SWS Security
White Papers
"In God We Trust. All Others We Monitor."

From the Listening Post

Issue #2


Hi all,

Spring has sprung. The grass has riz. I wonder where the birdies is?

As a quick recap, this column is a technical question and answer forum discussing topics of concern to the technical investigator. Most will relate to electronic surveillance, communications or electronics in some form or fashion pertinent to law enforcement. There will be some soapbox also – my privilege as the author!

Submissions are from readers via email. I’ll generally get a personal answer off to you in short order. Submissions of general interest and my reply, edited to remove sensitive or identifying info where necessary, will be printed here. Please feel free to comment on anything. This is an interactive column!

So there.

First, some peanut gallery:

How are you on basic electronics? You have to crawl before you can fly. Can you answer the following in the time it takes to draw a breath?

  • 1) What’s the period of a megahertz?
  • 2) What’s the direction of current flow in a battery powered circuit?
  • 3) What’s the definition of resonance?

    Answers at end of article.

    Following up on a topic from last issue, another spyware ID and removal program is Spybot.

    Spybot is a utility for finding and removing malicious code in your computer which sends info you don't want sent to people you don’t want it sent to, all transparent to you. This includes stuff like your personal info, sites you visit, stuff you download, etc. Spybot was rated #1 last month by PC Magazine, and is FREE. You donate if you think the thing helps you, like with Mailwasher (http://www.mailwasher.com), the premier spambusting utility. The info these spyware routines collect on you is sold and resold and resold to spammers. Since they then know who you are and what you do, what your interests are, etc., they can send targeted spam to you.


    There are three built in things in Windows which report your configuration, identity and activity with certain applications to Microsoft and somewhere else. They're there just by virtue of your having the operating system. All my machines had the same three hidden 'spy' routines to built-in Windows applications, on both W98 and Windows 2000 operating systems. Spybot found them and pulled them out. I have inspected a number of machines for others with Spybot and found usually between a dozen and three dozen malicious applications. One guy had over 100, because he lets his kids play with his computer unsupervised. It's nearly impossible to be active on the web without having some of these things infect you unless you happen to be extremely anal and paranoid and run all sorts of security. If you let kids (of any age) use your machine or you use it as a toy, it's not wise to use it for business. Computers can be a tool or a toy, and never the twain shall meet. If you try to mix the two, you're almost guaranteed problems.

    Be sure to read and understand the instructions. Removing the malicious code attached to some free sites and programs, like Kazaa, will disable them. If some site or program seems to give you a lot of stuff for free, look closely. It's not free. They're gathering info on you and your web activities, and selling it to nasties. Use a utility like Spybot to deny them that info, and the ‘free’ packages refuse to run unless you reinstall them. If you run into that, that should tell you something.

    Spybot is very easy to use in beginner mode, and you don't have to understand anything. It will hold your hand and walk you through things and explain what is and is not a problem and suggest what action to take and any potential consequences of that action. And anything you do is reversible.

    Be sure to donate something to the author if you use the thing.

    I won’t go much into computer security as it’s not really my thing, not totally in keeping with the mission statement for this column, and the topic is much better addressed by others elsewhere in this magazine.


    A technical specialist in Ireland asked the following:

    After 8 years replacing blown equipment in our comm center every time there is a lightning storm I've finally decided to address the matter of GROUNDING. About all I know is equipment should be grounded and everything in the facility (including building electrical) should have a COMMON ground. Well, the comm center is at the opposite end of the building from the electrical ground. To couple the building electrical ground and the comm center ground rod would require a trench approx. 30 meters long... it's not going to happen soon so I'd like to address just grounding what I can for now. The building is over one hundred years old. Steve, what can you recommend?

    There is a world of difference between 60 cycle power grounding (50 cycle in your case, but the principles are the same) and protecting equipment from lightning and surges. That makes it fun when you hire electricians to do some of the install. They don't understand and argue with you. A 60 cycle power ground is an open circuit to lightning. Figure lightning is around 70 megacycles for purposes of calculating.

    You hear a lot about ‘single point ground’. The reason for a single point ground is to prevent voltage drop across ground. A nearby lightning hit induces a LOT of current in any nearby conductor. Multiple paths to ground induce a voltage difference between the different points, and this voltage will force its way to ground through your equipment.

    Figure what a few hundred, or a few thousand, amps will do across a few Ohms difference in ground.

    You need a low impedance ground. That is very difficult to achieve. Lightning does not turn corners. You cannot bend conductors in less than a certain radius. Large solid conductors are worthless. Braid is slightly better, but still has far too much inductance to give you the low impedance path you need. Remember higher frequencies travel on the surface of the conductor, not through the middle. This is called the ‘skin effect.’ Because of this, many components in high frequency antenna systems actually are hollow pipes. No sense in having the expense and weight of material which the RF never will see. Look in a large transmitter and you’ll see it plumbed with tubing or pipe for this reason.

    So a solid heavy gauge wire like you see used really is of little value as far as providing an easy path for lightning and power surges to travel. You want a lot of surface area.

    Solid copper strap is the best for interconnecting components of the ground system. Lots of surface area which is what matters. 1.5 inch is minimum. 3 inch is better. Wider is necessary for longer runs. It comes up to 6 inch in width. 1.5" will do for 95% of installations. Polyphaser Corporation http://www.polyphaser.com is my preferred source for all this stuff – protectors, grounding components, etc. They publish a book on effective grounding which is worth the money. You need proper protectors specific to each type of equipment. There are 60 cycle protectors for line voltage. There are modules for data, telephone and low voltage. Various inline types for coax. See Polyphaser's website.
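The effect of frequency on a ground conductor can be put in numbers. The following is an added example, not from the original column: it applies the column's 60 cycle and 70 megacycle figures to standard textbook approximations for skin depth and straight-conductor inductance. The 15 m run, the AWG 6 round wire and the 0.4 mm strap thickness are constructed values.

```python
import math

MU0 = 4e-7 * math.pi   # permeability of free space, H/m
RHO_CU = 1.68e-8       # resistivity of copper, ohm-metres

def skin_depth_m(freq_hz):
    """Depth at which current density has fallen to 1/e of its surface value."""
    return math.sqrt(RHO_CU / (math.pi * freq_hz * MU0))

def wire_inductance_h(length_m, radius_m):
    """Straight round wire, low-frequency approximation (length >> radius)."""
    return 2e-7 * length_m * (math.log(2 * length_m / radius_m) - 0.75)

def strap_inductance_h(length_m, width_m, thickness_m):
    """Straight flat strap (rectangular bar) approximation."""
    wt = width_m + thickness_m
    return 2e-7 * length_m * (
        math.log(2 * length_m / wt) + 0.5 + 0.2235 * wt / length_m
    )

def reactance_ohm(freq_hz, inductance_h):
    """Inductive reactance X = 2*pi*f*L."""
    return 2 * math.pi * freq_hz * inductance_h

def rf_resistance_ohm(freq_hz, length_m, perimeter_m):
    """Resistance with current confined to one skin depth around the perimeter.
    Only meaningful when the skin depth is much thinner than the conductor."""
    return RHO_CU * length_m / (perimeter_m * skin_depth_m(freq_hz))

def compare(length_m=15.0, power_hz=60.0, surge_hz=70e6):
    """Compare a round wire and a 1.5 inch strap of the same length."""
    wire_r = 2.06e-3                   # constructed: AWG 6 radius in metres
    strap_w, strap_t = 0.0381, 0.0004  # constructed: 1.5 in wide, 0.4 mm thick
    shapes = {
        "wire": (wire_inductance_h(length_m, wire_r), 2 * math.pi * wire_r),
        "strap": (strap_inductance_h(length_m, strap_w, strap_t),
                  2 * (strap_w + strap_t)),
    }
    out = {}
    for name, (ind, perimeter) in shapes.items():
        out[name] = {
            "L_uH": ind * 1e6,
            "X_power_ohm": reactance_ohm(power_hz, ind),
            "X_surge_ohm": reactance_ohm(surge_hz, ind),
            "R_surge_ohm": rf_resistance_ohm(surge_hz, length_m, perimeter),
        }
    return out

if __name__ == "__main__":
    print("skin depth at 60 Hz : %.2f mm" % (skin_depth_m(60.0) * 1e3))
    print("skin depth at 70 MHz: %.2f um" % (skin_depth_m(70e6) * 1e6))
    for name, row in compare().items():
        print(name, {k: round(v, 4) for k, v in row.items()})
```

The same conductor that looks like a few milliohms of reactance at 60 cycles presents thousands of ohms at 70 megacycles, and the strap's larger perimeter gives it several times less RF resistance than the round wire.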

    Cheap protectors (99% of them regardless of price) are single stage. They are of minimal use. Polyphaser uses typically 3 stages. The idea is, you need to grab and shunt to ground a very quick pulse before it gets to your equipment. Components which turn on quick enough cannot handle much current. Components which handle adequate current take a long time to turn on.

    Therefore a properly designed protector typically will have three stages, to turn on early and start shunting and provide protection while the longer, higher current stages take their time starting to turn on. You also want protectors which fail in the SHORTED position, which is unusual, so when they fail you are forced to replace them. Separately fuse anything on a power buss for obvious reasons.

    Then, once you grab this quick surge, you need to do something with it. Feeding it into the 60 cycle power ground is a worthless effort as mentioned above. This especially is true of ‘surge protector power strips’ as you see on computers or other electronics. Dumping a surge into the power ground is a waste of time. You need to get rid of it in a hurry, hence the low impedance ground. A low impedance ground means one where these fast, high energy surges can travel to earth ground with the least resistance.

    The single point ground, usually a large copper plate on which all protection devices are mounted, gives you a common ground to prevent voltage drops across ground as mentioned. Everything is grounded to this same electrical point. This single point ground is grounded to earth with copper strap. Up to 50 or 75 feet or so is OK for 1.5" strap between the single point ground and the ground rod.

    Ground the mains power going into the equipment with the appropriate protector. Don't worry about a long trench to ground the entire building electrical system. Then this strap has to go to ground, using proper 'saddle' clamps and preparation of all copper (strap, clamp and rod) by polishing it to mirror bright with Scotchbrite and immediately applying copper antioxidant paste. Copper starts to oxidize in seconds.

    A single ground rod is not adequate. A ground rod will 'saturate' the ground for a radius of twice its depth. This means the ground will absorb as many electrons as possible. Hence, multiple ground rods are needed, in parallel.

    The industry standard is three ground rods spaced twice their length apart, connected in a Delta, Tee or daisy chain fashion with the copper strap and saddle clamps. Use 7/8" copper plated steel ground rods. Eight foot long ground rods are minimum; twelve foot ones are better. If you happen to be on a mountain with a repeater site on rock, you don't even need ground rods. Simply lay a few hundred feet of 3 inch strap on the ground and it will couple adequately.

    Remember with the copper strap, no 90 degree turns unless very gently radiused. Very quick pulses will hit that 90 and keep going straight, meaning they won’t get to ground where they can dissipate and still can kill your equipment even after all this effort. I've seen it in videos of testing. Impressive.

    All this is not as difficult as it seems, HOWEVER, you cannot take ANY shortcuts. Do it properly according to Polyphaser's instructions, things will work and you’ll be protected. Take one shortcut, like something you don't understand or seems too difficult, and you're wasting your time.

    I have no relationship with Polyphaser other than as a long time customer. My company manufactures and installs man-rated commo and surveillance systems all over the world. I can't afford to send someone to Delhi or Bogota to replace a piece of equipment damaged by lightning. We learned long ago how to do grounds properly, and if you do them properly, you won't have any problems.

    My own office has had lightning hit in the woods within a few hundred feet of the building. We had zero damage. Others in the area up to half a mile away lost telephones, computers, video and other stuff. In demos, I've seen wires exploded going into a properly protected system, and consumer grade electronics on the protected side unaffected. We've got a lot of antennas and commo here, never disconnect it, and have never lost anything since putting in a proper grounding network some years ago.

    One last thing – the surge protectors have a finite life. The life may be thousands of surges dumped, but a single storm can be dozens. Replace all protectors on a maintenance schedule to ensure continued protection. I stretch things to about every five years between replacements, but sooner would be better. Best to do it on your own terms than to deal with outages from tired protectors after you campaigned so hard to get funding to install them in the first place.

    If you want to discuss this in more detail, email me and we can get together on the phone. I don't have time to key in everything you need to know, but we could discuss it on the phone. Could also send you some photos of large ground networks from some of our jobs. In some cases, the grounding costs more than the equipment. It's worth the effort to do it properly.

    Another message from an officer tasked with putting together EOD procedures for a small department:

    A post I did for another list, in reply to a question posed by an officer tasked with putting together EOD procedures for a small department. It might be of interest here.

    If you are responsible for corporate security, post orders or anything potentially involving explosive devices, you need to know this info. Bottom line is: Don't transmit near suspected explosives packages.

    IED = Improvised Explosive Device. EOD = Explosive Ordnance Disposal. RF = Radio Frequencies, or the signal emitted from anything which transmits, including portable radios, cell phones, Nextels, etc. Squibs are low level explosives used to initiate larger charges, and usually are electrically fired using as little power as a penlight battery.

    So my question is how close do you have to get to a bomb with a Motorola HT 1000 transmitting around 150 MHz before it sets off?

    As a Maryland state licensed explosives shooter with 13 years' experience there, and 160 hours formal schooling in electroexplosive devices courtesy of Holex and your tax dollars, I can discuss this with some degree of authority.

    The answer is: 2.8 feet.

    Scratch that. Change it to: ‘It depends’.

    Some bombs will not be affected by any (reasonable) level of RF. Some bombs will trigger with a small amount of RF on the proper frequency barely above the noise floor. Most devices will fall somewhere between these two extremes.

    A mechanically triggered device may not be affected at all by RF, unless the RF is loud enough and of a suitable frequency to cook the thing, as if it were in a microwave oven. This is not likely. If a device is set to trigger by RF, all bets are off, as you can not know the level of sophistication the bomber has built into the thing. The crudest thing might be a simple receiver, cheap scanner, walkie talkie or some other piece of junk with a wide open front end.

    These potentially could be susceptible to low levels of RF at any frequency. More likely, the bomber would have something more sophisticated, at a minimum a pager and more typically something more elaborate. There would be nothing to be gained by discussing this in any more detail here and now.

    When you see the signs in construction areas about turning off two way radios, that is a basic mandatory requirement which largely is an impotent effort. A lot of work has been done determining the susceptibility of squibs to RF at different frequencies, power levels, length of ‘Seminole’ wiring (the bright yellow insulated 22 gauge solid conductor zip cord wiring you see, also called ‘scab’ wire) to the squibs, etc. These charts all assume a professional explosives tech is handling the squibs on the construction site.

    A professional operation will maintain a short on the ‘bridge wire’ of the squib until the instant of firing, as well as many other safety factors. None of these apply to a bomber who does not care about being in compliance with NFPA (National Fire Protection Ass'n) guidelines, safety, or keeping his license.

    But in reference to the above, very strong RF levels are needed to fire the squibs. A squib, by the way, is a small explosive charge usually electrically triggered by a bridge wire. A bridge wire is a resistive element which heats, instantaneously, when you apply sufficient voltage and current to it. The squib is a low level initiator, used to trigger a high explosive.

    High explosives must be initiated in stages, starting with something easy to ignite like a squib, then progressing through several intermediate stages, up to the main charge. You can't just light a fuse coming out of a stick of dynamite like in the cartoons. If there is a fuse to light, it's attached to a blasting cap, not the actual high level explosive. Low frequencies, like amateur shortwave, at high power levels like many hundreds of watts, at close ranges, were shown in tests to be a potential danger to commercial blasting operations. Higher frequencies, like VHF and UHF public safety, cell phones, etc. were not threats in any normal installation. 

    What happens is the relatively long leads from the firing point to the electric squib in a commercial installation act as antennas. Even though the squib is shorted, it is shorted at the blasting device control panel. This leaves coincident lengths, which of course will be different with each installation, where the leads are resonant at some or another frequency and could couple significant energy into the squib if RF close to that frequency is present.

    In the real world, for this to happen would require a combination of conditions so complex as to be almost impossible. It is unlikely one of the demolition team members would be operating a high powered amateur radio transmitter in his car in immediate proximity to the Seminole wiring laid out to the squibs. Even were this to be the case, he would have to be at a frequency coincidentally close to resonant with one of the squib lines.

    Anymore, displaying signs advising of blasting activity and requesting one to turn off two way radios merely tempts burrheads with CB linears to go key down as they drive by the area. Getting back to the question presented, remember basic physics and basic theory which should be instinctive to anyone involved in TSCM (Technical Surveillance CounterMeasures, or debugging), where field strength decreases exponentially with an increase in distance.

    The well known ‘inverse square law’ is how many of us count on Scanlocks and CPM-700s and the like to detect low powered surveillance transmitting devices. Double the distance between a transmitter and a receive antenna, and the field strength drops to 1/4 the strength. Quadruple the distance, and the field strength is down to one sixteenth. This holds true whether you go from one foot away to four feet away, or one hundred feet to four hundred feet away.

    The reverse is also true. Move in closer (halfway) to an unknown transmitter you are sniffing, and the field strength quadruples. This is how a few milliwatt bug can be found by a Scanlock when a many thousand watt transmitter is a few miles away. At some point when you get close enough, the small bug will be louder than the remote high powered transmitter. Move maybe a few inches away, though, and you might lose the bug and pick up the high powered signal.
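The inverse square arithmetic above, worked for a sweep, as an added example that is not part of the original column. It assumes free-space propagation from isotropic sources far enough away that their distance does not change as the probe moves; the bug power and the ambient transmitter powers and distances are constructed.

```python
import math

FEET_PER_MILE = 5280.0

def relative_strength(d_from, d_to):
    """Inverse square: factor by which strength changes moving d_from -> d_to."""
    return (d_from / d_to) ** 2

def power_density(power_w, distance_ft):
    """Free-space power density of an isotropic source, watts per square foot."""
    return power_w / (4 * math.pi * distance_ft ** 2)

def strongest_ambient(ambient):
    """ambient: list of (power_w, distance_ft) for known legitimate transmitters."""
    return max(power_density(p, d) for p, d in ambient)

def crossover_distance_ft(bug_w, ambient):
    """Greatest probe-to-bug distance at which the bug is still the loudest signal."""
    return math.sqrt(bug_w / (4 * math.pi * strongest_ambient(ambient)))

def margin_db(bug_w, probe_ft, ambient):
    """How far the bug sits above (+) or below (-) the strongest ambient signal."""
    ratio = power_density(bug_w, probe_ft) / strongest_ambient(ambient)
    return 10 * math.log10(ratio)

def sweep(bug_w, ambient, distances_ft):
    """For each probe distance, report the margin and whether the bug dominates."""
    rows = []
    for d in distances_ft:
        m = margin_db(bug_w, d, ambient)
        rows.append((d, round(m, 1), m > 0))
    return rows

# Constructed scenario: 1 mW bug, a 50 kW broadcaster one mile away,
# and a 5 W handheld radio 300 feet away.
AMBIENT = [(50_000.0, 1 * FEET_PER_MILE), (5.0, 300.0)]
BUG_W = 0.001

if __name__ == "__main__":
    print("crossover: %.2f ft" % crossover_distance_ft(BUG_W, AMBIENT))
    for row in sweep(BUG_W, AMBIENT, [0.25, 0.5, 1.0, 2.0, 4.0]):
        print("%5.2f ft  %+6.1f dB  bug dominates: %s" % row)
```

With these numbers the bug wins only inside roughly nine inches of the probe, and each halving of the distance adds about 6 dB.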

    That is not the purpose of this discussion, though. Just laying some foundation. The points with RF around explosive are:

    1) Moving an RF source (two way radio, cell phone) a little further away decreases the strength of RF into the suspect device by a much larger amount.

    2) Only the most crude explosive devices would be triggered by simple RF.

    3) Low frequencies, very unlikely to be used, are far more of a threat than higher frequencies where public service two way communications operate. This may be a bit of a misnomer, as in an IED (Improvised Explosive Device), leads may be shorter and thus closer to resonance and more effective at picking up RF at higher frequencies. Path loss increases as frequency increases though (this means higher frequencies work in our favor).

    4) You must specify a number of exact parameters before you can say whether ‘X’ condition is a danger or not. You would have to know the details of the IED, the frequency of the two way radio, the power output, the antenna efficiency, the precise distance from the transmitter's antenna to the IED, whether anything other than atmosphere is between the transmitter and the IED, and a number of other factors. Most of these are unknowns.

    5) SOP when dealing with any suspected explosive device is to avoid any RF near the thing. The further away the better, the higher the frequency the better. The chances of your two way radio triggering a bomb are slim. However, the chances are not zero. Therefore, avoid using the radio, cell phone or any transmitting equipment in the vicinity of any suspected device. Moving away a distance from a suspected device before you use your radio gives you a substantially larger safety margin.

    If you are in the position of having to write procedures for something like this, it is best to contact EOD experts, who should be available to your agency, rather than asking for input on a forum like this.

    Lead Acid Battery Tip:

    This site: http://www.batteryfaq.org has very decent info on lead acid batteries such as are used in automobiles.

    Batteries are a critical part of surveillance hardware. It’s good to know the characteristics. Much of our industry gear is powered by lead acid batteries, called SLA, for Sealed Lead Acid. The same info pertains to lead acid in test equipment.

    The main thing is to keep them charged.

    The site is worth some time. Read it and you'll know more about lead acid batteries than practically anyone you'll meet.

    One last research tip courtesy of a newspaper editor friend in SLC:

    Just no bloody idea. I suppose I could do a lot of writing and traveling and get some names, a birth certificate, and then one a generation back, and finally get to immigration records. But that's terribly tedious.

    No, you go to the LDS (Latter Day Saints) genealogical search data base, which is free and has done all that work for you: http://www.familysearch.org and type in some names. They have all – and I do mean ALL – immigration records. They have Census records back to the 1880s. Their busy little bees have been in every church in Europe microfilming birth/death/marriage records as far back as they go. No, you don't have to join. No, you don't have to make a donation. Yes, they are very nice. No, they don't care if you regularly make virgin offerings to Baal.

    Peanut gallery answers from above:

  • 1.) The period of a megahertz is a microsecond. Period in seconds = 1/frequency.
  • 2.) Current flow in a battery operated circuit is negative to positive external to the source, positive to negative internal to the source.
  • 3.) Resonance is when inductive reactance equals capacitive reactance.

    All for this issue.

    As before, consider clipping the following and tape it to a Rolodex card for future use:

    Electronic Surveillance Questions and Answers
    From the Listening Post
    Steve Uhrig
    SWS Security

    [email protected]

    Tel 410-879-4035

    See y’all next issue. Same Bat time. Same Bat magazine!

    Copyright (c) 2004 Steve Uhrig, SWS Security