This entry is part 5 of 9 in the series Tradecraft for Patriots

In this installment of the tradecraft for patriots series, we’ll talk about one facet of communications used to ensure that you’re talking to the right person. In independent cell-based operations, you may find yourself needing to meet up with someone you don’t know who is part of the information chain, or who is a cutout for someone else you’re working with. Anyone who has dipped their toes into the awkward and even dangerous world of online dating knows how difficult it can be, especially in a crowded public place, to know which person is the one you’re supposed to meet. Now multiply that with the knowledge that if you approach the wrong person, you could be endangering yourself, your family, contacts, or even your whole cell or group. You need a solid way to identify people—and telling your contact that “I’ll be wearing a Gadsden flag T-shirt, tactical pants and a III% cap” is not it. (See our previous article on the gray man.) Enter the sign/countersign. It’s a password set of sorts: you say the first half, and your contact—if he is in fact your contact—replies with the second half. Let’s take a look at what these are and how to make a good one.

Signs and countersigns (or challenge phrases) have been used for many, many years in various espionage and military applications. One of the most well-known challenge phrase sets was “flash” and “thunder,” used in World War II. In this application, one party would say “flash” and the other would respond “thunder” as a password. The countersign was “welcome.”

It’s important to note that in many cases, signs and countersigns employed a concept known as a shibboleth, or a linguistic marker. This actually started way back in ancient times. The full account is in Judges 12:1-15. Even the ancient Israelites were using challenge phrases.

12:4 Then Jephthah gathered together all the men of Gilead, and fought with Ephraim: and the men of Gilead smote Ephraim, because they said, Ye Gileadites are fugitives of Ephraim among the Ephraimites, and among the Manassites.

5 And the Gileadites took the passages of Jordan before the Ephraimites: and it was so, that when those Ephraimites which were escaped said, Let me go over; that the men of Gilead said unto him, art thou an Ephraimite? If he say Nay;

6 Then said they unto him, Say now Shibboleth: and he said Sibboleth: for he could not frame to pronounce it right. Then they took him, and slew him at the passages of Jordan: and there fell at that time of the Ephraimites forty and two thousand.

The beauty of the shibboleth is that it serves a two-fold purpose. First, it establishes whether the person is ‘safe’ to talk to (as in, part of the friendly force or the contact you’re looking for). Second, it establishes that person as either being in or out of a specific demographic or linguistic group, serving as a double-check in case of possible compromise of the passphrase. Due to native speaking patterns of various languages, certain sounds exist in one language but not another. Native speakers of that language will recognize it instantly if someone is trying to impersonate friendlies by using the phrase. In the case of “welcome,” the word uses a “w” sound that native German speakers would pronounce as “v.” In the Pacific theater, American troops would use the word “lollapalooza,” which was impossible for Japanese troops to pronounce.

Operating here in the States, shibboleths may not be nearly as effective in most cases. If you’re aware that the person you’re meeting is a native English speaker, however, and they mispronounce a countersign shibboleth, it’s a good sign that you’re not dealing with the person you’re looking for.

When choosing a challenge phrase, you want something that can be pre-arranged between the parties meeting, and something that if overheard would not be remembered as anything significant. Walking up to a complete stranger in a crowded place, for instance, and saying “FLASH!” might be a bad idea. Casually asking someone if they’ve tried the Veal Parmesan in a particular restaurant (especially if the establishment doesn’t have that particular dish) might be a better option. Bryan Black has a few other ideas as well:

Another way of developing a sign and countersign can be with single words that are worked into sentences that aren’t pre-established themselves. For example, let’s use blue as the sign and moon as the countersign. The sign I might give you could be “I’m sure feeling blue today” or even “don’t hold your breath, you might turn blue.” As long as it has the sign “blue” somewhere in the sentence, that’s your key to give me the countersign within a phrase that has “moon” in it. This can be a challenge on the fly for the person giving the countersign. Your reply has to have the word moon in it, but also has to fit the context of the initial sign phrase. “I only hold my breath during a full moon.”

Regardless of which method or phrase you use, it should be obvious that you don’t want to use the same one for very long, or do something stupid with it that defeats the entire purpose. Someone sent me a screenshot once from their group; their leadership put a post online, in a forum thread in which they did the following:

  1. Announced a need for OPSEC in face-to-face meetings.
  2. Announced their intention to use a sign/countersign phrase.
  3. Announced the phrase in the thread. It was on the “clearnet,” or regular internet, with no encryption—nothing. The thread was behind a “members only” fence, which is child’s play to the NSA and other agencies.
  4. Told everyone not to post it anywhere, or tell anyone.

What’s wrong with this picture? Perhaps the better question is, what is right with this picture? If your group is relying on simple passwords on forums to keep “non-members” out, you might as well directly email God and everyone the information you’re hiding. If you’re posting your challenges anywhere on the clearnet, you might as well just assume that everyone knows them. Don’t go to the trouble of setting up measures to protect yourself and then fail to protect those measures.

At some point, patriots will either need to learn some tradecraft, or they’ll get caught/arrested/killed. Alternatively, they’ll get someone else caught/arrested/killed. It’s that simple.
