Former NSA Analyst Stores Top Secret Info on Home PC

Computers seized from a retired National Security Agency analyst’s home in 2007 contained information that is classified at a level beyond “top secret,” officials said in court filings Tuesday.

A prosecutor and a senior NSA official made the claim to a federal court in Baltimore in response to a motion ex-NSA analyst Kirk Wiebe filed in November, demanding that the Federal Bureau of Investigation return items seized from Wiebe’s Westminster, Md. home four-and-a-half years ago.

“Documents [found on hard drives in Wiebe’s home] contain information that is currently and properly classified TOP SECRET//SI/REL to USA, FVEY,” the deputy chief of staff for signals intelligence policy and corporate issues in NSA’s Signals Intelligence Directorate wrote in a declaration. The NSA official who signed the declaration (posted here) gave his name solely as “Steven E. T.,” in keeping with an NSA policy of not publicly identifying most of its employees.

“Steven E. T.” did not detail the nature of the ostensibly classified documents, but explained that “SI is an SCI (Sensitive Compartmented Information) compartment used to protect especially sensitive communications intelligence information.” FVEY stands for “five eyes,” a restriction limiting disclosure of information to officials of the U.S. and four key allies who cooperate closely with NSA: Australia, Canada, New Zealand, and the United Kingdom.

According to sources familiar with the case, Wiebe’s home was searched pursuant to a search warrant issued in 2007 as he, several other NSA veterans and a former House Intelligence Committee staffer were investigated in connection with leaks related to the NSA’s warrantless wiretapping program and claims of mismanagement of NSA programs. Wiebe was never charged with a crime. Justice Department officials say the probes are now closed.

A friend and colleague of Wiebe at NSA, Thomas Drake, was indicted in 2010 on 10 felony charges related to alleged mishandling of NSA information. Prosecutors said Drake passed some of the information on alleged NSA mismanagement to the Baltimore Sun, though he was not charged directly with leaking. On the eve of trial last year, prosecutors dropped the felony charges and Drake pled guilty to a misdemeanor offense of accessing a government computer for an unauthorized purpose. Drake was sentenced to one year probation and community service.

Wiebe said Tuesday that he was troubled by the government’s claim that his computers had critical secrets on them.

“I am dismayed to hear the government thinks there is classified information on either or both of my two computers. Frankly, I wouldn’t put classified information on my computers. After 32 plus years in the business, you don’t do that sort of thing, and – again frankly speaking – I could not conceive of a need to ever do so,” Wiebe told POLITICO via e-mail. “I have no idea what documents the government is referring to and I am more than a little surprised to hear the government thinks I have ‘150 pages of NSA information’ on one of the computers.”

“Secondly, the government does not say I put classified information on my computers, just that there is some there, in the government’s opinion,” Wiebe said. He said it’s possible the government concluded that information not considered classified previously or that was never removed from NSA is now classified.

Wiebe said NSA may have now deemed to be classified research he and others put together as part of business proposals drafted after leaving the agency. “Might the government now—years later—claim those concepts are classified?  I don’t know, but something doesn’t seem right, if that’s the case,” he said.

An attorney for Wiebe and other self-styled whistleblowers who worked at NSA said she is dubious about the government’s classification claims since prosecutors gave Wiebe immunity in 2010 in connection with his statements.

“It defies credulity that if my clients’ hard disk drives contained not only classified information—but SI, a Sensitive Compartmented Information category used to protect especially sensitive intelligence information, that the Justice Department would have given them immunity letters,” Jesselyn Radack of the Government Accountability Project said.

Prosecutor Thomas Barnard said in a court filing (posted here) that the hard drives cannot be returned to Wiebe now because of the classified information they contain. He also said a 10-page hard-copy document agents found cannot be returned for the same reason. Barnard asked Judge Richard Bennett to appoint a magistrate judge to oversee the process of separating Wiebe’s personal data from the classified information on the disks.

It’s unclear from the court filings whether the computers found in Wiebe’s home were thoroughly analyzed at the time they were seized. The NSA personnel whose declarations were filed with the court on Tuesday seemed to be examining the hard drives for the first time. The NSA experts make no reference to what the FBI concluded about the data back in 2007.

Posted on Sun, Jan 22, 2012 by John Jolly

Aldrich Ames Audio Recording 

Aldrich Ames Audio Recording 1
Ames describes two secret CIA operations, one of which was “CK – Absorb” which was a $60 million covert project where the CIA filled a cargo container on a train going west on the TransSiberia railroad with highly sensitive electronic sensors that were supposed to take readings of Soviet warheads that were being shipped by rail eastward on the same train line. The project never produced any useful information because Ames tipped off the Soviets before it was fully developed. He also describes “CK – TAW” an operation where the CIA was able to wire tap the KGB in Moscow. The “CK” designation was used as a prefix by the CIA to denote a secret operation.

Aldrich Ames Audio Recording 2
Ames describes the CIA “assets” he betrayed, including several whom the KGB immediately arrested and executed. He identified them by the cryptonyms (codenames) that the CIA had assigned them. You will hear him discussing “GT Accord” — later identified as Vladimir Vasilyev — who was in the GRU (Glavnoye Razvedyvatelnoye Upravlenie — Soviet Military Intelligence), which sounds like “ga-new” on the tape when Ames says it. One of his most sensational revelations is the story of “GT Fitness” — Gennady Varenik — an officer in Germany who warned the CIA about a KGB plot to plant bombs near U.S. military bases.

“Why did you commit treason?”

“Treason?”

Aldrich Hazen Ames repeats the word out loud as if he is shocked by it. The word itself sounds evil, doesn’t it? he says. He prefers spying. It is easier on the ear, exotic even, much more civilized. “Rick” Ames is excellent with words. He enjoys the sound of his own voice, listening to his explanations, repeating his detailed rationalizations. He is smart, extremely well-read (he has read an average of two or three books each week since he was a teenager) and he can be affable. A listener has to remind himself that Ames also is one of the most cold-blooded traitors in U.S. history. During the nine years that he worked for the KGB as a mole, Ames single-handedly shut down the CIA’s eyes and ears in the Soviet Union by telling the Russians in 1985 the names of every “human asset” that the U.S. had working for it there. In all, he sold the KGB the names of twenty-five “sources.” These twenty-four men and one woman, all Russians, were immediately arrested and ten were sentenced to what the KGB euphemistically referred to as vyshaya mera (the highest measure of punishment). The condemned person was taken into a room, made to kneel, then shot in the back of the head with a large-caliber handgun so his face would be made unrecognizable. His body was buried in a secret, unmarked grave to further punish his loved ones. It was part of the Stalinist tradition. Although Ames didn’t know most of the spies whom he betrayed, one of them was a Soviet diplomat whom he considered to be one of his best friends. Ames betrayed him, not once, but twice.

Besides revealing the names of every U.S. spy in the Soviet Union, Ames derailed vital CIA covert operations and put dozens of CIA officers at risk. In return for his treason, the KGB paid him more than $2 million and kept another $2 million earmarked for him in a Moscow bank, making him the highest paid spy in the world.

His arrest in February 1994 badly embarrassed the CIA. He remains the most damaging mole ever to burrow into the agency. After he was caught, Congress criticized the CIA for badly bungling the Ames investigation. It should have been known that he was a mole much earlier but instead of investigating obvious clues — he drove a new Jaguar to work that cost more than his annual salary — it spent years chasing dead-end leads and focusing on obscure suspects.

While that criticism stung, what really infuriated CIA officers the most about Ames was that he was one of their own. He came from a CIA family. The CIA had trained him to recruit foreigners as spies. Yet, he was the one who had betrayed his own country. Why?

“What really amazed me about Rick Ames is that I thought he had a feeling of loyalty to the people whom he dealt with and that is the betrayal that I can’t understand,” said FBI agent R. Patrick Watson. “I can understand why he didn’t have any loyalty to the agency. I can understand how he could have lost his way so that there came a point when it didn’t matter to him if he was the recruiter or the recruitee. But what I can’t understand is how he lost his loyalty, not only to his coworkers, such as me, but his friends! How can you ever justify betraying the people closest to you?”

Carleton & Rachel Ames

Rick Ames would later jokingly claim that spying was in his blood. His father, Carleton Ames, had worked secretly for the CIA in Burma in the early 1950s, posing as a college professor on leave to study the local culture there. Ames did not learn about his father’s covert activities until after the family returned from overseas and settled in a Washington D.C. suburb. Carleton told him in the spring of 1957 when he suggested that Rick, then a gangly sixteen year old, apply to work in a summer jobs program that the agency offered exclusively for its employees’ children. Rick was hired and spent the summer helping make fake money used in training exercises at “the Farm” — the CIA’s secret training facility.

Ames in high school

Rick’s mother, Rachel, was a much beloved high school teacher, and Rick ran with the school’s wittiest crowd at Langley High School. He excelled in drama, wore a trench coat each day, invented his own secret language and abhorred routine. He turned his dates into secret missions by having his girlfriend and him assume the roles of wealthy socialites or first time visitors to Washington. “I remember Rick telling me once,” said a high school friend, “never tell anyone your true feelings. It was weird. We were only seventeen…and he suddenly just said it: ‘Never tell anyone your true feelings. Let them believe an illusion.’”

Ames’ family portrait

After graduation, Ames attended the University of Chicago but spent so much time working in the drama club there on plays that he flunked out. His dad got the agency to hire him in February 1962. At night, he attended college classes. Ames quickly learned that his passion for acting was useful when he was trained at the Farm to become a case officer in the Directorate of Operations, the CIA’s covert branch. “At the Farm there was a great emphasis on camaraderie,” Ames recalled. “You were told that you were now part of an elite service, and that your job was paramount to the very survival of the United States. Because of these things, you were entitled to lie, cheat, deceive. You could operate in disguise, be anyone you wished.” The CIA assigned him to its Soviet division and sent him to Ankara, Turkey, where he posed as a military officer. His job was to recruit Turks as spies, but he only managed to “turn” one asset: a local beauty pageant contestant whose boyfriend was involved in a revolutionary group trying to overturn the Turkish government. It was a dismal tour. When he returned to Washington in 1972, his supervisor predicted that Ames would never be an effective case officer because he had trouble working “face to face…with unknown personalities who must be manipulated.” Simply put, he was lousy at recruiting spies.

Ames was so distraught that he considered quitting, but the agency sent him to its foreign language school where he quickly mastered Russian and in 1974, he got a break. Colombian intelligence agents had blackmailed a midlevel Soviet diplomat into becoming a spy, but he refused to work with them and insisted on being turned over to the CIA. Alexander Dmitrievich Ogorodnik was given the cryptonym Trigon to protect his identity, and Ames was put in charge at CIA headquarters in Langley, Virginia, of overseeing him. At first, Trigon didn’t appear to be very valuable because all he knew about was diplomatic affairs in Bogota. But then he was called back to Moscow and assigned to the Soviet Foreign Ministry. There, Trigon photographed hundreds of classified diplomatic cables that were so important that copies of them were delivered daily to the White House and given to Henry Kissinger. One of Trigon’s first requests to Ames was for an “L” (lethal) pill so he could commit suicide if caught. Ames had one concealed in an expensive pen and in 1977, Trigon used it to kill himself after he was exposed by a Czechoslovak translator who had gotten a job at the CIA without the agency realizing that he was a KGB mole.

Even though Ames still couldn’t recruit spies, his handling of Trigon so impressed his bosses that they sent him to New York City, a hotbed for spying because it was home to the United Nations. Ames was assigned there to handle Sergey Fedorenko, a nuclear arms expert assigned to the Soviet U.N. delegation, whose cryptonym was Pyrrhic. Ames would later claim that Pyrrhic disclosed key missile information and crucial details about Soviet procurement practices, before he was called back to Russia. Before they parted, Ames and Fedorenko hugged. “We had become close friends,” said Ames. “We trusted each other completely.”


In early 1978, Ames got another juicy assignment: handling Ambassador Arkady Nikolaevich Shevchenko, the number two man in the U.N. bureaucracy, who had secretly been spying for the U.S. for more than two years. Ames helped hide Shevchenko from the KGB when he defected and consoled him after his wife, who was taken back to Russia under armed guard, mysteriously “committed suicide” out of shame because he had dishonored her. Shevchenko was the highest-level Soviet official ever to defect and Ames was at the top of the spy game. But at home, his personal life was a mess. Ames and his wife, Nan, had grown apart. Bored and lonely, he began checking into hotels and going on drinking binges.

William Casey (DCI)

Much to his surprise, Ames was passed over when it came time for promotions because he had failed to recruit a single spy. He applied in 1981 for a covert diplomatic post in Mexico City so he could prove himself as a recruiter. His wife, Nan, stayed in New York. In Mexico, he once again floundered. His failed efforts at recruitment led to more drinking binges and disillusion. “Beginning with Trigon and later with Arkady Shevchenko, the CIA was getting really good, and I mean first-class, political information about the Soviets,” Ames said later. “We knew we were disproportionately stronger than the Soviet Union and the Warsaw Pact. And yet, decade after decade, the political leadership in both parties ignored that intelligence. They were committed to running around and screaming, ‘the Russians are coming! The Russians are coming!’ It was nonsense.” Ames was especially outraged by CIA Director William Casey’s preoccupation with the Sandinista rebels in Nicaragua. Over drinks with other CIA employees, Ames complained bitterly about what he called U.S. “aggression.”

“All of us were concerned about him,” recalled a close friend, Richard Thurman, who worked in Mexico City for the State Department. “He was beginning to express some real skepticism about what our country was doing in Latin America.”

Maria del Rosario

Enter Maria del Rosario Casas Dupuy, the cultural attaché for the Colombian Embassy in Mexico. One of Ames’s CIA buddies, David Samson, was paying her to use her apartment for clandestine meetings with Mexican spies and he thought she and Ames might hit it off. Rosario was slim, attractive, and came across as an intellectual. Before long, they were in love. Ames took her on weekend jaunts to Acapulco where they made love on the beach. They dined in Mexico City’s finest restaurants and, because he was a diplomat, attended the U.S. government’s most glamorous affairs.

In September 1983, Ames finally got a promotion. It was arranged by a CIA official who had worked with Ames in New York City and didn’t know about his mediocre performance in Mexico. He was named counterintelligence branch chief in Soviet operations, a job that would require him to return to CIA headquarters and would give him access to nearly all of the agency’s Soviet cases, including the names of all of the CIA’s “human assets” in the Soviet Union.

Ames broke the news to Rosario just before he was scheduled to return home. She was crushed and became even more despondent when he told her that he was actually a CIA officer and had a wife waiting in New York. He left Rosario heartbroken in Mexico City, but shortly after he settled into a tiny apartment in Virginia, he learned that Rosario’s father had died suddenly and he raced back to Mexico to comfort her. When he returned home, she tagged along.

Ames was stunned at work when he began reading the dossiers of the CIA’s spies. “My god,” he later exclaimed. “We had penetrated every aspect of the Soviet system.” Adolf Tolkachev, whom the agency called Vanquish, had volunteered in 1977 and been paid $2 million in return for giving the CIA details about the Soviet military’s entire avionic system, a treasure that, Ames said later, would have given the U.S. “unquestioned air superiority” had a war broken out. The second most important asset was not a human, but a technical one called TAW. In 1979, the CIA discovered the Soviets were building a secret communications center outside Moscow that was connected to the KGB headquarters in downtown Moscow by tunnels that housed miles of cables for telephones and teletype messages. The agency bribed a member of the construction crew and got him to install a recording device in one of the tunnels that permitted it to intercept the KGB’s message traffic.

There was another fantastic technical covert operation, called Project Absorb, underway at the time. By 1983, the CIA had identified the location of every permanent ground-based nuclear missile in the Soviet Union, but it wasn’t certain how deadly these missiles were after the Soviets began developing MIRVs (multiple warheads on single launchers). CIA scientists knew that each warhead emitted a tiny amount of radiation, so they designed a souped-up Geiger counter to determine the number of warheads each missile contained. The Geiger counter was mounted on a cargo container that was shipped east along the Trans-Siberian railroad from a Pacific port. En route, it passed a Soviet train carrying MIRV missiles, and in the seconds it took for the trains to pass, the Geiger counter counted the warheads.

In all, the CIA had more spies working inside the Soviet Union than at any time in its history. Besides the dossiers of its agents, Ames had access to information about Soviets who were working for the CIA outside the Soviet empire. Two caught his eye. Both were KGB officers assigned to the Soviet Embassy in Washington D.C. Valery F. Martynov, whose cryptonym was Gentile, was assigned to Line X, the KGB division charged with stealing scientific and technical intelligence. The other, Sergey Motorin, known as Gauze, was a KGB Major knowledgeable about Soviet intelligence. The FBI was using both to learn about the Russians’ covert operations in Washington.

Valery Martynov & Sergey M Motorin

As soon as she arrived in Virginia, Rosario began pressuring Ames to divorce Nan. When he finally confronted her in New York, Nan immediately agreed to a divorce but made it clear that she was going to keep most of their joint assets. Rosario, meanwhile, was running up huge bills that Ames couldn’t pay. She phoned her mother in Bogota almost daily, resulting in $400 per month charges. Ames got a second credit card and ran it up to the maximum $5,000 limit. Still, he couldn’t cover the costs of Rosario’s unchecked spending. By late 1984, he had close to $34,000 in unpaid debt. He owed another $16,000 to Nan as part of the divorce settlement. His salary was about $45,000 per year and he estimated that he needed at least twice that to cover the cost of his new lifestyle with Rosario. He thought about putting her on a strict budget, but was afraid she might leave him. One night on a train ride home from New York, where he had just signed papers finalizing his divorce, Ames found himself fantasizing about ways to raise money. “My first thought was robbing a bank,” he recalled. But he quickly rejected that idea. Then he remembered that the KGB had once offered one of his CIA subordinates $50,000 to spy. “That was just about what I needed to pay off all of my debts,” he later recalled. By the time the train pulled into Washington’s Union Station, Ames had made up his mind. He had figured out a way to earn a quick $50,000.

The CIA had asked Ames to recruit a Soviet Embassy press attaché, but the Russian had made it clear from the beginning that he was not interested. He had, however, stunned Ames by suggesting that he contact Sergey Chuvakhin, a Soviet expert in arms control. Soviets didn’t usually recommend their co-workers as potential CIA targets. Years later, the press attaché would surface in Moscow and explain that he had suggested Chuvakhin because everyone in the embassy knew he was a rabid American-hater. The attaché had been so desperate to get Ames off his back that he had sent him to see Chuvakhin, all the while, feeling safe that Ames had little chance of recruiting him.

Ames began pestering Chuvakhin in late December 1984 and after repeated telephone calls, the Russian finally agreed to meet him for lunch on April 16th. An hour before their meeting, Ames typed a note addressed to Stanislav Androsov, the KGB resident agent at the embassy. Exactly what Ames wrote is hotly disputed. Ames would later claim that he had come up with a “perfect scam.” He told Androsov that for $50,000, he was willing to sell the KGB the names of three Russians spying for the CIA. The three agents, however, were actually “double agents,” who had volunteered to work as CIA spies, but were actually still working for the KGB. “This way, I would be giving the KGB the names of its own agents,” Ames explained, “so I would not be doing any damage really to the CIA or United States.”

The FBI and CIA have a different theory about what Ames put in his note. They claim he told Androsov that Valery Martynov, and Sergey Motorin were CIA spies. Because both men worked inside the Soviet Embassy, they posed the greatest threat to Ames. The FBI and CIA theorize that Ames’s first note to the KGB was aimed at “taking out” the two spies most likely to expose him.

Note from Ames to meet the KGB

Ames attached one page from the CIA’s Soviet division internal telephone roster, with his name underlined, to his note and sealed both in an envelope. That done, he left to meet Chuvakhin at a restaurant in the Mayflower Hotel, just down the street from the Soviet Embassy in downtown Washington D.C. As soon as he arrived, Ames began downing vodkas. Minutes passed. Chuvakhin didn’t show up. Finally, Ames realized he had been stood up so he decided to improvise. He knew the FBI routinely photographed Americans entering the Soviet Embassy, but he didn’t care since he was authorized by the CIA to make contact with Russians. He boldly walked up and opened the embassy’s thick wooden front door. Inside, he handed the envelope to a security guard and left. A few days later, Chuvakhin called and suggested they meet for lunch on May 17th. He asked if Ames could stop by the embassy first. This time when Ames stepped inside, Chuvakhin was waiting to escort him into what was supposed to be a “clean” room that had been checked for CIA bugs. Even so, Viktor Cherkashin, the KGB counterintelligence chief at the embassy, didn’t want to risk speaking out loud. “He took a letter out of his pocket and handed it to me,” Ames said later. “It said, ‘We accept your offer and are very pleased to do so.’ Then it said, ‘Mr. Chuvakhin is not a KGB officer, but we have evaluated him and consider him reliable and mature, and he will be able to give you the money and be available to lunch with you if you care to exchange more messages.’ I scribbled on the back of the note: ‘Okay, thank you very much.’ We shook hands, and then I went out of the room, and Chuvakhin said, ‘Let’s do lunch.’”

They walked to the Mayflower and during the meal, Chuvakhin handed Ames a shopping bag filled with reports. “Here are some press releases that I think you will find interesting,” he said. After they had parted, Ames drove to a remote park overlooking the Potomac River and pawed through the bag. In the bottom was a brown-paper-covered package. “There were $100 bills wrapped tightly inside. It was $50,000. ” When he got home, he slipped the bag into his closet and told Rosario that he had gotten an interest free loan from an old college pal named Robert who had connections with the Mafia. She didn’t press him for details.

Two days later, the FBI announced that John Walker Jr., a retired Navy warrant officer, had been arrested over the weekend making a dead drop in the Maryland suburbs. The timing of the arrest scared Ames. He thought Walker had been caught because someone in the Soviet embassy — probably Motorin or Martynov — had tipped off the CIA or FBI. (It turned out that Walker’s ex-wife had told on him.) “I knew how well we had the Soviet system penetrated. It was only a matter of time before one of our spies learned what I had done. I was very vulnerable.”

Ames moved quickly to protect himself. On June 13, 1985, Ames met with Chuvakhin for lunch again and although the KGB had not asked him for any additional information, Ames decided on his own to give them the name of every CIA “human asset” that he knew, with the exception of his pal from New York City, Sergey Fedorenko. Besides giving the names of U.S. spies, Ames revealed that Oleg Gordievsky, the KGB resident agent in London, was spying for MI-6, the British intelligence service. He also gave Chuvakhin seven pounds of CIA intelligence reports, which he had simply carried out of the agency in his briefcase. No one had ever bothered to examine it or frisk him during the days he stole the documents.

He would later admit that he knew the “human assets” whom he had compromised would be, at best, put in prison, and more than likely, executed. But he insisted it was a case of either them or him. “All of the people whose names were on my list knew the risks they were taking when they began spying for the CIA and FBI. If one of them had learned about me, he would have told the CIA, and I would have been arrested and thrown in jail. Now that I was working for the KGB, the people on my list could expect nothing less from me. It wasn’t personal. It was simply how the game was played.”

Beginning with Motorin and Martynov, the KGB began rounding up the CIA’s secret spies. In Moscow they were brutally interrogated. Both Motorin and Martynov were executed.

Ames would later attempt to rationalize his treason. “A lot of the barriers that should have stopped me from betraying my country were gone,” he said. “The first barrier was the idea that political intelligence matters. It doesn’t.” Ames said he had become disillusioned because several presidents, beginning with Richard Nixon, had ignored the CIA’s findings because they did not suit the White House’s political agenda. “I realized these men’s actions do not excuse mine, but they did influence my decision making and help grease the slope…I also had come to believe that the CIA was morally corrupt. The CIA is all about maintaining and expanding American imperial power, which I had come to think was wrong… and finally, I did not feel any sense of loyalty to what mass culture had become. How does treason fit into all of this? In some ways, not at all. I would love to say that I did what I did out of some moral outrage over our country’s acts of imperialism or a political statement or out of anger toward the CIA or even a love of the Soviet Union. But the sad truth is that I did what I did because of the money and I can’t get away from that. I wanted a future. I wanted what I saw [Rosario and I] could have together. Taking the money was essential to the recreation of myself and the continuous of us as a couple.”

Not long after Ames made what he called “the big dump,” he also betrayed his pal, Sergey Fedorenko. Ames had decided that if he was going to “do a good job” for his Soviet masters, he might as well tell them everything that he knew.

Alarms inside the CIA began sounding within months as the agency began to realize that its spies in the Soviet Union were disappearing. At first, the agency suspected the culprit was Edward Lee Howard, a disgruntled CIA employee who had defected around the same time Ames became a spy. Never before had so many of its spies been exposed. The TAW program monitoring KGB communications stopped sending signals and the Geiger counter used in Project Absorb was discovered. It soon became clear that Howard couldn’t have known about all of the agents and covert operations that had been compromised. There had to be another explanation.

The CIA launched an immediate internal investigation, but rather than looking for a mole, it searched for other logical explanations. In 1986, CIA investigators mistakenly concluded that the arrests in Moscow were unrelated. While Howard probably caused some, the others had come about because of mistakes made by CIA case handlers or the spies themselves, the investigators reported. There was a good reason why the agency was reluctant to launch a mole hunt. It was still recuperating from a crippling witch-hunt that the legendary James Jesus Angleton had led years earlier. The careers of several promising case officers had been destroyed and the agency had been paralyzed because of Angleton’s paranoid accusations.

Aerial view of CIA building

Ames, meanwhile, applied for a CIA opening in Rome because he wanted to distance himself from CIA headquarters and because he felt Rosario would be happier living overseas. She felt most Americans lacked culture and style. Shortly after he arrived in Rome, he confronted his KGB handler. Ames had assumed the Russians would arrest the CIA’s assets quietly, over time, not in a panic as the KGB had done. “You’re going to get me arrested!” he complained. “Why not just put up a big neon sign over the agency with the word MOLE written on it?” His handler apologized but said the KGB had not been given a choice. The ruling Politburo had been so badly embarrassed by the CIA’s success in recruiting spies that it had ordered the mass arrest.

Neither Rick nor Rosario made any attempt to hide their newfound wealth in Rome. She replaced her entire wardrobe with designer outfits. Rick chucked his J.C. Penney navy blazers, gray slacks and half-priced socks for $1,500 custom-tailored Italian silk suits with monogrammed shirts and hand-sewn leather shoes. His teeth, which were yellow from years of smoking, were capped. He bought a Jaguar sports car, wore a Rolex. Their friends and his colleagues simply assumed Rosario came from a wealthy Colombian family. In fact, Ames was pocketing shopping bags full of money in increments of tens of thousands of dollars.

Although the agency’s first internal probe had swept over the possibility of a mole, some agents in the agency weren’t convinced. In November 1986, at the insistence of a tough-talking, no-nonsense counter-intelligence officer named Paul Redmond, the agency agreed to assign Jeanne Vertefeuille, an unassuming 54-year-old with 32 years of service, to take another look at the “1985 losses.” Her problem was that no one had ever found a mole based purely on detective work. Every spy caught by a U.S. intelligence service in recent history had been nabbed because of a snitch. The Russians did their best to distract her. The first year, she and a tiny group of analysts focused on Clayton Lonetree, a Native American Marine who had been convicted in August 1987 of spying for the Soviets while stationed in Moscow. By the spring of 1987, Vertefeuille had learned enough to know that Lonetree couldn’t have been responsible.

At about this same time, a new CIA officer joined Vertefeuille’s team. Dan Payne was an ambitious 29-year-old investigator with an accounting background who thought the best way to catch a mole was by looking for unexplained wealth. Ames had just about finished his tour in Rome, meanwhile, and was preparing to move back to headquarters. During a final face-to-face meeting, his Russian handler gave him a nine-page letter that contained instructions for how he would be contacted after he returned to Washington. The note also assured Ames that he would be paid a yearly salary of $300,000 as long as he continued spying. The KGB also said it had deeded him several acres of land to use when he “retired.” It was just outside Moscow along a beautiful river. Touched, Ames kept both the note and three Polaroid color photos of the land — a move he would later deeply regret.

 

Photo of land set aside for Ames

Rick and Rosario’s friend, Diana Worthen, was stunned when she welcomed the couple back to the U.S. in the fall of 1989. She had worked with Ames in Mexico City and had known Rosario before they had married. Worthen couldn’t believe how wealthy they seemed. The Ameses bought a $540,000 suburban house with cash. Rick purchased a new Jaguar XJ-6 and Rosario refurnished the entire house. But it was the new draperies that would prove to be too much for Worthen. Rosario had invited her over one afternoon for coffee and to show her fabric samples.

“Help me choose,” Rosario said.

“Okay,” replied Worthen, “which room are you going to do first?” She had just had drapes put up in her house and knew they were expensive.

Rosario laughed. “Diana, don’t worry about the price. I am going to have the whole house done at once.”

“Where the hell did they suddenly get all of this money?” she wondered. Unlike her colleagues at the CIA, Diana knew that Rosario’s family in Colombia wasn’t wealthy. Rosario had confided in her when they both were living in Mexico City that her parents in Colombia, while socially prominent, were poor. Suspicious, Worthen notified Sandy Grimes, a close friend who was part of the mole-hunting team. Grimes didn’t need anyone to twist her arm. She had always been suspicious of Ames because she knew he was bitter about being passed over repeatedly for promotions, especially since he thought he was smarter than his peers.

Grimes began digging into Ames’s past contacts with the Soviets in Washington D.C. while Dan Payne plunged into his finances. When Payne obtained access to the Ameses’ credit records, he discovered the couple routinely charged $18,000 to $30,000 per month even though Ames was drawing a salary of $69,843 per year. Despite this, there was no proof of wrongdoing, and when Vertefeuille asked a CIA officer in Bogota to make several discreet inquiries there about Rosario’s family, the officer reported that Worthen was mistaken: Rosario’s relatives were among the wealthiest families in Colombia. Only later would the CIA learn that its officer in Bogota had spoken to only one source, a family priest who had no firsthand knowledge but knew only rumors about the family’s finances.

The mole hunting team seemed stymied until Sandy Grimes noticed that the dates of Ames’s 1985 bank deposits matched the days that he had lunch with Sergey Chuvakhin. Incredibly, Ames had taken few precautions to hide his money, often depositing it on the way home from his lunchtime exchanges with the Russian.

Rushing down to Paul Redmond’s office, Grimes showed him her discovery. “It doesn’t take a rocket scientist to tell what is going on here,” she said. “Rick is a goddamn Russian spy!”

While the mole hunting team was busy zeroing in on Ames, he received a surprise telephone call from Sergey Fedorenko, his old Russian pal from New York City. He had been accused of being a spy after Ames first told the KGB about him, but he had managed through his family’s political connections to avoid arrest. He was now calling Ames from Canada where he was on a diplomatic trip. Ames arranged for him to be smuggled into the U.S. so they could meet in person. During their emotional reunion, Fedorenko said he wanted to move to the U.S. and Ames promised to help. Instead, as soon as Fedorenko left, he contacted the KGB and told them once again that Fedorenko was a traitor.

 

Rick Ames in FBI surveillance video

Armed with Sandy Grimes’ findings, the CIA contacted the FBI, since it is responsible for arresting spies in the U.S. Cameras were posted outside Ames’s home and in his office ceiling at the CIA’s headquarters; an electronic bug was hidden in his Jaguar. Yet, almost entirely by happenstance, Ames managed to elude agents when he made a “dead drop” delivery to the KGB. (At one point, an FBI airplane tailing him was forced to abandon its mission because Ames had driven under the flight zone being used by passenger jets landing at Washington’s Reagan National Airport.) Finally, on October 6, 1993, an industrious FBI agent stole the trash can from in front of Ames’s house and discovered a computer printer ribbon inside it that showed Ames had written several long letters to the Russians. Using that evidence, the FBI got approval to secretly break into Ames’s house while Rick and Rosario were out of town and plant hidden microphones. They also discovered a wealth of incriminating evidence, including the note that the KGB had given him in Rome. It turned out that Ames had made another colossal blunder. He had recently upgraded the word processing program on his computer and failed to realize that it automatically saved copies of documents that he typed. The FBI was able to recall every message he had typed.

 

Rosario Ames in FBI surveillance video

Over the next several weeks, the FBI listened to conversations between Rick and Rosario and quickly determined that she not only knew about his spying, but also constantly badgered him about demanding more money and being careful. FBI agents said later that the conversations they overheard made them want to arrest Rosario just as much as Ames. On the tapes, she could be heard sniveling about money, belittling her friends, and constantly berating Ames.

By mid-February 1994, the FBI began running out of time. Ames, who had been quietly transferred to a job where he no longer had access to classified information, was scheduled to leave the country to attend an overseas conference. The agents were afraid he might bolt. On February 21, 1994, he was lured out of his house on the pretext that he was needed at work for an emergency. As he was leaving his neighborhood, his Jaguar was pinned in by FBI cars. Back at his house, a Spanish-speaking FBI agent told Rosario that she too was being arrested. Inside they found signs of the Ameses’ unchecked gluttony: dozens of designer dresses never worn, nearly a hundred unopened boxes of pantyhose, a half dozen Rolex watches, several hundred shoes.

Ames quickly offered to confess if the government would free Rosario, but the Justice Department refused to release her. She, meanwhile, turned against him. “I offer you no excuses for my conduct, only explanations,” she told the judge at her sentencing. “In order to understand how I got caught up in Rick Ames’s deceit, you have to understand that he was, and is, a liar and manipulator. Exactly those qualities that made him a good intelligence officer for our country.” But the judge didn’t buy it. He sentenced her to five years in prison. She was deported to Colombia as soon as she was paroled in 1999. She still lives there today. Ames was sentenced to life in prison. He jokingly told a friend that he had sealed his own fate. The KGB had no one to swap for him. It had killed all of the spies it had arrested who were worth trading.

Posted on Sun, Jan 22, 2012 by John Jolly

MegaUpload Indictment & Photos

Indictment: megaupload_indictment.pdf

 

Megaupload.com employees Bram van der Kolk, also known as Bramos, left, Finn Batato, second from left, Mathias Ortmann and founder, former CEO and current chief innovation officer of Megaupload.com Kim Dotcom (also known as Kim Schmitz and Kim Tim Jim Vestor), right, appear in North Shore District Court in Auckland, New Zealand, Friday, Jan. 20, 2012.

 

 

German Internet millionaire Kim Schmitz arrives for a trial at a district court in Munich in these May 27, 2002 file photos. New Zealand police broke through electronic locks and cut their way into a mansion safe room to arrest the alleged kingpin of an international Internet copyright theft case and seize millions of dollars worth of cars, artwork and other goods. German national Schmitz, also known as Kim Dotcom, was one of four men arrested in Auckland on January 20, 2012, in an investigation of the Megaupload.com website led by the U.S. Federal Bureau of Investigation. Reuters

 

Tow trucks wait to remove vehicles from Kim Dotcom’s house in Coatesville, north west of Auckland, New Zealand Friday, Jan. 20, 2012. Police arrested founder Kim Dotcom and three employees of Megaupload.com, a giant Internet file-sharing site, on U.S. accusations that they facilitated millions of illegal downloads of films, music and other content costing copyright holders at least $500 million in lost revenue. (Natalie Slade)


A general view shows the Dotcom Mansion, home of Megaupload founder Kim Dotcom, in Coatesville, Auckland, January 21, 2012. The U.S. government shut down the Megaupload.com content sharing website, charging its founders and several employees with massive copyright infringement, the latest skirmish in a high-profile battle against piracy of movies and music. The U.S. Department of Justice announced the indictment and arrests of four company executives in New Zealand on Friday as debate over online piracy reaches fever pitch in Washington where lawmakers are trying to craft tougher legislation. Reuters

 

A broken intercom system is seen after a police raid at Dotcom Mansion, home of accused Kim Dotcom, who founded the Megaupload.com site and ran it from the $30 million mansion in Coatesville, Auckland January 21, 2012. The U.S. government shut down the Megaupload.com content sharing website, charging its founders and several employees with massive copyright infringement, the latest skirmish in a high-profile battle against piracy of movies and music. New Zealand police on Friday raided a mansion in Auckland and arrested Kim Dotcom, also known as Kim Schmitz, 37, a German national with New Zealand residency. Reuters

 

 An entrance to Megaupload’s office at a hotel in Hong Kong is seen in this Hong Kong government handout photo released late January 20, 2012. The Hong Kong government said on Friday over HK$300 million ($38.4 million) worth of proceeds from Megaupload were seized in the country in joint operations by Hong Kong customs and U.S. authorities. The U.S. government shut down the Megaupload.com content sharing website, charging its founders and several employees with massive copyright infringement, the latest skirmish in a high-profile battle against piracy of movies and music. Reuters

 

 

Posted on Sun, Jan 22, 2012 by John Jolly

History of Technical Counter Surveillance Measures

We get a glimpse into the mind of 1952 (an era when crypto on land lines was very limited, indeed). We get to see how the US tapped and how it worked with the phone company to tap others – in the course of determining that standard US techniques for taps were not present (2-wire pair line tampering, inductive tapping of the 2-wire pair on the local telephone pole, tapping of the “multiplying line” extensions). Let’s not forget just how physical telephony was in 1952.

image

image

image

 

We also get to see the reaction to the (activated) resonant cavity class of listening device – distinct from tapping lines.

image

 

One sees the resource requirements, and the basic attack plan for the new threat (and the desire not to alert the tapper, presumably so the tap could be turned to dis-information).

image

One notes that searchers were familiar with microphony attacks in general, though not the cavity resonant devices initially.

image

Earlier disclosures show that the high-level FBI agent had two classes of phone – those served by the phone company and those installed by DoD (obvious from the context of the redacted material). This shows that, in the 1950s, the FBI was very much subservient to DoD in technical countermeasures.

image

At the same time, we note how the FBI was viewed as a go-to agency, by others (not that there is any suggestion that there is a law enforcement rationale to such requests).

image

The USPS (as a giant spying agency on paper) was probably one source, and one notes how the agencies were colluding to track EACH cabinet officer (of the government) for oral cues (as to the source of leaks about USPS policies). This all seems consistent with the general state of red-scare paranoia of the period, as folks sought to address technical information leakage on the bomb, etc. Note that it’s all very much a pretext (to get the FBI into the “business”), since it’s all about the club of executives (not line sources).

One also sees other civilian issues, including Benson’s solid understanding of the price sensitivity (which seems a bit more coherent, and more tuned to issues of today):

image

It’s fun to see the “most likely” sources of placement:

image

 

One sees some of the normal “art” of the searcher, used to American equipment:

image

 

One notes a couple of references to the “countermeasure” device (which could be DoD/FBI trojan horse, of course):

image

 

An outline of its purposes follows (basically, it isolates the mic in the handset, or suppresses its own diaphragm):

image

 

One sees a side threat, too, repurposing lines:

image

 

An interesting titbit about the Secret Service wanting to do their own scan, and the FBI being the sole source of the equipment (which was hand made, which is telling about the FBI “Lab Division” technical capabilities in, presumably, the valve electronics of the day).

image

 

At the same time, evidently there is a standard design (such that it can now be “procured”).

image

 

One sees several features of a general foil, since folks rationalize that it’s more important to protect the channel than to prevent leaks. They really WANT to use it for reverse signaling, consistent with 1945 counter-intelligence doctrine. There is also the assumption that the President’s Office and Cabinet Office are really not secure areas (since the cabinet officers are necessarily surveilled proto-suspects, themselves).

One has to assume that non-FBI folks would also be testing FBI capabilities (since Hoover was such a known-deceiver). One sees how FBI is entirely compartmentalized from nuclear-level infosec/comsec (which must have irked Hoover no end).

 

One sees another reference to the infamous “British” equipment (which somewhat undermines the story about FBI being the sole-source of cavity mic detecting). Who operates the latter equipment is not disclosed.

image

 

We see a policy of information containment concerning technical methods (including “acceptance” that the White House could be a source of insecurity – national imperatives notwithstanding).

 

image

We see clearly how the FBI and the phone companies happily conspire to misinform and misdirect the White House officials (in the hope that a direct White House request be made of the FBI, for an appropriate investigation, supported by technical means). It is more important to the FBI to protect this than to protect the secrets being leaked!

One sees how Bell Labs is involved in subverting the signalling system to aid tracing (suggesting that such tracing was not present pre-1952). Having a secretary listen in to the call (and write it all up, Soviet style) was deemed much more appropriate, as in White House conventions:

 

image

 

We also see, by ’55, the emergence of ISIS, led by Treasury:

image

By 1955, one sees less scare about the cavity mic, and more action about compartmentalizing the Community buildings’ lines.

 

image

Folks are still obviously worried that the very proximity to the wire pairs afforded Soviet tapping of calls to friendly governments. One sees nothing about radio tapping though (where folks had the most skill).

 

We also see some of the phone company responses emerging:

image

 

And, in other quotes, we see the general attitude towards GSA, with phone companies wanting not to participate in GSA ‘infosec’ policies (preferring cosy relations with the FBI instead, with whom they have a working relation regarding authorized wire taps anyway).

 

We see how transistors have made their mark (on size), by 1956:

image

One sees a little of the architectural impact on the FBI’s own buildings (with reference to tie lines, etc.) and “mainframe” switching:

image

 

One sees a countermeasure, in 1957, to (presumably) analogue signalling for video (though we recall they had PCM in 1942. By 1957, did they have early codecs for video?)

image

We see a general fishing attempt against the contractors of State (where the FBI has no jurisdiction) – seeking to perform an intelligence review:

image

We see the “former agent” network subverting agency policies, with “discreet checks” being “caused”. Cooperating with such subversion seems not to be a worry for the FBI, even absent any rationale for an “investigation”. It’s just normal to engage in this type of behaviour.

image

 

One sees an interesting fact about 1945:

image

 

One sees means used to isolate those who would be independent of the FBI’s technical expertise (in wire circuits, and sound recording):

image

 

One sees the mindset of the FBI concerning microphony (and countermeasures):

image

 

All the drivel about inspecting handsets for “tampering” is a diversion from the microphones outside the windows measuring the window’s reactance itself! There is a fair amount of policy-based deception going on.

When you look at the endless letters, one sees folks in “power” looking for assurance that someone makes them believe that (a) their equipment is not being tampered with, and (b) they indeed have something worth keeping secret (given how important they now are).

One sees in a 1962 memo the emergence of secure phone codecs (keyed by card), with the attendant overhead of security officers responsible for the keying.

 

image

Interesting facts on capabilities, costs, leased line specificity and delay:

image

http://jproc.ca/crypto/ky3.html

Someone helped the FBI out, on using window material to project sound:

image

 

Updating to 1981,

image

Updating to 1988, we see quite a marked change in the tone. There is a lot more professionalism on display, particularly once the FBI formally ceded from DIA in handling the industrial security program. Up to 1995,

image

Obama Called a Moron at Phone Security

I really hate to have to mention this, but in the following image you will notice the moron who is using a cell phone right next to a STE.

 

Same here. Moron using cell phone in close proximity to a secure telephone:

 

When you place a concentrated RF signal transmitter in close proximity to a piece of cryptographic gear (like a STU or STE) the RF signals are strong enough to intermix with the RF or magnetic signals and create a third signal. This is most valuable with cryptographic equipment that uses cables that are not in conduit, as the cable (seen in these pictures) provides a high-threat access point where all kinds of havoc can be caused if a cell phone is brought within 8-12 feet of a STU, or 16+ feet of a STE. You will notice that the moron holding the phone is well within those distances.

The following image just proves what an utter moron this guy is, and remember who he is:

 

Notice that he is in a STE, in secure mode, and the STE (unencrypted voice path) is draped over a live RF transmitter.

I apologize Mr. President, but you sir are a fscking moron, just an utter moron.

Observers with sharp eyes will also notice the profoundly sloppy job of TSCM that is being done on these phones as well, and how the routing requirements for cables are not being observed, but then that is the least of their problems… their boss obviously does not care, so why should they.

Are executives at the highest levels expected to be TSCM, COMSEC, and TEMPEST experts who possess detailed technical knowledge and extensive related experience?

If yes, then why would any top executive have any need to hire experts in those fields?  Does JMA call his executive clients (who aren’t as well-versed in those fields as he obviously is) “fucking morons?”  That doesn’t seem like an effective business practice to me.

Perhaps the executive in the photo wasn’t briefed by his experts on the finer points of proper COMSEC—such as not to use a cell phone near a STE.  If he wasn’t, then perhaps those experts are to blame, not the executive.  Or maybe there are other protections in place which prevent that from being a COMSEC problem.  There is equipment in those photos that probably none of us know the workings of…

He knows that he cannot use a cellphone within X feet of a STU, STE, or secure communications media because he can read the white papers on the matter, and has been briefed by the technical advisors until they were blue in the face, but he does not care; he likes his cell phones (because it makes him a more effective leader).

If a customer hires me to tell them about the problem, and I tell them about it, write numerous white papers on the subject for them, demonstrate the risk for them by recovering classified information, and even the CIK from a STU using only a nearby cell phone, and they still refuse to use proper communications security and abide by stand-off distances (the space between the secure phone and the cell phone), then I will have no problem explaining that they are a moron to their face (usually in private, but still).

You need only to watch the video of my testimony before Congress on related matters to see that I tend not to couch my words when it comes to national security matters like this.

The President of the United States is a fucking moron, but given the last pool of candidates he is less of a moron than the other morons we had running at the time. But still, he is a moron, and an arrogant one at that.

TEMPEST, HIJACK, NONSTOP, and TEAPOT Vulnerabilities

A STU-III is a highly sophisticated digital device; however, it suffers from a particularly nasty vulnerability to strong RF signals that, if not properly addressed, can cause the accidental disclosure of classified information and recovery of the keys by an eavesdropper. While the unit itself is well shielded, the power line feeding the unit may not have a clean ground (thus negating the shielding).

If the encryption equipment is located within six to ten wavelengths of a radio transmitter (such as a cellular telephone, beeper, or two-way radio) the RF signal can mix with the signals inside the STU and carry information to an eavesdropper. This six to ten wavelengths is referred to as the “near field”, the wave front where the magnetic field of the signal is stronger than the electrical field.

As a rule all COMSEC equipment should be kept out the “near field” by a factor of at least 2.5 to 3 times to get it outside of the field transition point. Simply put, there needs to be a “danger zone” or exclusion zone around any and all COMSEC gear 2.5 to 3 times the near field distance, or 16 to 30 times the longest signal wavelength (the lower the frequency the longer the wavelength).

A “wavelength” is inversely proportional to the frequency being used, which means that an 800 MHz cellular phone (near a STU) presents a greater direct threat than a higher frequency PCS phone operating in the 1.7 GHz region. On the other hand, a PCS or CDMA telephone creates a greater spectral density and far more transitions, which allows an eavesdropper to correlate on the signal with more precision.

We also have to consider the amplitude of the signals as well as the “danger zone” created by the transition point or radius of the near field (times 2.5 to 3). When any RF signals inside the “danger zone” exceed -50 dBm (or -77 dBm in some cases) there is still a problem even though the cryptographic equipment is some distance from the actual transmitter, cellular phone, pager, etc. These relatively high signal levels (above -50 dBm or -77 dBm) are actually strong enough that they create secondary fields or signals when they encounter the outside of the equipment case or any other conductive or non-linear element. This is called the “saturation effect”, and if it is not properly addressed it can result in the cryptographic equipment being put at risk of disclosing secrets. Typically the ambient RF environment near any cryptographic equipment should be well below -80 dBm and in some cases well below -110 dBm. Fields of this strength are common near broadcast facilities such as FM or television transmission towers or cellular/PCS towers. If you have a concern of this nature then you should contact a TSCM professional and schedule an evaluation of the RF in the vicinity of where you will be using your encryption equipment.

The critical thing to remember in all of this is that the ciphering key is where all the magic is at, and that the eavesdropper will typically target the ciphering circuit (or “scrambler”) to obtain the secret key. Sure, they are interested in the material being scrambled by the cryptographic system, and they will also be interested in the inner workings of the phone, but it is obtaining the secret ciphering key that is most important to the spy. An encryption box or cryptographic device may only be classified secret, and yet the keying material is top secret; the keying material is far more sensitive than the box itself, and must be protected with much greater care.

On a related note, it should be mentioned that the ciphering key is actually of a fairly small length, and that even if only a very small segment of it is compromised the eavesdropper may be able to reconstruct it in whole (depending on what segment they get). In some cases even a 200-bit ciphering key can be broken by obtaining a small fragment of the cipher which can be “snatched from the airwaves in less than a ten-millionth of a second” (if the cryptographic ignition key is loaded in the presence of a cellular phone or strong RF field). Once the key is loaded into the cryptographic device the amount of time required to reconstruct the key is significantly larger, but not at all prohibitive. Remember, the eavesdropper is only looking for a few bits of data (the payload of the key), and this small number of bits can be “hijacked” by an external RF source like a cellular phone, as a hijack requires an absolute minimum of bandwidth.

Since the signal of interest is of extremely narrow bandwidth, and the “illuminating” signal can be easily correlated to the “signal of interest”, the eavesdropper can be a considerable distance away from the encryption device and still perform the hijack (this is called “correlation gain”, which can be well over 40 dB). This assumes that someone using the encryption device has a cell phone or other RF device on their person that, while not on an active call, is still checking in with the base station for status updates on a regular basis. Without this “correlation gain” the intercept may only be feasible within a few feet, but with it the eavesdropper can be 500 and even 1500 feet away.

Remember that the most valuable “item of interest” is not directly the clear text communication itself, but the key used to protect the communication. Once the eavesdropper has the key, then the communication itself would be targeted and exploited. You must protect the key at all times.

NEXTEL or Motorola iDEN phones based on a TDMA or “time domain” signal present a really nasty threat, as the cell phone is constantly strobing a specific predictable time slice and basically illuminates the STU, turning it into a strobing lighthouse that will seriously compromise classified information. If a NEXTEL is present within 12-15 feet of a STU-III (when it goes secure or a CIK is loaded) the phone and information passed through it should be considered compromised. The STU should always be located in an area called an exclusion zone, and cellular phones, pagers, beepers, and other RF devices should be kept outside of a stand-off zone of at least 15-20 feet (30 feet is good practice).

Now if this wasn’t confusing enough; portable Inmarsat stations also present a similar problem, but only if the STU is located in front of the transmitter antenna or within the side lobes of the signal (about 45 degrees off the center axis of the antenna).

The best way to deal with this is to never have a cellular telephone or pager on your person when using a STU, or within a radius of at least thirty feet (in any direction) from an operational STU (even with a good ground). If the STU is being used in a SCIF or secure facility a cell phone is supposed to be an excluded item, but it is simply amazing how many government people (who know better) forget to turn off their phone before entering controlled areas and thus cause classified materials to be compromised.

In the case where the STU is being used on a cell phone or satellite phone your best option is to keep the phone in analog mode (a STU, not a STE) and locate the STU a good 6-12 feet away from the antenna. In the case of an Inmarsat terminal simply keep the STU BEHIND the antenna by at least 10-15 feet (this is why Inmarsat terminals have long cables for the antenna). If you can obtain a digital Inmarsat connection you can get a very high quality connection, but the equipment is fairly costly, the terminal is quite large, and the digital service quite expensive.

At no time should a STU-III be operated in the presence of an RF field that exceeds -105 dBm for any signal with less than 30 kHz of occupied bandwidth. In the case of a signal whose occupied bandwidth exceeds 30 kHz, the RF level should not exceed -138 dBm.
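As an added example, not part of the original post or of any vendor's material: the near-field, exclusion-zone and ambient-level rules stated in the paragraphs above (six to ten wavelengths of near field, an exclusion radius of 2.5 to 3 times that, and the -105 dBm / -138 dBm ambient limits split at 30 kHz of occupied bandwidth) turned into a small Python checker a TSCM surveyor could run over measured emitters around a secure telephone. It assumes free-space wavelength (c/f), takes the upper end of each quoted range (10 wavelengths, a factor of 3) as the conservative design figure, and applies the -138 dBm limit at exactly 30 kHz as well as above it; the survey rows are constructed illustrative values, not measurements from the post.

```python
"""
Exclusion-zone and ambient-RF checker for COMSEC equipment placement.
Added worked example; the numeric rules come from the post above, the
code and the sample survey data are constructed for illustration.
"""

C_M_PER_S = 299_792_458.0          # speed of light; free-space wavelength assumed
NEAR_FIELD_WAVELENGTHS = (6, 10)   # "six to ten wavelengths" per the post
EXCLUSION_FACTOR = (2.5, 3.0)      # "2.5 to 3 times" the near-field radius
FT_PER_M = 3.28084


def wavelength_m(freq_hz: float) -> float:
    """Free-space wavelength in metres for a carrier at freq_hz."""
    return C_M_PER_S / freq_hz


def near_field_m(freq_hz: float) -> tuple:
    """(inner, outer) near-field radius in metres: 6 to 10 wavelengths."""
    lam = wavelength_m(freq_hz)
    return (NEAR_FIELD_WAVELENGTHS[0] * lam, NEAR_FIELD_WAVELENGTHS[1] * lam)


def exclusion_zone_m(freq_hz: float) -> float:
    """Conservative exclusion radius: 3 x the outer near-field edge (30 wavelengths)."""
    _, outer = near_field_m(freq_hz)
    return EXCLUSION_FACTOR[1] * outer


def ambient_limit_dbm(occupied_bw_hz: float) -> float:
    """Maximum tolerable ambient level at the STU for a given occupied bandwidth.
    Assumption: exactly 30 kHz is treated as wideband (the stricter limit)."""
    return -105.0 if occupied_bw_hz < 30_000 else -138.0


def ambient_level_ok(level_dbm: float, occupied_bw_hz: float) -> bool:
    """True when the measured level at the STU is at or below the limit."""
    return level_dbm <= ambient_limit_dbm(occupied_bw_hz)


def assess_emitter(name, freq_hz, distance_m, level_at_stu_dbm, occupied_bw_hz):
    """Describe whether one emitter breaks the distance rule, the level rule, or both."""
    zone = exclusion_zone_m(freq_hz)
    inside = distance_m < zone
    too_strong = not ambient_level_ok(level_at_stu_dbm, occupied_bw_hz)
    return {
        "name": name,
        "wavelength_m": wavelength_m(freq_hz),
        "exclusion_zone_m": zone,
        "inside_exclusion_zone": inside,
        "ambient_limit_dbm": ambient_limit_dbm(occupied_bw_hz),
        "exceeds_ambient_limit": too_strong,
        "acceptable": not (inside or too_strong),
    }


# Constructed survey rows (illustrative values, not measurements from the post):
# name, carrier Hz, distance from the STU in m, level measured at the STU in dBm,
# occupied bandwidth in Hz.
SAMPLE_SURVEY = [
    ("800 MHz cellular handset", 800e6, 3.0, -40.0, 25e3),
    ("1.7 GHz PCS handset", 1.7e9, 8.0, -95.0, 1.25e6),
    ("FM broadcast station", 100e6, 2000.0, -70.0, 200e3),
    ("quiet room baseline", 800e6, 100.0, -120.0, 25e3),
]


def survey_verdicts(survey=SAMPLE_SURVEY):
    """Run every survey row through assess_emitter and return the verdicts in order."""
    return [assess_emitter(*row) for row in survey]


if __name__ == "__main__":
    for v in survey_verdicts():
        print(f"{v['name']:<26} zone={v['exclusion_zone_m']:5.1f} m "
              f"({v['exclusion_zone_m'] * FT_PER_M:3.0f} ft) "
              f"limit={v['ambient_limit_dbm']:.0f} dBm acceptable={v['acceptable']}")
```

With the constructed rows, the 800 MHz handset three metres away fails both rules (its conservative zone is about 11 m, some 37 ft, which is wider than the 8-12 ft rule of thumb quoted earlier in the post for a STU); the PCS handset at eight metres is outside its roughly 5 m zone yet still fails on level, which is the saturation case described above; the distant FM station fails on level alone, as the post warns for broadcast sites; only the quiet baseline passes.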

Between the TEMPEST and TSCM fields of study there is also an area of our field that deals with unmodified or quasi-modified equipment and signals, which interact with each other. This is the case where in effect a classified signal or classified information is accidentally impressed onto an unclassified signal. Thus, the unclassified signal carrying the classified data with it is accidentally transmitted a considerable distance allowing for eavesdropping by those who should not possess the information. This is usually the result of TEMPEST standards not being rigorously followed during equipment design, installation, and maintenance.

The investigation, study, and control of intentional compromising emanations from telecommunications and automated information systems equipment that were created, provoked, or induced by a spy is known by the code name “TEAPOT”. An example of this would be positioning a rack of two-way radios near a secure telephone, or installing a RED cable next to a BLACK cable. This can also involve modifications to software, or slight breaches of the configuration of equipment.

An example of this would be a case where a cable which contains only unclassified radar, navigation, or communications signals is placed near a cable which carries highly classified information. On a maritime vessel, examples of unclassified signals would be the VHF marine radios, the unencrypted HF (shortwave) radio communication systems, and sections of the radar and IFF systems. Should any of these cables or equipment be placed near the classified systems, an eavesdropper could intercept the classified information that was riding on the back of the unclassified signals.

Another example of this would be a warship that downloads classified spy satellite imagery through the onboard satellite communication system.

The problem arises when the installer of the classified system has not installed it properly, creating considerable TEMPEST problems that cause these signals to leak off the ship a short distance. This is further complicated by several cables which do not carry classified information but which pass in close proximity to the classified cables.

Posted on Mon, Jan 9, 2012 by John Jolly

Tactical Network for Cellular Surveillance (TANCS)

On January 6th, reports surfaced of Symantec (makers of Norton Antivirus) being hacked. The group of hackers behind the attack were from India. In a statement issued by a member of the Lords of Dharamraja group, they said:
As of now we start sharing with all our brothers and followers information from the Indian Militaty (sic) Intelligence servers, so far we have discovered within the Indian Spy Programme (sic) source codes of a dozen software companies which have signed agreements with Indian TANCS programme (sic) and CBI
Ignoring the typing errors, gaining access to the Indian Military’s Intelligence servers is pretty damning for the agency. The hack got covered since the hackers claimed to have access to Norton’s source code. Earlier today I came across scans of a set of documents that are internal communications within the Indian Military. The documents claim the existence of a system known as RINOA SUR. While I did not find what SUR stands for, RINOA is RIM, NOkia and Apple. And this is where things start to get very interesting: according to the set of documents, the RINOA SUR platform was used to spy on the USCC—the US-China Economic and Security Review Commission. Let’s take a moment for that to digest. Here’s an image from the documents underlining the relevant part:

The documents contain snippets of emails sent by members of the USCC. Apparently, the RINOA SUR platform has been declared a success and the Indian Navy has shown interest in it. The leaked military documents suggest RINOA were arm-twisted into providing backdoor access in exchange for operating in India:

While the Indian government recently gave the nation’s premier spy agency—RAW—permission to access any citizen’s electronic communication, the Department of Telecommunications has reached out to Interpol for help in decrypting communication via services like RIM’s BlackBerry.

"Silent SMS" Used to Track German Subjects

The 28th Chaos Communication Congress (28C3) is currently underway in Berlin and on Tuesday, researcher Karsten Nohl gave a presentation called: Defending mobile phones. If you have an hour, it’s worth watching.

Initial press reports focused on Nohl’s revelation that hackers can potentially sniff numerous phone IDs and network authentications from an advantageous point, and because network authentications aren’t frequently refreshed (depending on the network operator), an attacker could make expensive premium rate calls and bill them to other persons. GSM network specifications allow for every network action to be re-authenticated, but that requires serious investment in authentication servers. So operators may only do it every third call. Or tenth. Or perhaps only when the phone connects to the network.

The H Security has a good summary overview of all the topics covered during the presentation.

But one of the most interesting things, from our point of view, was Nohl’s brief reference to recent reports (Dec. 13th) about various German police authorities having used nearly half a million “Silent SMS” to track suspects in 2010.

So we did a web search and found nothing about it in the English language press. However, Wikipedia’s SMS entry has (had) this:

Silent messages, often called “silent sms,” “stealth sms,” or “stealthy ping,” will not show up on the display, neither is there an acoustical signal when they are received. However, at the mobile provider some data is created (for example, the subscriber identification IMSI). This kind of message is sent especially by the police to locate a person or to create a complete movement profile of a person. In Germany in the year 2010, nearly half a million “silent SMSs” were sent by the federal police, the customs, and the secret service “Office for Protection of the Constitution.”
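What a “silent SMS” looks like on the wire, as an added example that is not part of the original post or of the 28C3 talk: the Wikipedia passage above describes the effect (nothing shown, nothing heard, but the network still records the subscriber), and the mechanism behind it is the protocol identifier TP-PID = 0x40, “Short Message Type 0” in 3GPP TS 23.040, which a handset must acknowledge to the network but must neither display nor store. The Python below parses an SMS-DELIVER PDU of the kind a GSM modem hands over in PDU mode and flags that identifier. Both PDUs, the SMSC and sender numbers and the timestamp are constructed for the example, and the 7-bit decoder assumes only the ASCII-compatible part of the GSM default alphabet.

```python
# Constructed SMS-DELIVER PDUs (hex, SMSC address first, as AT+CMGL returns them in PDU
# mode). The two differ only in TP-PID: 0x40 is "Short Message Type 0" (3GPP TS 23.040),
# the message type a handset acknowledges but never displays or stores: a silent SMS.
SILENT_PDU = ("07911234567890F0"   # SMSC: 7 bytes follow, international number (constructed)
              "04"                 # first octet: SMS-DELIVER, no more messages waiting
              "0C91447700091032"   # TP-OA: 12 digits, international, +447700900123 (constructed)
              "40"                 # TP-PID: Short Message Type 0  -> silent
              "00"                 # TP-DCS: GSM 7-bit default alphabet
              "21101041030040"     # TP-SCTS: 2012-01-01 14:30:00 +01:00 (constructed)
              "00")                # TP-UDL: no user data at all
NORMAL_PDU = ("07911234567890F0" "04" "0C91447700091032"
              "00"                 # TP-PID: ordinary message
              "00" "21101041030040"
              "05" "C8329BFD06")   # TP-UDL 5 septets, "Hello" packed 7-bit

SM_TYPE_0 = 0x40


def _bcd(byte):
    """Decode one swapped-semi-octet byte (0x21 -> 12)."""
    return (byte & 0x0F) * 10 + (byte >> 4)


def _swapped_digits(raw):
    """Phone-number digits stored as swapped semi-octets, 'F' padding removed."""
    digits = "".join("%x%x" % (b & 0x0F, b >> 4) for b in raw)
    return digits.rstrip("f")


def _unpack_gsm7(data, septets):
    """Unpack 7-bit packed user data (LSB first, as in TS 23.038)."""
    bits = nbits = 0
    out = []
    for b in data:
        bits |= b << nbits
        nbits += 8
        while nbits >= 7 and len(out) < septets:
            out.append(chr(bits & 0x7F))   # assumption: ASCII-compatible characters only
            bits >>= 7
            nbits -= 7
    return "".join(out)


def parse_sms_deliver(pdu_hex):
    """Parse an SMS-DELIVER PDU and report whether it is a Type 0 (silent) message."""
    pdu = bytes.fromhex(pdu_hex)
    pos = 1 + pdu[0]                          # skip SMSC address (length byte + address)
    first = pdu[pos]; pos += 1
    if first & 0x03 != 0x00:                  # TP-MTI 00 = SMS-DELIVER
        raise ValueError("not an SMS-DELIVER PDU")
    oa_digits, oa_toa = pdu[pos], pdu[pos + 1]; pos += 2
    oa_len = (oa_digits + 1) // 2
    sender = _swapped_digits(pdu[pos:pos + oa_len]); pos += oa_len
    if (oa_toa & 0x70) == 0x10:               # type-of-number: international
        sender = "+" + sender
    pid, dcs = pdu[pos], pdu[pos + 1]; pos += 2
    ts = pdu[pos:pos + 7]; pos += 7
    tz = ts[6]                                # bit 3 of the first semi-octet is the sign
    tz_minutes = _bcd(tz & 0xF7) * 15 * (-1 if tz & 0x08 else 1)
    timestamp = "20%02d-%02d-%02d %02d:%02d:%02d" % tuple(_bcd(b) for b in ts[:6])
    udl = pdu[pos]; pos += 1
    ud = pdu[pos:]
    text = _unpack_gsm7(ud, udl) if dcs == 0x00 and udl else ""
    return {
        "sender": sender,
        "timestamp": timestamp,
        "tz_minutes": tz_minutes,
        "pid": pid,
        "dcs": dcs,
        "udl": udl,
        "text": text,
        "silent": pid == SM_TYPE_0,
    }


if __name__ == "__main__":
    for name, pdu in (("silent", SILENT_PDU), ("normal", NORMAL_PDU)):
        info = parse_sms_deliver(pdu)
        print("%-6s from %s at %s  PID=0x%02X  silent=%s  text=%r"
              % (name, info["sender"], info["timestamp"], info["pid"], info["silent"], info["text"]))
```

A handset-side logger that counts Type 0 deliveries per day is the only signal the recipient gets; as the quoted passage says, the location record itself is created at the provider, so such a log can show that pings are arriving but not who sent them.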


Posted on Sun, Jan 1, 2012 by John Jolly

Anna Chapman FBI Surveillance Video

Posted on Tue, Dec 13, 2011 by John Jolly

Mossad Black Ops

 

On January 19, 2010, Mahmoud Abdel Rauf al-Mabhouh was killed in his room in a hotel in Dubai. He had been followed by at least 11 individuals suspected of being Mossad agents, who were carrying fake or fraudulently obtained passports from various Western nations, seven of which assumed the names of Israeli dual citizens. Reports indicate that al-Mabhouh was tracked by his killers from Damascus to Dubai. He was travelling without bodyguards, and was en route to Bangkok. Although it has been reported that he carried five passports under different names, Hamas officials in Syria reportedly stated that at this time he was using one issued in his own name.

He checked into the Al Bustan Rotana hotel on the afternoon of January 19. He left the hotel about an hour after check-in, and there are conflicting reports as to what he did during the few hours before he was killed. At approximately 8:25 p.m. Al-Mabhouh went back to his room. He failed to answer a call from his wife a half hour later.

 

According to Dubai Police Force, he was dead by 9 p.m. that evening. On January 20, the following day, his body was found in his hotel room. Al-Mabhouh’s remains were transported to Damascus for burial.

Hotel surveillance footage released to the public shows the suspects, who had arrived on separate flights, meeting in the hotel. While the suspects used personal communication devices among themselves to avoid surveillance, a number of telephone calls were made to a number in Austria. When al-Mabhouh arrived around 3pm, two of the suspects followed him to his room. They then checked into the room opposite al-Mabhouh’s. At 8pm al-Mabhouh left the hotel and while several of the suspects kept watch, two tried to gain entry to his room, but were disturbed when a tourist exited the nearby elevator. While another suspect distracted the tourist, four suspects allegedly entered the victim’s hotel room using an electronic device, and waited for him to return. Hotel computer logs indicate that an attempt was made to reprogram al-Mabhouh’s electronic door lock at this time.

Initially, Dubai authorities believed al-Mabhouh had died of natural causes. Results from a preliminary forensic report by the Dubai police found that al-Mabhouh was first paralyzed by an injection of succinylcholine (suxamethonium), a fast-acting muscle relaxant. He was then suffocated with a pillow, though their investigation and final report on the matter would not be ready until the beginning of March. Signs indicated that al-Mabhouh attempted to resist as he was being suffocated. The hyper-relaxation mode induced by this drug applies only to muscles – the victim remains conscious. Dubai authorities stated they were ruling the death a homicide and were working with the International Criminal Police Organization to investigate the incident.

Dhahi Khalfan Tamim, Lt. Gen. and Dubai’s police chief, announced on February 18 that, “Our investigations reveal that Mossad is involved in the murder of al-Mabhouh … It is 99% if not 100% that Mossad is standing behind the murder.” Dubai police said the killers spent little time in the emirate, arriving less than a day before the murder, killing al-Mabhouh between his arrival at 3:15 p.m. and 9 p.m. that night, and leaving the country before the discovery of the murder.

The Israeli government initially did not comment on claims that it was involved in Mabhouh’s death. On February 17, Foreign Minister Avigdor Lieberman refused to confirm or deny any Israeli involvement, citing Israel’s “policy of ambiguity” on such matters, and claimed a lack of solid evidence for Israeli involvement. Lieberman even declared that the press “watch too many James Bond movies”. Later the Israeli Deputy Foreign Minister Danny Ayalon, said “there is nothing linking Israel to the assassination.” However, Israeli media and public opinion have generally accepted Mossad’s responsibility for the operation.


The identities used by eleven of the suspects have been publicly identified, based on passports that the Dubai police said were not forgeries, though both the British and Irish governments said the passports bearing their countries’ names were “either fraudulently obtained or [are] outright fakes.” The total number of suspects stands at eighteen, all of whom entered the country using fake or fraudulently obtained passports. Passports used by the assassins were from the United Kingdom, the Republic of Ireland, Australia, France (suspected of being the hit squad leader and logistical coordinator), and Germany.

The names used on the six UK passports and the German passport belong to individuals who live in Israel and hold dual citizenships.
The photographs of 11 of the suspected assassins were added to Interpol’s most wanted list on February 18, with a note specifying that they had been published since the identities adopted by the suspects were faked. Dubai airport officials carried out routine retinal scans on 11 of the suspects sought in the assassination when they entered the country and Dubai police said they would publish the scans through INTERPOL.
Posted on Tue, Dec 13, 2011 by John Jolly

New SMS Attack on Windows Phone Forces Reboot

Attackers can send a maliciously crafted SMS to a Windows Phone, causing it to reboot and disable messaging functionality. “The flaw appears to affect other aspects of the Windows Phone operating system too,” reported WinRumors. “If a user has pinned a friend as a live tile on their device and the friend posts a particular message on Facebook then the live tile will update and causes the device to lock up.” WinRumors and Khaled Salameh, the researcher who discovered the vulnerability, are in the process of disclosing the flaw to Microsoft. “At this stage there doesn’t appear to be a workaround to fix the messaging hub apart from hard resetting and wiping the device.”

 

Interestingly enough, Ben Rudolph, from Microsoft’s Windows and Windows Phone team, is appealing to victims of Droid malware by offering a free Windows Phone. If you have an Android malware nightmare story and you are willing to share your droidrage with the world, Microsoft tweeted “you could win a #windowsphone upgrade.” WinRumors noted this latest PR antic follows one by Microsoft’s Brandon Watson, senior director of Windows Phone development, who placed a $1,000 bet with Scott Adams, the author of the Dilbert comic strip. “Watson offered Scott Adams the chance to try a Windows Phone 7 device. If Adams didn’t like Windows Phone then Watson promised to donate $1,000 to a charity of Adams’ choice. Adams was impressed by Windows Phone.”

With advances in near field communication (NFC) technologies, cybercriminals are probably drooling to exploit smartphones as we all start using our mobile phones as our wallets. In regard to NFC, Microsoft mistakenly told TechRadar in an exclusive “exciting things coming soon” interview that NFC support was coming to Windows Phone 7.5. WinRumors said Microsoft was forced to “correct” that statement with this one: “While NFC is not currently supported on Windows Phone 7.5, it is coming. We expect NFC-enabled Windows Phone devices to ship within the next year.” Microsoft does hold “14 NFC-related patents” which might make a ‘beaming’ file transfer feature available “for Windows 8, Windows Phone and Xbox.”

Will Microsoft’s beaming technology across a “single ecosystem” for phones, PCs and tablets be the future of banking? This concept video suggests this is what Microsoft envisions as the “future of retail banking.”

 

Despite mobile security reports and dire 2012 predictions that Android is the most tempting target for mobile malware writers due to its popularity with users, the NSA is expected to approve the Android OS “to be used on ‘secret’ military networks.” It’s unlikely the NSA would approve of Android if it were truly a “cyber menace.” Mobile malware might indeed be “exploding,” but cybercrooks will target any popular phone as was warned by F-Secure’s Mikko Hypponen at Black Hat 2010 in a presentation titled, You will be billed $90,000 for this call.

Not only is your smartphone a pocket spy with actionable intelligence, and the apps may be listening, watching and tracking you, the better to steal from you, but your cell phone isn’t the only one spying on you. Those Carrier IQ files are being used for “law enforcement purposes,” the FBI confirmed to MuckRock.

Posted on Tue, Dec 13, 2011 by John Jolly

The Public Switched Telephone Network in Transition

The FCC is holding two workshops to examine the transition from the public switched telephone network (PSTN) to new technologies. Circuit-switched wireline voice technology has created a high standard for reliability, accessibility, and ubiquity. Consumers will continue to expect and demand these qualities, even as they shift from PSTN services to services provided over different networks. The transition away from the PSTN is already occurring, and is likely to accelerate. Through these workshops, the Commission will seek input on the technical, economic, and policy issues that must be addressed to minimize disruption during this transition, and to protect consumers, public safety, competition, and other important interests.

 

Posted on Thu, Dec 8, 2011 by John Jolly

A Simple Asterisk Based Toll Fraud Prevention Script (J. Oquendo)

 

After reading about the emerging threats to PBXs and toll fraud, I decided to give a primer to administrators of IP PBX servers. The purpose of this rambling is to offer administrators insight into creating a form of “toll fraud prevention” intrusion prevention system. Most IP PBXs differ, but most have a mechanism to log information, so keep that in mind. As I write this, I’ll be using the Asterisk open source PBX as the framework for my “VTIPS”, Voice Toll-Fraud Intrusion Prevention.

Before I dive into the nitty-gritty, let’s have a concise look at how a “device” registers to an IP PBX. This device could be in the form of an analog telephone adapter (ATA), a softphone, a hardphone or a trunk. IP based PBXs such as Asterisk use usernames and passwords to interconnect with one another. In this sense it is no different than an e-mail account: you’re given a username, a password and a server to connect to in order to send and receive mail. In the case of the IP PBX, you’re given a username, a password and a registrar. (And no Mark - this is not just “how to use strong username/password combos” ;))

Let’s have a look at an extension on one of my Asterisk servers:

[ext1000]
type=friend
context=mycontext
username=ext1000
secret=mySecretPassword
host=dynamic
qualify=2000
canreinvite=yes
disallow=all
allow=g729
allow=ulaw
host=dynamic
nat=no

We see extension ext1000 has a username of ext1000 and a password (secret) of mySecretPassword. If this were email, an equivalent would look similar to:

[john.doe@thisdomain]
username=john
secret=myEmailPassword

While someone may receive e-mail to “john.doe”, what matters is actually the username. This is what is entered in Asterisk’s log entries - it is what we need to watch out for. When logfiles start filling up with a large number of erroneous entries, it’s likely someone may be trying to brute force an account on your IP PBX. If you’re in a production environment, your log entries can be rather large, which makes vigilant monitoring difficult.

Now, there are methods we can use as administrators to make sure that extension 1000 ONLY logs in internally. For example, in the host=dynamic portion we can statically assign an IP address to ensure that extension 1000 ONLY logs in from whatever address is entered. What about road warriors? Remote connections from, say, the VP of sales who might be at a hotel in another state. You can say “IPTables”, but that too can be problematic.

Assuming you have workers who need connectivity remotely, it can be from anywhere: a hotel, their home, a client. Are you willing to block all and have an administrator make a change at three in the morning for a remote worker who needs access? Kind of counterproductive. For starters, just like e-mail, strong passwords should be used; also, just because it is a phone doesn’t mean you couldn’t assign the username joesremotephone. This is one of the beauties of VoIP.

Ridding yourself of the number scheme is a good practice. Most bots attacking machines for the purposes of toll fraud generate connection attempts sequentially. Beginning with, say, ext 100, they’ll likely program their “wares” to attempt to connect to extension 100 first, 101 second, 102 third and so on. This means that if you’re using the numbering scheme, eventually they will reach a valid extension. If you used a bad password, they’ll likely break that in minutes as well. So we should immediately seek to remove the potential for this to occur.

[CompanyExtension1000]
type=friend
context=mycontext
username=CompanyExtension1000
secret=mySecretPassword
host=dynamic
qualify=2000
canreinvite=yes
disallow=all
allow=g729
allow=ulaw
host=dynamic
nat=no

The formatting in username=CompanyExtension1000 is a more difficult combination to guess than username=1000, let alone using a real password as opposed to a dictionary-based password or a numeric password - wouldn’t you agree? With this said, we can feel a little more assured that it would be difficult for a program or someone to brute force an account based off of this scheme. Not foolproof, but far better than username=1000 password=1234. Remember that VoIP won’t have a limitation on the kind of password you can use (numeric, alphabetical, etc). Let’s see if it worked, shall we?


# sed -n '403,415p' /etc/asterisk/sip.conf

[CompanyExtension1000]
type=friend
context=mycontext
username=CompanyExtension1000
secret=mySecretPassword
host=dynamic
qualify=2000
canreinvite=yes
disallow=all
allow=g729
allow=ulaw
host=dynamic
nat=yes

Open up Asterisk: (only relevant information pasted)



myPBX*CLI> sip show peer CompanyExtension1000
myPBX*CLI>
  * Name       : CompanyExtension1000
  Context      : mycontext
  Dynamic      : Yes
  Addr->IP     : 8.6.4.2 Port 2051
  Def. Username: CompanyExtension1000
  Status       : OK (53 ms)
  Useragent    : Cisco-CP7960G/8.0
  Reg. Contact : sip:CompanyExtension1000@8.6.4.2:2051;line=10r6ruft

I’ve successfully connected remotely to my IP PBX. I can send and receive calls without a problem whether I’m using a softphone, hardphone, ATA, you name it - I can make calls. So we have averted the potential of an automated program brute forcing the account without some form of hybrid attack. So how do we stop that…

All connection attempts are logged, as stated previously. The notion is to be able to allow someone to connect remotely without having that person notify an administrator of the PBX: “I will be in a hotel in Japan next week, when I get there should I call you with the IP address so you can allow me to make calls?” How productive is that? Not everyone can afford to have an uber VPN connection to and from the office either. In the real world, not everyone works in the Fortune XXX environment.

So let’s look at a failure:



# tail -n 1 messages | grep -i wro
2009-02-05 12:32:05 NOTICE[25457] chan_sip.c: Registration from '' failed for '221.123.45.67' - Wrong password

We see from the log entry that username 1234 is having password issues; however, this is a valid username. An invalid username log entry would look like this:

2009-02-05 12:14:25 NOTICE[25457] chan_sip.c: Registration from '"1000" ' failed for '22.33.44.55' - Username/auth name mismatch

So how can we mitigate against this username/auth mismatch? This is a big concern. We’d like to be able to watch it in real time; however, we might not want to burden the machine, we may not want the added memory usage, we just might not want to create a start-up script. Whatever the reason, we’d like to be able to check at any given point in time whether someone is attempting to access our PBX using a bogus username combination. We’d also like to ensure that if they do by chance guess a name, they’re blocked anyway.

So how can we do this effectively? From a system administrator’s standpoint, I could monitor my logs using tail in real time; if I see something, I can block it. That would only work if I was monitoring my terminal 24/7. I could use Splunk, syslog-ng, Perl, Ruby; the list goes on and on. The following started off as a one-liner and evolved into a “Frankenstein”-like script that enables me to block repeat offenders. While many would wonder what my reasoning is for not writing an outright program in C or maybe streamlining this to Perl, the answer is simple: no two systems are alike. Just because I have Perl installed doesn’t mean someone else would. Just because I wrote it in C doesn’t guarantee someone else would have the necessary libraries to compile it. What is certain about the script is that if it’s on Linux, BSD or Solaris, it will work on those servers, period. It uses nothing more than baseline, standard commands.





#!/bin/sh
# VTIPS: block every address that failed to register during the current hour.
idjits=`basename $0`
TMPFILE=`mktemp /tmp/${idjits}.XXXXXX` || exit 1
messages=/var/log/asterisk/messages
# Go through the logs, parse out today's date then parse out the hour. The hour keeps its
# trailing colon ("12:") so that grep "$day $time" only matches this hour's entries.
time=`tail -n 2 $messages | sed -n '1p' | awk '{print $2}' | awk -F : '{print $1":"}'`
day=`tail -n 2 $messages | sed -n '1p' | awk '{print $1}'`

# Check this time frame for invalid logins (Username/auth name mismatch) and password
# issues (Wrong password) and sort the offending addresses to a temporary file.
# awk '{print $11}' and $10 yield different things in Asterisk (go figure): when the peer
# name is empty ('') every field shifts left by one. So we go through this two times -
# the results of these two will get sorted a third time. Keeping only dotted quads drops
# the stray "for" and "-" fields that land in $10/$11 on the shifted lines.
for field in 10 11
do
  grep "$day $time" $messages | grep -E 'Wrong password|mismatch' |\
    awk -v f=$field '{print $f}' | sed 's:'\''::g' | grep '^[0-9][0-9.]*$' >> $TMPFILE
done

echo "Creating rules"
: > /etc/dbeats
for i in `sort -u $TMPFILE`
do
  echo "iptables -A INPUT -s $i -p udp --dport 5060:5061 -j REJECT --reject-with icmp-host-prohibited" >> /etc/dbeats
  echo "iptables -A INPUT -s $i -p tcp --dport 5060:5061 -j REJECT --reject-with icmp-host-prohibited" >> /etc/dbeats
done
sort /etc/dbeats | uniq > /etc/deadbeats
# The rule set is rebuilt from scratch on every run; that is what unblocks an address
# once its hour has passed (run it from cron every hour or every five minutes).
echo "Flushing firewall"
iptables -F
echo "Reloading normal rules"
sh /etc/firewall
echo "Adding deadbeats"
sh /etc/deadbeats

date > /tmp/blocked
echo >> /tmp/blocked
sort -u $TMPFILE >> /tmp/blocked
mail -s "Blocked accounts" my@emailaddress.com < /tmp/blocked
rm -f $TMPFILE

Pretty messy, wouldn’t you say? But oh so effective. So what is happening amidst all of that mess of a script? Well, the script goes through Asterisk’s message logs doing two things: it checks for password anomalies, and it checks for invalid users, and it blocks both. The theory is that there shouldn’t really be an issue with someone and their password, and there definitely should not be anyone with an invalid username trying to register. So it blocks them immediately (more on this later). At first I created it to look at the logs, parse out the date, go right to the hour, then look at the anomalies. If userX had X amount of bad entries, then block them out, end of story. Then I thought about this: what if my VP fat-fingered his password? He’d be blocked, he’d complain, so that wasn’t a viable option. “Time based” would work: if it was 3am and he fat-fingered his password, he’d fiddle with his device’s username and password, which would take some time, and within an hour he’d be able to re-register.

By the way, the /etc/firewall file is a static list of rules always needing to be implemented, for those wondering what that file is. Remember, those blocked are thrown in rules that are contained in /etc/deadbeats. You could go about it by specifying something similar to: if a user tries and fails 50 times per hour, then block them (e.g. if [ `wc -l < $messages` -gt 50 ]); there are different variables you could play with.

So the script works like this: 


User --> register --> Bad Information --> Blocked for an hour
User --> fixes information on their own --> register --> service (all is well)
Bot --> random guesses --> register --> blocked for an hour (IP Tables rejects packets)

The notion is that bots would be automated to detect a failure and move on. The script, which is running hourly or every five minutes depending on what I configured in cron, would always keep a watchful eye on what is happening. I have a modified version of the above which e-mails me alerts on who was blocked along with information on who may have been attempting to brute force an account. My personal crontab entry is for 5 minutes. Now my theory is, a brute-forcing bot has five minutes to get into an account; within those five minutes, even if it did manage to brute force an account, it will be blocked anyway, and in the interim I will receive an e-mail notifying me of the offending IP address so I can either implement a static rule to always block them, or change passwords. In the event that a brute-forcing occurrence did manage to get into my system, their damage is still minimized to the duration of 5 minutes. Because most automated brute-forcing attacks usually start with a number - which I don’t use - the likelihood of them being successful is extremely low.

Now, things to keep in mind are: 1) tweak this script to your needs. Don’t shoot me an email complaining you blocked yourself out. This should be tested and modified for your individual system. 2) Account architecture - seriously, you don’t need to use 100 with a password of 100 unless you want to be infiltrated within seconds. 3) YMMV - your system differs from mine. This has proven to be a more than effective and cost-efficient method of implementing anti-toll-fraud. The notion of having an employee upset for an hour versus forking out thousands of dollars in unauthorized calls is a no-brainer.

Recapping: the conceptual framework is there, and I have something almost similar running in a production environment. Since mileage does vary, my version is modified to perform other tasks as well, including sending information to OSSIM and performing a twice-per-day check on registered numbers, not to mention finding anomalies in my CDRs. For example, if I see an extension making say 30 calls in a minute, no-brainer: I can’t think of anyone who’d be able to dial a number consistently every 2 seconds for a minute straight, let alone four minutes.

user --> register --> bad password? (hey poop happens) --> blocked (for an hour)

During this time, the user can attempt to fix their password, double check their entry, contact their support/admin staff.

invalid user --> register --> bogus info --> blocked (period)

No reason to even bother allowing this connection in, really, but in case it was a PEBKAC issue, these too will be flushed from the firewall in an hour. After the hour is up, if they continue to make bad attempts (registering bogus accounts), they will continue to be blocked after the initial instance. In the meantime, any blocking is mailed to the admins to make sense of at the end of the day, which means an admin has ample time to stop a potentially big issue.
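The detection logic of the script above, re-implemented in Python as an added example (not Mr. Oquendo’s code or part of the original post) so that the two failure reasons, the hour window and the failure threshold can be read and tested without touching iptables. The log lines are constructed in the YYYY-MM-DD HH:MM:SS format of the post’s excerpts; chan_sip writes the SIP To header between the first pair of quotes, which is why an empty peer name ('') shifts the awk field numbers in the shell version and why the regex here locates the address by its own quotes rather than by field position. The “Wrong password” threshold defaults to 1 (block on the first failure, as the script does); the 50-per-hour idea from the text is just a higher value.

```python
import re
from collections import defaultdict

# Constructed sample of /var/log/asterisk/messages. chan_sip logs the SIP To header inside
# the first quotes; the "Registration from ''" line is the empty-peer case from the post.
SAMPLE_LOG = """\
2009-02-05 11:59:59 NOTICE[25457] chan_sip.c: Registration from '"9999" <sip:9999@10.0.0.9>' failed for '10.0.0.9' - Username/auth name mismatch
2009-02-05 12:14:25 NOTICE[25457] chan_sip.c: Registration from '"1000" <sip:1000@22.33.44.55>' failed for '22.33.44.55' - Username/auth name mismatch
2009-02-05 12:14:26 NOTICE[25457] chan_sip.c: Registration from '"1001" <sip:1001@22.33.44.55>' failed for '22.33.44.55' - Username/auth name mismatch
2009-02-05 12:32:05 NOTICE[25457] chan_sip.c: Registration from '' failed for '221.123.45.67' - Wrong password
2009-02-05 12:40:11 NOTICE[25457] chan_sip.c: Registration from '"CompanyExtension1000" <sip:CompanyExtension1000@8.6.4.2>' failed for '8.6.4.2' - Wrong password
2009-02-05 12:40:13 NOTICE[25457] chan_sip.c: Registration from '"CompanyExtension1000" <sip:CompanyExtension1000@8.6.4.2>' failed for '8.6.4.2' - Wrong password
2009-02-05 12:41:00 NOTICE[25457] chan_sip.c: Peer 'CompanyExtension1000' is now Reachable. (53 ms / 2000 ms)
"""

# Anchored on the quotes, so an empty peer name cannot shift the address into another field.
LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2}) (?P<hour>\d{2}):\d{2}:\d{2} NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '(?P<peer>[^']*)' failed for '(?P<ip>\d{1,3}(?:\.\d{1,3}){3})' - (?P<reason>.+)$"
)


def parse_failures(log_text):
    """Yield (day, hour, peer, ip, reason) for every failed registration line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("day"), m.group("hour"), m.group("peer"), m.group("ip"), m.group("reason")


def latest_window(log_text):
    """(day, hour) of the most recent failure: the window a cron run would look at."""
    window = None
    for day, hour, _, _, _ in parse_failures(log_text):
        window = (day, hour)
    return window


def find_offenders(log_text, day, hour, password_threshold=1):
    """
    Return {ip: reason} for the addresses to block in the given hour.
    A bogus username is blocked on the first attempt; a wrong password for a real
    username is blocked once it has happened password_threshold times in that hour.
    """
    wrong_pw = defaultdict(int)
    offenders = {}
    for d, h, peer, ip, reason in parse_failures(log_text):
        if (d, h) != (day, hour):
            continue
        if reason.startswith("Username/auth name mismatch"):
            offenders[ip] = "bogus username"
        elif reason.startswith("Wrong password"):
            wrong_pw[ip] += 1
    for ip, n in wrong_pw.items():
        if n >= password_threshold and ip not in offenders:
            offenders[ip] = "wrong password x%d" % n
    return offenders


def iptables_rules(offenders):
    """The REJECT rules the post's script writes to /etc/deadbeats, per protocol and address."""
    rules = []
    for ip in sorted(offenders, key=lambda a: tuple(int(o) for o in a.split("."))):
        for proto in ("udp", "tcp"):
            rules.append("iptables -A INPUT -s %s -p %s --dport 5060:5061 "
                         "-j REJECT --reject-with icmp-host-prohibited" % (ip, proto))
    return rules


if __name__ == "__main__":
    day, hour = latest_window(SAMPLE_LOG)
    blocked = find_offenders(SAMPLE_LOG, day, hour, password_threshold=2)
    for ip, why in sorted(blocked.items()):
        print("%-16s %s" % (ip, why))
    print("\n".join(iptables_rules(blocked)))
```

With the threshold at 2 the single mistyped password from 221.123.45.67 is tolerated while the bogus-username scanner and the repeat password failures are still blocked; the 11 o’clock entry is outside the window, which is the hourly unblocking the post describes.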

Posted on Sat, Nov 26, 2011 by John Jolly

Connect America Fund & Intercarrier Compensation Reform Order and FNPRM

Posted on Sat, Nov 26, 2011 by John Jolly

Shady Illegal Telephone Exchange in India

Illegal VoIP telephone exchange in Gurgaon, India. They are using GSM prepaid SIMs to break out calls onto the PSTN. They circumvent official leased-line call routes by (in this case) using VoIP over the internet. Huge profits can be made by people selling these “grey routes” into India from European countries.

Posted on Sat, Nov 26, 2011 by John Jolly

Operator (AT&T Archives)

A non-linear documentary about operators - male and female, but mostly female - at their work, and describing their work and the type of customers they encounter. A fascinating inside look at the skills needed by operators in dealing with the public. Shot in the style of a Maysles- or Weisman-type documentary. There are clips from a 1913 D.W. Griffith silent film, Telephone Girl and the Lady, at the beginning and end.

“The operator’s job, despite tensions and aggravations, is one which consists primarily of human contact and as such, carries rich rewards.”

Cox went on to direct television in Hollywood and also documentaries for PBS. She now lives in Kentucky and still makes documentaries.

Cox also made “All in a Day’s Work” for AT&T.

Directed by Nell Cox
Song “Operator” by the New York Rock & Roll Ensemble was originally released as a 45rpm record.

Footage courtesy of AT&T Archives and History Center, Warren, NJ

Posted on Sat, Nov 26, 2011 by John Jolly