Comms, Hardware and Software Solutions for Technothriller Adventurers in March, 1991

Fair enough. The adventuring tech support man, Hrafn Eirik Thys, would have high skill and familiarity in multiple European countries, but not have familiarity or even Cultural Familiarity in former East Germany or Poland, until very recently behind the Iron Curtain.

What he could have would be the sevices of an agent who is an astrophysics graduate student at Humboldt and deeply involved in esoteric wargaming and science fiction fandom, in order to help him overcome unfamiliarity penalties in Germany and perhaps even Poland, if said SF fan and future astrophysicist connected to the BBS of like-minded folk in his neighbouring socialist republic, before the Solidarity-led government in Poland and the re-unification in Germany.

The agent properly belongs to the DGSE, but as long as no DGSE funds are used to pay him, it is highly unlikely they’ll ever discover that a minor tasking for the agent was not in support of a proper DGSE operation, but originated from a senior officer using his access and security clearance for personal purposes.

It will be out on June 5, 1991. The date of the first mission will be in March, 1991, and it might be years of playing before summer arrives in the campaign. Or it might go faster than that, but I’ve rarely done significant time-skips I’m happy with, as there never seems to be a time when no PC has something time-sensitive going on. Generally personally, rather than professionally, as personal relationships are hard to hit pause on. Time-skipping into the next professional engagement without resolving personal tension between the rival frenemies or leaping over what appeared to be a romantic overture by one half of the ‘will they/won’t they’ couple, without any kind of of melodrama, would be to ruin the best parts.

At worst, the PCs and their supporting characters will rely on late 1970s encryption, such as burst-transmitting radios with electronic keyboards which also served as encryption. Yes, the oldest models they would have access to would be very feeble encryption, at 16-bit, but for the most dangerous missions, they would hopefully have access to high-end Swiss encryption devices.

Alternatively, if they had reason to fear that their recruiters might be searched well enough to find any encryption devices or transmitters, they might not carry any cryptographic materials or communications devices at all. They would go completely Moscow rules (maybe even in Moscow), using no communications other than subtle signals visible to their handler and security team, with the placement of a vase, arrangement of flowers in a window or the partial drawing of the curtains serving to signal certain pre-agreed messages, and anything more detailed sent in notes to be burned after reading, passed through dead drops or brush passes.

Common encryption solutions used by intelligence and security services in the period might be up to 128-bit and were generally made for radios or they sometimes relied on POTS and an acoustic coupler to send and receive. Several cipher machines were designed to be carried in your luggage or briefcase and allow you to send encrypted text through any telephone, such as one in your hotel room. For radio, it usually also relied on burst transmission and burst transmission for encrypted text or Morse code obviously allowed shorter ‘phonecalls’ if you were relying on POTS from a hotel room, but I’m not sure whether that would work when what you are sending is a message to a BBS.

In the US at this time, and a little before, BBS’s were of two kinds. One was publicly available. These sorts were listed in guidebooks (paper or on other BBS), on (physical) message boards at computer stores, etc. Anyone who knew the phone numbers could call up and access it, at least to read or access files. Sending messages to other systems (via fidonet) had rules and was often restricted to ‘trusted’ or paying users. (the one I used most often let you send messages to a couple local systems, wider fidonet access required subscribing.)

the other sort were private, and you had to be invited. some of these were on fidonet, but the ones with all the pirated software usually weren’t. Some sort of underworld knowledge skill would help here…

Note that fidonet net mail was slow. fidonet used a hub and spoke system, with tiers. Systems often exchanged messages with other systems only once a day, often using a couple of intermediate hosts to bundle messages and reduce the number of long distance calls (there was a formalized system to do this, paritially encoded in system numbers). It could take several days for a message to arrive at the destination, assuming everything was working properly (not a given). Things could be sped up, and there’s some adventure sidequests there…

Pictures were exchanged at much lower resolution and with more compression than is currently the case. You didn’t try to send them over 300bps links, but you’d send small ones over 1200, and slightly bigger ones over 2400. Note that JPEG is a fairly good format for steganography, but altering the compression of a JPEG will destroy any message within it.

Obligatory XKCD:

Very good. So, if Hrafn Eirik Thys, computer criminal and cocaine enthusiast, were to do his own compression of pictures, he could manually insert steganography messages before sending them?

And, in a case where security were more important than rapid communications, he could encode the message so even if someone knows which pixel to click, they don’t get a clear-text message, they need to decrypt it with a book code, the same kind of electronic cipher machine he has or, for maximum security, a one-time pad?

Ah, how well I remember, the pixelated breasts of my youth.

Until the Solidarity-led government came to power in Poland in 1989, connecting a computer to a phone line was illegal without explicit permission from the authorities. All BBS activity was illegal activity by its very nature. By spring 1991, the new government would probably not use legislation which they are in the process of changing against technophile students and formerly underground BBS may have recently started to advertise on bulletin boards in those universities where there is a faculty of electronics engineering or computer science.

Germany is clearer, in that until unification, connecting computers to phones was illegal in what was then DDR / GDR / East Germany, but as soon as the two countries became one again, the federal laws of what had been BRD / FRD / West Germany applied to in all of unified Germany. So, for the past two and a half months before the start of play, BBS enthusiasts in Humboldt University in Berlin, TU Berlin, TU Dresden and other universities in former East Germany with strong STEM programs could have advertised without fearing arrest for that alone.

Of course, if they are exchanging ‘hacking’ or ‘phone phreaking’ tips and passing along pirated software, they might still rely only on word of mouth among trusted peers, in which case Area Knowledge (BBS Scene) with Cultural Familiarity and regular Familiarity penalties would be required to find them, or someone could use regular investigative skills and methods, or asking around on university campuses using Current Affairs (Science and Technology).

Mostly, though, it doesn’t matter what the people at the BBS discuss, not for the purposes of getting out messages. It just matters that you can send a compressed JPEG (which could as irrelevant to their actual espionage as a Far Side or Dilbert comic) and that compressed JPEG can make it to the point person for headquarters, stationed in Geneva and monitoring a BBS and/or multiple methods of networked connections, through access to CERN computing resources.

Hrafn Eirik Thys has a partner, Layla Mohend. Basically, their partnership works in that he knows a staggering amount of stuff about technology and how to make illegal contacts, acquire criminally-useful information or access and sell stuff they should not have, over message boards or other networked means, and she knows enough technology from him teaching her about it to sneak into secured facilities with internal networks to install malware, connect a networked computer to Hrafn’s terminal or conceal surveillance equipment there.

In GURPS terms, Hrafn has Area Knowledge (BBS Scene) and Contact Groups among people willing to do ethically questionable and possibly illegal stuff over computers, but only modest Streetwise skill, while Layla has high Streetwise skill for getting along in rough neighborhoods or dealing with criminals in person, but only a default in Area Knowledge (BBS Scene) and only knows the ‘hacker’ and ‘phreaker’ contacts Hrafn has through him.

Okay, what are some methods to speeding up the sending of messages to headquarters, other than knowing at what time of day the daily exchange of messages happens and sending yours just before that?

A Numbers station - Wikipedia gives you a decent outbound channel, but anything you can do in the other direction will be conspicuous to the opposition. It’s a tradeoff.

I have no idea of their backgrounds, experience or connections to know what they might have known; nor whether they care as they were creating fictional versions of the “modern” world. I do presume from the game content that they had done some sort of research and costing of what technology was commercially available (at least in the “West” or Japan) and what could have been available to sectors of the military and intelligence agencies. Of course some technological aspects do seem highly improbable - cybernetics, for example - but I didn’t have reason at the time to believe that their communications equipment were unrealistic.

I would say that recent events have shown that some elements of the genre have proved not to be so far fetched though, such as well funded secret organisations and criminal networks infilitrating all levels of society and remote hidden lairs concealing dangerous activities. Even technologically; I remember my A-Level Physics teacher talking about development of ultrasound technology harnessing natural resonance as potential weaponry back in 1990/91, which came to light during recent events in Venezuela.

“Your time travel mission is to go to 1945 and sit hard on Ian Fleming before he writes down his superspy fantasy, so that late 20th century idiots don’t take it as a template. Here’s some gin.”

Change the timing and/or change which remote systems were called up. The normal fidonet hop systems was designed to reduce the total long distance bill, at the expense of latency. If a sysop was willing to pay the phone bill, they could call their regional hub more often, or call a destination system directly. You could also have the destination call the source, and I can imagine an expat community in the west paying for that to happen, so they could exchange messages from home.

The most straightforward way to do these things is the application of money, but a resourceful adventurer can surely come up with others.

Software, not even necessarily pirated, is probably a better vehicle for a hidden message than images. JPEG wasn’t formalized until 1992, and support was limited after that. Gif and bitmap is what I remember from the early 90s.

The way I understand the technology is that if the numbers station were in Austria and used to instruct recruiters, ordnance and vehicle procurers or any support staff with their next tasks, target or rendezvous, even if the KGB, or the security service of any of their satellites who still care what the Soviet Union wants, were absolutely certain that it was being used to broadcast messages to spies somewhere, they would have no way of knowing where?

It could be in Germany, Poland, Czechoslovakia, Hungary, Romania, Yugoslavia, Odessa, Kiev, Moscow, Leningrad, Arkhangelsk, Vladivostok, Tashkent or Baku, but they have no way of narrowing it down from the simple fact that a numbers station is broadcasting from Austria?

And, due to Austria’s legal quirk of not criminalizing espionage unless it is against Austria, even if the USSR could send a request for police assistance to Austria through Interpol (a process which takes at least two orders of magnitude more time than Hollywood shows), Austria would almost certainly politely decline to do anything, on account of no Austrian laws being broken. If they could bring substantial pressure to bear, it would, at the very most, yield Austrian police looking for the sender and asking them if they could move it along, please, they were disturbing the neighbors.

Only if the Soviets or their allies found spies with their radio receiver set for the frequency of the numbers station and/or with code books or one-time pads next to them while decoding the message would they be able to connect someone to the Austrian transmission.

Some other way for the spies to communicate with their home base and headquarters would have to be found, of course.

Reports which aren’t time-sensitive could possibly be sent using a modem and acoustic coupler or phone jack combined with POTS to a local (and unaware) BBS, from whence it would eventually find itself downloaded to the computer of someone who knows how to access and decode the report. Or an even more circuitous route, hand-written in tiny letters and code on flash paper left at a dead drop, where a cutout retrieves it and passes it to the support staff, which handles the actual sending of the report, whether through the phone system (with or without the use of computers and a BBS or similar) or using encrypted, burst-transmission radio.

Time-sensitive messages would be simple pre-arranged visual signals, like the colour of a tie, the position of a vase in the window or the use of the left hand to scratch the right ear, with meanings that range from ‘Stay away, I’m compromised!’ to ‘Get me out now, before I’m caught!’

We can have the communication station charged with receiving messages from people in the field, and sending them any information which they request, connect to anything and everything to which they are allowed to connect, so they’d have phenomenal connection speed and as many phone lines as could be installed somewhere with a cover as a communications technology company, near CERN in Geneva, Switzerland.

They could call a variety of BBS in the target countries, including the ones being used by field people, many times a day. Even possibly several times per hour, if events were taking place which might require fast response times.

If it’s possible to apply money to it without being suspicious or leaving a trail pointing at the espionage activity, there is a substantial budget. But if you are making use of a local BBS, you might not be able to change what they are willing to pay in phone bills, at least not without asking them to change their habits, which would usually be too suspicious. You could become a paid subscriber if that gives your messages priority, but that moves you from a username which connects from various different phone lines, to someone traceable through bank records.

Good point. It would take someone going through the code manually to find a concealed subroutine with encrypted text and people would be exchanging all sorts of programs. Given that Hrafn was and, really, still is the same sort of early computing youngsters as the students he’d be exchanging messages with as cover, it wouldn’t be hard for him to give them some actually useful code he’s written, just slightly larger than it has to be in order to conceal a message in it.

It seems like a somewhat roundabout way to do research.

For one thing, GURPS High-Tech: Electricity and Electronics exists, so if the goal is just to consult an RPG manual, it would probably be better to consult one where I know the goal was to accurately represent the technology in question, not to emulate Bond movies or cartoons about ninjas and superspies, and know that the authors and playtesters take their historical research seriously and try their very best to note what is realistic and what would only be available in cinematic campaigns.

Secondly, what real intelligence and security agencies were using during the Cold War is a matter of history now. Much of it is no longer classified and you can find it in museums. Like Cryptomuseum.com, where I found some data on this cool Gretacoder 906, and all sorts of other possible radio technology.

Thirdly, Roger Bell_West and John Dallman are actual primary sources, because they were young men and likely using Internet precursors at this point in time. And I hope very much that many other discoursers here are as ol… erhm, that is, venerable and wise, as they are. Primary sources make me much happier than sources where I don’t know which facts might be simply made up and which might be the result of the author doing some research of their own.

Steganography isn’t likely to be defeated by knowing which pixel to click - if you send me a file and I open it in a graphics viewer, the individual pixels won’t be clickable.

But if I open it in a text editor, I can then use that to decode the text that you’ve hidden inside the image.

(You can see this even now - take a word.docx file and change the suffix to .zip - because that’s what modern MS Office documents are. You could easily add a text file into one of the sub folders, change the suffix back to .docx and it’s very unlikely that anyone would spot it. Word would just ignore the text file as irrelevant.)

Indeed. You need to insert the message after compression in a lossy format like JPEG. Someone could however write a JPEG format checker that would spot something was odd about the file. It’s probably better to hide the message in an uncompressed image and then use lossless compression, like GIF or PNG.

You need custom software on the receiving end to get a “click on a pixel for the message.” This might make more sense if I explain the basics of how this works.

An uncompressed digital image consists of numbers. Those numbers represent the colours of the pixels. In formats intended for photographs or photo-like images, there are three numbers per pixel, usually for the amounts of red, blue and green in the colour of the pixel. Those numbers are usually in the range 0-255, where 255 is “all the ” and 0 is “none at all.” Some values are easy to understand:

(Red=0, Blue=0, Green=0) represents black.
(Red=255, Blue=255, Green=255) represents white.
(Red=128, Blue=128, Green=128) represents a mid-grey.
(Red=255, Blue=0, Green=0) represents a bright red.
(Red=0, Blue=255, Green=0) represents a bright blue.
(Red=0, Blue=0, Green=255) represents a bright green.

With me so far?

To hide a message in the image, you need to start with the individual characters it’s made out of. Those have standard representations as numbers. In the early 1990s, those were also numbers in the range 0-255, because that’s a convenient range for almost all computers. But you don’t try to use those codes directly as RGB colour values, because that does not produce plausible pictures.

Instead, you spread the information out. You do that by establishing a convention for how you hide information in an image. There is a hilariously large number of possible conventions. I’m going to invent a vey simple one here.

We will hide one character in each row of pixels. The first character of the message is in the first row, the second in the second row and so on. That simplifies the problem to just dealing with a single character and a single row of pixels.

We look along that row pf pixels looking for the first one where the RGB values are all even numbers. We should find one of those in most rows. If we don’t, we randomly pick a pixel between a third and half-way along the row, and alter the values to even numbers, keeping them as similar as possible to the pixels on either side. Now we have our start point.

We skip the next pixel in the row, and then start encoding our character. It’s a number between 0 and 255, but we can also interpret that as eight separate “bits”, which each have values or either 0 or 1. We encode the 8 bits separately, in the 8 following pixels. We put the first bit in the blue value of the first of those eight pixels, by making the value even if the bit is 0 and odd if the bit is 1. In the next pixel, we store the second bit in the green value, using the same method. We store the third bit in the red value, and then carry on repeating the cyclke until we’ve stored all eight bits.

This works because the colour difference produced by adding or subtracting 1 to a colour value is tiny, and most people won’t notice it.

I made up this convention while writing this post, and it might produce some distinctive visual effect. The only way to find out would be to write the software to create images with hidden messages and see if they look different. You also need decent colour vision for that check; different kinds of colour vision defects might make it more or less obvious.

Given the frequency with which hardcopy glamour and porn magazines were scanned in the period, creating a convention that creates effects that look like creases in paper might be worthwhile.

Well, specifically, a pixel in a picture adorning a post full of innocent and boring text serving as the hyperlink to the real message, which was still encrypted, was allegedly actual tradecraft from the 2000s. I was wondering how to simplify it for the technology where hyperlinks weren’t even things yet, but truthfully, the most important part is that you can conceal the message in something innocuous.

Obviously, if someone analyzes the message with the idea that it probably has a hidden meaning or something, and that someone has professional level skill in the technology, they’ll find it. The bet being made by the planners behind this whole thing is that with perestroika, glasnost, the end of the Warsaw Pact, the opening of borders and flood of people trying to connect with long-lost family in the next country or just know more about the West, is that the KGB and its satellite services are swamped.

They’re already suffering from a total freeze on all spending of foreign currency, which ends most of their still-running intelligence operations, or forces them to try to spend valuable time convincing agents to give them information in return for future promises. And, frankly, way more than half of the GRU and KGB are either already planning for their future in private industry or they’ve already started working for themselves, without bothering to tell anyone that they no longer work for the State.

Even if some small part of the counterintelligence and security services actually cared more about the cause they serve than their own future, or the fact that their state is probably more threatened by one side or another in domestic politics trying a coup at the last moment than anything foreigners are doing, well, this isn’t 1986 or 1988. There aren’t just a few foreigners in Moscow, each with a full surveillance detail, and their room bugged.

There are unprecedented numbers of foreign journalists, diplomats, political hacks, tourists and, yes, spies, travelling to Eastern Europe and the USSR, because they’ve started approving visas like it’s going out of style. Why? Because all of them arrive with, and, spend foreign currency, you see, changed at the exorbitant official rate, which has gone up by an order of magnitude recently, but is still three times better than the real market rate. This is what a country going broke looks like and it looks like all the security precautions take a back seat to trying to somehow stabilize the ruble.

Leaving aside the recent chaos sweeping through Eastern Europe and granting that the KGB and its satellite services trained disciplined and skilled counterintelligence and surveillance people, information technology is a fast-growing field at the moment. Formal academia, curriculums, corporate and business software, in short, all the fields which the KGB and GRU spied on, are not at the forefront of connectivity and Internet precursors. It might have happened among students and on university-owned computers, but people around the world sending each other fairly mundane messages, funny pictures or, well, porn, it isn’t something the KGB employs many experts on. Charitably, their experts are some months behind the cutting-edge, and it might even be years, and during the development of technology which changes week by week, that is a very long time indeed to be behind.

Could they still determine that what appeared to be a scan of a Far Side comic or a Playboy centerfold, or, for that matter, a very low resolution game to shoot blaster shots at janky alien spiders moving according to simple patterns, which was a clear violation of Space Invaders IP, actually contained a message? Yes. What are the odds that they pick this particular one out of the many, many connections to foreign countries that their own citizens have started to do, in flagrant violation of all laws? Astronomical.

All the message has to do is look innocuous enough so that no one ever analyzes it. Look as much like the rest of the messages there as they can manage, but hide regular reports in some of their traffic.

Yes. Asymmetrical broadcasts like that are as old as broadcasting, and you have to run them all the time, so it’s not obvious when real traffic is happening.

One of the reasons I suggested using software as the cover letter for the messages from your operatives was they got passed around, and didn’t have to be sent directly to a specific address. The enemy might figure out there were hidden messages, they might even catch the sender, but it would be impossible to know who they were sent to.

The chair is under the table. Rooster crows at sunset. The chair is under the table. Rooster crows at sunset.

Okay - that’s two different things - if you’re looking at an image in a hypertext browser, then yes, that’s possible, though I don’t really see how you’d hide it - if the link is clickable, then the link is visible - anyone looking at the code would see it.

And hyperlinks existed in 1991. Web pages didn’t though

Anyone looking at the code, yes. The goal was to hide it in normal message traffic, so that when viewed by someone looking through an immense volume of online posts and correspondance to see if anyone was saying something critical of the government or otherwise requiring action of the secret police would have no reason to scrutinize that particular message more than others.

I thought early Internet precursors like BBS didn’t have hyperlinks in early 1991, espscially not ones found in areas which were behind the Iron Curtain only a few months before. Tim Berner-Lee had already invented the World Wide Web by then, with all the familiar protocols like HTTP, HTML and URL, but as far as I can tell, you’d have to have decent connections on both ends, as well as people using Berner-Lee’s work, which he’d barely started to share. Eastern Europe had BBS, which were proliferating at great speed once it was no longer illegal in former East Germany, Poland and Czechoslovakia to connect a modem to a phone line without government approval. So, finding and accessing local BBS, even ones connected to FidoNet, and hiding your messages in their traffic would be practical.

I thought that finding local Internet precursors using modems and phone lines to share formatted text and potentially-hidden hyperlinks would be far less likely and would require better connection speed to access and send without remaining on the line for too long.

But that check is such a trivial thing to automate, even at the time.

People like the Stasi were used to going through hours after hours of audio recordings - I really don’t think they’d have been phased by the typical volumes of a BBS of the time - especially a small obscure one where you might see a dozen posts a day.

I think you’re conflating a couple of things. Hypertext existed long before TBL - Ted Nelson and Doug Englebart were writing about it in the 60s, and Prof Wendy Hall was building hypertext systems in the very early 90’s at Southampton Uni. TBLs genius was adding that to the internet, but even as late as '94, when I was lecturing on this at a Library school, it wasn’t a given that the web would be bigger and better than the current set of online resources like GOPHER.

The Internet (as in the collection of protocols that underly modern communications like TCP/IP) was striving in the universities sector, and at the time in the UK at least, most computer labs were largely self-monitored, and there was very little security on most university buildings. Members of the public could and did wander around, and I know when I worked at Brighton Uni, a lot of ex students still used to come in and keep their accounts active so they could access the internet. Given no one was paying fees at the time, there was less pressure on unis to close accounts down, and a quiet word with the friendly CompSci student supervisor at the time would likely get you access.

The same might not be as true in Eastern Europe - but there would still be an element of that available.

You have to consider the numbers - best estimates I can find of total number of internet users in 1995 was around 16 million globally. That’s after 4 years of the web being available, and 2 years after Mosaic and Netscape turned everything graphical.

You might do better looking at USENET - that had very active groups, including ones that posted binaries so you could (very slowly) download software and images from there. Use that for your steganography.

Or telnet to a server to use the software on there, which could include telnet to allow you to go to another service, then another one, then another one - the authorities would only see the connection to the first server. That’s how I first used the web, by the way. Telnet to cern.ch