"In the beginning of a change, the patriot is a scarce man, and brave and hated and scorned. When his cause succeeds the timid join him, for then it costs nothing to be a patriot."
--- Mark Twain, as quoted in Mark Twain's Notebook (1935), edited by Albert Bigelow Paine (p. 394).
Introduction
It's July 22, 1946 and you've just settled into your room at King David Hotel in Jerusalem. You feel safe, as the hotel is widely known to businessmen from all around the world, and the British essentially control the hotel and the surrounding land. At around noon, the hotel receives a cryptic telephone message stating: "I am speaking on behalf of the Hebrew underground. We have placed an explosive device in the hotel. Evacuate it at once - you have been warned." Approximately 20 minutes later a massive explosion will destroy the entire southern wing of the 7-story hotel. Days later, members of the Irgun Zvai Leumi "united resistance" extremist group - which includes the likes of Menahem Begin and Benjamin Emanuel, future father of Rahm Emanuel - claim responsibility for the deadly bombing. Their goal was racially-motivated and driven by intense hate. Attacking the White/Christian British in an attempt to return Palestine over to complete Jewish control. When the hotel's wreckage is cleared, the British announce that 91 people have been killed, including 28 Britons, 41 Arabs, 17 Jews, and 5 others.
And thus was born modern "terrorism," giving rise to the police state we all know today. Just don't count on Hollywood, CNN, or MSNBC talking about that... Change!
Overview
While Edward Snowden's revelation that the Kenyan-Muslim-Marxist-usurper Obama regime was using the NSA to spy on Americans was no surprise to anyone with half a brain, it did help to shed light on some types of sophisticated technical surveillance techniques which have been known to those "in the field" for a while. One of the neatest is an improvement on Leon Theremin's resonant cavity bug which was planted in the gift of a U.S. Great Seal, and was presented to U.S. Ambassador Averell Harriman in 1945 by Russia. The "opening" of the resonant cavity was covered with a thin metal-foil diaphragm which deflected in the presence of sound waves. When illuminated with an unmodulated RF carrier, the cavity would resonate and rebroadcast a modulated (phase and a little amplitude) version of the illumination carrier. Subtract (mix) that signal with a portion of the unmodulated transmitted carrier frequency, and you're left with a baseband signal containing the room audio. As quoted from the NSA's own sales brochure:
"The radar unit [PHOTOANGLO] generates an unmodulated, continuous wave (CW) signal. The oscillator is either generated internally, or externally through a signal generator or cavity oscillator. The unit amplifies the signal and sends it out to a RF connector, where it is directed to some form of transmission antenna (horn, parabolic dish, LPA [log-periodic antenna], spiral). The signal illuminates the target system and is re-radiated. The receive antenna picks up the re-radiated signal and directs the signal to the receive input. The signal is amplified, filtered, and mixed with the transmit antenna. The result is a homodyne receiver in which the RF signal is mixed directly to baseband. The baseband video signal is ported to an external BNC connector. This connects to a processing system, such as NIGHTWATCH, an LFS-2, or VIEWPLATE, to process the signal and provide the intelligence."
The NSA's PHOTOANGLO unit appears to be an updated version of their CTX4000 system, which is pictured in the leaked secret brochure. The operating frequency range is 1-4 GHz. The use of lower illumination frequencies allows much deeper penetration into obstructed areas, such as concrete blocks or other "shielded" areas. From the brochure: "The CTX4000 provides the means to collect signals that otherwise would not be collectable, or would be extremely difficult to collect and process." The output RF power is adjustable up to 2 watts, but there is a 1 kW external amplifier option for those difficult embassy SCIFs (or rezidentura) or to remotely trickle-charge batteries via an additional antenna/diode rectifier circuit.
The baseband output(s) from these units is what's referred to as "video output." This is mostly a historical term, and does not mean the output is a "real" video signal. The baseband outputs are referred to as I&Q, for "in-phase" and "quadrature-phase," and are basically buffered and amplified outputs direct from the receive quadrature mixers. The real signal processing takes place on these baseband I&Q output signals. By processing the I&Q signals, it is possible to extract all sorts of really neat intelligence, from room audio via any micro-Doppler phase shifts, to intercepting crypto key exchanges (i.e. passive DROPMIRE), or even remotely listening to heartbeats. Unfortunately, I don't have a clue on the software processing side, so we'll have to leave that up to someone else... It should even be possible to run the I&Q signals directly (transformer-coupled) into one of those inexpensive RTL SDR dongles, or at least start there...
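The mixing step described above, written out as an added worked derivation (not part of the original article). The symbols are notation introduced here: $A$ and $\omega_c$ are the amplitude and angular frequency of the transmitted carrier, $B$ the amplitude of the return, $\theta_0$ the fixed round-trip phase, and $m(t)$, $\phi(t)$ the small amplitude and phase modulation the target imposes.

$$
s_{tx}(t) = A\cos(\omega_c t), \qquad
s_{rx}(t) = B\,[1+m(t)]\cos\big(\omega_c t + \theta_0 + \phi(t)\big)
$$

Multiplying the return by a sample of the transmitted carrier, and by a copy of it shifted 90 degrees, gives

$$
s_{rx}(t)\cdot A\cos(\omega_c t) = \tfrac{AB}{2}\,[1+m(t)]\,\big[\cos(\theta_0+\phi(t)) + \cos(2\omega_c t+\theta_0+\phi(t))\big]
$$

$$
s_{rx}(t)\cdot\big(-A\sin(\omega_c t)\big) = \tfrac{AB}{2}\,[1+m(t)]\,\big[\sin(\theta_0+\phi(t)) - \sin(2\omega_c t+\theta_0+\phi(t))\big]
$$

The low-pass filter after each mixer removes the $2\omega_c$ terms, leaving the two baseband outputs:

$$
I(t) = \tfrac{AB}{2}\,[1+m(t)]\cos\big(\theta_0+\phi(t)\big), \qquad
Q(t) = \tfrac{AB}{2}\,[1+m(t)]\sin\big(\theta_0+\phi(t)\big)
$$

For small $\phi(t)$, $I(t) \approx \tfrac{AB}{2}\,[\cos\theta_0 - \phi(t)\sin\theta_0]$ and $Q(t) \approx \tfrac{AB}{2}\,[\sin\theta_0 + \phi(t)\cos\theta_0]$. A single mixer output therefore loses its sensitivity to phase whenever $\theta_0$ sits near a multiple of $\pi$ (for $I$) or an odd multiple of $\pi/2$ (for $Q$), which is why a homodyne unit of this kind provides both outputs.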
The NSA's improvement on this surveillance technique is to use "radar retro-reflectors" to increase the sensitivity and range of the remote gear. By planting little retro-reflector circuits, it's possible to significantly increase the performance of these surveillance techniques. The NSA's LOUDAUTO device comprises a standard Knowles hearing aid microphone and simple amplifier. The audio output Pulse-Position Modulates (PPM) a low-frequency RF carrier at, say, 100 kHz.
This low-frequency carrier then toggles the gate of a quality RF FET, which basically has antennas for the drain and source. The PPM signal then "chops" the microwave RF illumination carrier to impose the (amplitude) modulation coming from the microphone. The NSA recommends the Rohde & Schwarz FSH-series of handheld spectrum analyzers for receiving and demodulating the reflected RF carrier. You know, using a $9,000 spectrum analyzer to recover a signal you can demodulate for about $100 in parts...
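Seen from the defending side, the description above implies a recognizable spectrum: a steady, narrowband carrier somewhere in the 1-4 GHz range, possibly with weak symmetric sidebands at the retro-reflector's subcarrier offset. The following is an added example (not from the original article) that checks repeated spectrum-survey sweeps for that pattern; the `Peak` record format, all thresholds and the sample sweeps are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from statistics import mean

# Illumination range this page quotes for the CTX4000/PHOTOANGLO units.
BAND_HZ = (1.0e9, 4.0e9)


@dataclass(frozen=True)
class Peak:
    freq_hz: float    # centre frequency of a detected peak
    power_dbm: float  # level at the survey antenna
    bw_hz: float      # occupied bandwidth reported by the analyzer


def cw_candidates(sweep, baseline_hz, max_bw_hz, tol_hz):
    """In-band narrowband peaks that match no emitter from the reference survey."""
    return [
        p for p in sweep
        if BAND_HZ[0] <= p.freq_hz <= BAND_HZ[1]
        and p.bw_hz <= max_bw_hz
        and not any(abs(p.freq_hz - b) <= tol_hz for b in baseline_hz)
    ]


def persistent_carriers(sweeps, baseline_hz, max_bw_hz=5e3, tol_hz=20e3,
                        min_fraction=0.9):
    """Return (mean_freq_hz, mean_power_dbm) for carriers seen in most sweeps."""
    tagged = sorted(
        (p.freq_hz, i, p.power_dbm)
        for i, sweep in enumerate(sweeps)
        for p in cw_candidates(sweep, baseline_hz, max_bw_hz, tol_hz)
    )
    clusters, current = [], []
    for item in tagged:
        # A gap larger than the tolerance starts a new frequency cluster.
        if current and item[0] - current[-1][0] > tol_hz:
            clusters.append(current)
            current = []
        current.append(item)
    if current:
        clusters.append(current)
    carriers = []
    for c in clusters:
        if len({i for _, i, _ in c}) / len(sweeps) >= min_fraction:
            carriers.append((mean(f for f, _, _ in c), mean(p for _, _, p in c)))
    return carriers


def sideband_pairs(sweep, carrier_hz, tol_hz=2e3, min_off_hz=10e3, max_off_hz=5e6):
    """Offsets (Hz) at which peaks sit symmetrically above and below the carrier."""
    upper = [p.freq_hz - carrier_hz for p in sweep
             if min_off_hz <= p.freq_hz - carrier_hz <= max_off_hz]
    lower = [carrier_hz - p.freq_hz for p in sweep
             if min_off_hz <= carrier_hz - p.freq_hz <= max_off_hz]
    return sorted(u for u in upper if any(abs(u - l) <= tol_hz for l in lower))


def assess(sweeps, baseline_hz, tol_hz=20e3):
    """Report unexplained steady carriers, strongest first, with sideband offsets."""
    findings, explained = [], []
    carriers = persistent_carriers(sweeps, baseline_hz, tol_hz=tol_hz)
    for freq, power in sorted(carriers, key=lambda c: c[1], reverse=True):
        # A weaker peak already accounted for as a sideband is not a new carrier.
        if any(abs(freq - e) <= tol_hz for e in explained):
            continue
        offsets_khz = set()
        for sweep in sweeps:
            for off in sideband_pairs(sweep, freq):
                offsets_khz.add(round(off / 1e3))
                explained += [freq + off, freq - off]
        findings.append({
            "carrier_mhz": round(freq / 1e6, 3),
            "mean_power_dbm": round(power, 1),
            "sideband_offsets_khz": sorted(offsets_khz),
        })
    return findings


def _sweep(jitter_hz, transient=False):
    """Constructed survey data; every frequency and level here is made up."""
    peaks = [
        Peak(2.437e9, -48.0, 20e6),                      # Wi-Fi: wideband, ignored
        Peak(2.110e9 + jitter_hz, -60.0, 2e3),           # in the reference survey
        Peak(3.105e9 + jitter_hz, -31.0, 1e3),           # unexplained steady carrier
        Peak(3.105e9 + jitter_hz + 100e3, -84.0, 3e3),   # sideband pair, 100 kHz out
        Peak(3.105e9 + jitter_hz - 100e3, -85.0, 3e3),
    ]
    if transient:
        peaks.append(Peak(1.8e9, -55.0, 1e3))            # appears in one sweep only
    return peaks


SWEEPS = [_sweep(0), _sweep(300), _sweep(-200, transient=True), _sweep(100)]
BASELINE_HZ = [2.110e9]  # narrowband emitters logged in a known-clean survey

if __name__ == "__main__":
    for finding in assess(SWEEPS, BASELINE_HZ):
        print(finding)
```

The bandwidth and persistence tests do the filtering: wideband traffic and one-off transmissions drop out, and the sideband pass keeps the two weak peaks from being reported as separate carriers.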
The GBPPR PHOTOANGLO unit described here will be mostly for experimentation, but should be a useable starting point. Most of the RF components were hamfest/eBay finds or salvaged from other gear, so the exact parts may be difficult to track down, but it should be easy to track down suitable equivalents.
The main oscillator is based around a manually-tuned (potentiometer) Avantek 2-4 GHz YIG-tuned oscillator. This is buffered by an optional wideband 2-7 GHz RF isolator (HP0960-0638). A Transco SPDT RF relay selects between the internal YIG oscillator or an external RF source, such as a synthesized oscillator.
The RF signal then passes through a Narda 6 dB directional coupler to split the signal between going to the receiver's Local Oscillator (LO) and to the transmitter amplifier stage. An optional HP33008C PIN diode modulator can be used to amplitude modulate the transmitted signal, if so needed.
In real-world surveillance devices of this type, it's common to "chop" up the RF illumination carrier (AM) to help extract the target intelligence from the noise via a lock-in detector tracking the transmitted modulation phase on the receive side. That will be a project for the more advanced student...
The RF signal then enters another Transco SPDT RF relay to select the use of an internal 1 watt RF amplifier, or to send the transmit signal "as-is" to a front-panel connection. The RF amplifier is an Avantek APT-6065 wideband (2-6 GHz) amplifier with 37 dB of gain and a P1dB output around +30 dBm. A linear-biased amplifier is required if you amplitude modulate the carrier to prevent distortion.
An optional RF isolator (HP0960-0084) is on the output of the Avantek APT-6065 to prevent any damage in case you forget to hook the transmit antenna up and to increase isolation between stages. The entire transmitter unit is powered by an external supply providing +28, +15, and -15 VDC sources.
A small voltage regulator board will convert the +28 VDC down to +24 VDC for the YIG's heater connection. The raw +28 VDC is used for the Transco RF relays and is also regulated down to +15 VDC for the YIG oscillator itself. Since the Avantek APT-6065 draws around 1.3 amps, it will have its own +15 VDC source from an external power supply.
The Avantek 2-4 GHz YIG oscillator has its own control circuit board. This is a standard voltage-controlled, constant-current source based around an LT1677 op-amp and an IRF510 MOSFET. A 50k ohm multiturn potentiometer controls the final output frequency.
The matching GBPPR PHOTOANGLO receiver unit will be described and built in a later article. I ran out of money this month...
Pictures & Construction Notes
Overview of the GBPPR PHOTOANGLO TX/RX Power Supply.
It's based around an Acopian TD15-160 +/- 15 VDC power supply capable of supplying around 1.6 amps, and a Condor HB28-1-A+ +28 VDC power supply capable of supplying around 1.0 amps.
The Acopian will power the majority of the transmitter and receiver circuits, while the +28 VDC power supply is required for operating the Transco RF relays and will also be regulated down to a clean +15 VDC source for the YIG oscillator.
The blue disk on the transformer's primary is a 150 VAC Metal-Oxide Varistor (MOV) to protect against any voltage transients on the incoming AC mains.
The blue rectangle device on the primary is an optional "snubber." This device consists of a series 120 ohm / 0.033 µF AC-rated capacitor to prevent the generation of a large voltage spike when power is turned off.
Overview behind the front-panel.
The power supply will be built into an old ammo can.
The 120 VAC mains input is via a standard filtered IEC connector.
The black "hot/live" lead then passes through a panel-mounted 15 amp circuit breaker then goes to a SPST switch for power control.
The white wire is the AC mains "neutral." The green wire is the AC mains Earth ground.
Three optional ferrite beads are on each of the AC mains wires (right after the IEC connector) to help knock down any incoming EMI on the power line.
Front-panel overview of the completed GBPPR PHOTOANGLO TX/RX Power Supply.
The banana jack is for an optional +28 VDC output and the 1/8-inch stereo jack (Tip: +15V / Ring: -15V / Sleeve: ground) is also for an optional +/- 15 VDC output. These will be useful for powering external hardware and should be added for future expansion.
There is a green neon lamp for a "power on" indicator.
Two 8-pin microphone jacks are used for the +/- 15 VDC and +28 VDC outputs. Only four of the pins are used on each connector:
| Pin | Description | Internal Wire Color |
| --- | --- | --- |
| 1 | +28 VDC Output | Green |
| 2 | +15 VDC Output | Red |
| 3 | -15 VDC Output | Yellow |
| 4 | Ground (Common) | Black |

Overview of the Avantek S080-1026M 2-4 GHz YIG-tuned oscillator.
This particular Yttrium Iron Garnet (YIG) oscillator was salvaged from some older microwave gear, so the exact part number doesn't appear on Avantek's website. All their YIGs tend to be quite similar, though.
This particular YIG oscillator tunes from 1.9 to 4.6 GHz with a 20 MHz/mA tuning current. The RF output (SMA jack) is around +16 dBm. Any similar YIG oscillator will work.
The +24 VDC heater connection is optional, but recommended for stable operation. Tie the -HEATER pin to the common ground.
The YIG's +FM and -FM pins are used for applying FM modulation or phase-locking, and they will not be used in this application.
Constructing the YIG oscillator control board.
Since YIGs are current-tuned devices, we'll have to use an LT1677 op-amp buffer and IRF510 MOSFET in a voltage-controlled, constant-current configuration to ensure the YIG tuning lines see the proper current.
Four 0.1% 40 ohm resistors in parallel form the current shunt for the IRF510. A 1 volt drop across these resistors equals 100 mA of YIG tuning current.
Since the YIG tunes at 20 MHz per milliamp, the tuning current for the low frequency end of 1.9 GHz is 95 mA. The tuning current for the high frequency end of 4.6 GHz is 230 mA. This corresponds to an equivalent 0.95V and 2.3V voltage drop across the shunt resistors.
A 10-turn, 50 kohm panel-mount precision potentiometer will provide the main frequency tuning.
GBPPR PHOTOANGLO transmitter voltage regulator board. The input voltages are from the external power supply.
This takes the incoming +28 VDC and converts it to +24 VDC for the YIG's heater connection and a clean +15 VDC source for the YIG's main power.
The heater draws around 100 mA initially, then backs down as the unit warms up. The YIG's main +15 VDC also draws around 100 mA continuous, separate from the tuning current.
A standard LM7824 voltage regulator is used for the YIG's +HEATER supply. The -HEATER pin is tied to the common ground.
A Micrel MIC29152BU voltage regulator is used for the +15 VDC power. The MIC29152's voltage setting resistors are 6.2 kohm and 560 ohm and should be 1% tolerance.
The +28 VDC input is also used to power the Transco RF relays.
Mounting the Avantek S080-1026M YIG, tuning control board (left), and voltage regulator board (right) onto a piece of sturdy aluminum plate.
The lines to the panel-mounted frequency tune potentiometer are pieces of scrap white Teflon coaxial cable.
The frequency tune potentiometer has a few 1% metal-film resistors in series and parallel to tweak the tuning range from around 0.7 to 2.6 volts and to minimize thermal drifting within the potentiometer.
The YIG oscillator can be mounted via rubber vibration absorption hardware to help minimize the generation of any microphonic modulations which could interfere with the transmitted RF carrier.
Rear-view of the aluminum mounting plate.
On the output of the YIG is a HP0960-0638 2-7 GHz RF isolator (blue rectangle device on the right). This is to isolate the YIG oscillator from any impedance mismatches further down the RF chain. This device is optional, but recommended.
The output from that isolator is then sent to a Transco 82152-919C74700 SPDT RF relay (port 1). This is to select either the internal YIG oscillator or an external (port 2) RF oscillator. The NSA's PHOTOANGLO does this, so we'll do it too...
The output from the RF relay passes through a Narda Model 23696 6 dB, 2-4 GHz directional coupler. The coupled 6 dB port is sent through the PIN modulator and then onto the RF amplifier.
The pass-through (output) port of the directional coupler is then sent to another optional HP0960-0638 2-7 GHz RF isolator (blue rectangle device on the left) and then finally to a panel-mounted SMA-to-N jack for use as the LO OUTPUT. It should be around +15 dBm, but using the PIN modulator will attenuate the RF power a little bit more.
Closeup view of the HP33008C PIN modulator and the Transco 82152-919C74700 SPDT RF relay used for selecting the transmitter output port.
The HP33008 is designed for the 3.7-8 GHz range, but it will still work here for modulating the RF signal with only slightly increased insertion loss. The "correct" modulator would be the HP33000, which covers 1-4 GHz. The HP33001 covers 8-18 GHz. The letter in the part number refers to the isolation range, C = 40 dB, D = 80 dB. They all use a negative bias (100 mA MAX). It's applied via the SMA jack on the "top." I've yet to find a manual for these HP33000-series PIN absorptive modulators, so if you have any info please let me know.
The RF relays require +28 VDC for proper operation. They'll be selected via panel-mounted SPST switches by toggling their ground lines. They can also be controlled externally via the optional AUX CONTROL port.
Mounting the Avantek APT-6065 wideband (2-6 GHz) amplifier and the optional HP0960-0084 isolator on its output.
The Avantek APT-6065 will need to dissipate a bit of heat, so it's mounted to a scrap aluminum plate before attaching to the side of the case. Use a liberal amount of heatsink compound to ensure good thermal contact.
The RF input to the Avantek APT-6065 should be around -8 dBm, so you may have to add an external attenuator on the input.
The final TX1 OUTPUT is via a panel-mounted SMA-to-N jack.
The optional Transco RF relay mounted on the HP33008C PIN modulator can be used to bypass the RF amplifier stage. This connects (port 2) directly to the TX2 OUTPUT which is also a panel-mounted SMA-to-N jack.
Internal overview of the (partially) completed GBPPR PHOTOANGLO transmitter unit.
The aluminum plate with the YIG oscillator and its control/voltage regulator board are mounted to the side of the case via standoffs.
Regular coaxial cables are used for some of the RF connections due to testing purposes. These will be replaced with RG-402 or RG-405 conformable coax for better isolation in the future.
A 12 to 15 dB attenuator may need to be added to the input of Avantek APT-6065 to meet its input RF power (-8 dBm) requirement. This may vary in your own design.
Alternate internal overview.
The FREQ TUNE 50 kohm potentiometer is a high-quality, 10-turn type with a turns counter.
An optional 4DPDT switch was added to act as a power switch for the +/-15 & +28 VDC supplies.
Pinout for the optional 8-pin AUX CONTROL auxiliary control port:
| Pin | Description |
| --- | --- |
| 1 | Transmit Output Select (Ground to enable TX2 Output) |
| 2 | External Oscillator Select (Ground to enable External Oscillator Input) |
| 3 | PIN Modulator Bias & Modulation |
| 8 | Ground (Common) |

Pinout for the 4-pin TX POWER external DC power input jack:

| Pin | Description |
| --- | --- |
| 1 | +28 VDC Input |
| 2 | +15 VDC Input |
| 3 | -15 VDC Input |
| 4 | Ground (Common) |

Finished front-panel overview of the GBPPR PHOTOANGLO 2-4 GHz Transmitter.
The N jack on the upper-right is the approximately +15 dBm LO OUTPUT (Local Oscillator Output) which will go to the PHOTOANGLO receiver unit. The N jack next to it is for the optional EXT OSC INPUT (External Oscillator Input, +15 dBm MAX).
The N jack on the center-left is the main +30 dBm TX1 OUTPUT (Transmit 1 Output) from the Avantek APT-6065 amplifier. The N jack below that is the +7 dBm TX2 OUTPUT (Transmit 2 Output) and should have a 50 ohm load on it. This could also be handy for shutting down the transmitter RF output without having to power down the entire unit.
The red YIG POWER switch controls the +/-15 & +28 VDC input power supplies. The yellow TX OUT 2 / TX OUT 1 switch controls the transmitter output select RF relay. TX OUT 1 is the default. The green EXT OSC / INT OSC switch controls the external/internal oscillator select RF relay. INT OSC is the default.
Below the yellow switch is the FREQ TUNE multiturn potentiometer with a turns counter. Next to it is the 8-pin AUX CONTROL input jack.
Below the AUX CONTROL is the 4-pin TX POWER jack which goes to the GBPPR PHOTOANGLO TX/RX Power Supply.
GBPPR PHOTOANGLO 2.4 GHz Transmitter with the matching GBPPR PHOTOANGLO TX/RX Power Supply (bottom).
GBPPR PHOTOANGLO 10W 2.4 GHz Amplifier with the matching GBPPR PHOTOANGLO 15V / 3A Power Supply (top).
Below is a chart of the transmitter's frequency versus RF output power (from the Avantek APT-6065). The roll-off above 4 GHz has to do with the isolator on the output of the APT-6065 amplifier.

| Frequency (MHz) | RF Input (dBm) | RF Output (dBm) |
| --- | --- | --- |
| 2000 | -8.0 | +29.1 |
| 2100 | -8.1 | +29.1 |
| 2200 | -8.1 | +29.3 |
| 2300 | -8.2 | +30.2 |
| 2400 | -8.2 | +30.5 |
| 2500 | -8.5 | +30.4 |
| 2600 | -8.4 | +30.8 |
| 2700 | -8.3 | +30.7 |
| 2800 | -8.2 | +31.0 |
| 2900 | -8.3 | +30.7 |
| 3000 | -8.4 | +30.6 |
| 3100 | -8.4 | +30.5 |
| 3200 | -8.5 | +29.9 |
| 3300 | -8.3 | +29.8 |
| 3400 | -8.2 | +29.9 |
| 3500 | -8.3 | +29.4 |
| 3600 | -8.1 | +29.3 |
| 3700 | -8.4 | +28.9 |
| 3800 | -8.6 | +28.3 |
| 3900 | -8.5 | +28.3 |
| 4000 | -8.4 | +28.4 |
| 4100 | -8.3 | +27.5 |
| 4200 | -8.6 | +27.3 |
| 4300 | -8.5 | +24.4 |
| 4400 | -8.2 | +24.1 |
Schematic
Related Video & Audio
- GBPPR Vision #25: Overview of the NSA's CTX4000/PHOTOANGLO Radar Units (YouTube)
- GBPPR Vision #26: Overview of the NSA's TAWDRYYARD Radar Retro-Reflector (YouTube)
- GBPPR Vision #27: Overview of the NSA's LOUDAUTO Radar Retro-Reflector (YouTube)
- GBPPR Vision #28: Overview of the NSA's RAGEMASTER Radar Retro-Reflector (YouTube)
- GBPPR Microwave Surveillance Device #5 Using a slightly modified Decatur RM-715 X-band police radar. (YouTube) (MP3 Audio)
- GBPPR Microwave Surveillance Device #6 Using a slightly modified Decatur RM-715 X-band police radar. (YouTube) (MP3 Audio)
- GBPPR Microwave Surveillance Device #3 Using a stock Kustom Signals Hawk K-band police radar antenna (MA86732 Gunnplexer). (YouTube)
- GBPPR Microwave Surveillance Device #4 Phone dial tone at 40 feet with a hallway acting as a waveguide and other test sounds. (YouTube)
- Kaiser 2010 Doppler Stethoscope - Test Audio Sample #1 Aimed at a phone three feet away. You can hear the dial tone and recording. Raw audio output with a Kaiser 1059 Preamplifier. (1M MP3)
- To Protect and Infect: The Militarization of the Internet - Part 2 Chaos Computer Club 30c3 speech by Jacob Appelbaum. (Slides) (YouTube)
- Seeing the Secret State: Six Landscapes Trevor Paglen discusses his work attempting to "see" the various aspects of the secret state. In examples ranging from tracking spy satellites to foraging through the bureaucratic refuse of CIA front companies. (YouTube)
- An Inside Look at the NSA With Whistleblower William Binney - Part 1 In this video WeAreChange gets an unique inside look at inner workings and evolution of the NSA with NSA whistleblower William Binney. (Part 2) (YouTube)
- The NSA and the 9/11 Deception As the public finally becomes outraged over the NSA's illegal spying, members of government and the corporate media wage an information war to misdirect that anger to issues of less importance. To counteract this, a bold new citizen-led initiative to nullify the NSA is now gaining momentum around the United States.
- NSA Wiretapping Public Service Announcement What we can do about the NSA wiretapping our phones.
- Sexy NSA Commercial with Sasha Grey
- Frontline: Spying on the Homefront Frontline documentary on the National Security Agency.
- Martial Law 9/11: Rise of the Police State What a modern police state looks like.
- Julian Assange: Sysadmins of the World, Unite! Julian Assange addressed a major gathering of computer experts at the Chaos Communication Congress (30c3) in Hamburg, Germany, calling on them to join forces in resisting government intrusions on Internet freedom and privacy. (YouTube)
- ShmooCon 2014: The NSA - Capabilities and Countermeasures Edward Snowden has given us an unprecedented window into the NSA's surveillance activities. Drawing from both the Snowden documents and revelations from previous whistleblowers, I will describe the sorts of surveillance the NSA does and how it does it. The emphasis is on the technical capabilities of the NSA, not the politics of their actions. This includes how it conducts Internet surveillance on the backbone, but is primarily focused on their offensive capabilities: packet injection attacks from the Internet backbone, exploits against endpoint computers and implants to exfiltrate information, fingerprinting computers through cookies and other means, and so on. I will then talk about what sorts of countermeasures are likely to frustrate the NSA. Basically, these are techniques to raise the cost of wholesale surveillance in favor of targeted surveillance: encryption, target hardening, dispersal, and so on. By Bruce Schneier
- Corbett Report Interview 793: John Young Breaks Down the Snowden/NSA Saga John Young of Cryptome.org joins us to discuss the Snowden/NSA affair, and how it is being reported by Glenn Greenwald and others with access to the documents. We discuss the way in which the documents are being released, Greenwald's new journalist venture with billionaire Pierre Omidyar and major book publishing deal, Sibel Edmonds' recent series of articles on these connections, and the layers of smoke and mirrors in this ongoing game of cloak and dagger.
Datasheets & Notes
- Higher resolution pictures and the original project article are available in GBPPR 'Zine Issue #119
- Avantek AFT/AMT/AWT-Series Wideband RF Amplifiers (680k PDF)
- Avantek APT-Series Wideband RF Power Amplifiers (771k PDF) (Internal View)
- Avantek Octave-Band YIG-Tuned Oscillators (131k PDF)
- Vishay IRF510 Power MOSFET (135k PDF)
- Micrel MIC29152 LDO Voltage Regulator (148k PDF)
- Mitsubishi MGF1302 GaAs FET COTS microwave FET for NSA's LOUDAUTO radar retro-reflectors. (221k PDF)
- NEC NE33284A HJ-FET COTS microwave FET for NSA's RAGEMASTER radar retro-reflectors. (1.9M PDF)
- Knowles EK/EY-Series Microphones COTS microphone for NSA's LOUDAUTO radar retro-reflectors.
- A Simple Approach to YIG Oscillators by Bernd Kaa, DG4RBF (1.7M PDF)
- The PIN Diode as a Microwave Modulator HP Application Note 58 (1.8M PDF)
- Signal Bandwidth vs. Resolution for Analog Video Analog Devices AN-944 (121k PDF)
- Automatic Clutter-Canceler for Microwave Life-Detection Systems (322k PDF)
- Active Electromagnetic Attacks on Secure Hardware University of Cambridge Technical Report 811 (10.6M PDF)
- Poam Electronics RTF-118 Broadband Horn Antenna (89k PDF)
- Kent Electronic Quality log periodic antennas by Kent Britain, WA5VJB, at very decent prices.
- Mitsubishi GaAs FET Markings (224k PDF)
- NEC GaAs FET Markings
- Fujitsu GaAs FET Markings (327k PDF)
- Security Engineering - A Guide to Building Dependable Distributed Systems
- NSA Codenames List of NSA/GCHQ codenames affiliated with hacking and bugging.
- How the NSA Monitors Target Computers with Radar Wave Devices
- The NSA Has Special Technology for Beaming Energy Into Computer Systems & You
- NSA Devises Radio Pathway Into Computers
- -moose- Archive on Reddit Large collection of related links.
- NSA Spyware Names as Band Names LOL!
- The NSA Product Generator
- Schneier on Security: PHOTOANGLO - NSA Exploit of the Day
- Schneier on Security: CTX4000 - NSA Exploit of the Day
Closeup view of the TAWDRYYARD retro-reflector. The 6-pin device is the square wave oscillator (microcontroller - PIC10F20x-series, tinyAVR, etc.) This feeds the gate of a FET, located on the back of the device. The red wire is +3V from a lithium coin cell and the black wire is ground. The oscillator frequency is chosen to be unique and can even be pulsed to reduce power consumption.
- Schneier on Security: TAWDRYYARD - NSA Exploit of the Day
Closeup view of a SURLYSPAWN retro-reflector. Transistors forming a low-frequency (MHz range for the bandwidth) square wave oscillator (carrier). This feeds the gate of a FET, located on the back of the device. The keyboard data (white wire) frequency-shift keys (two-level) the square wave carrier. The red wire is +5V from the keyboard Vcc and the black wire is ground. The vertical wire at 1-14/32" is the antenna on the FET's drain. Received data is decoded via a standard FSK data slicer circuit.
- Schneier on Security: SURLYSPAWN - NSA Exploit of the Day
Closeup view of a RAGEMASTER retro-reflector inserted in a VGA monitor cable. The red thing is an enameled air-core inductor (connecting isolated cable shields, couple H&V sync via ground spikes to FET's drain antenna), the thing with the "U" label is the NEC NE33284A FET, the black thing with numbers (left) is a 1 Mohm bias resistor (gate to source tied to left shield ground), the black rectangle (right) is a diode (DC restore clamp) on the FET's gate to source (ground), the brown rectangle (top) is a capacitor (AC coupled red video to gate, 0.1 µF). The short little wire on the FET's drain to (right) cable shield is the antenna. The yellow film is Kapton tape. A fake moulded ferrite bead covers the implanted FET circuit. A TAWDRYYARD beacon is required to identify the general location of a RAGEMASTER implant. An external processing unit (LFS-2, NIGHTWATCH, GOTHAM, VIEWPLATE) is used to analyze/detect/filter and reinsert the H&V sync signals and display the target video signal.
- Schneier on Security: RAGEMASTER - NSA Exploit of the Day
Closeup view of a LOUDAUTO retro-reflector. The Knowles EK/EY-series microphone is on the left, the little black rectangles with numbers are resistors, the brown rectangles are capacitors (filtering and blocking DC bias), the 6-pin device is the PPM (ultrasonic) clock generator (microcontroller - PIC10F20x-series, tinyAVR, etc.), the white circle thing with the "Ax" label is the (MGF1302) FET. Top of the "A" is the gate. The red wire is +3V from a lithium coin cell and the black wire is ground. The vertical wire at 1-15/32" is the antenna on the FET's drain.
- Schneier on Security: LOUDAUTO - NSA Exploit of the Day
- A NSA Coworker Remembers the Real Edward Snowden: 'A Genius Among Geniuses' "Another hint of his whistleblower conscience, aside from the telltale hoodie: Snowden kept a copy of the Constitution on his desk to cite when arguing against NSA activities he thought might violate it."
- Data Pirates of the Caribbean: The NSA is Recording Every Cell Phone Call in the Bahamas
- Inside the NSA's Secret Efforts to Hunt and Hack System Administrators
- Exclusive: Courier Services Deny Participation in NSA Interception Program
- Secrets, Lies and Snowden's Email: Why I Was Forced to Shut Down Lavabit For the first time, the founder of an encrypted email startup that was supposed to insure privacy for all reveals how the FBI and the U.S. legal system made sure we don't have the right to much privacy in the first place.
- IC Off the Record Snowden leaks revealed in 2013.
- NSA Surveillance Story: NWO Media Trickery by INCOG MAN
- How Does the NSA Break SSL? Post on the 'A Few Thoughts on Cryptographic Engineering' blog.
- On the NSA Post on the 'A Few Thoughts on Cryptographic Engineering' blog.
- Joint Threat Research Intelligence Group (JTRIG) Tools and Techniques (1.1M PDF)
- TEMPEST: A Signal Problem The story of the discovery of various compromising radiations from communications and COMSEC equipment, Cryptologic Spectrum, Vol. 2, No. 3, Summer 1972. The entire section under "Flooding" is censored. Hmmm... (285k PDF)
- NSA's Special Collection Service EINSTEIN/CASTANET Located on the top floor of the U.S. embassy in Berlin and elsewhere (Special Collection Service). This is not a transmitting antenna system, though it can be used for transmitting/illumination/RF flooding/etc. This is a wideband microwave SIGINT (bug repeater, telco microwave backbones, WiFi, GSM/cellular, satellite up/downlinks, etc.) collection system. Note the dual wideband log periodic antenna feeds (horizontal/vertical polarization, 0.5-18 GHz) and the precision (fraction of a degree - Az/El) stepper motor dish positioning system. The receive electronics portion is mounted onto the back of the dish. The "curtain" in the background is made of conductive fabric to knock down stray RFI and to block the setup from nosey diplomatic staff. The parabolic dish is designed to be broken down into several smaller sections for concealment and transportation. EINSTEIN(?) is the antenna setup's codename, CASTANET(?) is the handheld positional controller's codename and is based around a Qlarity QTERM-G55 data terminal (Qlarity Foundry Software Manual, Qlarity Programmer's Reference Manual).
- Wideband Retroreflector U.S. Patent 7,383,026 (NSA Patent)
- Vibration Detection U.S. Patent 5,828,331 (Medcon Limited)
- Phase Modulation in RF Tag U.S. Patent 7,180,402
- Microwave Responder U.S. Patent 5,119,099
- Shielded Access Apparatus for use in an Enclosure for Preventing Propagation U.S. Patent 4,841,692
- Electromagnetic Radiation Shielding Enclosure and Shielding Components U.S. Patent 4,823,523
- Here is a little information pamphlet on a similar commercial PHOTOANGLO/LOUDAUTO surveillance device called the "Sabre" which uses remote RF energy (888.5 MHz @ +20 dBm with 10 dB antenna gain) to "illuminate" a remote transponder (125 kHz) which contains the target audio. It's made by Security Research (Audiotel) in the U.K.
Wanna steal U.S. secrets? Obama's cell phone is RF illuminating the wired secure telephone...
(Secure Phone + RF Carrier) - RF Carrier (Phase Shifted) = 0day Sekretz
- LM Technologies LM006 802.11n 150 Mbps WLAN USB Adapter Build your own NSA COTTONMOUTH-series USB implants and save around $1 million! (600k PDF)
- Hyperion Bristol: Open-Source NSA Technology (Airborne WiFi) Homebrew version of the NSA's SPARROW II UAV-based (airborne) wireless LAN collection system.
- NSA BIOS Backdoor (a.k.a. God Mode Malware) - Part 1: DEITYBOUNCE This article is the first part of a series on NSA BIOS backdoor internals. (Part 2)
- GainSpan Maker of the GS2000 ultra-low-power 802.11 WLAN Systems-on-a-Chip (SoC). Integrated 802.11b/g/n radio, media access controller, baseband processor, on-chip memory, and networking applications processor on a single silicon die.
- FMS Advanced Systems Group Sentinel Visualizer provides advanced link analysis, data visualization, geospatial mapping, and social network analysis.
- Scientific and Technical Options Assessment Report: Interception Capabilities 2000 Report to the Director General for Research of the European Parliament. By Duncan Campbell, IPTV Ltd., Edinburgh, Scotland, April 1999.
"France and Germany, and many other countries, require U.S. companies to register their encryption key for reasons of national security... All the American transmissions are monitored and the data is passed onto the local competitors... Companies like IBM finally began to routinely transmit false information to their French subsidiary just to thwart the French Secret Service..."
--- Excerpts from the book Friendly Spies by Peter Schweizer. Socialism works - when you have the U.S. to steal from...
- Friendly Spies How America's allies are using economic espionage to steal our secrets, by Peter Schweizer. (Scribd Entry) (Amazon Entry) (51.3M PDF)
- Why We Spy on Our Allies by R. James Woolsey, a Washington lawyer and a former Director of Central Intelligence.
- Boeing Called a Target of French Spy Effort (Mirror)
- Cleaning the Bug House The new U.S. Embassy in Moscow was half done. Then officials realized the Soviets had built hundreds of listening devices right into the structure.
- Prosper in Israel Help prevent another King David Hotel bombing! Your donations and support can help send needy non-Jewish immigrants and elderly Holodomor survivors to Israel in order to further support diversity and multiculturalism.
Other Related GBPPR Projects
- Passive Resonant Cavity & "Spycatcher" Technical Surveillance Devices
- Wireless Keystroke Data Tap
- VGA Video Monitor Transmitter
- Laser Bounce Listening Device
- Battlefield Laser Warning Receiver
- Doppler Stethoscope for E.O.D. Applications
- Martin Kaiser 1059 Preamplifier
- GBPPR Remote Telephone Surveillance Experiments
- Intercepting Older Digital Cordless Phones
- GBPPR Radar Experiments
- GBPPR Active Denial System
- van Eck-style Radiation Interception Experiments
- Through-the-Wall Motion Detection Device
- GBPPR Non-Linear Junction Detector
- Homebrew Lock-In Amplifier
- GBPPR Remote Respiration/Heart Beat Monitor Experiments
- GBPPR Interferometric Surveillance Device Experiments - Part 1
- GBPPR Interferometric Surveillance Device Experiments - Part 2
- GBPPR Speech Jammer
- Ultrasonic Surveillance Bug
- Anti-TASER Clothing Experiments
- Techniques for Countering Thermal Imaging Devices