From: Dave Emery
the April 1998 Issue of IEEE Communications Magazine is a special issue
devoted to the subject of locating cellphones and other personal
wireless devices that radiate rf.
This technology, quietly ordered by the FCC, will measure the
location of a caller accurate to within 125 meters at least 67% of the
time. And the industry seems to be moving toward DTOA and other passive
triangulation techniques rather than making cell phones simply contain a
GPS receiver. This of course means that the network will be able to
locate a cellphone whenever it radiates anything at all, rather than
asking it for its position only under certain emergency circumstances
such as an E-911 call. And all cell and PCS phones and some pagers can be
interrogated by the network and commanded to silently respond with a
registration message without user intervention or knowlage as part of
the mechanism by which the cell system locates the correct cell site to
put an incoming call for the phone on. Thus passive tracking of the
location of any cellphone that is turned on with 125 meter accuracy
will become a feature of most cell and PCS networks, a feature
presumably subject to at least some law enforcement access via the CALEA
mechanisms.
And given that the cell and PCS systems will be capable of
such tracking, is there any reason to believe that law enforcement
and other more shadowy groups won't find the necessary "terrorist, drug
dealer, etc" crisis to gain secret access to this capability ?
Dave Emery N1PRE, die@die.com DIE Consulting, Weston, Mass.
Best Regards - Doug Ralph, COMSEC Services Inc.
China is well known for it's human intelligence which you have
referred to in several emails and with reference to the book
CHINESE INTELLIGENCE OPERATIONS" by Nick
Eftimiades (which I have read). Unlike the USSR, they
have an attitude of going for more mid level technologies and less
controlled technologies and unlike the USSR, they do it
through humans with heavy emphasis on Chinese nationals and
not recruited westerners.
This makes your statement "information must be communicated in one form or other" irrelevant if there are no Chinese nationals in the work environment. As a culture, the Chinese are not likely to be confrontational like the USSR was. They are passive, though aggressivly passive. They will go after the things that are available on the open market and available from open sources, "like human vacuum cleaners." It is needless to say that they will push across the line if they see how close they are to getting something.
It is unlikely you will find a Chinese national intercepting your communications as this requires hard technology that costs money, experience, and technical operatives all of which China would not support (in this country).
Probably the greatest loss happens because of U.S. Government policy that is uneven throughout all the U.S. Departments and Bureaus. China normally requires that if you are going to operate a company or sell products into China, you must do it through a "joint venture". And guess what, most of the companies you will joint venture with are China Gov. owned or operated with CEO's and MD's that are "Ministers" or "Army" officials. So send all the computers, fabricating equipment, milling tools, and so on to China. Why steal it? Companies like Compaq, IBM, General Motors, etc have or will have factories
in China all under the close observation by Chinese officials.
The point to all this is that a typical TSCM job to prevent Chinese interception of communications is not likely to be fruitfull. A good background check on a Chinese national or employee who is Chinese by race is more likely to tell you more.
I was told once by a British subject in Hong Kong who is Chinese by race, that a Chinese national immigration officer in China insisted that the subject complete his immigration card in Chinese characters instead of English because in the eyes of China, the subject was Chinese by race and thus it was irrelevant what passport he carried. This "Chinese by race" statement crosses alot of boundaries and obligates alot of people to be loyal to the "mother country".
If each of the 100,000 plus declared Chinese in the USA gathers one piece of information for China, think of the amount of information that would be collected. If 100,000 US tourists and other declared persons visited China each year and out of patriotic duty collected one piece of information for the CIA or FBI , etc, what a treasure of knowledge we (USG) would have.
Also see: "These Spies Steal American Jobs" by J. Michael Waller;
From: Mike
Sorry - I can't remember which hotel it was - you know how they all begin to look alike.
I do, however, feel that I owe you an explanation since you were kind enough to query your list on my behalf.
My purpose in sending the original EMail was to see how frequently this kind of thing may or may not happen. I have been a frequent business traveler for a long time (getting close to half a million miles on Delta and God only knows how much on half a dozen other airlines) and this is
the first time anything like this has happened to me. Statistically speaking, I suppose it was just a matter of time. Am I the subject of a surveillance? Operating Spectrum Analyzers for prospective customers doesn't seem that exciting. If a competitor wanted the scoop on one of
the products I deal with then all they have to do is check out the company's web site. Based on that and the fact that I'm a typical family man working on a second career with no involvement in anything weird or illegal I will have to conclude that the transmitter I found was left over from a previous surveillance. (Although - the customer I visited the next day had white noise generators installed in the ventilation ducts over their conference room. That got me thinking for a while. When I asked them about it they said it was to mask the sound of the fans - very curious fans.)
I'm sure you and any other investigator who reads this is already asking - why carry a scout and a scanner on road trips? The answer is pretty simple - you can watch the same movies on HBO just so many times before they begin to look really stupid. (Stephen King is so predictable, etc.)
My trip to the UK was interesting from a different perspective - Customs asked if I had any electronic gear. I told them I had a radio receiver. They asked if it "was licensed." I stated that it was my personal property. I thought for a minute they would take the Scout or Scanner by
the way they were asking about the electronic gear. When the bags were opened they barely looked at them. Shortly after that I began seeing ITAR warnings on your list and also from several other sources. Based on that - the next trip overseas is without the Scout and Scanner.
So anyway - that's the story.
Best Regards,
Mike
For you own info, such discoveries, no matter how insignificant they may
appear on the surface, should be reported to the 'Technical Supervisor' of
the local FBI office. Of course these types of discoveries are completely
different from TSCM inspections performed for a client. Anyway, enough said
on this topic (I don't need to preach to the choir).
I'm really concentrating on assisting my clients to protect their
proprietary info and such reports reinforce the need for care, caution, etc.
when dealing with potential business contacts, etc. If any of your BB
recipients, associates, etc. ever have a question regarding
handling/notification of a discovered 'intercept', I'd be happy to make
contact with the appropriate 'authority' without disclosing the original
source - I know a lot of folks which not to get 'too' involved, but I think
'legitimate discoveries' need to be addressed.
Thanks for letting me share my thoughts. Have a great day. BTW, how's
'Mikey' doing?
Al
Document destruction was delayed until the last minute. The shredders were
the older strip shredders which effectively destroyed the documents, but
left the remains in the shredder bin (Normally these remains are
incinerated).
These remains quickly backed up due to the panic in the embassy. The
militants found that it was still pretty easy to read the shredded
documents if the bins were not disturbed (all were in sequential order).
They found that by taping a strip of tape across the remains, entire
documents could be removed and then "reconstucted" using a copier (the US
Embassy copiers). This proved to be very effective.
Many of these documents were later released and a compilation was published.
The new
Timothy Poole
Scott.
SPYKING ARTICLE
I recently conducted a couple of tests with the CPM on an Audiotel
subcarrier bug located in Hong Kong. The results are that the CPM does
not demodulate the sub carrier frequencies. (REI says that the CPM is not
designed to do so but gave no reason.) The CPM bargraph does increase due
to the near field effect, however if you are in a high broadcast (flooding)
area such as Sydney, New York or Hong Kong, you will not locate the bug
through demodulation. (The Oscor on the other hand will locate this bug
easily- especialy if you create extra search spans at 15khz bandwidth. ie.
5-500Mhz, 500-1000Mhz etc.)
In Sydney over Easter I had reason to do some tests on sub carrier and the
CPM 700. Using a wireless domestic intercom as the transmitter, I located
the 250khz signal on the Oscor- that was fine and demodulation was perfect.
I was also able to hear room noise using the CPM at a remote power point,
but there was no signal strength registration or alarm activation when
there should have been. Why? The answer was that the power point to which
the CPM was connected needed to be switched ON. The alarm activation and
signal strength then worked fine. The lesson learned is that you need to
use headphones (if going covert) to listen for room audio in case the power
switch is off or there is a short in the wiring or within the power point
(caused by a poorly installed carrier current device). Also if you work in
different countries, some of which do not have switched on the power
points, you may forget when travelling to a country that does and you could
miss the carrier curent device.
Regards,
Scott Fuller.
Scott,
It is important to note that often people confuse the difference between Carrier Current and Sub-carrier. In the middle paragraph, I you were referring to Carrier Current, but actually wrote "sub-carrier". The CPM has no problem demodulating normal AM and FM carrier current signals, but has no capability to demodulate sub-carrier signals.
The reason that the CPM does not demodulate sub-carrier is that the CPM relies on Slope Detection Demodulation to demodulate a signal. I would recommend that you look up slope detection demodulation to understand this principal further.
But, the basic result is that the CPM is capable of demodulating AM and FM (both wide and narrow band) without any switching or fancy coherent demodulator electronics. However, the CPM audio is not great for either AM or FM. In order to do sub-carrier demodulation, the receiver must first be capable of doing real coherent FM demodulation (instead of faking it with slope detection). Since there is no true coherent FM demodulation, it is technically
impossible perform a second demodulation which is what is required for sub-carrier.
The CPM will never have the capability to do sub-carrier and cannot be modified to do so.
I hope this helped.
Regards,
Tom Jones
Slope Detection is a way of demodulating (detecting) an FM signal, using an AM
detector. Normally used when a receiver does not have an FM mode. By tuning
the receiver (in AM mode) off to the side of an FM signal, there is a little
amplitude activity in the outer edge (or slope) of the signal that an AM
detector can "hear" it and detect some audio. The fidelity is poor and the
signal is weak but you can hear it. This is a trick we used to use with an
older spectrum analyzer. A modification was done that added a diode detector.
It worked pretty good on AM signals but had to use the same detector for FM
signals, and slope detection. Experiment: Fire up the Mason A3 and tune to
an FM broadcast station. Switch the detector from FM to AM. Adjust the tuner
dial a little and you will hear the station in AM, but not very good.
Hope that helped,
Subject: Position escrow
For those interested in the current state of position escrow
technology (AKA FCC mandated E-911 emergency call location reporting),
From: Doug Ralph
Subject: 900 MHz Wireless Babysitters
Hello Tim,
There are now 900 MHz wireless babysitting devices out there, currently
on sale at one US retailer for $ 39.88 - Receiver & Transmitter. A new
generic threat for people to abuse. The one unit I bought to evaluate
was a 2 channel WBFM - Freq's were 905.450 and 905.970 MHz. Crystal
controlled on each channel. Thought the info would be of interest to
the readership.
From: "K.A.Pfarr"
Subject: And more
Tim,
Your blurb on China makes sense except for your last paragraph.
Reprints from February 1998 Reader's Digest, 1-800-289-6457
From: steve
Tim - FYI, while it may be small consolation, COSCO will not be getting the Navy station in San Diego. House Resolution (HR) 1138 (co-sponsored by Sonny Bono) was introduced to block that specific action. It was melded into HR 1119, the Defense Authorization Bill which was finalized by Public Law (PL) 105-85, section 2826 or 2628 (can't remember which one), and signed by the President in November 1997. At least they didn't get the whole enchalata......this time.
From: Al Zumpf
Subject: Bugged rooms
Hi Tim: Thanks for the info from 'Bob' (I've cut a portion of your message to refresh your memory). Needless to say, the identity of the hotel, room number and 'approximate' date of 'discovery' would certainly be important to our corporate clients. If 'Bob' was not the intended 'target', then perhaps other corporate guests are/were. Any chance of me obtaining answers to the above questions? I don't need to know the identity of 'Bob'. I am aware through my 'contacts' that this type of 'activity' in on the increase. Let me know.
Thanks again. Al
Any thing of a similar nature from anyone else?
Al is a PI here in the Phoenix area, is retired FBI and and an asociate of TSCI.
Tim,
That's a question I would love to answer. However - I don't want to get you (or me) tangled up in nasty litigation. Since I didn't keep the device (I'm not legally entitled to possess it so I crunched it and dropped it in the dumpster....) and I didn't call law enforcement (I screwed up.....) I don't have a leg to stand on if the management of a hotel chain starts sending legal papers.
From: "Al Zumpf"
Subject: Re: Bugged rooms
Tim:
thanks for the quick response. I'm sure your "Bob" was not the target of
the intercept and I'm not interested in promoting "paranoia". I can
certainly appreciate his concern(s) and his desire to avoid litigation, etc.
Like I've said before, I firmly believe more and more of this type of
activity is ongoing especially in view of the increased competition in the
business world, etc.
FKerr@worldnet.att.net
Subject: Re: Interesting "Unshredding" Service Offered
|Hi Fred;
One of my colleagues was involved in the takeover of the US Embassy in
Iran. Security was lax, and the embassy officials did not anticipate that
the militants would actually succeed in penetrating the embassy security.
Best Regards;
John
From: Timothy Poole
Subject: Telecomm schools.
Tim-
Can you post this to the list? I'm looking for any feedback on Telecomm
schools in the D.C. area. I'm currently looking at the B.S. in
Telecommunications Engineering Technology at Capitol College in Laurel, MD.
If anyone can provide positive/negative comments on that school or make
any other recommendations, it would be greatly appreciated!
Subject: U.S. firms helped China on missiles
*** U.S. firms helped China on missiles, Times says
A classified Defense Department report concluded scientists from
Hughes Electronics Corp. and Loral Space & Communications Ltd. turned
over expertise to China that significantly improved the reliability
of China's nuclear missiles, the New York Times said Monday. The
scientists from the two companies turned over the information as part
of their investigation of a Feb. 16, 1996, crash of a Chinese rocket
Loral had contracted for the launch of a $200 million satellite, the
Times said. The 200-page accident assessment also discussed other
sensitive aspects of the rocket's guidance and control systems, an
area of weakness in China's missile programs, the Times said.
See
http://www.infobeat.com/stories/cgi/story.cgi?id=2553721875-e52
From: Scott Fuller
Re: Spyking Article
Got a note form Tom Jones with a clear explanation about the CPM and Sub
carrier. It is attached below. I have an inkling about what you mean as
to why some professionals do not contribute to Spy King, however at this
stage in my career "it is better to be talked about than not talked about
at all." Even though certain professionals may not contribute, they
certainly do read it :) and hence I can promote myself and business.
Martketing TSCM is VERY difficult. My old food and alarm company in Hong
Kong was very simple to market. However, I believe there is light at the
end of the tunnel and I am seeing this with 5-10 hits a day on my website
from my direct marketing, and at least one enquiry per day as to our
services which is resulting in sales. Hong Kong is looking like a great
market but the lifestyle in Sydney is better- especially after 10 years
away. All for now.
I saw your posting on SK about the CPM not demodulating sub-carrier, and thought that you deserved
a better technical explaination. Some people have e-mailed and asked questions about your posting.
Subject: Re: Slope Detection
Gary