Archive for the ‘electronics’ Category

The fact that a majority of this year’s graduates from USAF basic pilot training are assigned to drone squadrons has got quite a bit of play in the blogosphere. Here, via Jamie Kenny, John Robb (who may still be burying money for fear of Obama or may not) argues that the reason they still do an initial flight training course is so that the pilot-heavy USAF hierarchy can maintain its hold on the institution. He instead wants to recruit South Korean gamers, in his usual faintly trendy dad way. Jamie adds the snark and suggests setting up a call centre in Salford.

On the other hand, before Christmas, the Iranians caught an RQ-170 intelligence/reconnaissance drone. Although the RQ-170 is reportedly meant to be at least partly stealthy, numerous reports suggest that the CIA was using it among other things to get live video of suspected nuclear sites. This seems to be a very common use case for drones, which usually have a long endurance in the air and can be risked remaining over the target for hours on end, if the surveillance doesn’t have to be covert.

Obviously, live video means that a radio transmitter has to be active 100% of the time. It’s also been reported that one of the RQ-170’s main sensors is a synthetic-aperture radar. Just as obviously, using radar involves transmitting lots of radio energy.

It is possible to make a radio transmitter less obvious, for example by saving up information and sending it in infrequent bursts, and by making the transmissions as directional as possible, which also requires less power and reduces the zone in which it is possible to detect the transmission. However, the nature of the message governs its form. Live video can’t be burst-transmitted because it wouldn’t be live. Similarly, real-time control signalling for the drone itself has to be instant, although engineering telemetry and the like could be saved and sent later, or only sent on request. And the need to keep a directional antenna pointing precisely at the satellite sets limits on the drone’s manoeuvring. None of this really works for a mapping radar, though, which by definition needs to sweep a radio beam across its field of view.

Even if it was difficult to acquire it on radar, then, it would have been very possible to detect and track the RQ-170 passively, by listening to its radio emissions. And it would have been much easier to get a radar detection with the advantage of knowing where to look.

There has been a lot of speculation about how they then attacked it. The most likely scenario suggests that they jammed the command link, forcing the drone to follow a pre-programmed routine for what to do if the link is lost. It might, for example, be required to circle a given location and wait for instructions, or even to set a course for somewhere near home, hold, and wait for the ground station to acquire it in line-of-sight mode.

Either way, it would use GPS to find its way, and it seems likely that the Iranians broadcast a fake GPS signal for it. Clive “Scary Commenter” Robinson explains how to go about spoofing GPS in some detail in Bruce Schneier’s comments, and points out that the hardware involved is cheap and available.

Although the military version would require you to break the encryption in order to prepare your own GPS signal, it’s possible that the Iranians either jammed it and forced the drone to fall back on the civilian GPS signal, and spoofed that, or else picked up the real signal at the location they wanted to spoof and re-broadcast it somewhere else, an attack known as “meaconing” during the second world war when the RAF Y-Service did it to German radio navigation. We would now call it a replay attack with a fairly small time window. (In fact, it’s still called meaconing.) Because GPS is based on timing, there would be a limit to how far off course they could put it this way without either producing impossible data or messages that failed the crypto validation, but this is a question of degree.

It’s been suggested that Russian hackers have a valid exploit of the RSA cipher, although the credibility of this suggestion is unknown.

The last link is from Charlie Stross, who basically outlined a conceptual GPS-spoofing attack in my old Enetation comments back in 2006, as a way of subverting Alistair Darling’s national road-pricing scheme.

Anyway, whether they cracked the RSA key or forced a roll-back to the cleartext GPS signal or replayed the real GPS signal from somewhere else, I think we can all agree it was a pretty neat trick. But what is the upshot? In the next post, I’m going to have a go at that…


Sultan al-Qassemi kicks in a data point to the ArseDex. Apparently Libyan agents are distributing flyers in Guinea and Nigeria calling for mercenaries to fight for $2,000 a day. Yesterday, loyalist thugs cost $500 a day in Libya. Even with the huge supply of potential thugs in sub-Saharan Africa’s demobilised militias being available, the ArseDex has gone non-linear – it’s risen by a factor of four in 24 hours. Arseholes now command a premium of four hundred times the average wage. Surely Gadhafi must be doomed now.

The data’s pretty sparse, but here’s a spreadsheet. The edit link is here.

So someone’s trying to raise $150,000 to buy a satellite from the bankruptcy of TerreStar, in order to “Connect Everyone”. I admire the aim, but I’m concerned that this is going to be a round of forgetting that a lot of perfectly good GSM operators are doing just that. Also, I can’t find any reference to what they intend to use for the customer-premises equipment except that “we’re building an open source low cost modem”, which would be better if it came with a link to the source repo, right, or at least some requirements documentation? I’m also a little concerned that the team includes this guy:

Fabian is a NYC based Swiss wanna-be-entrepreneur who spends all his time trying to make meaningful connections between ourselves and business.

(and I chose charitably) but not anyone whose potted bio mentions being an RF engineer.

Actually, I think that it would be more worthwhile to start off with the low-cost open source satellite radio, as this may be the difficult bit and would be highly reusable in other projects. A lot of Indian or African GSM people would find a cheap satellite radio very useful for their backhaul requirements. Depending on the spec it could be used with things like the amateur radio AMSATs, the transponders on the ISS, and the spare US Navy FLTSATCOMs. USRP is way too expensive at the moment (they cost more than a cheap netbook) so that one’s out.

A major philosophical difference between the UK and USA halves of the SIGINT tribe, and between the tribe and the military, was who the intended customer for intelligence was. The Americans were traditionally very keen on bringing everything back to Fort Meade for processing and analysis, and then feeding intelligence reports to the top level of government. As very often, the British followed suit, but only up to a point. GCHQ as an institution was traditionally very concerned with its status as a direct contributor of intelligence to the core executive, co-equal with MI6, the diplomats, and the armed forces’ Defence Intelligence Staff. In fact, as we saw in part one, in some ways it had greater independence and status – as well as its own private diplomacy with the Americans, it also has the unique privilege of sending the prime minister intelligence outside the formal processes of the Joint Intelligence Committee machinery.

In practice, though, it was often more interested than the Americans in pushing information forward to the military in the field or to diplomatic posts. This was influenced by the British specialisation in ELINT, which tended to be more interesting to the military and more dependent on collection from their ships or aircraft, and also by the Bletchley heritage. ULTRA’s triumphs weren’t just about Alan Turing or about computers; a huge problem that had to be solved to make it useful was the distribution of highly secret information to the army in the field in near real time. (A key motivation was that GCHQ was well aware that the Germans were in the habit of breaking Allied cyphers, and then transmitting the results over their ENIGMA and FISH radio networks – allied traffic turned up in the take all the time.)

It’s probable that a major reason why GCHQ wasn’t more like that, rather than less, was that the American approach was useful politically. Supplying the Cabinet directly obviously helps to win the budget wars. Similarly, too much emphasis on tactical work might give the impression that the agency was a support service to the armed forces, rather than something like a fourth service in its own right. Horrors.

But this didn’t stop some important projects from being designed to fill the gap. GCHQ had been called in to investigate whether the Territorial SAS’s stay-behind reconnaissance teams, intended to target the Red Army’s rear areas for air (and specifically nuclear) attack, were likely to avoid getting caught for long enough to be useful. They demonstrated that, even using burst transmissions, the Soviet electronic-warfare units would very likely triangulate on them within 24 hours. This obviously wasn’t good enough, and one of the results was the Nimrod R1, the RAF’s airborne electronic intelligence system. System is the right word; as well as the planes, the project included a special RAF intelligence centre at Wyton, communications links forward to the army, and the capability to have intelligence analysts, Army liaison officers, or linguists actually fly on the plane with the radio operators. (As well as the R1s, the Nimrod MR2s have done a lot of this in Afghanistan, and paid the price.)

That was then; the RAF is now leasing three RC135 aircraft from the Americans, actually older than the R1 airframes and designed for the model then considered inappropriate.

This may be a serious problem; one of the big questions facing GCHQ is the age of fibre-optics and open-source cryptography. With less and less telecoms traffic going by satellite or microwave, and less of that going in the clear, what to do? Further, the questions aren’t the same ones as they were in the cold war.

An example of why this is relevant is this piece by Spencer Ackerman on the US Air Force’s MC-12 aircraft and its role detecting improvised explosive devices in Afghanistan. In fact, as he points out elsewhere, the MC-12 (roughly, a Beech King Air stuffed with sensors, extra fuel, and spooks) does a lot of other things too, although they’re mostly classified. It’s an example of a current trend – rather than UAVs, there’s increasing interest in cheap light aircraft carrying the latest sensor packages. This has the advantage that they can take up intelligence agents and work more closely with the troops, as well as being cheap.

There’s much more detail here, which makes the interesting point that the role of Task Force ODIN, set up to kill insurgent bombmakers in Iraq, is now a broader one in support of the counter-insurgency strategy. This changes their relevance from being purely tactical and military to being political and strategic. They haven’t been inactive on this – from Aldrich’s site, here’s a fascinating data sheet on their backpack SIGINT kit, the ideal gift for the geek who has everything and a death wish and very similar to some Rohde & Schwarz mobile network testing gear.

Speaking of mobile networks, Aldrich also confirms that a capability to listen to cellular networks exists, mounted on the British Army’s three Islander aircraft – it’s not clear from his discussion whether this means the access side or microwave-backhaul, or whether this relies on the old A5/0 and A5/1 cyphers still being in use.

Remember cows with blogs? Sure ya do. This week I was talking M2M technology again, but with people who are way more hardcore about it than Scottish farmers wanting to give their cows RSS feeds, or even wind turbine engineers wanting to monitor the state of their bearings and power-control electronics. Putting control logic on the seabed is problematic, but putting it at the end of a drill, thousands of feet below it, at silly temperatures?

That’s science fiction, but the scary bit was the communications question. You can’t really do anything like that with radio, so they modulate the flow of drilling mud up to the surface to squeeze out a few bits/second of bandwidth. Seriously – it’s called mud-pulse telemetry. Of course, as you can only hope for 3 or so bits a second at the depths in question, this is why the control logic needs to be down at the drill and largely automatic.

We are, of course, talking oil here, and specifically the ultra-deepwater stuff BG Group has hacked out a speciality in. What struck me is that people constantly talk of the supposed complexity and difficulty of utilising renewable energy, and they tend to assume that oil is simple to extract. Intelligent drills and mud-pulse telemetry to you.

Vexation about the publication on Wikileaks of some US Army documents with details of the counter-IED radio jammers. Well, you can see why they’re concerned; but I very much doubt this is particularly important.

Recap: the New-Old Iraqi Army was in the habit of using command-detonated IEDs to blow up Coalition and Iraqi government road convoys. To begin with, the command element was often either a GSM device or else some sort of el cheapo radio device like a garage-door opener, RF thermostat, bits and pieces from an industrial process-control rig or the like. After much spending and much fuss, the US Department of Defense deployed “secret” but much hyped jammers on the lead vehicles in the convoys.

Now, there was almost certainly no reason to spend anywhere near as much as they did. This is directly linked to the non-fuss about Wikileaks. The devices we have just mentioned have an internationally-standardised frequency band to chatter away in – the so-called Industrial Scientific Medical band, which is unlicensed spectrum – anyone can use it for anything, so long as they don’t use too much power. Among other things, all the world’s WLAN access points work in the ISM 2.4GHz band, as do wireless hi-fi speakers, baby monitors, cheap CCTV cams, etc, etc. So right back in 2003, it was blindingly obvious which frequencies were involved and what an upper bound on the power output would be. Which made the problem of jamming it pretty simple – just hammer away in the ISM with noise at a significantly higher Tx wattage.

Radio waves are electromagnetic radiation, and therefore their intensity changes with the inverse square of the distance from the source. So you could trivially calculate how much power you need to trigger the device a given distance away from the target. All you need is something that will radiate in the ISM band on command, like…a WLAN card, which now costs about five quid (or, perhaps, a door opener with a better antenna…). I have to say, I suspect that Donald Rumsfeld got played terribly over this. And, of course, nothing radio-frequency stays secret once you start transmitting; everyone can hear you.

There are cleverer things you can do; regarding the GSM ones, you could carry a malicious base station around with you, and therefore blackhole all traffic to and from phones in range. Or you could tap the phones and find out whodunnit (we know the other side do it to us). If I was really serious about this, I’d use one of these, which can be programmed to emulate pretty much anything radio.

So, like so much government secrecy, this is much more to do with security from embarrassment (we spent $billions on technology that would have been cutting edge in 1940!) than security from anything else.

OK, so yer lie detector. It’s been something of a blogosphere hit. And in the comments, we have Nigel, who appears to know something about acoustic signal processing – in the sense of “makes speech recognition systems for Eurofighters”.

It seems that rather than being a signal at a frequency between 8 and 12Hz, the signal you’re interested in is a signal, of that frequency, modulated onto the main signal. So in fact, you could theoretically detect it through a telephone call. I was wrong.

However, that isn’t what Nemesysco’s patent claims, and they vigorously deny that what they are doing is voice stress analysis. It’s not the pitch of any such signal that is discussed in the patent, either; it’s the change in the numbers of thorns and plateaus.

Our acoustic expert says that this could be a way of measuring the signals required for classical VSA, just not a very good one; and anyway, he argues that VSA itself is useless, even if it was VSA they were promising to conduct. And, of course, they deny that this is their methodology. Further, VSA gives only one measurement, one of vaguely-defined stress – not the nine or so Nemesysco claim to get out of this.

Meanwhile, someone who makes the same spelling mistakes as Amir Liberman does showed up in comments to claim there was more, secret technology involved that they hadn’t actually patented. Interestingly, he showed up from the same network as Nemesysco’s Web site. The same network was also the source of a Wikipedia article which got deleted for advertising, in which Nemesysco claimed that their method uses 129 different measurements and isn’t anything like VSA. No, sir. And there weren’t 129 different metrics in their patent…

OK. So we looked into voice stress analysis and the world telecoms infrastructure. And we concluded that proper VSA – the sort with the peer-reviewed scientific papers and stuff – was technically impossible. Recap: the original VSA research is based on a change in a signal in your voice between 8 and 12Hz, but even the highest-quality voice codecs used for public telephony filter out everything below 50Hz, so a VSA system based on – well – science couldn’t possibly work.

But there was always the possibility that “Nemesysco” had hit on some kind of roaring king-hell breakthrough. Minitrue couldn’t find a copy of the patent that covers their product; you might wonder why there wasn’t a US patent if it’s so great, or why every call-centre workflow system and high-end mobile phone in the world doesn’t have it as a much-valued standard feature, or why Amir Liberman, the CEO of Nemesysco, isn’t incredibly rich.

After all, he’s been hawking it since at least 1998. His company was formed in early 2000, just a tad late for the joy of the .com boom; at the time they were marketing towards consumers and businesses. But, as the venture capital dried up, the stock exchange cursed everything to do with computers, and it looked like a whole world of vaguely technical young shysters would have to get a job…something happened, and suddenly his product became “Israeli intelligence service technology” that would save you from terrorists.

There is no evidence that Tsahal or the intelligence services ever made use of it, but as reader Chris “Chris” Williams points out, there is a certain mana attached to the Israeli military – link your product to them, and it gets just that bit badder. I tell you, it’s the sunglasses.

So, let’s cut to the chase. The patent is here, thanks to the Canadian government. The “claims” section describes how it is meant to work – there’s even an example implementation in Microsoft Visual Basic (you bastards). Here’s how: it takes samples of speech and identifies “plateaus” – flat bits – and “thorns”. Thorns are defined as:

A thorn is a notch-shaped feature. For example the term thorn may be defined as:
a) a sequence of 3 adjacent samples in which the first and third samples are both higher than the middle sample
b) a sequence of 3 adjacent samples in which the first and third are both lower than the middle sample

Now, all speech is roughly speaking a succession of sine waves; by definition it’s going to fit this. Anyway, they take a control sample of speech, count the plateaus and thorns and compute the standard errors, then they ask the questions they want to test, and do the same thing. They then look at the difference between the values and compare them to reference values to tell if you’re lying.

Where do these reference values come from? “It is appreciated that all of the numerical values are merely examples and are typically application-dependent.” So basically, the all-crucial message on the screen depends entirely on the sensitivity values you punch in to the thing; perhaps great if you’re trying to bully some random Palestinian, but not so good if you need real information.

Hey, if they only knew Visual Basic and were willing to commit Software Crime, Harrow council could crank the reference values down to zero and deny EVERYBODY their housing benefit.
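To make the argument concrete, here is an added Python sketch of the thorn/plateau counting and the comparison step as the patent text quoted above describes it; it is not Nemesysco’s code or the patent’s Visual Basic listing. The input is a constructed quantised sine with one count of noise, the “flat bits” are assumed to mean runs of equal samples, and the 160-sample segments, 8kHz rate and 120Hz tone are my choices.

```python
import math
import random


def make_signal(n_samples, seed, noisy=True, rate=8000, freq=120, amplitude=100):
    """Constructed 'voice': a single sine quantised to integer counts, plus one
    count of random noise per sample when noisy=True (assumed stand-in for what
    any telephone codec delivers).  Deterministic for a given seed."""
    rng = random.Random(seed)
    out = []
    for i in range(n_samples):
        v = round(amplitude * math.sin(2 * math.pi * freq * i / rate))
        out.append(v + (rng.choice((-1, 0, 1)) if noisy else 0))
    return out


def count_thorns(samples):
    """Patent definition quoted above: three adjacent samples whose middle one is
    strictly above or strictly below both neighbours.  Any turning point of any
    waveform qualifies, which is the point made in the post."""
    n = 0
    for a, b, c in zip(samples, samples[1:], samples[2:]):
        if (a > b and c > b) or (a < b and c < b):
            n += 1
    return n


def count_plateaus(samples, min_run=2):
    """'Flat bits', assumed here to mean runs of at least min_run equal samples."""
    n, run = 0, 1
    for prev, cur in zip(samples, samples[1:]):
        if cur == prev:
            run += 1
        else:
            n += run >= min_run
            run = 1
    return n + (run >= min_run)


def feature_stats(samples, segment=160):
    """Mean and standard error of per-segment thorn and plateau counts."""
    segs = [samples[i:i + segment] for i in range(0, len(samples) - segment + 1, segment)]
    stats = {}
    for name, fn in (("thorns", count_thorns), ("plateaus", count_plateaus)):
        vals = [fn(s) for s in segs]
        mean = sum(vals) / len(vals)
        var = sum((v - mean) ** 2 for v in vals) / (len(vals) - 1) if len(vals) > 1 else 0.0
        stats[name] = (mean, math.sqrt(var / len(vals)))
    return stats


def difference(control, test, feature="thorns"):
    """The patent's comparison step: gap between the test and control means."""
    return abs(test[feature][0] - control[feature][0])


def classify(diff, reference):
    """The 'reference value' is the operator's dial: the verdict is whatever it says."""
    return "deception" if diff > reference else "truthful"


if __name__ == "__main__":
    control = feature_stats(make_signal(1600, seed=1))   # "calibration" speech
    test = feature_stats(make_signal(1600, seed=2))      # same process, different noise
    diff = difference(control, test)
    for ref in (0.0, 1.0, 50.0):
        print(f"reference {ref:5.1f}: {classify(diff, ref)} (difference {diff:.2f})")
```

Both recordings come from the same process, so the only thing that moves the verdict between the three runs is the reference value typed in.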

From this, he reckons he can determine:

Excitement Level: Each of us becomes excited (or depressed) from time to time. SENSE compares the presence of the Micro-High-frequencies of each sample to the basic profile to measure the excitement level in each vocal segment.

Confusion Level: Is your subject sure about what he or she is saying? SENSE technology measures and compares the tiny delays in your subject’s voice to assess how certain he or she is.

Stress Level: Stress is physiologically defined as the body’s reaction to a threat, either by fighting the threat, or by fleeing. However, during a spoken conversation neither option may be available. The conflict caused by this dissonance affects the micro-low-frequencies in the voice during speech.

Thinking Level: How much is your subject trying to find answers? Might he or she be “inventing” stories?

S.O.S: (Say Or Stop) – Is your subject hesitating to tell you something?

Concentration Level: Extreme concentration might indicate deception.

Anticipation Level: Is your subject anticipating your responses according to what he or she is telling you?

Embarrassment Level: Is your subject feeling comfortable, or does he feel some level of embarrassment regarding what he or she is saying?

Arousal Level: What triggers arousal in the subject? Is he or she interested in you? Aroused by certain visuals? This new detection can be used both for personal use for issues of romance, or professionally for therapy relating to sex-offenders.

Deep Emotions: What long-standing emotions does your subject experience? Is he or she “excited” or “uncertain” in general?

SENSE’s “Deep” Technology: Is your subject thinking about a single topic when speaking, or are there several layers (i.e., background issues, something that may be bothering him or her, planning, etc.) SENSE technology can detect brain activity operating at a pre-conscious level.

He can apparently detect that all from a total of two measurements. Note also that there is no mention of Micro-High Frequencies in his patent claims; if they were particularly high, they would probably vanish in the band-pass filters above 3.4kHz…

I have collected these claims across his Web site; I wonder if Harrow council is aware that exactly the same technology is being marketed as a “Love Detector”? Or that another company has ripped off the patent, and he warns buyers that theirs won’t produce the advertised 85% accuracy, even though it’s the same patent? This is scienciness, not science. But then, the point is to scare the poor.

Update: See here.

So, those Oystercard outages. I wrote a sizable post on this immediately before going on holiday, but something odd happened with WordPress’s clever ajaxy bits and it vanished. Computers…anyway, we can work out various things about the problem from the few details supplied.

In the first incident, around 1% of the cards somehow became nonfunctional. We don’t know how; we do know, however, that it was indeed the cards, because the fix was to bring them in and issue new ones. This raises an interesting question; why did new physical cards have to be issued? The process of issuing a card involves writing the data TfL holds on you to the blank card; there isn’t much difference between this and overwriting whatever is on the card with the details held in the database. This suggests either that the affected cards suffered actual physical damage – unlikely, unless someone’s running about with a really powerful RF source and a bad sense of humour – or else that TfL can’t trust the information on file, and therefore needs to erase the affected records and set up new user accounts.

So, how could it happen? Card systems can work in various ways; you can do a pure online authorisation system, like debit or credit cards, where information on the card is read off and presented to a remote computer, which matches it against a look-up table and sends back a response, or you can do a pure card system, where your credit balance is recorded on the card and debited when you use it, then credited when you pay up. Or you can have a hybrid of the two. Oyster is such a hybrid. TfL obviously maintains a database of Oyster user accounts, because it’s possible to restore lost cards from backup, to top-up through their Web site without needing a card reader, and to top-up automatically. But it’s also clear that the card is more than just a token; you can top up at shops off-line, and the transaction between the card and the ticket barrier is quick enough that you don’t need to break stride (consider how long it takes to interact with a Web site or use a bank card terminal).

Clearly, the actual authorisation is local (the barrier talks to the card), as is offline top-up, but the state of the card is backed up to the database asynchronously, and changes to your record in the database are reflected on the card, presumably as soon as it passes through a card reader. To achieve this without stopping the flow of passengers, I assume that when a card is read, the barrier also keeps the information from it in a cache and periodically updates the database. Similarly, in order to get online top-ups credited to the cards, the stations probably receive and cache recent updates from the database; if the card number is in the list, it gets an “increment £x” command.

We can probably rule out, then, that 1% of the Oyster card fleet were somehow dodgy when they started to flow through the gatelines that morning, and that the uploaded data from them caused the matching records to become untrustworthy. It’s possible – just – that some shops somehow sporked them. It’s also vaguely possible that bad data from some subgroup of cards propagated to the others. But I think these are unlikely. It’s more likely that the batch process that primes the station system with the last lot of online and automatic top-ups went wrong, and the barriers dutifully wrote the dodgy data to the cards.

This is also what TfL says:

We believe that this problem, like the last one, resulted from incorrect data tables being sent out by our contractor, Transys.

People of course think this was somehow connected with the NXP MiFare class break, but that needn’t be the case.

In this scenario, some sort of check incorporated in the database was intended to detect people using the MiFare exploit (probably looking for multiple instances of the same card, cards that didn’t appear in the database, or an excess of credit over the cash coming in), but a catastrophic false positive occurred. This is a serious lesson about the MiFare hack, and about this sort of public-space system in general; the effects of the security response may well be worse than those of the attack. Someone using a cloned, or fraudulently refilled, card could at best steal a few pounds in free rides. But the security response, if that was what it was, first threatened a massive denial-of-service attack on the whole public transport system, and then caused TfL to lose a whole day’s revenue.
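As an added illustration of the batch-table failure and the false-positive scenario above (my own Python model, not TfL’s, Transys’s or the post’s code), this assumes the architecture the post infers: a station receives a table of “increment £x” and block commands, and the gate writes a matching row to the card as it passes. The naive gate trusts the table; the checked gate validates each row and the table’s blast radius before touching any card. The card-id format, the top-up cap and the 0.1% block limit are constructed values.

```python
from dataclasses import dataclass, field

# Constructed limits for the model: a single online top-up is capped, and a
# batch that would block more than this fraction of the fleet is refused outright.
MAX_TOPUP_PENCE = 9000
MAX_BLOCK_FRACTION = 0.001


@dataclass
class Card:
    card_id: str                                # 12-digit number (assumed format)
    balance_pence: int
    blocked: bool = False
    applied: set = field(default_factory=set)   # batch ids already written to this card


def make_fleet(n):
    """Constructed fleet of n cards, each holding a £10.00 balance."""
    return {f"{i:012d}": Card(f"{i:012d}", 1000) for i in range(n)}


def apply_table_naive(cards, table):
    """Gate behaviour the post infers: write whatever the table says to the card."""
    for row in table:
        card = cards.get(row.get("card_id"))
        if card is None:
            continue
        if row["op"] == "increment":
            card.balance_pence += row["amount"]
        elif row["op"] == "block":
            card.blocked = True


def validate_row(row, cards):
    """Return None if the row is plausible, otherwise the reason to reject it."""
    cid = row.get("card_id")
    if not (isinstance(cid, str) and cid.isdigit() and len(cid) == 12):
        return "bad card id"
    if cid not in cards:
        return "unknown card"
    if row.get("batch") in cards[cid].applied:
        return "already applied"
    if row.get("op") == "increment":
        amt = row.get("amount")
        if not isinstance(amt, int) or not 0 < amt <= MAX_TOPUP_PENCE:
            return "implausible amount"
    elif row.get("op") != "block":
        return "unknown op"
    return None


def apply_table_checked(cards, table):
    """Validate every row and the table's blast radius first; write nothing on failure."""
    problems = {}
    for i, row in enumerate(table):
        reason = validate_row(row, cards)
        if reason:
            problems[i] = reason
    blocks = sum(1 for r in table if r.get("op") == "block")
    if blocks > MAX_BLOCK_FRACTION * len(cards):
        problems["table"] = f"would block {blocks} cards in one batch"
    if problems:
        return {"applied": 0, "rejected": problems}   # table quarantined, cards untouched
    for row in table:
        card = cards[row["card_id"]]
        if row["op"] == "increment":
            card.balance_pence += row["amount"]
        else:
            card.blocked = True
        card.applied.add(row["batch"])
    return {"applied": len(table), "rejected": {}}


def good_table():
    """One legitimate £20.00 online top-up."""
    return [{"batch": "b1", "card_id": "000000000007", "op": "increment", "amount": 2000}]


def bad_table(cards):
    """Constructed faulty export: the amount column arrives in hundredths of a
    penny, and a spurious block row hits the first 1% of the fleet."""
    rows = [{"batch": "b2", "card_id": "000000000007", "op": "increment", "amount": 200000}]
    rows += [{"batch": "b2", "card_id": cid, "op": "block"} for cid in list(cards)[: len(cards) // 100]]
    return rows
```

With the naive gate the faulty table lands on every affected card and the fix is to reissue them; with the checked gate the whole table is held back and the cards keep their last known-good state.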

Does anyone else think the reason the Oystercard system had a multi-hour outage might be somehow connected with the fact that TFL’s response to the class break of the NXP MiFare Classic cards it uses has so far been even worse than the manufacturers’? NXP’s contribution to dealing with this has been to sue the Dutch students who demonstrated the exploit, but TFL’s has been to write to the papers and say that there is nothing anyone could do with the ability to change any and all information on the cards. Nothing, I tell you!

Which, if it were true, would suggest that the cards are completely irrelevant to the system’s functioning, which obviously isn’t true…