This is a pretty sensitive topic to a lot of people. You don't see much discussion of this outside of MILCOM conferences and in controlled environments. And I'm hoping that I'll be able to provide some amount of understanding of what covert communications is about, who your adversaries are, what technology they're using, and what the opportunities are to evade those technologies. That's the purpose of what we're doing here today. So I guess the first point I want to make is that resistance is not futile. I think that there's a widespread view that the NSA and the other intelligence agencies have tried to promote, which is that they can listen to anything anywhere, anytime they want. And it's not true. They'd like you to believe that because then you won't be saying things or doing things they don't want you to do. So this is definitely not the case. Despite the fact that they have billions of dollars, there are limits to what they can do. And many of those limits are just set by physics. And that's what you have to direct yourself towards. Well, we all know that if communications are not private sometimes and you're doing things that other people don't want you to do, especially if they're powerful people, well, it could go bad for you. In the case of journalist Marie Colvin, she was killed when she was using a sat phone in the Syrian conflict because the military under the Assad regime was able to triangulate her. And they just blew away the building that she was in. So this happens more often than not. Most of it's not as maybe outrageous as a firefight going on in a city. But there are assassinations, kidnappings, things like that by people all the time. Yesterday I was talking to someone who works for a major company. And they worked for that company in China. And he told me in no uncertain terms that he knew from the time he arrived he was being followed and observed and listened to.
And that one of his friends, a journalist, regularly had his flat ransacked and inspected by the Chinese authorities in order to see what he might be up to. I think that there's a huge market for covert communications that's practical and affordable. And hopefully what I'm working on, and other people who might be working on it and haven't even talked about it and you don't even know about them, will come to pass and we'll have that. So why do you want to use wireless to begin with? Well, it can be cheap. It can even be free. And depending upon how it's done, if it doesn't use infrastructure, like ham radio, you don't owe anyone anything. You have mobility. Things do get a little tougher because you have link reliability issues. There's nobody standing behind you making sure that the link stays at a certain level and it's error free. Probably the biggest problem is that when you're operating in this kind of mode, you're going to be using specialized antennas. It's certainly not going to be built into your mobile phone. You're not going to be using your mobile phone for communications. And in the same way that Tor is very vulnerable to attacks because it's a low latency, high speed communication link, it's probably not possible within any reasonable amount of cost and effort to have anything more than low speed data be covert. So you're talking about instant messaging and emails, things of that nature; you might be able, in certain instances, to get up to the speed that would support voice communications. And of course, it may not be legal locally. All of the regulations worldwide by nations try to prevent anyone from using any technology that they can't break and observe. So the term that's used, the term of art that's used in the community, is low probability of detection, low probability of intercept.
And unlike encryption, which is where the focus of most every other system is, the focus in covert is at the PHY level, because that's where you make or break it, at the PHY level. You can see here a lot of advantages to operating that way. You get to do a lot of things that you can't do at higher levels. But it's more difficult, expensive, complex. So covert channels. Well, we are all familiar, I hope, with steganography of various sorts. And when you're trying to use a covert channel, you're trying to use something that was never intended for communications. You're trying to maybe abuse that capability in the channel. Lots of covert communications by steganography and hidden information on the internet. A lot of work has been done in that area. It continues. It's sort of a cat and mouse game. However, when you're doing things that are signal based instead of just a regular covert channel, now here you're working in the modulation and coding regime and, in some cases, directive antennas in order to limit Eve's ability to listen in. Before SDR, covert communications in wireless was really not a practicality. Many people, of course, did practice this. Sometimes they've been caught, starting with wireless warriors in World War II who had covert communication radio sets. Some of them didn't get caught. A lot of them did. And of course, they disappeared after that. With the advent of software defined radio, which many people here are using, it really opens up a vista of things that you can do that before were only available to the military and the intel agencies. And that's what we're talking about here. GNU Radio, of course, is one of the leading types of software defined radio software support. And being free and open source makes it very nice because lots of people are adding to it. Lots of people are looking at it, analyzing it, finding flaws, and fixing them. SDR: most people here have RTL dongles.
And if they are working in the HF regime, they probably also have a FunCube. It's a really nice little dongle. Very good for the cost and what it does. I see a lot of HackRFs here. I'm not sure if I saw any USRPs. I'm sure there were, but I didn't notice them. And there's one here. And I think one of the biggest differences between what most people are doing with SDR is that in covert communications, you're going to be transmitting. And not many people's transmitters, their SDR systems, are set up for transmission. So most people here, I think, are familiar with GNU Radio, so I won't belabor that. It's mature. It has high performance pieces that are coded in either assembler or C++, part of the VOLK library of kernels for different types of applications. And even though not many people use GNU Radio Companion for anything more than prototyping, it's very flexible, as we saw in Balint's presentation earlier. It's very flexible. I'm sure many people have seen things like this, just an example of an FM receiver done in GNU Radio Companion. Not much to see here. If you were at Balint's presentation, it was awesome. Kinds of things that you can do. Showing here the HackRF, very capable unit for what it is. Some people don't like it. They consider it nothing more than a glorified IF strip. And I've heard that from a number of people. But for certain types of applications, it's quite good. Its biggest problem is the fact that it's only an 8-bit unit, and so you don't have very much dynamic range. It doesn't work so well with weak signal detection and noisy environments. That's something that can be upgraded. There's a daughterboard capability in the HackRF. I don't think anyone has actually released a 12 or a 14-bit A/D converter. But I look forward to someone doing it, which would totally transform the HackRF into a much more serious device. So wireless threats fall into two categories, passive and active.
The most important ones that we're going to be talking about today are the passive types of system, passive adversaries. Because that's where they're trying to find you. They're looking for your signals. They're looking at every signal in the spectrum from every location where they can build systems, doing direction finding, trying to analyze whether or not your signaling system appears to be unusual, of note, and the focus of more attention. The active systems, probably the most important for most unless you're targeted and they know who you are, are jammers. The insecure reversion is of significance here. Because if you had your mobile phones on, you probably saw that they're all in 2G mode. And that's because somebody's been jamming the 4G, LTE, what do you call it, frequencies to force their phones to revert to 2G, where they're vulnerable to attack. So here I'm trying to talk about the passive attacks, where they occur in the protocol stacks. They can occur all over; everywhere you can think of, there are attacks that are focused on various aspects of systems. For what we're going to be talking about, or I'm going to be talking about, today, it's mostly at the PHY level, which is on the left side. But every other aspect is certainly fair game to the intelligence agencies. So the intelligence agencies have huge receiving capability. They have stations all over the world. And they're listening to every frequency at any time they can. And looking for ones that aren't what they'd normally expect to see. Most frequencies are being used by commercial or other people on a regular basis. And they would just pull out the ones that are noteworthy because they haven't seen that one before. The same kind of thing ham operators do sometimes. They'll be listening in on the band. And they'll say, wow, haven't heard that signal before. And then the people will be discussing it online as to what that signal might be.
In particular, they're looking at what I call the Red October scenario, where signals are out there that may look like something that they've seen before, but they're not. And in The Hunt for Red October, it was a seismic signal that the sonar operator was being told was being received, the software saying it was a seismic event. And when he sped it up, lo and behold, it was a magnetohydrodynamic or caterpillar drive from a Russian sub, something that was only theoretical in the movie up to that point. And I think that the NSA and all intelligence agencies, they're looking for a Red October situation. So you don't want to stick out like that. As Balint showed in some of the earlier analysis of signals, this is an example of what signals look like, various ones that are very common, and how they're classified by the software. What's, I think, significant is the intelligence agencies are without a doubt using artificial intelligence and neural network capabilities in order to do signal classification, because there's much too much traffic for humans to look at. They would fatigue too quickly. So the human people, the humans, only come in when receivers that are targeting certain kinds of signals identify something of note. And then a human is sent to look at it for further investigation. So the receivers that they build are called high probability of intercept. That's the term of art that's used. Sometimes they're called electronic warfare receivers if they're used in a military engagement environment. What they try to do is to pick out signals that other receivers cannot. And they spend gobs of money to try to do this. And they're very effective at their job in general. This shows the probability of receiving a certain signal near a very strong one. A very common technique to hide a signal is to put your signal near somebody else's. And if you've got the right kinds of technology and tradecraft, it makes it much more difficult on the adversary, including the NSA.
Many factors go into deciding whether or not a high probability of intercept receiver is going to do the job. And it has to do with the signal characteristics and also the capabilities of the receiver and its internals. Interrupt me if you have a question. So here's the ideal high probability of intercept receiver. It's a software defined radio with lots of bit depth and a lot of stability in its circuitry to make sure that it stays on frequency and that you can identify the signals easily. Usually they're very broadband, although there are narrowband systems. But in general, because the intelligence agencies are wanting to watch every frequency from DC to light, they have a huge number of receivers that cover parts of the band. And they either hop to different frequencies or they have ones that cover enormous amounts of bandwidth simultaneously. And they act as directive receivers. That is, they tell other receivers to look further. What we're looking at here is what we want to see: we want to see our own GNU Radio high probability of intercept receiver so that you can do red team, black team. Without that, you really can't be very confident that what you're doing is as good as you think it is. So Balint has worked a fair amount in this area in doing signal analysis and blind estimation. What I'd like to see is something very much more structured and turnkey so that you don't have to be an expert in order to do signal analysis and signal location. These are the kinds of receivers that are typically used for high probability of intercept or electronic warfare. They break into these areas. The simplest and the most common is the crystal video. It's basically a lot of video channels connected to a wideband multiplexer. And most of the time, the system is only good for pulse type of operation. It's the kind of receiver that you'd see inside a radar detector; a good one is the kind of circuitry you would use.
So the next step would be something similar to the crystal radio, which is called a TRF. That's the general term that's used. And what it's meant to do is to very quickly find a signal. It may not be accurate in analyzing the signal. But what it's meant to do is to point other receivers that are much more capable at that signal. And you want to do it in burst mode. You can pick up a signal within nanoseconds. And instantaneous frequency measurement devices can actually, within nanoseconds, pick up a signal and direct another device to look more closely at it while the burst is still in operation. So phase interferometer and detection capability: this is really a technology rather than a receiver. It's used in a lot of other electronic warfare and high probability receivers. And it's commonly used for direction finding. I know Balint doesn't work in direction finding. So I'm sure you're familiar with this. One of the last is the swept superhet receiver. This has lots of very fast superheterodyne receivers, each one sweeping part of the frequencies that are of interest. There are two varieties, the narrowband and the wideband. The narrowband is actually a special case of the wideband in which they've attached filters to it, and they've narrowed the bandwidth during the sweeping. Below are typical performance characteristics of these receivers; the MDS is the minimum detectable signal. Very important for intelligence agencies. And channelized bulk filters. I haven't seen any details about these. But again, the typical multiplexed receiver, where you have a wideband input, you divide it up with a multiplexer, and you have a huge number of software defined radios that follow it. Now, this is something that probably most people haven't heard of. It's called a Bragg cell receiver. It came from radio astronomy and the SETI project. And its purpose is to be able to receive, in parallel, many, many, many channels.
We're talking about huge numbers of hundreds of megahertz or gigahertz of bandwidth. And unlike the other receivers, it's an acousto-optical receiver. The advantage is that it's very stable. It doesn't need a local oscillator. For most receivers, that's kind of a weak point, making sure that they're stable. This one has no such problem. And it uses a combination of lasers and microwave frequencies. The problem with it is that it's not nearly as sensitive. So it doesn't really have the dynamic range. And so it's used as a receiver that finds signals of interest and then points other receivers, again, to listen. This is what one of them looks like. I think what's of interest is this device here, which is like a piezoelectric device there. It is very similar to a SAW device. And it's operating in an acousto-optical manner. What's happening is the laser light is illuminating the device that has the, what do you call it, the transducer. And the transducer has the microwave signals of interest that are coming in from a wideband amplifier. And what it does is it changes the refractive index of the device in real time, spatially, on this device so that it separates all of the characteristic signals in the band that it's looking at in parallel. And they actually appear as signals optically and are picked up by photocells. And it's a really huge advantage for the intelligence agencies, because it doesn't have to sweep frequencies. It sees them all in parallel and simultaneously. So when these devices are packaged up, the top photo is a single Bragg cell. They're often ganged together, each one of them covering different adjacent frequency ranges. And when they're put together in an array, like we see, they can carry and cover an enormous amount of bandwidth simultaneously, often from 2 gigahertz to 24 gigahertz in parallel. So now we come to the active threats. So jammers: there's been a lot of work in jamming; really, World War II was the beginning of jamming technology.
And they can be very difficult to detect, because if they're smart, they look like they're just noise and bad signal conditions and bad band conditions to your devices. It's very difficult to detect them if they're smart. And what they try to do is either brute force jam the signals, or, if that's not working because of the way that you've oriented your system, then they'll hop around. There'll be broadband noise. But if they're targeting a packet-based system, what they're trying to do is to prevent the communications. And one of the ways they would do that is they might jam the frequency to such a point that the transmitter, which is doing carrier sense, for example, a very common technology, would find that the band is always occupied. And eventually, the buffers would overflow, and the system wouldn't be able to communicate. So that's targeting the transmitter. At the receiver side, that's very obvious. You're going to try to overload the gain control system of the receiver or use other technologies that would cause your signal to fall in the detection area of the receiver and make it incapable of receiving what it was intended to. So there are many types of jammers. And each one of them targets a certain type of signal. What's of note is that, in general, it's very difficult to jam direct sequence type of systems because they're noise-like already. And because they operate over such large bandwidth, especially if they're covert, the amount of transmitter power required by the jammer, unless they're very close to you in a near-far situation, becomes really not possible. So this is what happens when you have a single tone or a multi-tone type of jammer trying to jam a direct sequence signal. Because of the way that the direct sequence is spread and de-spread, the jamming signal actually gets spread during the deconstruction of the signal. When the signal is de-spread in the receiver, the narrowband signal gets spread. So they're just the inverse.
And therefore, it doesn't interfere with the direct sequence signal, at least not easily. So as I mentioned before, intel agencies have huge budgets. But trying to listen to every frequency simultaneously all around the world is not the same as the task that they have when they're listening to the internet. There are no network access points they can just tap into and listen to the feed that everyone has on the internet. You have a three-dimensional temporal type of problem that you need to solve. And it's not easy even when you have billions of dollars. And the defender, in each case, whether it's the person trying to do covert radio or the intel agency trying to defend their turf, their problem is that they have to plug every possible exploit that might be used against their technology, where the attacker only has to find one good one and drive through it. In particular, the physics restrict any kind of receiver system. And the technologies that are available for high probability of intercept receivers set floors on what can be received. And if you know what those are or have a good idea, then when you design your covert system, you want to design it so that it falls below their capabilities or above. Again, if you're targeted, it's not good, because they can send stuff right down the street to listen to your communications. And even covert communications are not very covert when you've got a van sitting outside. So you certainly want to be able to hide your transmitter, your antennas, all of your communications. And you need to be covert and you need to be using good tradecraft. So where do we look for clues as to how to build covert communications? All commercial communications systems, they're really looking at interoperability and cost. And they really don't care about security, not really, because they're not selling to clients that need that kind of capability.
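The direct-sequence behaviour described above (a narrowband tone jammer is spread by the same correlation that collapses the wanted signal, and a receiver that does not hold the chip sequence recovers nothing) as an added worked example. This is illustrative code written for this transcript, not code from the talk or from GNU Radio; the spreading factor, jammer level, seed strings and the toy PRNG used to derive the chip code are all constructed for the demo, and that PRNG stands in for the secret code the talk proposes rather than being a cryptographic generator:

```python
"""Toy direct-sequence spread-spectrum link: secret chip code vs. a tone jammer.

Illustrative example added to this transcript; not the talk's or GNU Radio's
code. Pure Python (no numpy) so it runs anywhere.
"""
import math
import random

CHIPS_PER_BIT = 128  # spreading factor N; processing gain = 10*log10(N) dB


def make_chip_code(seed, n=CHIPS_PER_BIT):
    """Return a +/-1 chip sequence derived from `seed`.

    A standards-based radio publishes its codes so anyone can sync; here the
    seed plays the role of the secret shared by Alice and Bob. random.Random
    is a toy stand-in for a real keyed generator, NOT a cryptographic PRNG.
    """
    rng = random.Random(seed)
    return [rng.choice((-1, 1)) for _ in range(n)]


def spread(bits, code):
    """Map each data bit to +/-1 and multiply it by the whole chip code."""
    out = []
    for b in bits:
        s = 1 if b else -1
        out.extend(s * c for c in code)
    return out


def channel(chips, jammer_amp, jammer_period, noise_sigma, rng):
    """Add a narrowband tone jammer plus Gaussian noise to every chip sample."""
    out = []
    for k, x in enumerate(chips):
        tone = jammer_amp * math.cos(2 * math.pi * k / jammer_period)
        out.append(x + tone + rng.gauss(0.0, noise_sigma))
    return out


def despread(samples, code):
    """Correlate each bit period with the code; the sign of the sum decides the bit.

    The wanted signal adds coherently to +/-N, while the tone is multiplied by
    a pseudo-random +/-1 sequence and only grows like sqrt(N): it is spread.
    Returns (decided_bits, per_bit_correlations).
    """
    n = len(code)
    decisions, corrs = [], []
    for i in range(0, len(samples), n):
        block = samples[i:i + n]
        corr = sum(s * c for s, c in zip(block, code))
        corrs.append(corr)
        decisions.append(1 if corr > 0 else 0)
    return decisions, corrs


def bit_error_rate(sent, received):
    errors = sum(1 for a, b in zip(sent, received) if a != b)
    return errors / len(sent)


def run_demo(n_bits=64, jammer_amp=2.0, jammer_period=10, noise_sigma=1.0, seed=7):
    """One link: the intended receiver (knows the code) vs. a receiver using a
    different code (a listener who assumed the published standard sequence)."""
    rng = random.Random(seed)
    bits = [rng.randint(0, 1) for _ in range(n_bits)]          # constructed payload
    secret_code = make_chip_code("secret-seed")                 # shared by Alice and Bob
    standard_code = make_chip_code("published-standard")       # what an outsider tries
    tx = spread(bits, secret_code)
    rx = channel(tx, jammer_amp, jammer_period, noise_sigma, rng)

    bob_bits, _ = despread(rx, secret_code)
    eve_bits, _ = despread(rx, standard_code)

    # Pass the jammer alone through the despreader to measure how far it was spread.
    jam_only = channel([0.0] * len(tx), jammer_amp, jammer_period, 0.0, rng)
    _, jam_corrs = despread(jam_only, secret_code)
    jam_rms = math.sqrt(sum(c * c for c in jam_corrs) / len(jam_corrs))

    return {
        "processing_gain_db": 10 * math.log10(CHIPS_PER_BIT),
        # tone rms (amp/sqrt 2) relative to the unit-amplitude chips at the input
        "input_jammer_to_signal_db": 20 * math.log10(jammer_amp / math.sqrt(2)),
        "signal_after_despread": float(CHIPS_PER_BIT),
        "jammer_rms_after_despread": jam_rms,
        "ber_correct_code": bit_error_rate(bits, bob_bits),
        "ber_wrong_code": bit_error_rate(bits, eve_bits),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key:28s} {value:.3f}")
```

At the input the tone is 3 dB stronger than the chips, yet after despreading the wanted bit sits at +/-128 while the tone contributes roughly 16 rms, so the intended receiver decodes error-free; the receiver holding the wrong code sees a correlation whose sign is essentially a coin toss, which is the point of making the chip sequence secret instead of using the standard's published one.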
On the other hand, military and intel agencies, they build systems that are not open and they're covert and they're proprietary. So we want to look at trying to bring the technologies from some of those hardened systems into open source systems and also into standards-based systems, even if it means that changing those systems makes them nonstandard, because they're built on very good foundations as far as the structure of the communications and the higher level stacks. So here are the major, what I consider the major, methodologies for doing LPI, LPD. The most common is to hide the signal below the noise, one I certainly favor. The other one is to use steganography. It turns out that it can be used very effectively if you know how to use it in this particular circumstance, and I'll talk about that. Another way is controlled jamming. It's actually possible to use jamming in order to communicate. Another possibility is to reduce the side lobes from your signal in a very directional manner if you have point-to-point communications. And there are technologies that the military has used for quite a long time, but none of them are available in commercial use right now, and that's a shame. They turn out to be not that hard. And the last one is to repurpose existing systems, commercial systems, and use them covertly. So a common type of chart here showing how spread spectrum signals work and how you convert a baseband signal into a spread signal. Nothing should be interesting there to the people here. However, how about changing the codes to something secret? Because you're trying to be interoperable, all the standard systems have known codes so that they can quickly sync and identify the signals. But if you're trying to be covert, well, you certainly don't want to do that. So one of the first things is to change all the coding systems. This is an example of the chip-to-symbol coding that's used in 802.15.4.
So in experiments that were conducted, by changing the codes, actually making them more random and not the normal orthogonal codes that are used in commercial stuff, the packet error rate increase was only about 13%, which is actually not too bad. And the ways that we looked at to identify the methods for the attacker included looking at the M-ary direct sequence attacks that are used against coding systems like what are used in 802.15.4 and Wi-Fi. And without getting into too much detail, a lot of these technologies that are in the attacker strategy, these are all in the literature, although they're not always easy to find. And basically, they're blind estimation technologies to try to, as Balint was showing, identify a signal, figure out its data rate, the modulation schemes, and try to figure out the symbol rates, and by doing that, to start narrowing down to the point where you can identify the signals more easily, and you can start doing triangulation of the signal. So in order to prevent this, you have to figure out how often, if you're using random chips, those sequences need to be changed in order to thwart these technologies, and also the length of the codes, things of that nature. And experiments were carried out. And what was discovered is that if you only expand the chips to about 32, your key size, or your chip code size, to about 32, instead of the 16 that's used in 802.15.4, and you don't play any other games of randomization, it only took about 27 bytes under worst case conditions for the attacker to be able to lock onto your signal and identify it. Not good. However, it did point the way towards improvements. And those are what are planned for the future. This gives you an idea of what was achieved. So what needs to be done next is possibly to combine direct sequence with frequency hopping, change the cryptographic primitives.
For example, in the tests, a pseudo-random number generator was used in order to provide the key information, to build the keys. And PRNGs are deterministic. And of course, those can be attacked. So one of the things you want to do is to use true random number generators in order to establish your key information and your spread codes. That's not being done yet. You want to start maximizing the entropy of the packet timings. And by that, what you're looking to do is to change, for instance, your preambles so that they're randomized instead of being a very simple sync signal. As Balint pointed out, if you don't have bits flipped on a regular basis, it makes it hard for your clocks to acquire. So that's one of the things that needs to be traded off: as the signals get more random, clock synchronization becomes a problem. So maybe your adversary can't sync on your signal, but maybe you can't either. And other burst frame improvements are planned. So to wrap it up, low detectability is one of the characteristics that is most often mentioned for direct sequence. But that's only true if they can't break certain aspects of your random number generator, your spread codes, and your crypto. So antennas are probably the most neglected part for most people that are outside of radio. They don't realize how important a good antenna is. For the communications that I've been looking at, I'm looking at HF radio, mostly for communications, because I want to be able to transmit signals at great distances without infrastructure. The most common antennas that are used, and the cheapest, are dipoles and long wires. As you can see, this one can be hidden inside an attic, very nice to be able to do. However, they're not directional, they don't have much gain, and they're very broadband, which for HF signals is a no-no, because they overload the front end of your receiver, your LNA. For all those reasons, they're not a good antenna for general HF use, but they are cheap.
What I consider one of the most ideal antennas is the magnetic loop. The advantage is, depending on how it's designed, it can be extremely high-Q, meaning that signals outside a very narrow passband are eliminated. You don't have to worry about noise from FM transmitters or pagers or other military swept signals like radar; they'll all be eliminated at your antenna. They never even get into the front end of your receiver. What's also very interesting is that if you build larger magnetic loops than are normally used, most magnetic loops are around a tenth of a wavelength or so or smaller. But if you make them larger, then at the higher frequencies, that antenna becomes more and more broadband, which means it can be used for broadband communication while still maintaining most of the characteristics of a controllable passband. So I've been looking into that. I happen to have one of these antennas. It's a very good one, MFJ. So one of the other ideas that's been discussed is to expand the kinds of beacons that are used by amateurs so that you can put other information into them. And that information might include the availability of nearby covert communication parties. So the beacon now would actually have a receive side, receive signals from nearby covert communications, capture some aspect, some code that would only be meaningful to the parties that are going to be using it to communicate with, and then transmit that along with the beacon information that's normally sent. How many are familiar with WSPR? OK, it's an excellent technology for very low power, what do you call it, efficient communications over long distances. Excellent stuff. Joe Taylor is the god of HF radio today. He's the guy who invented this. Now I mentioned NVIS. This is a kind of communication technology that was developed, I believe, originally by the Germans during World War II.
And what it amounts to is, using the proper HF antenna, it's possible to bounce the signal off of the ionosphere over your head. And instead of trying to just skip, where you're trying to go great distances, what you're trying to do is illuminate a cone of signals around your location and enable you to avoid mountains and other obstacles that would be a problem for ground wave. Also, it can be very secure communications, and it was used by them to great effect. Steganography. Many of you have probably seen these photos, but that cat signal is hidden inside that winter scene. Most steganography is using nothing more than low order bits or some kind of simple characteristic that they can take advantage of in the noise of the signal. Unfortunately, the statistical properties when you try to embed these signals in another image or some other signal turn out to be non-trivial to do covertly. They're very easily uncovered. A lot of research has been done in that area; about the only form of steganography that I'm aware of that is not easily broken this way is called noiseless steganography. And I don't want to go into it, but it's semantically based instead of sort of data-based. Last year at DEF CON, we had a presentation where people tried to inject noise into the forward error correction protocol for JT65. And I think it's something that needs to be looked at further. I think there are actually still some good possibilities with additional work. And since it's all open source, it's a very well understood protocol. I think someone here that really is into HF should be looking into this. So in this technology here, what you're trying to do is inject noise into the constellation of, for instance, a Wi-Fi signal. But you want to do it in such a manner that it stays within the specification for Wi-Fi for hardware impairment. No hardware is perfect. And when products are shipped, they have issues. They can generate noisy signals.
So there's a specification that says, for your signal characteristics, you can't have more than 10 dB of noise in your constellation or you're out of spec. Oh, if you stay below 10 dB and you've got good hardware, now you can inject steganographic signals that only you will be aware of. And so what you can do is, when Alice and Bob, shown by or indicated by these walkie-talkies, want to talk to each other, they'll be near a hotspot or some other system that is open to communication using a constellation type of arrangement. And Alice and Bob will then proceed to inject real innocuous data into that system, such as web surfing or whatever. And while they're doing that, they're injecting noise into the constellation. The hardware for the hotspot will work fine. It's not even aware that there's any problem because the signal's in spec. But Alice and Bob, their system, it's been tuned to look for this noise signal, this steganographic signal. And it'd be very difficult to detect. This could be long range too, but certainly under short range conditions like Wi-Fi hotspots, it should work great. As an example of what it would look like with hardware impairments, it's really indistinguishable from the spec, from just a regular noisy signal. So in order for Alice and Bob to talk to one another, they need to be able to generate keys. And they need to be able to do that with Eve listening and not being able to detect that they're communicating. Very tough to do that. There are huge numbers of papers looking into this kind of capability to generate keys in the presence of an eavesdropper. And it's really beyond the scope of this talk to talk about how it's done. But the important thing is how fast you can generate that key. Usually, the methods use the entropy of the channel itself in a very careful way to generate the keys.
So the method that I'm looking into in order to generate or have your keys is to do them sort of like the old-fashioned way, when people would distribute out-of-band information like one-time pads. So Alice and Bob might have applications that run on their mobile phones that would generate, like when people are doing, for instance, Bitcoin, and you want someone to send you money. So your Bitcoin wallet would generate a QR code, and that QR code would be unique in the sense that it's in a huge space. And the same thing could be done this way. So whenever you meet someone and you want to give them the capability of communicating with you, you would give them a unique key. And that key would help them locate the time that that key can be used and how to generate an on-the-fly key from that. That would be the seed for something like an AES type of encryption, some symmetric key encryption. And so it would be different for every person that you'd give keys to. And when they were operating over the air, all the keys would be different, the key, the spreading codes. Everything would be unique.

By the way, there's people working on systems and products and capabilities to create what are called cryptographic artifacts. And these are devices that could be secreted in locations almost anywhere that, if you didn't know they were there, you'd never be able to communicate with them. So if you send a signal to them and you know where they're located, they would actually dispense a key for you, a unique key that could be shared, for instance, between parties.

Here's another method. In this case, a signal is repeated again and again by Alice or Bob. And it has varying information in the signal. And what Alice does, for example, in this case, is she transmits a signal to jam parts of Bob's transmission while it's active. And by doing so can isolate parts of the signal that she wants to listen to.
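The out-of-band key scheme described above (a per-contact secret handed over in person, say in a QR code, plus a validity window, from which both ends derive a fresh symmetric key and spreading code for every time slot), as an added example that is not from the talk or from any product of the speaker's. It uses HKDF-SHA256 built from the Python standard library's hmac and hashlib; the token fields, the slot length, the labels and the SHA-256 counter-mode chip generator are assumptions for this example. No AES is shown because the standard library has none; the derived 32-byte key is what you would hand to it.

```python
import hashlib
import hmac
import os

# Constructed layout for the contact token (what would ride in the QR code).
# All field names, sizes and labels are assumptions made for this example.
SECRET_LEN = 32


def hkdf_sha256(ikm, salt, info, length):
    """RFC 5869 HKDF: extract a PRK from the shared secret, then expand under a label."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def make_token(contact_id, not_before, valid_seconds, slot_seconds, secret=None):
    """Alice mints one token per contact; each contact gets its own secret."""
    return {
        "id": contact_id,
        "secret": secret if secret is not None else os.urandom(SECRET_LEN),
        "nbf": not_before,                  # unix time the token becomes usable
        "exp": not_before + valid_seconds,  # and when it stops being usable
        "slot": slot_seconds,               # how often the over-the-air keys roll
    }


def slot_index(token, now):
    """Which slot 'now' falls in, or None when the token is not yet / no longer valid."""
    if not token["nbf"] <= now < token["exp"]:
        return None
    return (now - token["nbf"]) // token["slot"]


def derive_slot_keys(token, slot):
    """Per-slot symmetric key and spreading-code seed, bound to contact and slot."""
    info = b"covert-link-v0|" + token["id"].encode() + b"|" + slot.to_bytes(8, "big")
    okm = hkdf_sha256(token["secret"], b"covert-link-salt", info, 64)
    return okm[:32], okm[32:]   # (AES-256 key, PN seed)


def pn_chips(seed, n):
    """Long non-repeating spreading sequence: SHA-256 in counter mode, one +/-1 chip per bit."""
    chips, counter = [], 0
    while len(chips) < n:
        block = hashlib.sha256(seed + counter.to_bytes(8, "big")).digest()
        for byte in block:
            chips.extend(1 if (byte >> bit) & 1 else -1 for bit in range(8))
        counter += 1
    return chips[:n]


def session_for(token, now):
    """What both ends compute independently at time 'now' from the same token."""
    slot = slot_index(token, now)
    if slot is None:
        return None
    key, seed = derive_slot_keys(token, slot)
    return {"slot": slot, "key": key, "chips": pn_chips(seed, 64)}


if __name__ == "__main__":
    tok = make_token("bob", not_before=1_700_000_000, valid_seconds=7 * 86400, slot_seconds=300)
    print(session_for(tok, 1_700_000_000 + 1234))
```

Two properties matter here and both come from binding the slot and contact id into the HKDF info: a key captured from one slot says nothing about the next, and two contacts holding tokens from the same Alice never share key material, so losing one token burns one relationship rather than all of them. Clock skew between the two ends is what actually decides the slot length in practice; a receiver that also tries the adjacent slot is the usual mitigation.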
Other parties, like Eve, are thwarted because they don't know which parts of the signal are important. By doing this, instead of depending upon random information in the channel, which is the common technique that's used for generating shared keys without having communication beforehand, where you get very few bits of information, entropy information, to build a key from, this allows you quite a few kilobits per second.

So satellites are fun. Almost all satellites today are bent pipes. And Balint was showing signals coming from satellites earlier. What's really interesting about the satellites is that even though they're bent pipes, they use Fourier transforms and inverse Fourier transforms in order to clean up the signals. Sometimes there's ground clutter that they need to remove, transmitters that leak into their bandpass. In other cases, you have people that are transmitting when they shouldn't. Maybe their equipment's malfunctioning. It's a VSAT situation. And their transmitters are splattering information. Or it's transmitting when it shouldn't. Or you have jammers. If they're narrowband signals, using a Fourier transform, you can identify the signals, whack them out in the Fourier domain, and then do an inverse Fourier transform on the downlink. And the signal's been cleaned up, very common technology. However, it doesn't work at all against wideband signals that are being used either covertly or for jamming. Because it's all over your band. You can't knock the whole thing down. That would be the end of your downlink. So these systems are not capable of taking care of wideband signals that are leaking into their bandpass.

An interesting situation occurred with the US Navy's FLTSATCOM and UFO satellites. It was reported in a number of magazines, including Wired. Brazilian truckers were getting two-meter transceivers, having them modified, and were using the Navy's satellites in order to talk to each other while they were on the road.
They did that because there was no coverage for their cellular radios. Eventually, most of them were caught. Their hands were slapped, or worse, they were fined. And I'm not sure if that stuff is going on now or not.

So if Alice and Bob are trying to use the satellite covertly, they want to use something similar to the technology that I was talking about for 802.15.4. They want to use a VSAT modem, which is a block upconverter. They're cheap, maybe starting at $250. They work with standard parabolic dishes, so your neighbors won't know that you're communicating on an uplink, not just a downlink. And if you do it properly and spread your signals and use long enough codes and they're randomly changing, I believe they're pretty much invulnerable to any kind of location or interference.

The other method is, since one of the ways that they would try to find your signal is they would use the signal spilling over into adjacent satellites to use time-of-arrival and direction-of-arrival information in order to triangulate your position, what you want to do is to prevent anything but the one satellite you're using from receiving a useful signal that they can use for this kind of technology. It turns out that technology is available, pCell technology, using massive MIMO to focus beams to a single party in real time, very expensive. But they've gotten a lot of money, haven't they? You don't know, OK. All right, well, the pCell technology is something that's being shown as the next generation for cellular communications because it massively could increase the capacity of cell systems by using MIMO.

I came across another technology. It came from the military. It's never been used in the commercial world as far as I know, but it's used to prevent radar signals from being identified.
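The transponder clean-up described a little earlier (narrowband excision in the Fourier domain) and the reason it gives no purchase on a spread signal, as an added example that is not from the talk: a pure-Python radix-2 FFT, a median-based bin threshold standing in for whatever rule real transponder firmware uses (that rule is a constructed assumption here), a low-power random chip sequence standing in for the spread signal, and two interferers of equal power, a single tone and white noise. The FFT size, signal levels, tone bin and threshold factor are assumptions chosen for the example.

```python
import cmath
import math
import random

# Constructed parameters (assumptions for this example, not figures from the talk).
N = 256              # FFT size
CHIP_AMP = 0.1       # amplitude of the wideband chip sequence (power 0.02 per sample)
TONE_BIN = 37        # the narrowband interferer sits exactly on this bin
EXCISE_FACTOR = 20   # blank any bin whose power exceeds 20x the median bin power


def fft(x):
    """Recursive radix-2 decimation-in-time FFT; len(x) must be a power of two."""
    n = len(x)
    if n == 1:
        return [complex(x[0])]
    even, odd = fft(x[0::2]), fft(x[1::2])
    out = [0j] * n
    for k in range(n // 2):
        t = cmath.exp(-2j * math.pi * k / n) * odd[k]
        out[k] = even[k] + t
        out[k + n // 2] = even[k] - t
    return out


def ifft(spectrum):
    """Inverse FFT via the conjugation trick: ifft(X) = conj(fft(conj(X))) / n."""
    n = len(spectrum)
    y = fft([v.conjugate() for v in spectrum])
    return [v.conjugate() / n for v in y]


def power(x):
    return sum(abs(v) ** 2 for v in x) / len(x)


def excise(x, factor=EXCISE_FACTOR):
    """Bent-pipe style clean-up: FFT, blank bins far above the median, IFFT.
    Returns the cleaned time series and the number of bins blanked."""
    spectrum = fft(x)
    bin_power = [abs(v) ** 2 for v in spectrum]
    threshold = factor * sorted(bin_power)[len(bin_power) // 2]
    kept = [0j if p > threshold else v for v, p in zip(spectrum, bin_power)]
    return ifft(kept), sum(1 for p in bin_power if p > threshold)


def spread_signal(rng, n=N):
    """Stand-in for a DSSS signal: random +/-1 chips on I and Q at low power."""
    return [complex(rng.choice((-1, 1)), rng.choice((-1, 1))) * CHIP_AMP for _ in range(n)]


def narrowband_tone(n=N, k=TONE_BIN):
    """A CW interferer exactly on one FFT bin; power 1 per sample."""
    return [cmath.exp(2j * math.pi * k * i / n) for i in range(n)]


def wideband_noise(rng, n=N):
    """A noise-like wideband interferer; power about 1 per sample."""
    s = 1 / math.sqrt(2)
    return [complex(rng.gauss(0, s), rng.gauss(0, s)) for _ in range(n)]


def run_demo(seed=7):
    """Interference-to-signal ratio before and after excision for both interferer types."""
    rng = random.Random(seed)
    s = spread_signal(rng)
    results = {}
    for name, jam in (("narrowband", narrowband_tone()), ("wideband", wideband_noise(rng))):
        rx = [a + b for a, b in zip(s, jam)]
        cleaned, blanked = excise(rx)
        residual = [c - a for c, a in zip(cleaned, s)]   # everything left that is not our signal
        results[name] = {
            "blanked_bins": blanked,
            "isr_before_db": 10 * math.log10(power(jam) / power(s)),
            "isr_after_db": 10 * math.log10(power(residual) / power(s)),
        }
    return results


if __name__ == "__main__":
    for name, r in run_demo().items():
        print(name, r)
```

With the tone, one bin is blanked and the interference drops by roughly 40 dB, at the cost of the sliver of the spread signal that sat in that bin. With the noise-like interferer the bin powers are all of the same order, nothing clears the threshold, and the only way to take it out would be to blank the band, which is the "end of your downlink" point above. The same arithmetic is why a properly spread covert uplink, sitting at or below the transponder's own noise, survives this clean-up untouched.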
When, for instance, a plane is flying over a target, and maybe it's marking the target for its own missile that it's going to launch or a gravity bomb that's going to be a smart bomb, it's going to illuminate the target in certain ways in order to give speed, direction, location information. And of course, it's important when you're illuminating a target with your radar that a missile doesn't come flying up your tailpipe because they identified your signal. So if you can narrow the beam down to the point where only the target you're looking at can see the information, this is a real advantage. And so this might be ported to applications for satellite communications, troposcatter, line of sight. In tests that were done, or I shouldn't say tests, but analysis that was done on this technology, it was found that you could, with not too much technology, make it virtually impossible for any eavesdropper more than half a degree off of the beam axis of your antenna to be able to receive it. It wouldn't even detect a signal.

So last but not least is, maybe you don't want to build a system. Maybe you can use somebody else's system. Pager networks are wonderful. First of all, the receiver is receive-only in most cases, which means they can't be found, unless they're targeting you. And maybe they'll be able to find the superhet noise coming out of your local oscillator spilling out from your device. But in all practical cases, they're not going to be able to find that. It turns out that it's not very difficult to anonymously inject traffic into pager networks worldwide. They all use email. And if you can identify, and you can pretty easily, the email addresses that are being used that are mapping to user addresses, then you can start sending messages that can, if they're anonymously injected and the receiver can't be located, that's the end game for that. So it turns the pager network into a numbers station for you.

So one more thing before questions.
I'll show some information here. That's my email address. My key is available on the MIT PGP server. And I'll be uploading this, so this presentation will be available. There's got to be some questions. Come on now. Either I've bored you stiff, or it's zoomed over your heads. Which is it?

Absolutely. You cannot run covert communications using standards. Well, actually, you want to make sure that they can't even see your preamble. They don't see any signal at all. Well, they'll still get the RF. But if the signal is done properly, there'll be a noise signal. You see, one of the things they're looking for is pseudo-noise signals. All of the standards-based systems use codes like Gold codes and things like that that have really nice correlation capabilities. And they're very short so that you can use them at high data rates. But when you're doing covert, you're talking about really long keys. And those keys, if they're changing constantly, much more closely approach a real pseudo-noise system or a real noise, like natural noise situation. And if they're used properly, they don't see what's called cyclostationary characteristics, anything that appears to be repeating where the noise level moves up and down, things like that. You have to avoid that at all cost. So if you're able to achieve that, where you can operate below the threshold of the receiver's noise figure, then if they don't know the code, and if you're not sticking out because you have these cyclostationary characteristics, then the game is really over for them because their receivers are muted.

Yes, exactly. Now, eventually this might be something that's widespread and commercialized. But that's why software, if you're not using software radio, you can't do any of this, really.

Yeah, near vertical incidence skywave.

Yes, people have done moonbounce. And in fact, the reason that Joe Taylor built his stuff was originally for moonbounce.
However, the path loss is so great that even with any reasonable process gain, I don't think you could really do an earth-moon-earth bounce. I haven't investigated it, but the losses are, I think it's like 160 dB or something like that. It's really massive loss. And that's why all the people that do EME, and I know some people in that field, they have huge backyard dishes, commercial ones in some cases. And their transmitters are not small either. However, interestingly, people have actually bounced covert signals off the moon in the optical domain. Yeah, because lasers have a much narrower beam angle. And so, if you have a few watts of laser energy illuminating the moon, and you know what you're doing, you can deliver much more energy to the moon's surface than you can, even with a good-sized dish.

Yes? The Bragg cell, right. Well, they were first developed for ground station use with, what do you call it, space, deep space stuff, and especially SETI, radio astronomy. But they're small enough, and they're light enough, and their energy consumption isn't that high that the military can't put them in orbit. So I suspect that the KH satellites and those kinds of satellites, all the newer generation, have receivers of that sort in order to direct, perhaps, other receivers that were in the satellite to look at signals of interest.

Wideband optical receiver, you're talking about the Bragg cell? Oh, I haven't costed them. I imagine that only commercial people can afford them. I would just guess that something like this would be in the $10,000 to $20,000 a channel range, something like that. But I haven't actually gone out and tried to purchase one. So I don't know.

Any others? Oh, yes? Yes, that certainly could happen. One of the reasons that software-defined radios can be sold is that because they're not actually a receiver, they're actually just an instrument. They fall under exclusions for instrumentation.
And it could be that those things will start to be limited as to who can purchase them and what channels can be used to sell them.

What? It's exactly their instrumentation and test equipment. This kind of exclusion is available in most countries. I'm not sure about China. But certainly the EU and the United States, most developed countries, have exclusions in their radio policies for instrumentation. Otherwise, you couldn't buy an oscilloscope. People couldn't do ground station work because they couldn't import a spectrum analyzer.

I'm sorry. Oh, yeah. Right, well, ham operators are also watched very carefully in different countries. And ham operators are actually in sort of a different twist to this, because many ham operators are very persnickety about the spectrum. And so if I had to guess who is your largest risk if you're doing covert communications, it would be nearby ham operators who will find your use of their frequencies quite objectionable. And if they're very nearby, of course, your signal's still going to stick out. If someone's like one of your neighbors down the street, it's probably not going to be possible for you to mask your signal from that, because it's almost the equivalent of the van outside with the intel people.

Sorry, it was another person that had their hand up. Who was that? Oh, you again? Right. I would not be surprised that they do this, but maybe only after the animals have escaped the corral. So the idea is to get going on this technology and not wait until some really high-level things happen in this area that you'll see on CNN or Fox News. There'll be shows about narco-terrorists using this technology. We don't want that to happen until all of us have the technology. So I believe that it's possible to build either software-defined radios or modify existing hardware, JT65/WSPR-type systems, to start doing covert communications now. Back in my talk, I mentioned QRSS, or it was in there, but I didn't talk about it.
This is where you have extremely narrowband, very low speed data, usually CW. But there's no reason that you couldn't be doing the equivalent of offset frequency division multiplexing with very narrowband signals and very low power.

Did you want me to mention something else, or? No. OK. Anything else? Oh. It seems like I could take that off. Sure. Sure.

Because these are instrumentation devices, that's the hint. Because these are instrumentation devices, they have very low power output. For instance, the HackRF only has 10 milliwatts of transmitter output. And I think the same thing is true for the USRP, isn't it? OK, but not much. And it really depends on the USRP, the daughterboards and the earlier models, things like that. But they're certainly well under half a watt. Yeah. Yeah. 50 or 100 milliwatts. Yeah, 50 or 100 milliwatts.

However, if you're operating spread spectrum communications, that may be more than enough. One person actually was able to communicate over a 6,000 kilometer distance, transmitting with the USRP at 10 milliwatts. No, excuse me. It was a HackRF, 10 milliwatt output, and it was received 6,000 kilometers away. So it is possible. That was using the WSPR protocol. Straight to the antenna. Those were the curtain lights, I'm sure. Thank you very much.