I wonder why they keep using a dedicated numbers station instead of embedding the code in a regular radio broadcast on a traditional channel? I'm sure that even before LLMs one could find a way to create a story where certain numbers / code words would be embedded without altering the underlying story too much. And they could probably get BBC / whatever station to air it. It would be a bit less inconspicuous to listen to BBC than to a dedicated numbers station, even if the message would be undecryptable either way.
> "I'm sure that even before LLMs one could find a way to create a story where certain numbers / code words would be embedded without altering the underlying story too much."
It's called steganography, and it's a centuries if not millennia old technique.
Seems to me like coordinating with an entity outside of the spooks' control, such as the BBC, would give more opportunities for leaks. It would also reveal some information about who is controlling the signal--someone with some kind of relationship with the broadcaster.
who's to say they aren't doing both? They may not even be sending anything over the number station; these stations will continue on a schedule even when there is nothing to say and nobody is listening because it makes it harder to eek out a foothold in the event of a weakness in the encryption.
I can't find it immediately, but I've read about something even sneakier than this. A standard broadcast station was modified such that its carrier signal was modulated by a PSK signal. The intended listener would use e.g., a PSK-31 modem to listen to the carrier signal and would be able to obtain the encoded digital data. Everyday listeners would hear the regular broadcast. The station involved _might_ have been a BBC station, but I don't recall.
You could technically just transmit data via RDS, too. Change a letter here and there and nobody would know whether that’s a decoding error or actual ciphertext. (Would need some kind of checksum or so, of course.)
@windytan did a fascinating audio clip highlighting the RDS data stream in a radio recording some while ago:
Shortwave propagates better and also its just a one time pad being distributed so embedding doesn't matter as much as long as the one time pad is longer than the intended message to send. There is no way to decrypt it because once you encrypt a message using a one time pad it is impossible to decrypt without the exact one time pad that it was encrypted with.
It's not a one-time pad being distributed, because leaking the pad leaks all your communications. It's almost certainly the actual messages being distributed, at specific times of day. The listener records the numbers for the known time period to get the message, then decodes it with their pad for that period. Then they destroy that pad. Continually broadcasting numbers makes it impossible to tell the length of the messages.
One time pads work only if only the sender and receiver have a copy of the pad - and they destroy each sheet on use. Distributing the pads is hard, but often it can be done easier than the message.
Distributing a one time pad like this is a stupid idea: it isn't hard to collect everything you ever send, and it takes a computer a few ms to check every encrypted message against every possible sequence. That is breaking a distribute one time pad via shortwave like this is something a single layperson can do, it doesn't even need a government scale attacker to break it.
Don't get me wrong, this can be used for good encryption. However it isn't a one time pad they are doing, it is something more complex.
Every message is equally likely when you attempt this kind of brute-force decryption with a one-time pad. The code you get is actually 100% unbreakable if the pad isn't intercepted.
I think there's some confusion in this thread. GGP talks about distributing the one time pad via the numbers station. GP (rightly) says that's a stupid idea.
The numbers station should be transmitting a message encoded with a one time pad. The one time pad itself should be physically given in person to the spies who you want to communicate with.
However, the numbers stations transmissions are never a big secret. They're intentionally powerful so someone can pick them up on simple equipment without raising suspicion. A person can modify an off-the-shelf AM radio to pick up shortwave, for example, even in an oppressive regime.
It's a one-time pad, so the encryption is unbreakable.
Sure, but that would be a benefit, I would think. Most old cars come with an AM/FM radio, most cheap phones now have FM (? I don't know about AM, don't think so) and so on. So it would be more inconspicuous to listen to a regular radio than to a special station on special hardware. You don't even have to broadcast from EU, you could probably purchase some Radio Quatar Classical Rock or something :)
Radios capable of receiving shortwave bands aren't exactly rare among normal people. They're not really "special hardware". Just owning one would not be inherently suspicious.
What would be suspicious is being in possession of the one-time pad needed to decode the messages, regardless of which media those messages are transmitted through.
For the record, "numbers stations" can be found in nearly every communication medium, including the web. The advantage of using shortwave (range, primarily) are large enough that the benefits outweigh the drawbacks.
The location of this transmitter is a shortwave transmission facility within a US military base in Böblingen, 15 km southwest of Stuttgart, Germany. The coordinates:
Shortwave radio is more challenging than you might imagine.
Near to the transmitter it's received by ground wave, further it's scattered off the ionosphere. In-between it's undetectable due to the skip zone. This might also explain why Amelia Earhart went missing [1]
Coverage is obtained from multipath and reflections. Leading to variable strength and timing. Not as bad as DXing on HF with low power but much harder than you might imagine.
Fine for someone to transcribe some numbers but useless for people trying to identify sources.
So locally you get an apparent direction to the source which is clearly not the source.
Add to that the complex local terrain and a well placed number stations can be very difficult to locate with precision.
Edit: unrelated but interesting there are some mysteries in HF transmission including long delayed echoes where a signal takes far longer than reasonable to travel out and back over several seconds [0] which given its travelling light milliseconds is a conundrum.
My father regailed tales of his college years where it was a game to have a HAM radio operator start broadcasting and to have teams try to find where they were hiding, first.
More challenging? Not really. It does require multiple boots on the ground to do it.
Yes, more challenging. Ham radio fox hunting is usually VHF/UHF. Waaay easier to direction-find, since the signal isn't bouncing off the ionosphere, and also the much shorter wavelength means that you can get highly directional antennas that are small enough to be held, and don't need to be 50 feet in the air to work well.
Besides the problem caused by reflections and by the fact that unless you are very close to the transmitter you do not receive a direct wave but one reflected from the ionosphere, there is an additional difficulty.
Antennas with high directivity, which are needed for accurate triangulation, must be very big in the shortwave range (wavelength from 100 meter to 10 meter). Moreover, if they are too big it would be difficult to move them, to be able to measure an angle.
So traditional triangulation is inaccurate in this frequency range.
With modern technologies, using highly accurate synchronized clocks, one could distribute shortwave antennas over a large area, to create a synthetic aperture array, enabling a precise triangulation. However this would be expensive. An amateur would certainly not have such a thing. I doubt that even a state would bother to build such a thing, because it would not be worthwhile.
While precise triangulation of a shortwave transmitter from far away is very difficult, such a transmitter would not be hard to find during a local search wherever it is placed, because there not only the direction, but also the intensity gradient of the signal would allow finding it.
Two receivers of the same signal may not be from the same proximate source. One could from the original antenna the other from a reflection. Both could be reflected but by different reflectors. Even if the proximate source was the same for both the receivers, triangulation might yield the location of a virtual image of the original source.
BTW I am just going by geometry and may be way off because radiowaves behave quite differently compared to visible light.
One might need effectively the inverse of beamforming to nail it.
Nothing much in Iran is well defended from air I suppose.
Assuming, of course, the hypothetical that it's a signal emanating from Iran. The current fix seems to indicate Germany, in which case you would be correct.
Street View nearby reveals this sign at the edge of the Street View area: "Forstarbeiter und Militär Frei," which means "Forestry Workers and Military [are free to enter]". The red circle around the sign implies that everyone else is forbidden to enter. So, it's some kind of military installation.
Until around 2000-2004 there have even been 2 Antennas. The whole surrounding forest is a military training ground, obviously used by German Bundeswehr and US forces. There are German and US barracks on opposite ends of the area. Within the vicinity there are an UXO clearance service, K9 school, CQB training village, shooting ranges, lots of bunkers and who knows what.
If anyone is interested in further reading, this group are the world's leading experts on number stations (outside of intelligence services of course). They've done a detailed article on the new station, including recordings, technical mishaps, and analysis of why they believe the station is CIA run. https://priyom.org/number-stations/other/v32
> Considering the topical interest in this station, the Priyom team shares its further expertise regarding V32's attribution, beyond being transmitted from a US military facility. While this remains unconfirmed speculation, and not facts, a prime candidate for the operator of this station would be the CIA. Contrary to popular belief, US intelligence has not entirely moved away from numbers stations. Sources in the intelligence community indicate that the CIA provides extra training about numbers stations and one-time pads to clandestine agents assigned to locations with a very hostile operating environment, such as Iran or North Korea: it is envisioned as a last-resort means of communication with high-value sources. So according to this, numbers stations are actually still an institutional part of the CIA playbook. The war in Iran, and the Internet blackout installed by the regime, fulfill the very circumstances for which the CIA would have planned this.
> We already know that the CIA has a significant presence in Iran and involvement in the war, having provided crucial intelligence tracking Iranian leaders that enabled the assassination strikes that kickstarted the war. They most probably have had a network of infiltrated assets already in place and organized, ready to be reached through a numbers station if need be right when the war started - which makes the CIA a candidate for running V32 consistent with a legitimate intelligence operation. However, what we've observed from V32's operations - technical quirks and shifting formats - suggest that the technical deployment of the numbers station and shortwave transmissions themselves may have been a little rushed by the circumstances.
> Another noteworthy feature of V32 is how all its transmissions take place on the same frequency. Most other numbers stations in general are comprehensive operations targeting many different recipients in different countries, and making use of many different transmission times and frequencies suited to the particular signal propagation needs corresponding to all those areas. In contrast, the fact that V32 always uses a single, same frequency, at always two given times of the day, would be consistent with an operation that only needs to target a single geographical area: Iran.
This reminds me of UVB-76[0], a shortwave military radio in Russia. It would be interesting know why they're using this method to communicate covertly rather than beaming down messages to a phone via satellite or something. I'm not an expert on radios, though, so maybe it's not as clunky as I'm imagining where an undercover asset is hauling around bulky equipment.
It’s simple, reliable, and effective. Shortwave receivers can be made fairly compact. They’re also very prevalent in most countries (every ham transciever), so there’s nothing suspicious to pack. People find numbers stations interesting, so they are often streamed online. One time pads have their logistical shortcomings, but are still the best encryption possible. The OTP can be compromised in known, visible ways, where a phone has myriad invisible ways to be compromised.
You could probably cheat with the one time pad and use a book as a key, pick a pre determined starting point go diagonally down accross the page convert the letters to numbers and xor that against the message. It would be near enough to random and less conspicuous than a pad of random numbers when searched.
Like the article says, satellite messages can be traced while radio is broadcast to everyone so it's impossible to find out who's listening. Shortwave radios are also cheap and widespread, so it's easy to get one anywhere in the world and if your house gets searched, it won't be suspicious if you have one.
> Shortwave radios are also cheap and widespread, so it's easy to get one anywhere in the world
I always hear this in discussions about number stations, but I don't think this is true in the US. In fact, I don't think I've ever seen a general consumer "shortwave radio". Unless the regular AM band counts, which seems to be medium wave.
I used to have little battery powered AM/FM/Shortwave/weather radio lost it a couple house moveings ago. Kept it around for the emergacy weather radio during flood events and other extreme weather when internet/power isnt reliable. Should probably pick up a replacement come to think of it.
The term for shortwave radios targeting the general consumer market is "world band radio". They look like a standard portable AM/FM radio except they'll also pick up long wave, medium wave, short wave, and maybe weather band. They're more of a niche in the US now that internet streaming is a thing, but you should still be able to get one at most electronics stores. Of course like most niche products, you'll get much better selection and pricing online.
I'm in the US. At least half of the people I know own shortwave radios, although most don't think of them as "shortwave radios". They're more often called "world radios" or some other such synonym. I could run out to a consumer electronics store right now and buy one.
The younger people I know tend to own such a radio in the form of the Baofeng UV-5R or the like.
> Like the article says, satellite messages can be traced while radio is broadcast to everyone
I don't buy it.
Satellite downlinks are broadcast to everyone under a potentially massive footprint. Take a look at the footprint for QO-100 which you could use with very inexpensive equipment that looks pretty much like a normal satellite TV dish.
Phones usually contain the hardware for radio too, so making sure agents have some set of models for that doesn't sound bad. Even if you had to use a dedicated one having a radio at home isn't that conspicuous? Or in a car, etc
perhaps they're not directed at deeply embedded lone spies with radios in their attics, but at 'military assets' which as a matter of course can receive these transmissions on a designated schedule.
You'd be amazed how many firefighters I know called "Burns", even leaving aside Ayrshire where lots of people are not-too-distantly related to a famous poet who, to put it mildly, put it about a bit.
It's called steganography, and it's a centuries if not millennia old technique.
@windytan did a fascinating audio clip highlighting the RDS data stream in a radio recording some while ago:
https://soundcloud.com/windytan-1/rds-mixdown
Distributing a one time pad like this is a stupid idea: it isn't hard to collect everything you ever send, and it takes a computer a few ms to check every encrypted message against every possible sequence. That is breaking a distribute one time pad via shortwave like this is something a single layperson can do, it doesn't even need a government scale attacker to break it.
Don't get me wrong, this can be used for good encryption. However it isn't a one time pad they are doing, it is something more complex.
The numbers station should be transmitting a message encoded with a one time pad. The one time pad itself should be physically given in person to the spies who you want to communicate with.
However, the numbers stations transmissions are never a big secret. They're intentionally powerful so someone can pick them up on simple equipment without raising suspicion. A person can modify an off-the-shelf AM radio to pick up shortwave, for example, even in an oppressive regime.
It's a one-time pad, so the encryption is unbreakable.
What would be suspicious is being in possession of the one-time pad needed to decode the messages, regardless of which media those messages are transmitted through.
For the record, "numbers stations" can be found in nearly every communication medium, including the web. The advantage of using shortwave (range, primarily) are large enough that the benefits outweigh the drawbacks.
48°41'26"N 9°05'12"E
https://www.google.com/maps/place/48%C2%B041'26.0%22N+9%C2%B...
Near to the transmitter it's received by ground wave, further it's scattered off the ionosphere. In-between it's undetectable due to the skip zone. This might also explain why Amelia Earhart went missing [1]
Coverage is obtained from multipath and reflections. Leading to variable strength and timing. Not as bad as DXing on HF with low power but much harder than you might imagine.
Fine for someone to transcribe some numbers but useless for people trying to identify sources.
So locally you get an apparent direction to the source which is clearly not the source.
Add to that the complex local terrain and a well placed number stations can be very difficult to locate with precision.
Edit: unrelated but interesting there are some mysteries in HF transmission including long delayed echoes where a signal takes far longer than reasonable to travel out and back over several seconds [0] which given its travelling light milliseconds is a conundrum.
[0] https://en.wikipedia.org/wiki/Long_delayed_echo
[1] https://youtu.be/zTDFhWWPZ4Q?si=Ib8jfbdNP-sLHM0B
More challenging? Not really. It does require multiple boots on the ground to do it.
Antennas with high directivity, which are needed for accurate triangulation, must be very big in the shortwave range (wavelength from 100 meter to 10 meter). Moreover, if they are too big it would be difficult to move them, to be able to measure an angle.
So traditional triangulation is inaccurate in this frequency range.
With modern technologies, using highly accurate synchronized clocks, one could distribute shortwave antennas over a large area, to create a synthetic aperture array, enabling a precise triangulation. However this would be expensive. An amateur would certainly not have such a thing. I doubt that even a state would bother to build such a thing, because it would not be worthwhile.
While precise triangulation of a shortwave transmitter from far away is very difficult, such a transmitter would not be hard to find during a local search wherever it is placed, because there not only the direction, but also the intensity gradient of the signal would allow finding it.
Two receivers of the same signal may not be from the same proximate source. One could from the original antenna the other from a reflection. Both could be reflected but by different reflectors. Even if the proximate source was the same for both the receivers, triangulation might yield the location of a virtual image of the original source.
BTW I am just going by geometry and may be way off because radiowaves behave quite differently compared to visible light.
One might need effectively the inverse of beamforming to nail it.
> Shortwave radio is more challenging than you might imagine.
Assuming, of course, the hypothetical that it's a signal emanating from Iran. The current fix seems to indicate Germany, in which case you would be correct.
Apple's maps version has that section blurred out though.
Bing's sattelite images seem to be older, the antenna isn't visible on there yet and there's just building foundations: https://www.bing.com/maps?cp=48.690103%7E9.086240&lvl=18.8&s.... Can't determine how old those images are though.
> Considering the topical interest in this station, the Priyom team shares its further expertise regarding V32's attribution, beyond being transmitted from a US military facility. While this remains unconfirmed speculation, and not facts, a prime candidate for the operator of this station would be the CIA. Contrary to popular belief, US intelligence has not entirely moved away from numbers stations. Sources in the intelligence community indicate that the CIA provides extra training about numbers stations and one-time pads to clandestine agents assigned to locations with a very hostile operating environment, such as Iran or North Korea: it is envisioned as a last-resort means of communication with high-value sources. So according to this, numbers stations are actually still an institutional part of the CIA playbook. The war in Iran, and the Internet blackout installed by the regime, fulfill the very circumstances for which the CIA would have planned this.
> We already know that the CIA has a significant presence in Iran and involvement in the war, having provided crucial intelligence tracking Iranian leaders that enabled the assassination strikes that kickstarted the war. They most probably have had a network of infiltrated assets already in place and organized, ready to be reached through a numbers station if need be right when the war started - which makes the CIA a candidate for running V32 consistent with a legitimate intelligence operation. However, what we've observed from V32's operations - technical quirks and shifting formats - suggest that the technical deployment of the numbers station and shortwave transmissions themselves may have been a little rushed by the circumstances.
> Another noteworthy feature of V32 is how all its transmissions take place on the same frequency. Most other numbers stations in general are comprehensive operations targeting many different recipients in different countries, and making use of many different transmission times and frequencies suited to the particular signal propagation needs corresponding to all those areas. In contrast, the fact that V32 always uses a single, same frequency, at always two given times of the day, would be consistent with an operation that only needs to target a single geographical area: Iran.
https://youtu.be/Q6cR7PEyzW4
0: https://en.wikipedia.org/wiki/UVB-76
I always hear this in discussions about number stations, but I don't think this is true in the US. In fact, I don't think I've ever seen a general consumer "shortwave radio". Unless the regular AM band counts, which seems to be medium wave.
The younger people I know tend to own such a radio in the form of the Baofeng UV-5R or the like.
However, carrying one of these is probably highly suspicious compared to a world band radio receiver.
I don't buy it.
Satellite downlinks are broadcast to everyone under a potentially massive footprint. Take a look at the footprint for QO-100 which you could use with very inexpensive equipment that looks pretty much like a normal satellite TV dish.
https://jeremyclark.ca/wp/telecom/sdr-for-qo-100-satellite-r...
Sifr is also a valid word both in Farsi, I think. An Ironic and cruel pun.
https://www.etymonline.com/word/cipher
(Al Jabr, the translator of Indian Mathematical texts was a Persian IIRC)
That is the root of 'cipher'; meaning zero/empty/nothingness.
I knew 'sifr' was an Arabic word and only today I came to know that it works in Farsi too.
The double pun/irony is that the John Sipher's surname is related to the topic of cryptography and that the etymological roots is Middle-Eastern.