Re: [TSCM-L] {2296} Re: 303 Sweeps in one year, 13 finds = 4.29% find ratio

From: Michael Dever <d..._at_bigpond.net.au>
Date: Fri, 18 Jan 2008 12:00:40 +1100
James

Not disputing anything you have said in your 'rant', however I just wanted to say that I think 'hit' rate (or discovery) statistics are a crock... there are so many variables to make simplistic comparisons between sweeps problematic. I know you qualified your statements by breaking down your stats into low, medium, high threat situations, but most sweep teams will lump all jobs into one group.
As you well know, it is unlikely that any two sites are physically the same, or are exposed to the same threats, or have the same vulnerabilities....

I get asked all the time by clients and prospective clients 'how many bugs do you find?'... I find this question a little irritating actually. Some clients ask for a sweep because they have some other evidence that they may be compromised, some ask for a sweep as a preventative activity... If you are dealing with a site that is relatively secure (both physically and administratively) then it will require a skilled adversary to penetrate. This would represent a high threat situation but not necessarily a high risk because the site may not be vulnerable to a low skilled adversary. A low skilled adversary is not going to have the skills or equipment to penetrate a relatively secure facility.... therefore, IMHO the most important first step in a sweep is an accurate threat assessment (who are your adversaries, what is their capability, intent and motivation).

Regards
Mike


On 18 Jan 2008, at 10:43, James M. Atkinson wrote:


# rant2008v2.0.c
include rant2007.h

To the list, not to any specific person.

What do you define as a "competent sweep team"?

Not to be the devil's advocate or anything, but most sweep teams do not specialize in performing sweeps and instead perform it as a side job, with minimal (if any) actual competence. Competence in this profession requires that TSCM be pursued as a full time vocation, with a hefty investment in both training and equipment, AND a steady stream of sweeps to keep in practice. If you have the equipment and the training, but only do 2-3 sweeps per month, or do ten sweeps per month (but lack the training and equipment) the results will eventually be disastrous.

If a TSCM team is permitted by the client to take the appropriate amount of time to perform a sweep then there is no chance that a bug is going to be missed, but when the client tells you that they are only going to pay you for a half day on the site, and expect you to sweep 2500 feet of office space there is a high probability that you will miss everything.

If you want some ugly statistics, then let's explore some... and please try to follow my logic so that you do not think I am just pulling these numbers out of the lower end of my digestive tract.

Let us assume for a moment that an executive has a typical office that is 15 feet by 20 feet (senior executive in a New England office), that the site of the building is relatively secure, of recent construction, moderately good facility security, video security systems, access control, etc. The great unwashed masses can not access this executive's office; however, trusted staff, cleaning people, service and maintenance people can, etc.

His office contains 300 square feet of institutional grade carpet, modestly priced free standing furniture, and all furnishings are light enough so that two people can easily move them by themselves, or a single person can move them out of the room with a furniture jack. Wrap around windows (on a 6th floor), solid wood door set in a steel jamb, sheet rock and steel screw stud walls, suspended ceiling track and tiles, and a 5 foot plenum cavity between the false ceiling and the true ceiling. The true floor and true ceiling are poured concrete over a steel deck, and the steel deck is supported by steel I-beams which are bolted, bonded, and covered in fire insulation. A dry pipe sprinkler system is present, a fire annunciator and strobe is in his office, there are no speakers (other than the annunciator). The lock on his door is a Medeco M3, there is a properly installed door latch, the hinges are welded, and a latch plate is present.

A wall mounted thermostat is present in the room, that controls an HVAC manifold in the hallway to control airflow into two ceiling mounted vents in the room through a 10" duct, but there is no independent blower or heat exchanger above the false ceiling of his office, just flexible duct work that can be removed for inspection.

There are two pieces of framed art on the walls, one analog clock (battery operated), an iPod and speaker, two digital telephones, two network connections, one laptop, and the only wiring into the room are those pairs used for the phone or data, and there are no unused wires in the room. This business controls both the floor above and below this office, as well as all physical space in the building and as the TSCM inspector you have full access to all adjoining spaces, the PBX, all wiring, etc. You have full access to the entire building, but have been engaged to only inspect HIS OFFICE.

Within the office is a rolling desk chair (leather), two guest chairs, a small conference table with four chairs (7 chairs total), one waste paper basket, one desk, one credenza attached to the desk, one lateral file cabinet, and all furniture is wood with small amounts of steel hardware or braces.

There is a duplex power outlet next to the desk that feeds a ten outlet power strip, and a duplex outlet near the conference table that is unused. There are six additional, but unused duplex power outlets in the room. All power for the power outlets comes from a single feed from the circuit breaker dedicated to this office, and the power feed does not service any other office. The lighting in the room is on a second breaker circuit, and consists of partial light via non dim-able wall mounted sconces, two Halogen desk lamps, and six fluorescent fixtures mounted into the ceiling track. The lighting is controlled by 4 wall mounted switches. There are no tombstones or pedestals in either the floor, nor have there been any physical penetrations in either his true ceiling or true floor from prior power connections (it is all solid concrete).

So, here are some rough numbers.

300 sq ft of carpet
300 sq ft of true floor (inspected from floor below)
300 sq ft of ceiling tile (removed from grid and inspected)
300 sq ft of true ceiling (inspected from this floor)
300 sq ft of true ceiling (inspected from floor above)
35 linear feet of sheet rock wall, 13 feet high (sheet rock to true ceiling)
35 linear feet of windows, 6 ft opening

Since the windows are 6 feet high, there is 210 square feet of glass, and 56 linear feet of gasket to inspect. On the window side there is a 10 inch wooden sill, with sheet rock and masonry below and above the window. All total there is 700 square feet of sheet-rock to be inspected including the area above and below the windows. To complicate matters the window frame is of aluminum and uses a four stage, two part gasket so that you have to remove four pieces of trim from the inside and one piece of gasket just to get to the edge of the glass, and then the soft gasket has to be inspected from the outside of the building once the interior inspection is complete.

The only conductors in the walls are the single run of BX for the power, all of this is run in vertical segments and is inspectable, and the 8 foot conduit stubs for the communications cables. There is no insulation in the walls. There is a total of 14 segments of BX wire in the room (250 feet total), and then an 85 ft segment to the breaker panels so we have 325 feet of 120 VAC 15 amp wire (all BX), less than 20 actual outlets for power. The ceiling and wall mounted lighting fixtures and controls involve 145 feet of BX, and 90 feet of BX back to the breaker panel. Total amount of BX to be inspected is 570 linear feet (three conductors plus BX jacket).

Since this office shares walls, ceilings, and floors with adjoining offices we have to inspect any wire segment or outlet/switch in an adjoining wall so we actually end up with 3 breaker panels to inspect, 5586 linear feet of BX, 112 duplex outlets, 44 light switches, 11 power strips, and 58 wall sconces or desk lamps.

The phone is a simple Avaya digital set, the connections in the wall are Cat 5, 4 pair, Plenum rated cable for both the phone and the data. The Ethernet jacks and phone jack are TSB-568B, and contain provisions for PoE (power over Ethernet), and all conductors of both the phone wiring and the data network are connected to a supervised port of a hub or switch, even on the unused jacks.

This gives you 561,600 cubic inches of open space to inspect, and 403,200 cubic inches of confined wall cavities to inspect in addition to thousands of feet of wiring. The big thing that will trip up most sweep teams is the 403,200 cubic inches, and the thousands of feet of wiring. The lighting fixtures will be fairly easy to inspect, as you are only talking about a few cubic feet of space each, the ceiling tiles and grid are fairly easy to check, and the HVAC duct work easy to isolate and clear. The furniture is going to really be a hassle, and will give you 11,520 cubic inches of inspected solid space, and 73,728 cubic inches of furniture cavities (drawers and cushions).

Sweeps are not about square footage, but rather about cubic inches, or more accurately, in cubic millimeters.

Whew....

So, ***** IF ***** the client gives me the time that I need to perform a proper sweep on the above described premises (which they will), AND I am being well paid for my time (which I will be), then I will methodically, and scientifically ensure that the single office is certified as actually free of bugs, wiretaps, or other mechanism of eavesdropping. If however, the client can only get me into the building for 4 days, then the certainty drops to 98%, and at 2 days in the building we drop closer to 90%. Now this all assumes that I have been in the building before, and know this room (almost in the biblical sense of the word "know"), and was involved in laying out where the cables all went, how the walls were constructed, and have set all manner of traps in advance for the eavesdroppers.

The question that should be asked is "how long is your sweep taking", what are you doing, and why?

Who makes the ceiling tiles in your client office? How about the chairs? The doors? What kind of wire is in the walls: Romex, BX, conduit? What kind of wall jacks are those? Is it Cat 5 or Cat 7 wire in the walls? Are the light fixtures 120 or 208 volts?

Details, details, details... if you pay attention to the details you will never miss a bug... ever.

Sadly, most TSCM specialists don't actually know how to perform a sweep, or their client doesn't actually trust the sweeper enough to give them the access both in premises, budget, and time to do a proper job. This is even a serious problem with U.S. government sweep teams who are supposed to be protecting classified facilities as they frequently are not given enough time on target to do a proper job, or their hands are tied in what they can do, access, or touch (as they are not actually trusted by their superiors). While some of you may find this amusing, there are actually quite a few U.S. Government sweep technicians who are not allowed on ladders, and quite a few others who are not allowed to use (or know how to use) a spectrum analyzer on-site. How many sweeps per year are these government teams actually performing (3, maybe 4 sweeps), how long are they allowed to be on site (3 days, or 3 weeks)? There are other government sweep teams who are actually forbidden to touch server cabinets or operational computer or crypto gear (much to the amusement and delight of the spies in China).

How many so called "TSCM professionals" have a clue what an AED is, or keep their medical certificates in their wallets (as required by law)? Next time you shake hands with someone who-claims-to-know-shit about TSCM ask them to open their wallet and show you their current AED and medical card. If they can't show you both then demand that they pay you $100 in cash on the spot as a fine for being a professional purveyor-of-bovine-feces... for that matter, how many TSCM "professionals" even know what an AED is (or one of its manual equivalents) or know how to maintain a log book when away from home on a sweep (if you are a hard-core sweeper you know what I am talking about).

How many sweepers show up for a sweep sober, and not hung over from drinking the night before... ask your friendly TSCM expert to take a simple breathalyzer test the next time you invite them out to do a sweep for you, the results may amaze you. Or better yet, are they a little sleepy at 8 AM because the coffee hasn't quite kicked in yet, or is that a hangover they are nursing because they were out drinking until 3 AM, or stoned from the roach they were working on out in the parking lot before they came in to start the sweep (and yes, this includes government contractors).

I don't mean to rant (too much), but most TSCM professionals really don't know shit about TSCM, but they don't really care to know... because for them TSCM is just a hobby or a side-job and not an actual profession or vocation. If you know how to do the job, but choose not to do it the right way then your conscience will bother you, but if you are blissfully ignorant on how to do the job, and you bugger the job up then you will never know or care about the bugs that got missed... and neither will your client.

Statistics are actually meaningless, it is either 100% certain, or not 100% certain... black and white, not shades of gray. If your client wants to let you do your job (and pay you appropriately) then you can give them certain assurances and guarantees... if they want to cheap it out, then you can give them shades of gray. If the client wants percentages, then compute the non-open-space cubic millimeters in the area, and subtract the cubic millimeters that you actually inspected and documented... after you do this a few times you may have an epiphany. If you inspect every cubic millimeter of the area you are hired to check then you can issue a 100% clear, if not then you have to tell the customer what you could not access, could not see, or could not measure.

Hint, you can make a bloody fortune in this profession if you learn to do it the right way, but you're also going to have to spend a fortune on equipment and training to provide an honest service to your customers. After a few years the acquisition of equipment and chasing yet another class or new piece of sweep gear, and 80+% of every penny you make on a sweep gets plowed right back into equipment and training (and other direct business expenses).

TSCM is a passion, a vocation, and something that a few of us pursue with a religious zeal and fervor.

-jma




At 10:01 PM 1/15/2008, Matt wrote:

Along these lines does anyone have an estimate on how many devices are not found by a competent sweep team? I realize this is not easy to measure because you don't know what you don't know. But we have many experts on that I think could give an authoritative opinion. Anyone want to take a guess?

Cheers,
Matt

"James M. Atkinson" writes:
 |
 | OK, so 303 Sweeps in one year, 13 finds = 4.29% find ratio.
 |


Predators home to the singing of the cricket, hence there may be two dozen silent males in the grass near the singer thus avoiding the predator (that would be you) while reaping the rewards of the singer. If the singer is found (eaten), another will self select... In other words, why should I suppose that the detectable one is the only one?

--dan

----------------------------------------------------------------------------------------------------
   World Class, Professional, Ethical, and Competent Bug Sweeps, and Wiretap Detection using Sophisticated Laboratory Grade Test Equipment.
----------------------------------------------------------------------------------------------------
  James M. Atkinson                              Phone:  (978) 546-3803
  Granite Island Group                           Fax:    (978) 546-9467
  127 Eastern Avenue #291                        Web:    http://www.tscm.com/
  Gloucester, MA 01931-8008                      E-mail: mailto:jm..._at_tscm.com
----------------------------------------------------------------------------------------------------
  We perform bug sweeps like it's a full contact sport, we take no prisoners, and we give no quarter. Our goal is to simply, and completely stop the spy.
----------------------------------------------------------------------------------------------------




Michael J. Dever CPP PSP
Dever Clark + Associates
GPO Box 1163
Canberra ACT 2601
Australia

Voice: +612 6254 5337
Mobile: +61419 252 839
Email: d..._at_bigpond.net.au

This message is sent in strict confidence for the addressee(s) only. It may contain legally privileged information. The contents are not to be disclosed to anyone other than the addressee. Unauthorised recipients are requested to preserve this confidentiality and to advise the sender immediately of any error in transmission.
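As an added example (not code from the thread or from any of its authors), the small Python ledger below applies the coverage accounting James Atkinson describes, computing the non-open-space cubic millimetres and subtracting what was actually inspected and documented, to the room in his post. The region totals are the cubic-inch figures he quotes; the "inspected" figures and the notes are constructed for illustration, and the conversion factor is the standard 25.4 mm per inch cubed.

```python
# Inspection-coverage ledger for a sweep report (added example, not from the thread).
# Totals below are the cubic-inch figures quoted in the post; inspected volumes
# and notes are constructed placeholders a sweeper would replace with real data.

CUBIC_MM_PER_CUBIC_INCH = 25.4 ** 3  # 16387.064 mm^3 per cubic inch

# (region, total cubic inches, inspected cubic inches, note for the report)
LEDGER = [
    ("open space", 561_600, 561_600, "visual, RF and NLJD coverage complete"),
    ("confined wall cavities", 403_200, 322_560, "east wall behind credenza not opened"),
    ("furniture solid mass", 11_520, 11_520, "probed and checked"),
    ("furniture cavities", 73_728, 61_440, "two locked drawers, keys not provided"),
]


def to_cubic_mm(cubic_inches):
    """Express a volume in cubic millimetres, the unit the post argues for."""
    return cubic_inches * CUBIC_MM_PER_CUBIC_INCH


def coverage(ledger, include_open_space=False):
    """Return (inspected_mm3, total_mm3, fraction) over the regions that count.

    The post treats open space as the easy part, so the honest percentage
    is computed over the confined volumes only unless the caller asks otherwise.
    """
    rows = [r for r in ledger if include_open_space or r[0] != "open space"]
    total = sum(to_cubic_mm(r[1]) for r in rows)
    done = sum(to_cubic_mm(min(r[2], r[1])) for r in rows)  # never over-credit a region
    return done, total, (done / total if total else 1.0)


def uninspected(ledger):
    """Regions that must be reported as not accessed, seen or measured."""
    return [(name, total - done, note) for name, total, done, note in ledger if done < total]


def is_certifiable(ledger):
    """A 100% clear can only be issued when no region is left uninspected."""
    return not uninspected(ledger)


def report(ledger):
    """Lines for the client report: either a clear, or the shortfall spelled out."""
    done, total, frac = coverage(ledger)
    lines = [f"Confined volume inspected: {frac:.1%} ({done:,.0f} of {total:,.0f} mm^3)"]
    if is_certifiable(ledger):
        lines.append("All regions fully inspected; 100% clear may be issued.")
    else:
        for name, missing, note in uninspected(ledger):
            lines.append(f"NOT CLEARED: {name}: {to_cubic_mm(missing):,.0f} mm^3 ({note})")
    return lines


if __name__ == "__main__":
    print("\n".join(report(LEDGER)))
```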



Received on Sat Mar 02 2024 - 00:57:20 CST

This archive was generated by hypermail 2.3.0 : Sat Mar 02 2024 - 01:11:44 CST