HOWTO Commit Corporate Espionage

bart_scriv writes "Worried about who might be spying at your company? Businessweek looks at the latest in espionage gadgets and technology in response to the recent HP boardroom scandal. The article looks at devices designed for counter-espionage, which range from mundane confidential email services to sophisticated camera and listening-device detectors. '...for every method of spying, there's a counteroffensive. One of them is the eavesdropping protection kit, manufactured by Dynasound in Norcross, Ga. To secure a room in an office building, devices are placed on ceiling plenums, floors, HVAC ducts, doors, walls or windows — basically anywhere voices can travel.'"

Yeah, that'll work

[Aliencow]

WHO GOES THERE? Another protection: vanishing e-mail. Called VaporStream, the system lets people send e-mails that cannot be tracked, copied, forwarded, or printed--leaving no trail. Users pay $39.99 a year to subscribe to the service and must log into the site every time they want to send a confidential e-mail. Wow, I'm sure nobody will ever find a way to print it out or take a screenshot of it.

Re:

[B3ryllium]

Uh. In the transaction you describe, one end of the deal (the steroid seller) might want a copy ... so a printout or a screenshot could be used for blackmail or extortion purposes.

Re:

[russ1337]

The chance of this could be reduced by showing the details (sender-recipient etc) of the e-mail on one page, and show contents of the e-mail on another. Of course, filming or recording the transition between the two could be incriminating.

I recall from a PGP app, the ability to show the e-mailed text in a muddy yellow box with slightly darker writing, this any compression from a screen capture makes it very hard, if not impossible to read.

All of this still doesn't address your concern though - it just

Re:

[Fulcrum of Evil]

Or you could accept that this is only useful when the recipient is complicit in wanting the email to vanish later.

Re:

[russ1337]

So how can we be sure this service isn't an NSA honeypot?

Re:If you comply you should have nothing to hide

[eln]

If you aren't doing anything evil why do you need secrecy (or privacy)?

Because I don't like to be spied on. The thought of people going through my personal files or even listening in on my private conversations creeps me out. I also don't like to use public restrooms with the stall door open, and I don't live in a completely transparent house.

If I'm a business, I want privacy because I don't want my competitors learning information about my future plans or strategies that they could use to their advantage. If I have a product that I've spent billions researching and developing, I don't want my competitor to steal it and start selling it before I do.

Re:If you comply you should have nothing to hide

[aplusjimages]

If you aren't doing anything evil why do you need secrecy (or privacy)?

The government always follows this saying with "Do as I say not as we do." BTW Nice sig.

Re:

[shawn(at)fsu]

After reading you sig thanks to the mention it got from someone else, I was wondering, wouldn't it be easy to make the argument that goverments who fear their people are just as apt to by tyranicle. I mean the USSR feared it's people so it sent them to prisions in sibera or worse for trival reasons. The same can be said about Sadam's goverment and probably many others. I mean it seems that all tyrnaical goverments fear the people and fear that they will learn and rise up and thus the goverments rule with an

Why do I need secrecy?

[giafly]

If you aren't doing anything evil why do you need secrecy (or privacy)?

Because "people who live in glass houses shouldn't throw stones" does not imply "people who don't throw stones should live in glass houses".

Re:

[rthille]

Sorry the mods' sarcasm detectors are on the fritz this morning...

Re:

[eMbry00s]

If privacy is removed from the workplace, potential whistleblowers will not be able to do disclose information when companies do things that break laws (wether moral or juridical).

Re:

[gugux]

Since you comply there is no reason to spy on you.

Re:

[GWBasic]

If you aren't doing anything evil why do you need secrecy (or privacy)?

I'm hoping your questions is rhetorical. Let me give you a few examples:

• Richard Nixon bugged John Lennon because he was a political opponent.
• Dr. Martin Luther King Jr. was on the CIA's watch list.
• Illegal != evil. There are illegal activities in the USA that aren't evil. In order to avoid debate, I'll point to the past example of alcohol prohibition. Back in the 1920s, it was illegal to call up your buddy to sample his latest bre

Re:

[ZWarrior]

If you aren't doing anything evil why do you need secrecy (or privacy)?

Heh, I realize that this poster is only trying to get a rise out of the rest of us, but I thought I might post in response to this.

I find it interesting that every time privacy is brought up, this is the phrase that we hear EVERY time. However, I never hear anyone ask them a simple question in response --- "Do you close the door when using the public restroom?" Think about it, you close the door because you really don't want to be both

Re:

[owlnation]

Yes, but since the major preoccupations of anyone who works in Corporatia are, "covering your ass" and "passing the buck", I don't think that anyone will have any use for email you can't store and use as a future weapon against one of your backstabbing brown-nosing colleagues.

Re:

[Instine]

yer the print protection sounds like a fairly stupid claim too far.

FTFA I REALLY like the lazer listener idea though. How clever is that! I want one now. But I'm not going to falk out 50,000USD for it. I'm quite sure that I could build one for less than a grand.

Re:

[plover]

A friend of mine did that over 20 years ago when he was a kid, using just a homebuilt Heathkit HeNe laser. He shined the laser on a window, and aimed a telescope at the window. He taped a CdS photocell at the focal point of the telescope and built it into a simple audio amplifier. Even with that crude setup he was able to make out that loud sounds happened inside the house from across the street.

I bet using a modern phototransistor matched to the wavelength of an off-the-shelf laser diode plus a $100 Ta

Re:

[Smallpond]

I was trying to think of a good, cheap countermeasure. I guess gluing a small speaker to the window connected to a white noise generator (or the company music-on-hold system) would work.

Re:

[plover]

Right idea, but music is a poorer choice than white noise. A sophisticated eavesdropper could acquire his own copy of the music you use, and "subtract" the known waveform from the received waveform, leaving just the ambient room sounds. If the volume of the music makes you talk louder, it's all the better for the listener.

And just so you don't think you're safe just because you're IMing over an SSL port, with the proper sensor (a Hamamatsu H6780-01 photosensor module) the same telescope can be used to s

Re:

[sootman]

Wow, I'm sure nobody will ever find a way to print it out or take a screenshot of it.

Or take a picture of the screen. My monitor is 1600x1200 and my camera is 2048x1536. It takes "screenshots" just fine.

Get smart phone.

[krell]

Do these guys also sell a cell phone built into a shoe, go to with the cone of silence?

Great lengths at great heights

[ian_mackereth]

I had occasion to visit the office of a major oil company CEO in Melbourne (Australia) a few years ago, while it was being fitted out.

Along with the obvious requisites like the bedroom and the seperate airconditioning (he was the only person in the building allowed to smoke!), the windows were double-glazed and had a white-noise generator in between the panes to foil any sneaky lasers from other oil companies' CBD high-rises!

I was at first bemused at the expense of it all, but then I thought about the millions he'd get as salary, and the hundreds of millions affected by the decisions made in that office, and thought better of it...

Re:Great lengths at great heights

[voice_of_all_reason]

Fool. Windows can't stop ninjas.

Re:Great lengths at great heights

[BadAnalogyGuy]

Who's the fool? Ninjas are stopped just fine with Windows. It's pirates that Windows can't stop.

Re:Great lengths at great heights

[Single GNU Theory]

Posts like that make me wish mod points could go to eleven.

Re:

[n2art2]

Forget Ninjas. . . . What about a virus? I thought everyone knew that Windows suck at security.

That's why I run Linux

[wiredog]

It stops both of them.

Re:

[Profane MuthaFucka]

Linux is a wide-open penguin hole. Wait, that didn't come out right.

Re:

[Scrameustache]

Forget the pirates, You should see what zombies do to windows!

Re:

[Lumpy]

and every bit of it thwarted easily in a low tech way....

Find a IT guy that is disgruntled, (not hard at any company) and either pay him for a copy ofthe CEO's laptop contents or other tidbits.

$10,000.00 cash waved in front of a IT guy that is training his indian outsourced replacement or hearing of the cost cutting changes that management is goign to aim for would be all over that low risk bit of work.

Hell I bet you could get entire copies of the accounting database for the right amount of money.

All you ne

Re:

[DamnStupidElf]

Hmm, my guess is that the white noise generator is practically worthless between the panes. The first pane will reflect a certain percentage of the laser, and the second pane will reflect another percentage of the laser. Subtract the two reflected signals, adjusting for the distance between the panes and the reflectance percentages, and the result will be the difference between sound on the inside and outside of the window minus the white noise. What might actually work is to attach a separate white noise g

Serve them right

[tygerstripes]

God knows I don't get anything out of our meetings, so how some industrial spy is supposed to is beyond me. Serve them right if they absorb non-productivity osmotically...

Bozon cloud?

[ldholtsclaw]

Sounds like you've got the kind of envrionment that precipitates Bozon Cloud formation ...

Bozon: A quantum unit of stupidity.
This term I picked up from Headcrash (Roadkill on the Information Superhighway) by Bruce Bethke. A very entertaining read, I might add. Bruce himself is a great guy too, as I discovered while he was our Special Guest at the last Chattacon (a Science-Fiction convention in Chattanooga). I could say something about the ProctoProd(tm), but I don't want to ruin the book.

Re:

[dptalia]

I had this really scummy guy who kept trying to hit me up for insider information... I always told him I was looking for outsider informatin! The outsiders always seemed to know more than us poor peons....

Re:

[garwain]

I hear you there... Nothing beats spending 4 hours sitting there drinking coffee, then walking out asking a co-worker if he had any idea what the purpose was. Only thing I find worse than an office meeting is a church meeting, that I'm not paid to attend, but don't seem to have much choice...

Fixed 40 Years Ago

[dankstick]

Problem Solved [wikipedia.org].

Best Device USB thumbdrive

[bryz]

How about a thumbdrive? With capacities seemingly doubling every couple months, it should be real easy to swipe off a good amount of data.

Re:

[z0idberg]

That has a low-tech solution. Do what my (very large) company does and have Windows NT as the standard desktop. No USB support. Shithouse when you need to run any software made this century but hey! no USB support!

Illegal in the US and many other countries

[TrueJim]

Note that corporate espionage for the purpose of uncovering Trade Secrets is generally illegal in the U.S. That's why companies mark documents as "proprietary," for instance; doing so identifies the document as something that the company considers a trade secret. If you use corporate espionage techniques to obtain such a document (i.e., if the company doesn't exercise due diligence in making sure that such documents aren't publicly disclosed) then relevant Trade Secret laws would apply.
http://en.wikipedia.org/wiki/Trade_secret [wikipedia.org]

Interestingly

[k2r]

the US / NSA has been proven to use echelon for industrial espionage in other countries eg. on Enercon in Germany: www.europarl.eutopa.eu, search for "Enercon" [europa.eu]. It's quite difficult to find anything in English on this, but there's a lot of stuff in German about this case.

k2r

Re:

[Anonymous Coward]

I'm in the Netherlands, and a former colleague told me he was offered a IT job once by an US company into "filter software", you know, monitor your employees surfing behaviour etc., but in reality it turned out to be the NSA. They wanted him to outsource him to work "on location" at one of their biggest customers, a huge oil company. They told him getting in and getting the job was easy because the head of IT was also employed by them... They also told him they were in a lot of countries and governments, of

Good think he didn't take it...

[Vr6dub]

...He is either lying or has a hard problem keeping sensitive things to himself. They (the DoD) wouldn't release classified information like that to a potential employee.

assuming it's already in CVS

[castlec]

cvs commit -m "added more theft options." corporate_espionage.c

But I want to know where to sell the info!!

[neo]

Sure, I've collected all this great data, but now how to I find a buyer? Do I just walk up to the competition's CEO and say "Hey, I got the goods on company XYZ, how much is that worth to you?" Do I take out an ad in the paper... or 2600? I need real answers.

Seriously. I want this to be my full time job, but this article doesn't tell you shite.

Re:

[Billosaur]

Sure, I've collected all this great data, but now how to I find a buyer?

we-buy-secret-corporate-info.com

Re:

[frdmfghtr]

Sure, I've collected all this great data, but now how to I find a buyer? Do I just walk up to the competition's CEO and say "Hey, I got the goods on company XYZ, how much is that worth to you?"

You could do something like that...

http://www.washingtonpost.com/wp-dyn/content/artic le/2006/07/05/AR2006070501717.html [washingtonpost.com]

Re:

[k4_pacific]

It's probably easiest to use it to extort money from the company you stole it from. That way, you don't have to bother actually finding a buyer, just threatening to should be enough.

Re:

[h890231398021]

That's what these people [washingtonpost.com] tried. Didn't work so well, though.

Re:

[gd23ka]

Which is why you shouldnt try to sell Audi secrets to Volkswagen. If at all
go after their supply chain. The F500 as well as banks and insurances cooperate.
If youre prepared to do the time, I would recommend small to medium sized businesses
to whom you can indeed sell competitor information. Dont expect to be paid
millions though.

Re:

[mutterc]

Sell it to the company's employees, who would probably love to know what's really going on.

Trade Secrets

[Sensi]

Sometimes it's as easy as walking by to get all the info you need.

http://flickr.com/photos/reboof/259086845/ [flickr.com]

Three words

[Billosaur]

Cone of Silence.

Re:

[Rob T Firefly]

*leans out from under cone*

WHAT??

Anyone else thinking..

[Channard]

.. that you'll pay your money, open the boxes they send you to find that they all contain egg cartons and a few tubes of pritt-stick?

Odd use of "buy antispy stuff" FUD here...

[xxxJonBoyxxx]

OK, so Slashdot is famous for putting marketing FUD on its main page, but even I don't get how putting anti-spy devices in would have prevented the head of HP from spying on people. (I can imagine the work order crossing the CEO's desk: "Hmmm...here's a request from some peon for a company anti-spy installation to prevent what I'm up to. Denied, ya' think?")

Well, that does it.

[Rob T Firefly]

Thank you, Slashdot, for putting up a page with this title for me to read over the company's network. I was getting ready to be fired soon anyhow.

Re:

[Billosaur]

If you think that's bad, how do you think your employer feels when they see you reading about Uranus...

Note: Ha-ha! Didn't expect a Uranus joke in an article on corporate espionage, did you?!?

Re:

[tehcyder]

Ha-ha! Didn't expect a Uranus joke in an article on corporate espionage, did you?!?

The person reading this over your shoulder is a complete fuckwit who enjoys wearing his wife's panties on his head while masturbating to horse porn videos and smoking crack cocaine.

Ha-ha!

It's Easy

[Anonymous Coward]

If you have access to the network racks it's easier than you might think. Plug a microphone into an empty network socket, a patch lead from the microphone socket to a socket in your office, and an amplifier plugs into the wall socket in your office. Boardroom meetings were bugged like this for six years by a friend of mine and nobody noticed a thing.

Bug sweeps might not find anything because no RF is emitted.

For added discretion:

[Ayanami Rei]

Purchase a bunch of simple RJ45 "protective caps" or covers and use them in all of the unused outlets in the room. You could then modify one of the caps to contain the microphone without looking out of place.

http://www2.elecom.co.jp/cable/accessory/ld-rj45ca p/image/img.jpg [elecom.co.jp]

monkey see monkey do

[thedrunkensailor]

and we learn this from the most amusing of monkeys: the federal government.

White Noise Generator ... $6,000 and up ... WTF?!?

[user1003]

$6000 and up for a white noise generator? WTF?? Anyone with basic electronics skills can build one with parts that will cost about $10. Anyone with basic coding skills can code one for free in about 10 min.

Am I getting something wrong here, or did corporate greed just get worse?

Bugging

[Alioth]

Bugging an office has never been easier, now that data cables run into all of them!

Old toys

[TrueKonrads]

Most of the toys mentioned in article are pretty lame and sucky. Granted, for the PI or Spy that buys everything off-the-shelf, the counter-surveilance mentioned works, but otherwise it sucks, here's why (pont by point)

White-noise generators assume that You have no access to the room or that it is impossible to plant a small piece on the person. Say, bump in "accidentally" into the CEO in question and place a 5 square milimeter chip. It will have an internal clock and mic. Once the CEO is out in fresh air, it will transmit the data back in one encrypted burst and destroy the information it had.

Pretty much the same applies for cameras. One, you assume they are broadcasting within some pre-defined spectrum and do so all the time. Again, do a remote on/off or encrypted packet burst and such suverlance mechanisms fail. Besides, with advent of WiFi, if your super agent picks up emissions in 2.4Ghz range, he'll assume it's wifi and let it rest. Also, you can sramble the transmission, do a frequeny hop and bob knows what else.

About that phone-line tap: Do we live in dark ages? Nobody has analogue phones and taps that feed off phone current.You can't detect it over ISDN lines (most offices) and it deosn't do anything for cell networks.

No comments on vapourstream :)

I have to admit, that the laser window snooping is the most effective in the list, as it is probably the easiest method and most reliable. For nice security, go low-tech : Have a friendly chat near a cooler (no windows), in a bath-house (most devices choke on humid air, transmission also would suck) or in a pool or sea (waves splashing, children, loud music).

Besides, the entire chain of communications should be scure, aka TEMPEST approach - if once bit of wire is not tempest - entire chain is invalid. If one of the two persons in conversation, repeats what he heard over dinner table with his wife - what's the point?

Re:

[Frosty Piss]

I have to admit, that the laser window snooping is the most effective in the list, as it is probably the easiest method and most reliable.

And that's the thing. Most industrial espionage is from disgruntled employees / former employees with lose lips. You can't solve this problem with electronics. Look at the HP thing: Sure the leaker used email to talk to the reporter, but he didn't have to. Remember Deep Throat?

Re:

[drauh]

you've forgotten the Cone of Silence.

Duh, wifi spy clock.

[amcdiarmid]

Try a Wall Clock with a wifi camera and microphone.

Something like this: http://www.spycameras.com/item4.htm [spycameras.com]

I'd look for a more real office type wall clock, but you get the idea. After all, what corporate meeting room doesn't have wifi?

Privacy Lost

[Stupidfat]

In a related story, it was found in a co-relation study that there was a relationship between privacy advocation and parental status. It was found that parents with even a single child over the age of 6 months have learned to give less than a shit about privacy.

Gadgets and HP Scandal

[Narcogen]

What does one have to do with the other? The HP scandal revolves around a leak at the very top-- a member of the board of directors who supplied inside information directly to journalists. What the heck do all these amateurish gadgets have to do with anything? And how is being aware of them or being able to protect oneself from them of any value when one of your own board members is giving information to the press? There's no technological silver bullet for that kind of problem. Trying to connect these two subjects is just silly.

Re:

[Anonymous Coward]

This is slashdot

News for^H^H^H^H^H^H^H^H Nerds.^H^H Stuff that matters^H^H^H^H^H^H^H^H^H^H^H^H

Place sensitive calls from server room

[fyoder]

Of course, it can also be difficult to hear the person on the other end of the phone.

Ego and adolescent mentality

[dpbsmith]

Woot! Secret decoder rings! Invisible ink! See-bak-ro-scopes! And that great key to popularity, "Fool your friends!"

And those X-Ray Specs... (do they really see through clothing? Better get a pair, it's the only way to find out! And even if you can't, you always get a reaction by pretending they do...)

Gee whillikers, CEOs must be saying to themselves, now that I'm a big-deal important person, I can send away for ALL that stuff! Boy, will my friends be impressed when they realize my words are so important th

Low Tech and Cheap

[thorkyl]

Go to a garage sale and buy a TV put it on channel 13 with no antenna
    White noise generator

Defeat laser listener
    Place radio on window sill with sub woofer pointed at glass

Stop all eaves dropping
    don't talk us a #2 pencil and legal pad
      Shred the pad then burn the shredded paper then put the ashes in a bucket of water

Secure phones

[cesarbp]

I developed a secure phone software to be used by corporate users against espionage. It uses a Microsoft PocketPc or Smartphone, encrypt the voice using AES (Advanced Encryption Standard) with 256 bits key and uses Elliptic Curve Cryptography to do key exchange (ECDH 571 bits). I don't know if into US the corporate people can use this kind of huge cryptography. My site is at http://www.raseac.com.br/ [raseac.com.br] I think if your corporate people want some privacy, this product is a good solution.

Simple principle - also available in Germany

[cheros]

Given the simple principle these things work on (voice transmission over crypto wrapped data channel) the prices charged for them are generally plain rediculous, and I've seen them all over the planet.

Furthermore, unless the source is available for the product it will not be subjected to independent review, and any claim that it's thus 'the best' or even 'secure' is thus meaningless, as is your website claim "no backdoors to our knowledge". That claim would still be valid if you allowed a US NSA official s

Re:

[cesarbp]

About "Given the simple principle these things work on (voice transmission over crypto wrapped data channel) the prices charged for them are generally plain rediculous, and I've seen them all over the planet.":
Why not ask us about our price?.

The main problem with source code to independent review is the fact of deploying sensible code to be copied and deployed under another product name.

About "no backdoors to our knowledge" :
It is under contract:
The "no backdoors" exists in our product because we

Re:

[cheros]

I'm game for the price - I'll email you from your website.

As for 'not publishing for fear of duplication' - I agree, that is on one hand a problem. On the other hand, it would allow others to pitch in as well, not to mention the fact that you could publicly be seen as having the best code. So, in the middle lies the question if your code could be reviewed under NDA by an independent party.

I can see you commit yourself contractually to the 'no backdoors', but I'm observing the fact that such a committment

Re:

[cesarbp]

Thank you for your nice words. I am a small developer that have done the things totally alone, including the site.
About "The best" i wrote in my site, was about "one of the best" encryption specifications using key exchange, i corrected the errors i wrote previously, thank you.
About "No backdoors", i agree with you, it is not a solution to the problem, but it is a good beginning.
About "An independent evaluation", i agree with you, the best way is deploying the source code to an independent review under a

Re:

[cheros]

Well yes, but you're going to sell sod all if you don't respond to email queries asking for a price. I sent you 3 in total, so enjoy being a poor developer because you're not going to get an income from this without customers.

And I stand by my comments - there is ALWAYS a potential for unintentional backdoors. Your assurances, although well intended, are not enough to sell in the security market. Without independent product evaluation you're asking people to believe you that it's not spyware infested, wi

Re:

[cesarbp]

Dear Mr. Cheros.
Sorry if i did not respond to your e-mail, i will see what is happening because i did not receive them.
I personally reply all incoming e-mails my site receives and your information is very important for me.
I will deploy a message page inside my site to allow direct messages and correct this problem.

Again sorry for this problem, my product is a decent product, works well and i have customers using it for more than two years and they enjoy it a lot.
Regards.
Cesar.

what about REAL spy gadgets?

[schweini]

i guess i'm not the only one who is a bot dissapointed by these spy gadgets, since they all seem a bit wannabe-james-bond.
anybody know of real high-tech (or highly sneaky) gadgets that real spies use or used?
one of my favourites was the Great Seal Bug [spybusters.com]

Doing bad business

[Oshkoshjohn]

If you are conducting business about which you don't want others to know, then face-to-face is still the best. A wooded area, away from buildings, on a windy day is just good practice. Finally, never do shady things with people you haven't known all your life.

Re:

[jgercken]

Naw, that wouldn't be conspicuous at all. Honey I'll be back in 4 hours. I have to drive to the hills for another business meeting. Traditionally this has been done in strip clubs, or is that what you meant by "wooded area"?