Fieldnotes // Proposition for an On Demand Clandestine Communication Network by Curtis Wallen

Cellphones are modern-day Trojan horses, ubiquitous spies lying in wait. Intelligence analysts can locate any cellphone in the world, reconstruct its movements, and correlate its connections to expose a user. This is a lesson the United States Central Intelligence Agency (CIA) has learned the hard way on at least two occasions, once in Italy in 2005 and again in Lebanon in 2011.

In 2003, the CIA kidnapped Hassan Mustafa Osama Nasr (aka Abu Omar), the Imam of a mosque in Milan, as part of the agency’s extraordinary rendition program under the auspices of the Bush administration’s “global war on terrorism.” In 2005, the Italian government issued warrants for the arrest of 22 Americans, believed to be CIA agents, accused of carrying out the kidnapping. Italian law enforcement used network analysis of cellphone metadata to discover an anomalous closed network of approximately 30 phones. After closer analysis of the network, they were able to trace the movements of the phones parallel to known surveillance of Nasr, and then connect the network to the CIA.

Cellular handsets have a unique identifier called an IMEI, while subscriber identity module (SIM) cards (used to authenticate subscribers) have a completely different unique identifier called an IMSI. Hollywood films often show users swapping SIM cards in order to evade detection; however, swapping SIM cards only serves to link two SIMs to each other. In the Milan case, an operational handset, used to make calls within the clandestine CIA mobile network, was accidentally paired with a “clean” SIM, meant only to be used by one agent to contact the local CIA station. The Italian authorities eventually found this connection, giving them the link they needed to prove CIA involvement in the kidnapping.

In 2011, the militant Islamist group Hizballah rolled up the CIA’s spy network and most of their human assets in Beirut, Lebanon by analyzing cellphone metadata to find similarly anomalous networks. They were able to approximate the location of each node using tower dumps, and then task physical surveillance to suss out the agents and informants.

Staying hidden while using cellphones is very hard. It either requires blending in perfectly, raising absolutely zero attention or suspicion, or it requires ensuring that any anomalous behavior is so anomalous that analyzing it is useless.


Annex 1
Overview of OTP encryption

In one time pad (OTP) encryption, the content you wish to encrypt, or “plain text,” is encrypted through modular addition using a secret key. The resulting ciphertext is impossible to decrypt without access to the secret key. 

For the example in this proposal, the secret key is derived from the 1993 edition of Sun-Tzu’s The Art of Warfare. (Everyone involved must be using the exact same edition of the book.)

The phone number is paired with a number sequence of the same length, determined by the text on a specific page in The Art of Warfare. (A=01, B=02, etc.)

NOTE: The starting page, and the page advancement interval, must be predetermined by you and your communication partner(s). E.g., start on page 37 and advance 11 pages with each subsequent communication. Encryption/decryption should be done by hand on nitrocellulose paper and destroyed once no longer necessary. You should manually “salt” the ciphertext using letters, underscores, and numbers added to the end of the sequence. This countermeasure prevents bulk analysis that looks for image filenames exactly 10 numeric digits long (the length of an American phone number).

E.g.,

3798234184 ——> 379fdh82_3418ad4432_89474_o

When decrypting the phone number, use only the first 10 digits and throw out any letters and/or special characters.
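The Annex 1 procedure carried through in code, as an added illustration that is not part of the original proposal: the key is derived from a page of text with A=01 … Z=26, the phone number and key are combined digit by digit, the ciphertext is “salted” in the same shape as the example above, and the decryption rule (first ten digits, letters and special characters discarded) recovers the number. Two assumptions are mine: the “modular addition” is taken to be digit-wise addition mod 10, and the page text is a constructed sample rather than any real page of the 1993 edition. One caveat worth stating plainly: a key taken from a published book is a book cipher, not a one-time pad; the “impossible to decrypt” property of OTP holds only when the key is truly random, at least as long as the message, and never reused.

```python
import re


def book_key(page_text, length):
    """Derive a numeric key from the agreed page: A=01, B=02, ... Z=26 (the
    Annex 1 convention), concatenated and cut to `length` digits.
    Non-letters are skipped."""
    key = ""
    for ch in page_text.upper():
        if "A" <= ch <= "Z":
            key += f"{ord(ch) - ord('A') + 1:02d}"
        if len(key) >= length:
            break
    if len(key) < length:
        raise ValueError("page text too short to key a number of this length")
    return key[:length]


def encrypt_number(phone, key):
    """Digit-wise modular addition, mod 10 (assumption: the annex says only
    'modular addition'). Phone and key must be digit strings of equal length."""
    if len(phone) != len(key) or not (phone.isdigit() and key.isdigit()):
        raise ValueError("phone and key must be digit strings of equal length")
    return "".join(str((int(p) + int(k)) % 10) for p, k in zip(phone, key))


def decrypt_number(cipher, key):
    """Inverse of encrypt_number: digit-wise subtraction mod 10."""
    if len(cipher) != len(key) or not (cipher.isdigit() and key.isdigit()):
        raise ValueError("cipher and key must be digit strings of equal length")
    return "".join(str((int(c) - int(k)) % 10) for c, k in zip(cipher, key))


def salt_filename(cipher, insertions):
    """Apply the manual 'salt' from Annex 1. `insertions` is a list of
    (index, text) pairs; `text` is inserted before the digit at `index`, so
    index == len(cipher) appends. Applied right to left so indexes stay valid."""
    out = cipher
    for pos, text in sorted(insertions, key=lambda t: t[0], reverse=True):
        out = out[:pos] + text + out[pos:]
    return out


def strip_salt(filename):
    """Annex 1 decryption rule: discard letters and special characters and keep
    only the first ten digits."""
    return re.sub(r"[^0-9]", "", filename)[:10]


# Constructed sample inputs (not the text of any real page of the book).
SAMPLE_PAGE_TEXT = "Know the enemy and know yourself"
PHONE = "3798234184"  # the number used in the annex's own example

# The insertions that reproduce the annex's example shape:
# 3798234184 -> 379fdh82_3418ad4432_89474_o
EXAMPLE_SALT = [(3, "fdh"), (5, "_"), (9, "ad"), (10, "432_89474_o")]

if __name__ == "__main__":
    key = book_key(SAMPLE_PAGE_TEXT, len(PHONE))
    cipher = encrypt_number(PHONE, key)
    posted = salt_filename(cipher, EXAMPLE_SALT)
    print("key:", key, "cipher:", cipher, "filename:", posted)
    # Round trip: strip the salt, then subtract the key.
    assert decrypt_number(strip_salt(posted), key) == PHONE
```

Note that `strip_salt` is exactly the rule the annex gives to the recipient, and it needs no key: the salt only defeats a pattern that looks for filenames that are precisely ten digits, not an analyst who simply counts or extracts digits. Only the modular-addition step depends on the shared page.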

Annex 2
Overview of Challenge/Response Procedure

The person who answers a call must prompt the caller with a “challenge.” The caller must then reply with a corresponding “response.” If either party is under duress (law enforcement on the line, etc.), they provide any unrelated prompt, or no prompt, as a warning signal.

For the example in this proposal, the challenge is the last word in the first full sentence of the determined page in The Art of Warfare, and the response is the first word in the third-to-last full sentence of the same page. (Skip any prepositions and/or articles.)
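The Annex 2 selection rule written out as code, added here as an illustration rather than anything from the original proposal: sentences on the agreed page are split on terminal punctuation, articles and prepositions are skipped, and the challenge and response words are picked by position. The sample page text is constructed for the example (a few well-known public-domain lines, not the 1993 edition the proposal keys on), the stop-word list is my own assumption about which words count as “prepositions and/or articles,” and a “full sentence” is taken to mean one that ends with a period, exclamation mark or question mark on the page.

```python
import re

# Assumed stop-word list for "skip any prepositions and/or articles".
SKIP_WORDS = {
    "a", "an", "the",
    "of", "to", "in", "on", "at", "by", "for", "with", "from", "into",
    "over", "under", "through", "between", "without",
}


def full_sentences(page_text):
    """Split the page into sentences; keep only those that end with . ! or ?
    (a trailing fragment cut off by the page break is not a full sentence)."""
    parts = re.split(r"(?<=[.!?])\s+", page_text.strip())
    return [p for p in parts if re.search(r"[.!?]$", p)]


def content_words(sentence):
    """Words of the sentence with articles and prepositions removed."""
    return [w for w in re.findall(r"[A-Za-z']+", sentence)
            if w.lower() not in SKIP_WORDS]


def challenge(page_text):
    """Last (non-skipped) word of the first full sentence."""
    return content_words(full_sentences(page_text)[0])[-1].lower()


def response(page_text):
    """First (non-skipped) word of the third-to-last full sentence."""
    sentences = full_sentences(page_text)
    if len(sentences) < 3:
        raise ValueError("page has fewer than three full sentences")
    return content_words(sentences[-3])[0].lower()


def verify(page_text, offered_challenge, offered_response):
    """True only when both halves match the agreed page. Anything else,
    including no challenge at all, is the duress signal described in Annex 2
    and must be treated as a warning, not as a retry."""
    return (offered_challenge.lower() == challenge(page_text)
            and offered_response.lower() == response(page_text))


# Constructed sample page (public-domain lines, not the agreed edition).
SAMPLE_PAGE = (
    "All warfare is based on deception. "
    "Hence, when able to attack, we must seem unable. "
    "When using our forces, we must seem inactive. "
    "When we are near, we must make the enemy believe we are far away. "
    "When far away, we must make him believe we are near. "
    "Hold out baits to entice the enemy."
)

if __name__ == "__main__":
    print("challenge:", challenge(SAMPLE_PAGE))   # word the answerer says
    print("response:", response(SAMPLE_PAGE))     # word the caller must give
    print(verify(SAMPLE_PAGE, "deception", "when"))
    print(verify(SAMPLE_PAGE, "weather", "when"))  # unrelated prompt: duress
```

The `verify` function deliberately returns a plain boolean and offers no “close enough” matching: under the procedure above, a wrong or missing prompt is a signal in its own right, so the software should not paper over it.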


1. Analyze your natural daily movements

Your normal daily patterns cannot be interrupted. They must be studied to identify moments of operational opportunity. Identify your “anchor points,” places you would consider to be bases of operation. Carefully consider all activity in relation to these anchor points. Anomalies in your routine will get you caught. When you do something you wouldn’t normally do, that raises suspicion. Most of the time, anomalies in one’s routine are innocent changes, but when conducting operational activities anomalies must be carefully considered, and ideally obscured. Take advantage of dormant periods in your normal routine to provide cover for clandestine activities. This is achieved by leaving your normal cellphone where you are supposed to be, while you move elsewhere. This only works if an adversary has not yet committed to physically surveilling you. This is an important point. The proposed system only works if you are not already on the radar of your adversary. Once you become an active target, things get much more difficult. The goal of this system is to prevent ever being identified as a potential threat.


2. Purchase a prepaid no contract cell phone (AKA “burner phone”)

Go during a dormant period in your usual schedule and leave your normal cellphone behind. (Anyone tracking your movements via your cellphone will think you are static in place as usual.)

Pay with cash.

Do not get cash out at the time of the phone purchase. Plan ahead and get cash at a point in your schedule that makes sense (e.g., buying breakfast at the corner store, going to the bank after work, etc.)

The handset should be acquired at least two weeks prior to operational use. (Most commercial video surveillance systems only store footage for ~2 weeks.)

Keep your head down. Dress nondescriptly. Don’t be overly friendly, but don’t be mute. Be forgettable.

Handsets are one time use.


3. Activate prepaid phone

Unbox the handset and store it in a faraday bag [1], without the battery installed. Do not do this at home, or any other anchor point.

Leave the phone in the faraday bag without the battery installed. You will not open the bag and install the battery until you are in position and ready to receive an operational call.

You should use a clean laptop, on a public Wi-Fi network, behind Tor, to activate the phone online. This will greatly impede an adversary attempting to link the activation back to you.

When you install the battery and turn on the phone, it will automatically activate. (Build 10 minutes into your operational preparation time to ensure proper activation before the call.)


4. Signal communication request and relay phone number

Encrypt your new phone number using a one time pad (OTP) system. (Annex 1 of this proposal gives an overview of how to use OTP encryption.)

Rename a random image with the encrypted phone number and post the image to a public Twitter account. The account should be accessed, and subsequently viewed by your communication partner(s), while browsing behind Tor.

Posting the image signals a communication request to your partner(s), who will then decrypt the phone number from the image filename.

Your partner(s) should never click on the image link, or ever actually interact with the image server. They must simply hover over the link to see the full filename, and write it down.

If there is a problem, your partner(s) will signal a failure by tweeting out an unrelated image from a different account.

If failure occurs, a second signal attempt, with a new ciphertext, should be made within 48 hours.

Calls are always made at 9:30pm (EST) the day after a successful signal.


5. Receive call


1. A faraday cage blocks the reception and/or transmission of radio waves. According to “A field test of mobile phone shielding devices” by Eric Katz, the most effective commercially available faraday bag is the Ramsey Electronics STP1100. From the Ramsey website: “The STP1100 is specifically designed to rapidly collect and secure wireless devices at the scene by law enforcement personnel. Cellular phones and other wireless devices have quickly become one of the most important and valuable sources of investigative data. But that data has the high risk of being overwritten, deleted, locked-out, or corrupted unless the device is immediately RF shielded from the carrier’s network, or even powered down. If a phone is ‘receiving service’ it is vulnerable to remote access, remote data dumps, and remote lockdowns. If the phone is powered off, it is also vulnerable to auto lockdowns and authentication code changes for re-access.”
