Project EVIL

For Mein Fraulein...

What is Project EVIL? ::: Who is Mein Fraulein? ::: Conclusions ::: Links ::: Contact

Messages for Mein Fraulein: 1 ::: 2 ::: 3 ::: 4 ::: 5 ::: 6 ::: 7 ::: 8 ::: 9 ::: 10 ::: Easter Eggs

Who is Mein Fraulein?

The Mein Fraulein VoIP numbers stations were an experiment to try to estimate the size, power, and organizational capacity of the online cryptographic community.

It all started after the May 2006 talk at LA2600. Datagram spoke about the history of shortwave numbers stations. Afterwards, we all drifted outside and the conversation drifted to Asterisk and VoIP. Suddenly someone said, "I wonder if we could do a VoIP numbers station?" And Project Evil was born…

The Original Plan

Our original plan was to create four to six VoIP numbers stations and to use One Time Pads to encrypt the messages. The first and last messages would be encrypted using the same One Time Pad. The first message was released in May, and the last was to be released just before the DEFCON conference in August. We felt that if the messages were short enough, and if sufficient interest were generated in the numbers stations, someone would attempt to find a key collision between the messages, and be able to decrypt them.

The first VoIP numbers station was set up with a Manhattan phone number and posted on Craigslist on May 8th, 2006. The content of the messages was picked almost as an afterthought, as was the text posted on Craigslist, and the phrase "Mein Fraulein" was born almost accidentally.

We waited a few days for the listing to mellow, and then we posted the following message to the Spynumbers Spooks List Number Stations mailing list:

Date: Thu, 11 May 2006
To: Shortwave Spy Numbers Stations
Subject: Need help identifying something weird

Message: Hi folks,

Been following numbers stations for a few years now and have run into something that I need help identifying. My apologies if this isn't the right place to be asking, and if someone could point me in the right direction I'd definitely appreciate it.

Anyway, what I found sounds like a numbers station, only it's by phone. I ran across it on Craigslist of all places (actually, a friend of mine found it and passed it on to me). Can anyone verify what this is? The post in question is at http://newyork.craigslist.org/mnh/mis/158815074.html ; I'll reproduce the text below in case it gets pulled.

Subject: For mein fraulein

Message: Mein Fraulein, I haven't heard from you in a while. Won't you call me? 212 //// 796 //// 0735

The message at that number runs for around seven minutes and I'm at work so can't grab audio of it; it starts and ends with music and reads off a bunch of numbers in groups. The voices reading the numbers sound like - well, imagine the stereotypical ransom note cut out from letters in the newspaper glued together. Anyway, if someone could check it out and let me know what they think (or point me to somewhere to ask the question) I'd appreciate it. Maybe it's some weird telephone company test number or something?

Thanks,
John.

Then we sat back to see what would happen…

Interest in the new phenomena of VoIP numbers stations grew quickly. In its first day the Manhattan VoIP number received a few calls. On May 24th, Emmanuel Goldstein mentioned the number during the Off The Hook radio show. The number station started to be flooded with calls from Phone Phreaks around the country.

On May 29th, 2006 we released the second VoIP numbers station in San Francisco. Interest continued to build.

On May 31st, Michael Hampton of Homeland Stupidity wrote an article about our numbers stations that quickly turned into a forum for amateur cryptographers trying to decrypt the messages. And on June 1st, an article about our numbers stations was posted on Slashdot. The amount of publicity our little experiment was getting was truly staggering.

By the end of the month, the stations hade received hundreds of calls and generated countless posts on message boards and blogs across the Internet.

On June 10th we released the third numbers station in Atlanta, and interest continued to build at a feverish pace. According to Homeland Stupidity, even the cryptanalysts at the NSA had taken an interest in our experiment.

Later that same week we made arrangements with the DEFCON conference to present our experiment under the pseudonym "SOCIAL MESSAGE RELAY: Using existing social networks to transmit covert messages in public." In order to keep our subject matter secret only members of Project Evil and Dark Tangent, the creator of DEFCON, knew the truth. We were elated. What could go wrong…

Then, on June 20th, just as interest in the numbers stations was at its peak, disaster struck as we became victims of our own success. The organizers of the Hackers On Planet Earth conference created a copycat numbers station using our own sound clips. Two days later they announced on the Off The Hook radio show that it was all a stunt, and that the person who decrypted their message would win free tickets to the HOPE conference. After this stunt, interest began to wane in our number stations as many people mistakenly believed that HOPE was the originator of all the messages, and not just the most recent one.

On July 3rd we released our fourth numbers station, somewhat earlier than we originally intended, in an attempt to muster up more interest. It quickly became apparent that it wasn't working. While there was still a core group of people as dedicated as ever to decrypting the messages, many people had lost interest. The turning point had been the HOPE contest. Our experiment was coming unraveled. And it kept getting worse.

So we started over…

The New Plan

On July 15th all the members of Project Evil met face to face for the first time to discuss the future of Mein Fraulein. How do we re-kindle interest? How do we stretch this out until DEFCON, now that we're committed to give a presentation? What do we want Mein Fraulein to say? And most importantly, how do we drink an entire case of Guinness before the end of the meeting? The Guinness turned out to be the only easy part…

But we came up with a new plan. First, we decided we would release a large batch of messages within a short period of time. We hoped that this would help re-invigorate interest if people felt something big might be happening. The first of the six new numbers stations was launched on July 19th. And the second was launched on July 25th, with subsequent stations launched every 24 hours thereafter.

Second, we created a backstory for our numbers stations. This gave us, in our own minds, a framework to hang the new set of messages upon. And it allowed us to create a more cohesive set of "Mein Fraulein" messages to post on Craigslist. It also let us create encrypted messages that would be more meaningful to decrypt during out presentation.

The backstory we created is as follows. This is taken verbatim from out meeting notes:

We decided that the messages are being sent by a controlling agency (doesn't matter who) to their agent in the field. Each message triggers a dead drop by the agent. The agent is becoming freaked out by the amount of attention the messages are getting online, and is starting to balk at more missions.

During the dead drop delivery after message 5, our agent was spotted by enemy counter intelligence. The controlling agency informed the agent that their cover might be blown in message 6. And at some point between message 6 and 7 the agent stops responding to messages from control. Thus messages 7, 8 and 9 are all attempts by the parent agency to re-connect with the agent in the field. The 9th message succeeds, and the agent delivers the final package to the dead drop.

The 10th message informs the field agent that their mission is over and that they are being pulled out.

During our meeting we also decided to abandon the key collision scenario for decrypting the One Time Pads. Such a venture, even for very short messages, would have taken a lot of work, coding, computing power, and some good intuitive guesswork. With interest fading and the core group of cryptanalysis becoming frustrated and tired, it seemed unlikely that anyone would attempt to locate a key collision between the messages. And in fact, when we went through and read every post we could find about our numbers stations, there was not one single mention of looking for key collisions.

But this left us with a problem. We had to keep our messages secret until DEFCON, and given how quickly the community had cracked the HOPE cipher, it didn't seem that any traditional cipher would have a hope of resisting them if we were successful in re-kindling interest. So we decided to continue using One Time Pads for the fifth through ninth messages. This allowed us to decrypt those messages for the audience during our talk at DEFCON, which we did on the morning of August 5th. Those decryptions can be found here: message 5, message 6, message 7, message 8, and message 9.

During our talk at DEFCON we also shared with the audience some of our experiences about making the VoIP numbers stations, the reactions of the online cryptographic community, and the mistakes we made along the way.

Even though we gave away the answers to the fifth though ninth messages, there was a tenth VoIP numbers station that we didn't release until the end of our talk at DEFCON. This message didn't use a one time pad. It was cracked by a team of Hackers at the DEFCON conventon.

Now that the final message has been cracked, our project is finally finished. You can read some of our conclusions here.