the one that ordered the sweep. One can reference Moscow Rules 10 & 11 to realize that "guards" and "security" should not usually be given 100 percent trust. The "SWEEPER" MUST obey what the security staff says, even if the sweeper suspects the guards or security staff of being the actual perpetrators, and once actual proof is established to confirm that fact, the sweeper should convey that possibility to some other person within the company who the sweeper feels is trustworthy.

(4) Rule 4 is an especially important one. Although it needs no elaboration, I cannot stress how important it is NEVER EVER to discuss anything sensitive over a telephone (that is even more so true if you have a cordless or cellular phone).

    Also, it should be noted, in my personal opinion, that not even encrypted phones/faxes should be beyond suspicion. There exist many ways to defeat such encryption. The easiest is simply to compromise the keys, which is not a difficult task if your target is unaware. A simple black-bag job is all that is needed to either liberate the codes from the encryption unit itself or from a locked safe or drawer, which can then be copied to floppy and the original code returned to its position undisturbed.
    Modern encryption units such as the STU phones do help to some small extent to guard against such attacks by the use of "ignition or code keys" which can be physically taken from the unit to help secure the unit's key integrity, but there are ways around that. Then of course, it is never beyond reason to doubt that the encryption itself can be cracked if it is deemed a priority. This is a simple task which can be done in half a second if you're using weak encryption on your phone such as simple "inversion" chips or other simple encryption units which are widely sold in catalogs. It is also not out of reason to realize that even DES is not safe anymore, although it's a hell of a lot safer than "inversion chips", which can be cracked with a $50 kit available in the classifieds of most electronics magazines.

(5) Rule 5 states that all conversations should be considered vulnerable unless conducted in a "secure" room. Personally, I hold to the philosophy that THERE IS NO SUCH THING as a "secure" room, but then one must realize that this is reality and you cannot be completely paranoid.

    A "secure" room is a complicated term to define, as there are many degrees of what is considered "secure". The ultimate "secure" room would be completely RF (Radio Frequency) proof and would thus completely attenuate all RF transmissions from "bugs", but the security must be extended to ensure that no wires/fiber enter or leave the room, as they can carry clandestine signals hidden on that wire (or at the very least all wires must be monitored for hidden signals). The room must have no loudspeakers, which can act as microphones; the room preferably would have no windows, and if it did they would attenuate any infrared light so as to protect against RF/IR transmitters.
    And lastly the room would be acoustically secure, which means there would be virtually no acoustic leakage (in other words, no sound could be heard on the other side of the wall using any type of device such as microphones and high powered amplifiers).

    Also, to be acoustically secure, the room should have sufficient random masking signals present and continuously fed into the secure room. There should be several such masking generators in use at different points in the room, and in addition all plenums and air vents should be masked as well. In addition, the walls as well as any windows should be masked using a transducer element which vibrates all windows and walls in a random fashion to further defeat any clandestine listening devices such as contact microphones, spike or tube microphones which are drilled into the wall from the opposite, non-guarded side, as well as techniques of 'laser/microwave pick-off'.

(8) Rule 8 also warrants elaboration. All mechanical locking mechanisms are easily bypassed by persons with experience in such fields - which very often includes an eavesdropper himself - or on occasion, an eavesdropper may have a "keyman", which is a person who is an entry specialist (called "quick-entry" in the locksmithing field). To properly secure a facility, electronic locking mechanisms should be used, which are much harder (yet not impossible) to defeat. Preferably a secure installation should go beyond simple electronic locking mechanisms (such as a key card system connected to an electric strike). A complete access system must be incorporated with full provisions for software logging of all entries and exits, as well as "anti-passback" protection to further enhance accountability, security and tracking.

    All safes should be of the electronic type, NOT the mechanical combination type of yesteryear. It is not a difficult task to bypass combination safes nowadays.
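    The "software logging of all entries and exits" and "anti-passback" protection that Rule 8 asks of an access system amount to a small state machine, and the following is an added example of it, written for this page rather than taken from Mr. Whidden's book or any access-control product. It assumes a single controlled area with one entry reader and one exit reader, and the event log it replays is constructed sample data.

```python
from dataclasses import dataclass
from typing import FrozenSet, List

# Event layout and sample records are constructed for this example; a real
# access-control panel would feed its own entry/exit records in here.

@dataclass(frozen=True)
class AccessEvent:
    ts: str        # HH:MM, constructed timestamps
    card: str      # card/badge identifier
    reader: str    # "in" = entry reader, "out" = exit reader

@dataclass(frozen=True)
class Verdict:
    event: AccessEvent
    ok: bool
    reason: str

@dataclass(frozen=True)
class AuditResult:
    log: List[Verdict]          # every event with the decision taken on it
    violations: List[Verdict]   # the denied subset
    inside: FrozenSet[str]      # cards still inside when the log ends

def audit_anti_passback(events: List[AccessEvent]) -> AuditResult:
    """Replay an entry/exit log against hard anti-passback rules.

    Each card is tracked as either inside or outside the controlled area.
    A card read at the entry reader while already inside was passed back to
    a second person (or its holder tailgated out); a card read at the exit
    reader while not inside was never logged entering, which points at
    tailgating in or a bypassed door. Denied reads do not change state.
    """
    inside = set()
    log: List[Verdict] = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.reader == "in":
            if ev.card in inside:
                log.append(Verdict(ev, False, "passback: card already inside"))
                continue
            inside.add(ev.card)
            log.append(Verdict(ev, True, "entry"))
        elif ev.reader == "out":
            if ev.card not in inside:
                log.append(Verdict(ev, False, "exit without logged entry"))
                continue
            inside.discard(ev.card)
            log.append(Verdict(ev, True, "exit"))
        else:
            log.append(Verdict(ev, False, f"unknown reader {ev.reader!r}"))
    return AuditResult(log, [v for v in log if not v.ok], frozenset(inside))

# Constructed sample log: card A is read twice in a row at the entry reader
# (handed back through the door), and card B exits with no entry on record.
SAMPLE_EVENTS = [
    AccessEvent("08:00", "A", "in"),
    AccessEvent("08:01", "A", "in"),
    AccessEvent("08:05", "B", "out"),
    AccessEvent("08:30", "A", "out"),
    AccessEvent("08:31", "B", "in"),
]

if __name__ == "__main__":
    result = audit_anti_passback(SAMPLE_EVENTS)
    for v in result.log:
        flag = "OK  " if v.ok else "DENY"
        print(f"{v.event.ts} card {v.event.card} {v.event.reader:>3}  {flag}  {v.reason}")
    print("still inside:", sorted(result.inside))
```

    The point of keeping the log alongside the state is accountability: the two denied reads are exactly the records a security officer would want to review, and the "still inside" set at the end of the day is what a guard post checks against before locking up.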
    The top expert safecrackers can ply their trade in an hour to two hours' time, and a device now exists on the market which cracks safes automatically using a computer controlled mechanism and does so in approximately 1 hour. Electronic safes are virtually 100 percent secure and are the current standard on all government facilities where classified information is stored. The electronic safe itself should preferably have accountability and logging features built-in, with separate access codes for multiple users of that safe.

MOSCOW RULES FOR COUNTERMEASURES INSPECTIONS:

(3) Rule 3 is a most important one and is something both the countermeasures technician as well as his client should keep in mind and discuss beforehand during the initial client contact. Although it does not suit every situation, in many cases it would be wise not to be recognized as a countermeasures technician, for obvious reasons. One does not want to spook the eavesdroppers into either shutting their devices off, pulling them out temporarily, or at worst "skipping town" never to be heard from, and unlikely to be caught.

    How does a countermeasures technician arrive at his client's office in a discreet manner? When it is deemed necessary, a simple "disguise" is in order. The TSCM tech should blend in to look like all other employees; he should look and act like all employees, and in fact NO EMPLOYEES except a select few should even know the TSCM techs for who they are. The TSCM tech should arrive in a vehicle, preferably a "work" vehicle which can be disguised as either a maintenance or utility company vehicle.

    All equipment should be carried in under concealment. This means that some type of discreet yet common bag should be used to carry the equipment in.
    It is obviously suspicious for a person to carry 5 briefcases (some of them being oversized cases, indicating to the eavesdropper that it's no "ordinary" briefcase) into a building.

    One tactic I have personally used myself when doing the occasional sweep for a client is to arrive in a borrowed van which bears the name of some maintenance company. My typical motif is to arrive as a "painter", and when I enter the office, if it's a large office, I announce myself as such to the secretary. This of course must be made clear in advance to the client so that the secretary knows that the "painter" (or "plumber" or "carpentry contractor") will arrive; again it should be stressed that not even secretaries should be made aware of the TSCM tech's identity or purpose of visit. All equipment I carry in discreetly in a painter's spackle bag which is just large enough for most of my sweep gear. And for my spectrum analyzer, which is too large for the spackle bag, I just haul that into the office discreetly wrapped up in a large painter's cloth tarp. Usually I strip the plates off of the van and I remove the inspection and registration sticker so as to avoid being "checked-out" by an LN agent who may find your van "suspicious". This in actuality IS NOT THE IDEAL METHOD. I merely do that for convenience purposes (because I am not rich, I can't afford multiple vans and vehicles registered to multiple legitimate "ghost" companies which all must pay taxes and be registered with the state you do business in). In fact it's better to arrive in a van which has license plates and registration which are legitimate, as well as the company logo painted on the side of the truck belonging to an established legal business. This provides a better degree of cover. Although it is very very rare, it should likewise not be considered out of the question that an LN might check out the validity of your company (a simple check of the yellow pages should turn up your company name.. and if not....
    suspicion..) It doesn't take a genius likewise to figure out that if you see a white van marked "Acme Painting Company" parked in front of your target building which you are eavesdropping upon, you should become suspicious.

(4) Assume that the eavesdropper can maintain a low vulnerability status when he is not listening.

    What rule number 4 deals with is the eavesdropper's ability to make himself "invisible" to the TSCM technician, security staff and his intended "targets" by various methods too detailed to describe here. This mainly includes 2 tactics:
    [1] shutting the taps or bugs off remotely, (and)
    [2] having an LN agent remove the taps/bugs after they are no longer needed and then promptly replacing them when they are needed again. It merely takes seconds for an agent who has access to the facilities to install such devices in the compromised area.

(5) Assume that the eavesdropper is guarding the NLJD band of frequencies.

    This one is a bit esoteric to the layman, but the term NLJD refers to a device which is used by countermeasures technicians to locate clandestine listening devices which may be buried under concealment inside of a wall, desk, drawer, behind books, buried covertly inside a piece of wood or other structural material which could not be inspected by any other means.

    The NLJD works much like a metal detector, only the principle involved is A LOT more sophisticated. The device doesn't merely search for metal. Rather, it searches for semiconductor junctions such as transistors and diodes which would be present in all "bugs" (transmitters) as well as in most microphones, etc.. The NLJD is mainly useful for finding a clandestine device which is NOT ACTIVATED! This has to do with one of the rules above (Rule #4).
    The eavesdropper may have the ability to turn the device off remotely or even manually, and as such it would not be detected with normal RF "sweeping" gear which looks for an RF/IR signal (since if the device is OFF, it thus generates no RF/IR signal).

    The NLJD works by transmitting a microwave frequency signal (between 800 - 950 MHz, depending on the version and the laws of the country in which the unit is sold). The signal power of these units is relatively low, 20 mW - 300 mW for non-government ("consumer"/industry) versions [legal U.S.A. versions, a.k.a. FCC approved], and 300 mW to approx. 3 watts for law enforcement and government units. The greater output power of the government models allows a higher degree of penetration into deeply embedded or dense materials. The typical radiated output for a U.S.A. version NLJD is 915 MHz, and for European versions is often 888.5 MHz.

    Since the unit emits a microwave signal it thus radiates through the airwaves, and the eavesdropper can thus detect it using his scanner. A clever eavesdropper will continuously scan the band of frequencies, or a specific frequency if the eavesdropper is relatively sure of the frequency which the target's NLJD uses. Once the eavesdropper detects the signal, he can then remotely deactivate his clandestine devices.

    It should be noted of course that a clever eavesdropper has at his disposal a number of uniquely different methods with which to "fool" an NLJD unit into not detecting the listening device completely, or methods to fool the user of the NLJD into believing that the reflected signal is a false alarm.. One example is to modify the casing of the listening device and RF filter all the leads, done in such a manner that the clandestine device will reflect a large portion of 3rd harmonics while keeping 2nd harmonics to a minimum, thus indicating to the NLJD user perhaps that the unit is picking up dissimilar metals (sheetrock screws, nails, rebar, etc..)
    rather than semiconductors.

    I shall not detail these particular processes as it's irrelevant and unwise, but if anyone actually cares to know what the methods are I can discuss that with you in more detail if you ask.

(6) Assume that the eavesdropper is watching for sweep receiver radiation.

    This is a bit more esoteric and it's something which I don't feel is any great threat. But there might be some government experts in the field who are a bit more sophisticated who would say otherwise. But in a real life situation I don't see it happening unless the eavesdropper is himself a former government employee.

    ALL electronic equipment generates EMI (Electromagnetic Interference), which is essentially spurious radiation emitted unintentionally. As such, these radio wave emissions are also generated by any type of "sweep" equipment which the countermeasures technician may use. A sophisticated eavesdropper can detect these spurious emissions and take it as a sign that sweep equipment is being used and the sweep is now in progress. The eavesdropper then shuts his clandestine devices off remotely.

    In reality the ability to do this is actually quite simple. It's just that I find it unrealistic and I don't think many buggists in this country go to all that trouble. Not unless it's a super sophisticated operation, or unless the eavesdropper is being paid well to take such precautions. But then super sophisticated operations are not the norm.
    Not even close. Usually the bugging is done by amateurs using crude bugging equipment which is easily detected, and is not even concealed well on top of it. Most bugging devices are usually not even remotely activated, and likewise they're usually not protected against NLJD sweeps either, unless the person who is doing the eavesdropping is a pro, which is rarely the case.

MOSCOW RULES FOR TELEPHONE SYSTEM INSPECTIONS
=============================================

(1) Assume that the eavesdropper is listening to room sounds through
    the telephone instrument until tests prove otherwise.
(2) Assume that the eavesdropper is listening across the
    line when the line is active.
(3) Assume that the eavesdropper may be monitoring the
    line when it is inactive.
(4) Assume that the eavesdropper is monitoring the line
    to detect TDR and RF tracing signals.

MOSCOW RULES FOR TELEPHONE SYSTEM INSPECTIONS:

(1) The eavesdropper has a variety of techniques at his disposal which enable him to listen to 'room sounds' ("room audio" [note 1]) from a remote location. I will not discuss that in detail, because all the techniques involved in telephone and wireline attacks could fill an entire book in itself. Generally however, there are two main techniques that could be employed. [There are actually another 3 or 4 techniques, but I shan't get into discussing those for the sake of brevity.]

  [a] 'Hot-miked telephone', otherwise called a 'Hot-On-Hook telephone', is one method, which involves modifying an actual telephone which is in a target's location (in reality, the target's phone itself is not modified, but an identical replacement is brought in and switched with the original [this technique of switching phones of course warrants caution as the target could possibly notice the difference between the two by noting scuff marks, etc.. that were on the original phone]).
      The modification consists of a circuit that will allow the eavesdropper to listen to room sounds while the phone is still "on-hook". The modification "drops-out" once the phone is picked up for use and is brought "off-hook" (in which case the eavesdropper would then have a separate circuit which could monitor the phone conversation).

  [b] The second most common method is called an "infinity transmitter", which in the 'olden days' circa 1960/70 was called a "harmonica bug". This is a slight variation of the hot-miked telephone. It is similar in that it allows a person to listen to room audio from a remote location; however, the system employed need not be part of the actual telephone. The device could be hidden anywhere along the phone line in close proximity to the target, where a separate microphone can listen to room audio which is then sent through the phone lines while the phone is 'on-hook'. When the phone is lifted 'off-hook', the device drops out. The device is activated remotely by the eavesdropper by simply calling the target's phone line and then activating the device.

      Room sounds could also be monitored by simply placing a microphone across any line pair, preferably a line pair which is not currently activated for phone usage (i.e. the second, yellow-black pair). This would allow constant monitoring of the room audio even when the target uses the phone (which would be on line pair 1, red-green) and thus would not conflict. The microphone could either generate its own signal (which has the disadvantage of being easier to detect because the microphone transmits constantly), or could use a microphone element which requires an external voltage such as in a carbon mic.
      In the case of carbon microphones, the eavesdropper need only apply a small voltage to the line and the microphone will activate, sending intercepted audio down the line. The device has the advantage that it is slightly harder to detect (especially inadvertently) because the unit only operates when the eavesdropper has the device activated. Countermeasures technicians can find the device (in its simplest form) easily enough by just applying voltage to the line. But more sophisticated set-ups would utilize a 4-layer diode, SCR, or a reverse polarity configuration or some other method to hinder and thwart detection.

(2) Rule 2 is fairly obvious and needs little explanation. Always assume that a phone line can be, or currently is being, monitored. It is very important for the layman to make the distinction between the two facts in the above statement, which are:

         [a] the phone/line "could" be tapped.
         [b] the phone/line "is being" tapped.

    It does not make one paranoid to come to the conclusion and realization that a phone "could" be tapped. It merely makes one alert and an informed individual. That does not mean that one should insist that a line "is" tapped, but it should simply be considered a possibility which one must take into consideration and act accordingly on. Thus, if one conducts confidential business in which it would be of important consequence to keep the conversation from the prying ears of the eavesdropper, one should always employ end-to-end encryption through the use of telephone/facsimile "scramblers". [note 2]

    One must make the decision for oneself regarding what is to be kept secret and what can be disclosed, and you must come to some sort of plan of action regarding what the different levels of confidentiality are. Some secrets are worth keeping more than others.
    In fact one might even say some secrets are so great that you should not disclose them to anyone, ever. That would be the ultimate form of security.. As an example, if you had just murdered someone, obviously any sane individual should not announce that over the phone lines, no matter how secure you feel that phone line is. Because there is no degree of security which is worth 25 years in prison or death. Even encryption (phone scramblers) should not be considered secure in such cases, as it can be compromised rather easily by simply bypassing the encryption altogether through modification by the eavesdropper, or by simply liberating the code keys from the unit (which is a simple task with some encryption units while a lot more difficult in the better units).

Whenever a line pair is to be examined or traced (for maintenance purposes such as working on a phone or computer network in an office or home, or when a countermeasures search is being done), it is preferable that "audio" signals of a strange nature (line tracing signals) should NOT be placed across the line, as they would be suspicious to an eavesdropper, in which case the eavesdropper might remotely deactivate any devices which he may have installed, which could put the devices in a low-profile status making them more difficult to detect.

So how then does one trace a line without using an "audible line tracer", as is the standard method among technicians? The alternative is to use either an RF (Radio Frequency) tracer system, which is relatively inexpensive (and also has many advantages over audible tracers, such as the ability to track wires through walls without having to open up the wall or structure for physical examination), or one could utilize an "ultrasonic" tracer device which sends an inaudible signal down the line.
These ultrasonic tracers are an indispensable tool which come in two forms. The first is simply an ultrasonic tone tracer and merely produces a single tone for identifying line pairs. The second type of ultrasonic device actually modulates a voice signal onto a wire pair so that it is inaudible and above the range of human hearing, and likewise cannot be picked up by microphones of any type and cannot be demodulated by any type of standard amplifier unit which is not designed to amplify sounds above the standard human hearing/speaking range. Only a specialized matching ultrasonic demodulation amplifier can intercept and convert the signals back into the human hearing range.

Keep in mind with the above, however, that rule #3 below shall apply. Rule #3 states that the eavesdropper "may" be able to hear your line tracing with the phone on-hook. So one has to balance this consideration out. Nine times out of ten you would be better off sending these signals down the line, because most eavesdroppers DO NOT monitor a phone which is on-hook, nor do they look for signals on inactive lines (not unless they are professionals, or are simply getting paid a lot of money to do that extra work which is often unnecessary). But if you're up against a sophisticated eavesdropper and you know of his capabilities, it would probably be wise in such a case NOT to send any strange signals down a wire pair other than ordinary phone conversations.

(3) Most of the time, telephone surveillance, whether it be the interception of phone conversations where the phone is off-hook, or even monitoring of room conversations when the line is on-hook, involves the use of some sort of "activation" device which records the conversations when and only when those conversations are present. When the conversation ceases the device will shut itself off (usually) so as to conserve tape (and in addition make it easier for the eavesdropper to find the conversations in the recorded tapes).
    When dealing with recording telephone calls, a device is used which monitors the voltage on the line for off-hook/on-hook conditions and then activates a special tape recorder (with a remote activation jack) when the phone goes off-hook. [A more clever eavesdropper would not use such a device but would rather use a VOX (voice [sound level] activated) unit, as opposed to a voltage sensing unit, which can actually be "tricked" as well as "detected" a lot more easily; the VOX unit should be coupled to an inductive pick-up coil (or at the least a high-impedance capacitively coupled interface).] VOX units too have their problems, namely they can have havoc wreaked upon them by the use of masking devices or "telephone security units" which are now widely sold on the market for a couple hundred dollars. These telephone security units have the ability to defeat most simple eavesdropping methods utilizing techniques such as masking as well as "line balancing". The latter technique of balancing is performed by raising the voltage while the current is simultaneously lowered. Such a technique does not interfere with the PSTN Central Office, will give the user a dial-tone when the line is taken off-hook (600 Ohms), and will thus defeat most voltage activated devices such as simple telephone tap transmitters as well as drop-out relays (telephone recorder controllers).

    The foolish individual could conclude that if most eavesdroppers used a voltage activated device that only recorded audio when the phone was "off-hook", then the line should be secured in an "on-hook" condition. For example, a person could then transmit his voice within the household or office while the phone was still "on-hook" using a relatively simple circuit to do that, and "supposedly" that would allow for safe conversation, and it would be safe "if" a voltage activated telephone recording adapter was used.
    However, many eavesdroppers (sophisticated ones) may be a bit more clever than that. The clever eavesdropper may monitor a line pair even when it is inactive (such as when a phone is "on-hook"). This would allow the eavesdropper to hear "AUDIO" [note 1] even when the phone is on-hook. Note I use the word AUDIO very carefully. Because in such an instance, the eavesdropper may NOT just be listening to secret conversations which occur "on-hook", but he may be listening to other audio which could be a potential threat to the eavesdropper, such as the sounds of audible line tracing, ultrasonic line tracing or ultrasonic voice modulation, as well as RF tracing; and lastly the eavesdropper could be looking for the signals emanating from a TDR (see rule #4 explanation).

(4) The last rule is a rather esoteric one which is of more concern to the countermeasures technician who is performing the search, as opposed to your ordinary individual or businessman concerned with the rules for ensuring privacy.

    Rule #4 is just a follow-up to rule #3, which states that an eavesdropper could possibly be monitoring the inactive line pair. In rule #4 we get specific in saying that an eavesdropper may be looking for RF signals or TDR signals which may be an indication of a countermeasures "sweep" which is being conducted. This should concern the eavesdropper for obvious reasons, which are that he could possibly be discovered very soon if the technician is a competent one, or if the eavesdropper's set-up is crude or poorly installed, in which case it could possibly be detected.

    I have already explained ultrasonic and RF tracing above in rule 3, so I'll just deal with TDR's.

    A TDR is a common abbreviation for a device known as a Time Domain Reflectometer. You pronounce the unit's name by simply saying the letters.. "T" - "D" - "R".
The TDR is a common tool of anyone who works extensively with wires (or fiber optic cabling) of any type. The type of TDR we are discussing is only for the "wire" and not the "fiber optic" type. TDRs are used by cable company technicians, computer network technicians, telephone linemen or repair personnel, as well as surveillance countermeasures technicians.

A TDR is a device (usually a hand-held size device, although slightly larger and more powerful bench-top units are available) which emits a mild powered signal into a wire pair. This signal gets sent down a wire pair, or through a coaxial cable, and gets partially reflected off of any discontinuity on the line pair. Herein, I'll refer to any discontinuous reflection as an "anomaly" on the wire. I use the word as opposed to discontinuity because it's easier to type, and because much like an anomaly it is indicative of the unknown. And that's what you're looking for when doing a TSCM TDR sweep of a wire pair: you're looking for unknown or strange situations.

It is these anomalies which the technician is looking for, which are a possible source of the problem (or could even indicate that everything is normal if there is supposed to be an anomaly at some point). The word "anomaly" is a generic term which refers to anything on the line which will interfere with the signal going through the line. To put it another way, it is something which causes part of the signal to literally reflect back toward the point of origin instead of traveling freely and smoothly through the wire.

This "reflection" of the signal is what the TDR is looking to receive after it emits the original pulse. The reflection could be of varying degrees of intensity depending on how large the anomaly is. The larger the anomaly, the larger the reflection, and occasionally that means the bigger the problem.
Ideally the signal is supposed to travel through the wire impeded as little as possible. Anomalies are caused by a wide variety of things too numerous to discuss here. They can be caused by imperfections in the wire itself, by splices in the line, or by "connectors" on a wireline which join 2 wires together or a wire to a piece of equipment. Anomalies can be caused by "termination plugs", which are dummy loads placed at the end of an unused wire pair. Anomalies can also be caused by physical hardware on the line such as splitters, filters, junction boxes, 66/110 blocks, entrance bridges, and the list can go on and on.

The countermeasures technician is primarily interested in looking for things such as splices on the line which could be indicative of a telephone tap. Keep in mind that the word "splice" does not necessarily mean that a line was physically "spliced" (i.e. cut and then re-connected). It can also imply a simple "tap" on the line where one wire (alligator clip, etc.) is touching the original wireline.

TDRs have a typical range of 1,000 - 10,000 feet. A typical handheld TDR used by computer network installers will have ranges of 1,000 - 2k feet. Countermeasures technicians often utilize slightly more powerful models extending 2,000 - 5,000 feet so they can have the ability to trace the large amounts of wire present in office buildings. And bench model units, which are usually the most powerful (although some handheld units are capable of such), can extend upwards of 10,000 or more feet. These units can pinpoint "flaws" or "anomalies" on a wireline to a resolution of millimeters, which makes them damned accurate devices which can tell you exactly where the flaw is down the line (typically, however, in high powered devices the resolution is limited to feet or meters).
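To make the pulse-and-echo description above concrete, here is an added Python example (not code from the article or from any TDR maker) that turns each echo's round-trip time into a distance down the pair and then diffs a later trace against a baseline taken when the line was clean, the routine comparison this article recommends. The velocity factor of 0.66, the 10 ns sample spacing and both traces are constructed values, not measurements.

```python
"""Toy model of the TDR technique described in this article: a pulse goes
down a copper pair, part of it reflects off every impedance discontinuity
("anomaly"), and the round-trip time of each echo gives its distance.
Added example, not code from the article or from any TDR vendor; the
velocity factor, sample spacing and traces are constructed values."""
from dataclasses import dataclass

# Speed of light in feet per nanosecond (299,792,458 m/s is about 0.9836 ft/ns).
C_FT_PER_NS = 0.9836


def distance_feet(round_trip_ns: float, velocity_factor: float) -> float:
    """One-way distance to an anomaly. The echo has travelled out and back,
    so the round-trip time is halved; the velocity factor scales c down to
    the propagation speed of the cable (about 0.66 for twisted pair, assumed)."""
    return round_trip_ns * velocity_factor * C_FT_PER_NS / 2.0


@dataclass(frozen=True)
class Anomaly:
    distance_ft: float   # where on the pair the echo came from
    magnitude: float     # reflection coefficient: -1 short .. 0 clean .. +1 open


def find_anomalies(trace, sample_ns, velocity_factor, threshold=0.05):
    """Scan a trace (one reflected-amplitude sample per sample_ns of round-trip
    time) and return each local peak above the noise threshold as an Anomaly."""
    found = []
    for i, v in enumerate(trace):
        if abs(v) < threshold:
            continue                      # line noise, not a discontinuity
        prev = trace[i - 1] if i > 0 else 0.0
        nxt = trace[i + 1] if i + 1 < len(trace) else 0.0
        if abs(v) >= abs(prev) and abs(v) > abs(nxt):
            dist = round(distance_feet(i * sample_ns, velocity_factor), 1)
            found.append(Anomaly(dist, round(v, 3)))
    return found


def new_anomalies(baseline, current, sample_ns, velocity_factor, tol_ft=5.0):
    """Routine-comparison sweep: echoes in the current trace with no counterpart
    within tol_ft in a baseline taken when the line was known clean. A baseline
    recorded on an already-tapped line hides that tap, which is why the sweeper
    still walks every echo find_anomalies() reports, not only the new ones."""
    base = find_anomalies(baseline, sample_ns, velocity_factor)
    return [a for a in find_anomalies(current, sample_ns, velocity_factor)
            if not any(abs(a.distance_ft - b.distance_ft) <= tol_ft for b in base)]


def make_trace(n, spikes, ripple=0.02):
    """Constructed trace: low-level alternating ripple plus the given
    (sample index, reflection coefficient) spikes."""
    trace = [ripple if i % 2 else -ripple for i in range(n)]
    for idx, mag in spikes:
        trace[idx] = mag
    return trace


SAMPLE_NS = 10.0   # assumed sampler spacing (round-trip time per sample)
VF = 0.66          # assumed velocity factor of the pair
# Clean baseline: a known splice (small positive echo) and the open far end.
BASELINE = make_trace(200, [(40, 0.15), (150, 1.0)])
# Later sweep of the same pair: a small negative echo has appeared, as a
# bridged (parallel) load such as a simple tap clip would produce.
CURRENT = make_trace(200, [(40, 0.15), (90, -0.08), (150, 1.0)])

if __name__ == "__main__":
    for a in new_anomalies(BASELINE, CURRENT, SAMPLE_NS, VF):
        print(f"new echo at {a.distance_ft} ft, coefficient {a.magnitude}")
```

On these constructed traces the known splice and the open end match the baseline and only the echo at about 292 feet is reported as new; a real sweep would then go to that point on the pair and inspect it physically.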
The TDR is most effective when it is used on a routine basis, and a day-to-day (or more likely week-to-week or month-to-month) comparison can be made between the results. Ideally, the results of the TDR should always be the same. Should a result be significantly different on one occasion, or something appear to have been spliced/tapped onto the line, it will be readily apparent.

Of course, for the TDR test to be most effective, it should be realized that the initial tests of the TDR must be done when the line was "clean". If the line was tapped the first time you tested it, then all subsequent comparisons thereafter are of little use because you can't compare a "clean" line with a "tapped" line.

However, that factor doesn't render a TDR test completely useless. One does not necessarily rely solely on the technique of comparison from one time to another. Other methods exist for using the TDR, which are a combination of tracing the line physically with the TDR from the demarc point inwards to the telephone instruments and physically searching the line for taps/splices, in conjunction with the use of voltmeters or telephone analyzers to search for imbalanced loops, imbalanced lines to ground, crossed line pairs, as well as suspicious line impedances.

Likewise, the search should occur from the demarc point outwards towards the telephone company as far as one can go. The search should extend out to the end of the customer's property, but a countermeasures technician who does not mind breaking a few laws might feel free to extend the test point up to the neighborhood cross connect cabinets where the distribution cable meets the feeders.

[note 1]
In surveillance lingo, the word "AUDIO" is often used as opposed to the word "SOUND" or "CONVERSATION". The meanings are almost synonymous, but there is a slight difference.
The word "audio" is used because it denotes any type of intelligence which could be collected, and is not limited to intercepting spoken conversations (spoken words).

[note 2]
Even encryption (phone scramblers) should not be considered secure, as it can be compromised rather easily by simply bypassing the encryption altogether through modification of the telephone instrument by the eavesdropper, or by simply liberating the code keys from the unit.

-----------------------------
WHAT THIS MEANS TO YOU AND ME
-----------------------------

One may ponder the question of "what the hell does this article have to do at all with me?"

How does this concern you if you don't run a company?
How does this concern you if you are not doing anything illegal?
How does this concern you if you believe you're not a target being watched?

I have no answer. Take from this article what you will. It is provided for informational purposes. I have discussed not only quite a bit about surveillance as well as countermeasures, but also some of the terms which are used by people who work in that field. These are terms which you may run across one day if you work in the field of general security, and you will thusly be able to speak a bit more authoritatively to your colleagues who may not know much about espionage.

But if you have any respect for your own privacy, then you should heed some of the advice discussed herein.

You need not be a corporate executive to realize the need not only for your privacy but the need to recognize how many people by their own acts contribute to privacy violations. They do this by using cordless phones, cellular phones, by using paging beepers, and even by holding confidential conversations on unsecured phone lines instead of in person.

I write this specific article for those people on computer bulletin board systems, and this is aimed SPECIFICALLY at those who refer to themselves as "computer hackers" or "telephone phreaks"..
If you do not recognize the value in this article then you are a great fool indeed.

Remember folks.. Paranoia is our friend. You never know who is watching or listening. Always assume the worst and thusly disclose the least you can; even to so-called friends.

----------------------------------

Never discuss anything illegal over a telephone, be it landline or cordless.

Never keep any incriminating material at your home. Or at the very least, any such information, if illegal, should not be 'feloniously' illegal.

Never discuss any majorly illegal acts (in my book that's defined as anything that's a felony) with anyone else, even friends. And if you do, then you should be sufficiently vague and even intentionally misleading to your friends so as to give the eavesdroppers "misinformation".

Never disclose to any friend the full capabilities of your power, your knowledge, etc.. If necessary, intentionally mislead those friends by overstating or understating your capabilities or knowledge in order to feed misinformation to an eavesdropper. This can be done to "spook" your eavesdropper and make them enact a move prematurely, or to make them believe what you want them to believe for whatever reason you see fit. In addition, feed just enough truthful information so as to 'whet the appetite' of the eavesdropper and not give away your conversation as total obvious misinformation.

from very good info.

Today we’re going to show you how to create a Lock Pick Rake and Tension Wrench using two simple paperclips and a Multi-Tool.

As we’ve mentioned in previous Lock Picking articles, the Rake/Tension Wrench is the most versatile combo to carry for bypassing standard pin/tumbler and wafer locks.

In our last Lock Picking article on the SerePick Bogota Entry Toolset, a lot of people commented that they were unable to purchase Lock Picks, and couldn’t get involved in learning the skill-set.

After today, you’ll have no excuse not to make your own simple picks, buy a cheap padlock and work on your raking technique. In fact, while we demonstrate creating a rake, you could also make a feeler pick to start learning how to “feel” the individual pins and how they move/bind under tension.


The first thing you’ll need is a supply of larger paperclips. These that we’ll be using are not the standard small paperclips, but the larger versions. One will be needed for the Rake and one for the Tension Wrench. As you’ll see in the video below, it’s easy to snap these as you’re bending the rake.

This will happen if you bend one direction, and then try to re-bend it in the opposite direction. If you keep to a single bend direction though, these will last a long time and remain strong.

A Multi-Tool works the best to create the necessary bends and twists for the combo. You’ll be mimicking the bends of a “C” Rake, and the right angle of a tension wrench with the second paperclip.


Rather than try to explain the bends and twists, we’ve created a video that will give you a hands-on demonstration of the creation of the tools and a successful bypass of a pin/tumbler lock. This DIY combo will take a bit longer to use than a standard Rake/Tension Wrench, but it is nevertheless just as effective.


We encourage everyone reading this article to get involved with lock picking as a skill set through various lock sport groups such as Toool and Lock Sport International. There’s a large community out there of people who understand the value of this skill-set and also like to have fun picking locks.

Here’s the Lock Sport code of ethics, which sums things up nicely:

“You may only pick locks you own or those you have been given explicit permission to pick.”

Lock sport is an honest, ethical, and legitimate hobby. Unfortunately, the whole world hasn’t figured that out yet (though we’re working on it!). Because the lay person has a tendency to perceive what we do as somehow nefarious, it is extra important that we commit to following a strict code of ethics. For this reason, the above credo is non-negotiable in the locksport community. Lockpicking should never, ever be used for illegal or even questionable purposes. Please do not misuse this information. We assume no responsibility for your actions, and in no way condone immoral activity. Help keep locksport fun for all by following strictly the one rule.

The Moscow Rules

Posted: September 27, 2010 in Uncategorized
From Wikipedia, the free encyclopedia

The Moscow Rules is the name for rules said to have been developed by the CIA during the Cold War to be used by spies and others working in Moscow.

The rules are associated with Moscow because the city developed a reputation as being a particularly harsh locale for clandestine operatives who were exposed. The list may never have existed as written; agent Tony Mendez wrote "Although no one had written them down, they were the precepts we all understood … By the time they got to Moscow, everyone knew these rules. They were dead simple and full of common sense…".[1]

An abbreviated list of the probably-fictional Moscow Rules has circulated around the Internet and in fiction:

  • Assume nothing.
  • Murphy is right.
  • Never go against your gut; it is your operational antenna.
  • Don't look back; you are never completely alone.
  • Everyone is potentially under opposition control.
  • Go with the flow, blend in.
  • Vary your pattern and stay within your cover.
  • Any operation can be aborted. If it feels wrong, it is wrong.
  • Maintain a natural pace.
  • Lull them into a sense of complacency.
  • Build in opportunity, but use it sparingly.
  • Float like a butterfly, sting like a bee. (borrowed from Muhammad Ali, aka Cassius Clay.)
  • Don't harass the opposition.
  • There is no limit to a human being's ability to rationalize the truth.
  • Technology will always let you down.
  • Pick the time and place for action.
  • Keep your options open.
  • Once is an accident. Twice is coincidence. Three times is an enemy action. (taken from Ian Fleming's novel Goldfinger)

The rules are referred to in the works of John le Carré, e.g. Tinker, Tailor, Soldier, Spy and Smiley's People. The newest novel that uses these rules is by Daniel Silva, entitled 'Moscow Rules'. In these works, the rules are not general precepts, but methods of tradecraft, such as using chalk marks and thumbtacks as signals, the use of dead drops, and the ways to signal the need for a (rare) face-to-face meeting. Moscow Rules are important at the beginning of Smiley's People, where the General invokes the rules to request a meeting with Smiley, but he is followed and killed by KGB assassins before it can happen. The applicable rule states that no documents may be carried that cannot be instantly discarded, in this instance a 35mm negative concealed in an empty pack of cigarettes.

In Ian Fleming's 1959 novel Goldfinger, Auric Goldfinger mentions this last rule to James Bond in Goldfinger's warehouse in Geneva.

In the International Spy Museum in Washington, D.C., the Moscow Rules are:

  1. Assume nothing.
  2. Never go against your gut.
  3. Everyone is potentially under opposition control.
  4. Don't look back; you are never completely alone.
  5. Go with the flow, blend in.
  6. Vary your pattern and stay within your cover.
  7. Lull them into a sense of complacency.
  8. Don't harass the opposition.
  9. Pick the time and place for action.
  10. Keep your options open.



Officials with the Tampa-based USSOCOM followed up on our Mk-16 cancellation story with some clarifications about some of the data presented in the piece posted on

First off, the command took issue with my calling the program “cancelled.” Technically the SCAR program is still on, of course, but SOCOM has decided not to buy any more of the straight up 5.56 versions. OK…In my book that means the Mk-16 is cancelled, but I can see how they’d get some grief from some quarters about the legalistic terms.

Also, to be clear, SOCOM is not buying any additional Mk-17s than it was already planning to buy. If the article gave some folks that impression, that’s an incorrect read of the “buying more” bit. They’re buying more than they have now, and no more of the Mk-16s.

Another point. SOCOM said they are definitely having troopers turn in their Mk-16s when they redeploy and will not allow any Mk-16s in the inventory. What SOCOM is not clear on yet is what will happen to the roughly 850 SCAR-Ls once they’re back at the armory.

Now, there was confusion on the back and forth via email with SOCOM and FNH on this, but the command wanted to make sure we made this point clear. SOCOM will “complete development” of a kit that can convert the Mk-17 into a 5.56 if desired.

The original objective was to develop a single weapon capable of firing whatever caliber desired. That objective is met with the Mk 17 as the development of a conversion kit allows the operator to fire either 7.62mm or 5.56mm ammunition from the Mk 17. 

I did get my numbers mixed up on the original acquisition objective. What SOCOM followed up to me was that the JORD showed a requirement for 38,000 Mk-16s and 5,600 Mk-17s.



Posted: September 26, 2010 in Uncategorized



Just goes to show new does not mean better. All Glock owners must see!

Five open carriers went into a restaurant. One patron called police to check them out, stating she "felt uneasy" despite their calm behavior. The city is classifying it as disorderly conduct (disturbing the peace), noting "The DC statute does not require an actual disturbance take place, only that conduct in question is of a type that tends to cause or provoke a disturbance."

The relevance of that is unknown. The city's position must boil down to — conduct that is both legal and peaceful becomes a misdemeanor if it upsets someone to where they call police. And that, even if it is constitutionally protected. It seems like a 2A version of the 1A "hecklers' veto" — we will ban your speech, the content of which is permissible, because your opponents might become violent if you gave it.

UPDATE: the point about respondeat superior raises an interesting issue. In a §1983 civil rights action, there is no respondeat superior liability (as I recall, because a violation of constitutional rights cannot be within the scope of duty of a government employee). To make a governmental unit liable, you have to prove that its organizational actions were wrong — one approach being to argue that the unit gave insufficient training to its agents. Usually, though, this is more easily claimed than proven.

But the City has just officially determined, as an entity, that disorderly conduct charges should be issued. It's no longer a decision by officers on the scene, but an official determination by the City through its highest decisionmakers. I think the City is on the hook.