Russian Federal Guard Service "Upgrades" To Electric Typewriters

Razgorov Prikazka writes "The Russian Federal Guard Service (FSO), who are in charge of protecting high level politicians like president Putin (amongst others), are 'upgrading' to electric typewriters for writing sensitive documents. They have found out that computers pose a security risk and this is their answer to it. On first sight this seems like a very pragmatic and cost-efficient thing to do. However, the FSO has its roots in the KGB and those were the ones who placed keystroke loggers on the popular IBM Selectric electric typewriter 40 years ago! So how much safer does this make them?"

How much safer

[schneidafunk]

I suspect having a device that has only one purpose, as compared to a computer, it is much less likely to be compromised and much easier to detect.

Re:How much safer

[Idbar]

I was thinking, why not mechanical? Wouldn't that save on electricity costs as well?

Re:How much safer

Bullshit, pencil shavings get into equipment and short circuit things

http://www.snopes.com/business/genius/spacepen.asp

Re:How much safer

[kimvette]

Radio shack still sells parts?

Are you sure you mean Radio Shack? The place where their motto is apparently "You've got questions, we've got blank stares?" THAT Radio Shack?

Re:How much safer

[hawguy]

I don't think they got seriously more secure than using a computer with physically destroyed USB and ethernet ports.

I think it's hard to reliably destroy the USB ports for someone that has physical access to the machine and is motivated to get data off - USB is integrated into the core logic chips on the motherboard, so even if you destroy the actual ports, someone could tap into the traces on the motherboard to access the port. Though I guess if he has that much access to the machine, he'd just find a way to write it unencrypted to the hard drive and would take the hard drive with him. (I know there are operating system controls that make it hard to use USB ports or write data where it shouldn't go, but those controls can be bypassed)

If he can find a way to run a binary on the machine, then it's even easier to get data off -- he can just have his app flash QR codes on the screen at 15 frames per second and record it with a camera to get a 45kbyte/sec stream of data. With a good camera and a high res screen he can probably achieve much higher bitrates.

Re:How much safer

[icebike]

Less likely to be compromises?

It may be easier to detect an electric typewriter, because each key-press triggers one or more solenoids, which emit a small electromagnetic radio signal, detectable through walls.

Further you have the burn requirement of the ribbon, because you can often recover the message from the ribbon, especially single use plastic ribbons.

A smarter choice might have been an purely mechanical typewriter, which emits no radio signal, and has a ribbon that is intended to be used repeatedly, lessening the chance of reading the ribbon.

Re:How much safer

[weeble]

The attacker would have to physically implant the bug in the machine, which would take training. Once it's in, however, the bug can isn't limited to wired networks or short range technologies like Bluetooth or WiFi. It could use GSM or SMS with nothing more than parts bought at a Radio Shack.

Not at all and the technology for monitoring the output for typewriters is decades old.

They can be monitored remotely using the vibration in the office windows or using the fluctuation in the electrical current. Monitoring the vibration in the office windows can be done from across the street or further away.

cost.

[gandhi_2]

It's probably cheaper than trying to out-bid American hipsters for old Remington typewriters.

Safer than an Internet Connected Computer?

To place a keylogger on a typewriter you need physical access to the typewriter... to place a keylogger on a computer you need the internet...

I can see the advantage...

Nothing is safe

When your opponent has access to your hardware, you've already lost. That's true whether its a mechanical typewriter, electric typewriter, or a computer.

Keep it simple

[fustakrakich]

No written communications. This whole writing and reading thing is overrated, and apparently can be dangerous.

Re:Keep it simple

"Conversation was invented by humans to reveal secrets. We use it to sweet talk our way into people's business. You know who has safe conversations? Ants. They talk by vomiting chemicals into each other’s mouths. They get right down to brass tacks. Bleh! Which way’s the picnic? Bleh! That way. Humans are more evolved. We spy."

Here's the NSA historical document

http://www.nsa.gov/public_info/_files/cryptologic_histories/Learning_from_the_Enemy.pdf

Re:Here's the NSA historical document

[plover]

Thanks, AC, for the link. Very interesting story!

In an ironic twist, I present this paragraph from page 23 of the report:

"Eight months after the GUNMAN discovery, the story broke in the press. By highlighting the damage, press coverage helped to focus the attention of the U.S. government on improving the security of its information."

Perhaps Ed Snowden or Bradley Manning can present this in their trials.

So Awesome

[Sparticus789]

I was driving by Fort Meade today and I heard a collective scream of "PUUUUUTTTTTIIIIINNNNNNNNNNNNN!!!" coming from the NSA headquarters. Every single PRISM employee screamed in agony.

Sound

[Dan+East]

I remember reading a slashdot story years ago where researchers were able to determine which keys on a computer keyboard were pressed just by the sound they produced mechanically. I would think it would be even easier to use this technique against a typewriter.

Re:Sound

[Dan+East]

Wow, I'm citing 8 year old Slashdot stories.
http://it.slashdot.org/story/05/09/13/1644259/keyboard-sound-aids-password-cracking

Re:Sound

[plover]

Except it turned out not to be the case when the Soviets were bugging the U.S. Embassy's typewriters. CBS News had learned about the original typewriter bugging from a leaker, and in their reporting sought out an expert to explain how the bugs worked. The expert guessed that it was an audio bug. But this technique was refuted in the NSA paper "Learning from the Enemy", on page 18:

"In an article entitled "Tapping the Keys," a bugging expert offered the following explanation of the Soviet bug:

The Soviets must have taken advantage of the way the Selectric types. A metal ball covered with characters spins so that the appropriate character strikes the paper and then spins back to its starting point. The time it takes to accomplish the rotation to each letter is different. A lowtech listening device planted in the room could transmit the sounds of a typing Selectric to a computer. The computer could then easily measure the time intervals between each key stroke and the character being put on the paper, and thus determine which character had been tapped.

[ ], an engineer in the COMSEC organization, who was involved in reverse engineering the GUNMAN bug, explained that the press had a good idea, but it was inaccurate: "IBM Selectric typewriters used a spinning ball to get the right character on the paper. The bug was not based on sound or timing." [ ] further elaborated: "The Soviets were very good with metal. Housing the bug in a metal bar was ingenious. The bar was difficult to open and it really concealed the bug from inspection." [ ], an engineer from R9 who also worked on this project, agreed:

To the naked eye, the bar looked like a single unit. You could not see that it could be opened. The use of low power and short transmission bursts also made it difficult to detect this bug. The bug contained integrated circuits that were very advanced for that time period. The implant was really very sophisticated."

Elsewhere in the paper, the NSA explains the bug was hidden in a metal bar, and magnetically detected the ball moving mechanism.

Re:Sound

[operagost]

So is the front page.

Not all typewriters are ball-type

[davidwr]

The Ball-type IBM Selectric typewriters had a flaw that made it easy to tell what was being said just by the sound and delay between characters. You didn't even have to have the listening device in the typewriter, it could be across the room if it was "directional" enough.

While you could probably decode a lever-type typewriter's activity from just a good sound recording, it's probably much harder.

Oh, and as for trying to decode an inkjet- or thermal- electric typewriters just by the noise, "good luck with that."

Of course, today, if you can plant spy equipment in the room where the person is typing and you are good and well-funded, you don't need to rely on the noise the typewriter makes. Or, to put it another way, if you have a determined adversary who is significantly better than you, it's probably "game over" before the game even begins.

Easy to answer

[Idarubicin]

However, the FSO has its roots in the KGB and those were the ones who placed keystroke loggers on the popular IBM Selectric electric typewriter 40 years ago! So how much safer does this make them?

"Somewhat".

If your adversary has physical access to any piece of hardware, it's impossible to secure. Period. One can install a keystroke logger on a modern computer keyboard as well. Switching to non-networked, 'dumb', electric typewriters doesn't block this avenue for attack.

On the other hand, depending on the typewriter's features, it will be very difficult or impossible to remotely compromise, or to compromise using non-hardware approaches. Entire classes of attacks are rendered irrelevant.

To be fair, this does introduce some new potential avenues for attack--increased physical document handling means additional risks related to moving and securing bits of paper.

Gotta Love Ruskie's Pragmatism

[luis_a_espinal]

"The Russian Federal Guard Service (FSO), who are in charge of protecting high level politicians like president Putin (amongst others), are 'upgrading' to electric typewriters for writing sensitive documents. They have found out that computers pose a security risk and this is their answer to it. On first sight this seems like a very pragmatic and cost-efficient thing to do.

This kind of reminds me of the Colonial solution to Cylon infiltration in the re-imagined BSG TV series. Obviously not perfect, but also simple and good enough. It is not something we in the U.S. - with so much resources to waste (and fall into further debt) would think about.

However, the FSO has its roots in the KGB and those were the ones who placed keystroke loggers on the popular IBM Selectric electric typewriter 40 years ago! So how much safer does this make them?"

It makes them safer from UNWANTED/EXTERNAL infiltration. Infiltration by them is just fine. In the world of political/military security and intelligence, safety does not mean impenetrability. It means resilient to infiltration that you do not want. This is a completely different requirement from the requirement of "safety" as understood in the commercial/private sector.

All US TLAs ...

[PPH]

... should adopt this. It will make spotting people like Snowden easier. Just look for the carbon paper smudges on his fingers. On the other hand, it will make them stand out at DEFCON when they break out their travel typewriters to make reports. And don't forget all of them lining up to use the bank of payphones in the lobby to call in reports.

Anyone else remember...

[TheCarp]

A while back someone did some research and published it on keystroke logging via audio capture. They found they were able to reliably determine what someone was typing just from the sound of their typing. I have to imagine that would work here.

http://www.berkeley.edu/news/media/releases/2005/09/14_key.shtml

Though, maybe they also run white noise generators in the office?

Bull Shit

[RobertLTux]

http://www.snopes.com/business/genius/spacepen.asp

1 pencils are a FIRE HAZARD in space
2 the pen in question was developed by Fisher and sold to NASA (and the russian counterpart)

Re:in soviet russia

[ackthpt]

Pre-flight instructions for passengers about to depart Russian airports:

Please turn off all electronic devices, including mobile phones, laptop computers, tablet computers and electric typewriters...

Protect the ribbons

[T.E.D.]

In this modern era many people forget that typewriters had a *huge* security hole. The ink ribbons they used, in the right hands, were practically a "tape backup" of everything typed at that typewriter.

Mylar ink tape

A record of all keystrokes is stored on the mylar ink tape used in the Selectric. You need to incinerate the ink cartridge after use to keep things secure.

Re:in soviet russia

Would you believe that Maxwell Smart (agent 86) figured that out years ago while working for Control. Not only computers but shoe phones pose a security risk. That's why we have Cell phone and not Shoe phones. The only way to have secure communications is to use the "Cone of Silence" when discussing anything of importance.

Re:Physical access?

[Bill,+Shooter+of+Bul]

Stuxnet jumped the air gap just fine via jump drives and other sneakernet tech.

The ultimate vulnerability

[gmuslera]

... is always people. Even if is just by stupidity (like going to one of those meetings with a cellphone), but could be plain malice, double agents or blackmailed "safe" people (and with all the data of the world you have plenty of material to blackmail anyone).

And thats the most worrying thing about NSA and associates snooping, you are getting 5 millon extra vulnerabilities in everything that surrounds all your data.

Pigeons

[cute_orc]

I think it is right time to train pigeons.

Now all you need are two typewriters that are...

[aristotle-dude]

joined by quantum entanglement and you can send messages across vast distances like they do in Fringe across universes.

Re:It's not as unsecure as you'd think

[ponraul]

You don't need to install a keylogger, it already has one built in; the ribbon.

Re:Physical access?

[pellik]

That's where social engineering comes in. You call up the grunt employees and start saying big words like 'firmware update' until they just start doing whatever you tell them to.