Tips For Newcomers

To Spy Number Stations

Introduction

So you want to listen to the spies? It's actually quite easy. There are a large number of broadcasts each day. In fact, there's probably at least one going on right now! The purpose of this document is to show you how easy it is to listen in to these transmissions, and give you some tips and pointers, along with suggested frequencies and broadcast times, to make it easy to pick up your first spy station.

Equipment Required

First, you'll need a suitable Shortwave Radio, since Spy Number Stations almost exclusively transmit on shortwave frequencies. If you already have one, you're probably all set. The basic requirements are that it is a "general coverage" receiver, capable of tuning between the allocated shortwave broadcast bands, to what are commonly known as the Utility Bands. Most inexpensive shortwave radios are capable of this, except for the very low end models. This is necessary because most Spy Number Stations transmit outside of the broadcast bands, although often close to the edges of the bands.

If possible, the radio should be capable of Single Sideband (SSB) reception. This is usually indicated by either the presence of USB and LSB modes, or a BFO (Beat Frequency Oscillator). Many Spy Number Stations transmit in sideband, and most others are often best received in sideband mode.

If possible, an outside antenna is always preferred for best shortwave reception. If this isn't possible (due to apartment or townhouse rules, for example), an indoor antenna can still be used. When I was living in an apartment, I made an effective antenna by wrapping many turns of wire around a piece of PVC pipe, which I hung above the window where a curtain rod would go. There are always possibilities.

Stalking Your Prey

In general, most Spy Number Station broadcasts start on the hour, with very few starting at the half hour, or even quarter after or quarter till the hour. So the best time to listen is starting just before the hour. Why just before? Many Spy Number Stations will put their carrier on the air before the broadcast begins. Some have been known to put a carrier on the air hours before a broadcast starts! So be suspicious of open carriers, especially on or near hot number frequencies.

Here in North America, the most commonly heard Spy Number Stations are probably the SS/YL/5FG stations.

A brief explanation about the naming nomenclature of these stations. The general format is language/sex/group size. The SS means Spanish, other possibilities are EE for English, or GG for German. Other less frequently heard languages include Chinese, Russian, Czech, Polish, etc. I have never heard (or even heard of) a Spy Number Station using French. Odd, isn't it?

The YL refers to the sex of the voice, YL is female (a ham radio term, meaning Young Lady) and OM is male (another ham radio term, meaning Old Man). The 5FG means that the groups are transmitted in five figure words, that is a string of five numbers. Other common formats include 4FG for four numbers, and 3/2FG which is a particular case of five figure words with a pause between the third and fourth numbers. Some stations don't transmit numbers, but instead use Phonetics, which are words that stand for letters, such as Alpha for A, Bravo for B, etc.

Take a look at my description of the various types of Spy Number Stations commonly heard.

Each broadcast usually starts with a preamble that is transmitted for a few minutes before the message. This gives the intended recipient (and you!) time to tune in the broadcast. This preamble usually contains the address of the recipient, as a number.

After this preamble, the length of the message to be sent is usually given as the number of figures. Then the message begins. Some types of stations repeat each figure, others repeat the entire message after it is sent the first time. Most stations then transmit a word to indicate that the transmission is over, such as "final", used by many of the Spanish language stations.

Times To Listen

Fortunately, some Spy Number Stations have regular schedules. The SS/YL/5FG stations are usually very good about this. Some, like the Lincolnshire Poacher, and the Mossad stations, are almost always on the air, on one or more frequencies. Others, such as the Russian Man, are seldom on the same frequency twice, but instead hop around.

To be kept up to date with Spy Number Station transmissions, you may want to join the Spy Number Station Mailing List. It goes out weekly, and contains loggings and other information supplied by other subscribers. It's free, and you can join by visiting www.qth.net.

Cracking The Code

Can Spy Number Station messages be decoded by the listener? The answer is most probably no. It is believed that a One Time Pad is used, which should make it impossible for a message to be decoded. Here's a brief introduction into the world of cryptography, along with some hypotheses as to how Spy Number Station messages are encoded.

Cryptography Basics

Say you have a message that you want to convey to someone else, and you want to encode it so that no one else can read it. How can this be done? There are many methods that have been used in the past.

One of the first methods used a substitution of letters. It is believed that Caesar used this system. For example, the letter A could be substituted by F, B by G, and so on. Or, a completely random substitution system could be used.

Letter      Substitute                   Letter      Substitute
A           X                            N           C
B           L                            O           Z
C           K                            P           T
D           Q                            Q           F
E           D                            R           V
F           R                            S           G
G           N                            T           M
H           A                            U           U
I           W                            V           H
J           B                            W           O
K           Y                            X           J
L           E                            Y           P
M           S                            Z           I

Unfortunately, this system quickly falls prey to analysis. There are well known tables of the frequency of occurrence of each letter in the English language. Given a large enough amount of ciphertext, it would be possible to determine at least some of the more commonly used letters. By examining the partially decoded text, it would then be possible to make guesses at the other letters, by looking at partially decoded words.

Frequency, expressed per 100 letters:
  13  9  8  8  7  7  7  6  6  4  4  3  3  3  3  2  2  2  1  1  1  -  -  -  -  -
   E  T  A  O  N  I  R  S  H  L  D  C  U  P  F  M  W  Y  B  G  V  K  Q  X  J  Z
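The attack described above, as an added example that is not part of the original page: it enciphers a constructed sample sentence with the page's substitution table, then uses only letter counts and the page's frequency ranking to recover the two most common letters. The function names and the sample sentence are assumptions made for illustration.

```python
from collections import Counter

# Substitution table copied from the page (plaintext A..Z -> substitute).
PLAIN = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
SUBST = "XLKQDRNAWBYESCZTFVGMUHOJPI"
# Letter ranking from the page's frequency table, most common first.
ENGLISH_RANK = "ETAONIRSHLDCUPFMWYBGVKQXJZ"


def encipher(text):
    """Apply the page's fixed substitution to every letter."""
    return text.upper().translate(str.maketrans(PLAIN, SUBST))


def rank_guess(ciphertext, top=2):
    """Map the `top` most frequent ciphertext letters onto the most
    frequent English letters; everything else stays unknown."""
    counts = Counter(c for c in ciphertext if c.isalpha())
    ranked = [letter for letter, _ in counts.most_common(top)]
    return dict(zip(ranked, ENGLISH_RANK))


def partial_decode(ciphertext, guess):
    """Show guessed letters, '.' for letters that are still unknown."""
    return "".join(guess.get(c, "." if c.isalpha() else c) for c in ciphertext)


# Constructed sample plaintext (not an intercepted message).
SAMPLE = "THE AGENT MEETS THE COURIER NEAR THE BRIDGE AT SEVEN"

if __name__ == "__main__":
    ct = encipher(SAMPLE)
    guess = rank_guess(ct)
    print(ct)                         # what an eavesdropper sees
    print(guess)                      # letters recovered from counts alone
    print(partial_decode(ct, guess))  # word shapes now invite further guesses
```

With only two letters recovered, the repeated pattern "T.E" already suggests the next guess, which is the step the paragraph above describes.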

A slightly more advanced system could change the substitution used throughout the message by a known algorithm. Unfortunately this method can also be successfully attacked, given enough ciphertext. With the computing power available today, any such system could easily be broken, even using a personal computer.

Today there are encryption methods employed by computers, which make use of complex encoding methods using large numbers as keys. These systems too can be broken, given enough computing power. And the National Security Agency is the world's largest buyer of supercomputers!

One Time Pads

One very secure method of encrypting a document is by the use of a One Time Pad. The pad (which may actually more closely resemble a book due to its size!) contains a listing of random numbers used to encrypt the text. A similar reverse pad is employed by the recipient to decode the message.

Example:

Plaintext:   R   A   D   I   O   H   A   B   A   N   A   I   S   B   O   R   I   N   G
Equivalent: 18   1   4   9  15   8   1   2   1  14   1   9  19   2  15  18   9  14   7


Using the table of truly random numbers from the one time pad: 

    47693 94573 18483 59384 51839 47263 58347 21634 59347 73633 04732
    38483 63933 74342 03843 37549 45839 59843 94784 83744 28483 93843
    47539 72384 19383 94833 03484 58393 ...

Add the cipher equivalent to the random key: 

        R       A       D       I       O.....
       18       1       4       9      15
    47693   94573   18483   59384   51839
    -----   -----   -----   -----   -----
    47711   94574   18487   59393   51854


Transmit new cipher text: 

   47711  94574  18487  59393  51854.....
   
   
The recipient has a copy of the same pad, and uses the same set of random numbers to decrypt the message (in this case subtracting the random number from the transmitted number to produce the plaintext).
 

As you can see, the secret is the use of a set of random numbers to encrypt the message. Other encryption schemes can be broken because if an algorithm is used to encrypt the message, it is possible to deduce that algorithm. With the one time pad, purely random numbers are used. There's no algorithm to generate them, so there's nothing to break. Of course, this assumes that truly random numbers are used. Sophisticated techniques are available for producing random numbers, including the decay of radioisotopes. I also understand that CDROMS are available which contain nothing but random numbers. The random number generators in most personal computers do use rather poor algorithms which don't produce truly random numbers.

As the name implies, the secret is that the pad is only to be used once. This ensures that enough ciphertext is not available to make use of statistical code breaking methods. And, should that code become compromised, no other messages are subject to decryption.

And as it turns out, the pads are actually physically quite small. Russian pads by the 1960's were the size of postage stamps (read with a magnifying glass). Later they became microdots, requiring a microscope to read them. This made it possible to hide them quite easily. The pad could literally be the period at the end of a sentence in a letter! This allowed the pads to be easily conveyed to agents in the field.

As it turns out, one time pad systems have been broken. Perhaps the best publicized case is the decoding of Soviet KGB and GRU messages during World War II by American code breakers. Information about the VENONA project is available on the NSA web page. Supposedly, the Soviets broke the cardinal rule of one time pads: they used them more than once!
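The pad arithmetic from the worked example above, and the reason reuse is fatal, as an added example that is not part of the original page. The pad groups and first message are the page's own; wrapping at 100000 so every group stays five figures, the function names, and the second message are assumptions made for illustration.

```python
MOD = 100_000  # assumption: wrap at five digits so every group stays 5 figures

# First 19 groups of the page's sample pad (leading zeros dropped in literals).
PAD = [47693, 94573, 18483, 59384, 51839, 47263, 58347, 21634, 59347, 73633,
       4732, 38483, 63933, 74342, 3843, 37549, 45839, 59843, 94784]


def letter_values(text):
    """A=1 ... Z=26, as in the page's 'Equivalent' row."""
    return [ord(c) - ord("A") + 1 for c in text.upper() if c.isalpha()]


def encrypt(text, pad):
    values = letter_values(text)
    if len(values) > len(pad):
        raise ValueError("message longer than pad; pad groups must not repeat")
    return [(v + k) % MOD for v, k in zip(values, pad)]


def decrypt(groups, pad):
    """Recipient subtracts the same pad groups to recover the letters."""
    values = [(c - k) % MOD for c, k in zip(groups, pad)]
    return "".join(chr(v + ord("A") - 1) for v in values)


def reuse_leak(cipher_a, cipher_b):
    """Subtracting two ciphertexts made with the SAME pad cancels the pad,
    leaving (plaintext_a - plaintext_b) at every position."""
    return [(a - b) % MOD for a, b in zip(cipher_a, cipher_b)]


def fmt(groups):
    return " ".join(f"{g:05d}" for g in groups)


if __name__ == "__main__":
    ct = encrypt("RADIOHABANAISBORING", PAD)
    print(fmt(ct))           # begins 47711 94574 18487 59393 51854
    print(decrypt(ct, PAD))  # RADIOHABANAISBORING
    # Constructed second message, wrongly sent with the same pad groups.
    ct2 = encrypt("MEETATDAWN", PAD)
    print(reuse_leak(ct, ct2))  # pad is gone; only letter differences remain
```

The values returned by `reuse_leak` do not depend on the pad at all, so the randomness that protected each message separately protects neither once the groups are used twice.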

So, how do Spy Number Stations encode their messages? Due to the relatively short messages (sometimes 20 or so groups) often heard, it is unlikely that individual letters are encoded. It is possible that each group represents a word, or perhaps even some represent common phrases. Some groups could represent individual letters, for when it is necessary to spell out a name or location. It is also possible that some common words or phrases can be represented by more than one group; this should make attacks on the code much less successful.

With a five digit code, 100,000 possible words or phrases could be encoded. A four digit code could encode 10,000 possible words or phrases. But that brings up an interesting point. Just because the message is sent as blocks of four or five digit numbers does not mean that is the actual encryption system used! It is quite possible that they are transmitted that way to make it easier for the agent to copy the message. People deal with short numbers much better than long ones. The actual encryption system could make use of six digit numbers, with 1,000,000 possibilities. This would allow practically every word in the English language to be encoded.

Many descriptions of cryptography that I've read often display ciphertext in five character/digit blocks, so this seems to be standard. That being the case, the fact that Spy Number Stations transmit messages in five (or sometimes four) digit blocks probably has nothing to do with the actual size of each unit of ciphertext.

Drawing Some Conclusions

Even though it is extremely unlikely that a Spy Number Station message will ever be successfully decoded, some interesting things can be deduced, or at least guessed at.

It is quite likely that not all, in fact perhaps very few, of the messages transmitted are actual messages to agents. For example, the SS/YL/5 stations seem to transmit two types of messages, those of a length of exactly 150 groups, and those with fewer (usually much fewer) groups. The 150 group messages are by far the most common. They could be training exercises, or dummy messages, designed to confuse the "other side's" cryptographic forces.

It's also probable that many of the other messages are also false. It may be desirable to trick the opposition into thinking that you have more agents than actually exist. What better way than to send lots of messages to them?

Further backing up the belief that some of the transmissions are for training purposes are the observed broadcasting schedules. Transmissions from the NCS site in Remington, VA have been observed in the 60 meter band during the daytime. This frequency is much too low for propagation outside of North America. These broadcasts may be used to train agents before they are sent into the field.

Some very curious observations may also be made:

Several recent books about spies that have been caught reveal that they often received messages by copying numbers broadcast over shortwave radio. Sounds a lot like the Spy Number Stations we know and love. Yet, no one from within the intelligence community (of any nation) has revealed any information about these broadcasts, even retired persons. It would be nice to get just a little confirmation about the purposes of these broadcasts, even without compromising agents or national security.

Why?

With all of today's advanced communication systems, why still use Spy Number Stations to transmit messages to agents in the field? There are a number of reasons why this may still be considered a valid method of communication. Foremost, there is no direct link between the agent and the agency. No letter or package is mailed. No telephone call is made. No modem or internet communication link can be established. Basically, there's no evidence that someone received the message. This may be the most compelling reason to continue using such a system.

Second, it allows a large number of agents to be contacted at the same time. One broadcast can be received by all agents in a given area.

Finally, it may be the most suitable method to reach agents who live in remote parts of the world, where modern communication facilities do not exist. Indeed, there are still many parts of the US where an internet connection is not a local call!

Conclusion

I hope this brief introduction to Spy Number Stations has been useful, and provided enough information for you to begin your journey into shortwave's "mysterious side".


Modified 26 April 1997
(C) Copyright 1997 Chris Smolinski, All Rights Reserved


csmolinski@erols.com Chris Smolinski