#2225: The Physics of Eavesdropping: Nation-State Listening in 2026

From laser microphones to keystroke acoustics to the Great Seal Bug, what remote listening actually looks like when physics becomes the bottleneck—...

Episode Details
Episode ID: MWP-2383
Duration: 30:19
Pipeline: V5
TTS Engine: chatterbox-regular
Script Writing Agent: claude-sonnet-4-6

AI-Generated Content: This podcast is created using AI personas. Please verify any important information independently.

The Physics of Eavesdropping: What Nation-State Listening Actually Looks Like

Operation Acoustic Kitty is one of those historical footnotes that seems almost too absurd to be true. In the 1960s, the CIA surgically implanted a microphone, battery, and antenna into a live cat, intending to drop it near Soviet diplomats having conversations in parks. The program cost roughly $20 million in today's money. On its first mission, the cat was allegedly hit by a taxi. (Though case officer Robert Wallace later clarified that the cat was actually untrainable—which is somehow both more and less dignified.)

The real insight from Acoustic Kitty isn't about cats. It's about constraints. In 1965, the bottleneck wasn't will, funding, or creativity. It was engineering. The gap between what intelligence agencies wanted to do and what physics allowed them to do was so enormous that wiring up a cat seemed like a reasonable solution. That gap has closed dramatically—just not by improving cats.

Laser Microphones: The Most Cinematic Real Thing

Laser microphones work by bouncing a laser beam off a window pane and reading the vibrations that sound inside the room causes. The basic physics has been understood since the 1970s. What's changed is miniaturization, signal processing, and noise compensation. A modern laser interferometry setup can recover intelligible speech from a window at ranges of several hundred meters under good conditions.

The key phrase is "good conditions." You need line of sight, a relatively rigid window that couples well to the acoustic field inside, minimal vibration from wind or traffic, and time to tune your signal. It's not "point laser at building, receive speech." There's a real setup cost.

The defenses are reasonably effective too. Window films that add mass and damping reduce the coupling between interior sound and glass vibration. White noise generators placed against the glass flood the vibration signal with broadband noise that's hard to subtract algorithmically. Active vibration cancellation, which drives the window with a counter-signal, is expensive, but it is what secure facilities actually use.

The problem isn't that the technology is unbeatable. It's that most organizations don't implement countermeasures because the threat feels abstract. A white noise machine in the wrong spot or window film installed incorrectly doesn't provide the protection you think it does.

Acoustic Side-Channels: Information From Non-Speech Sounds

This is where things get genuinely strange. Acoustic side-channel attacks recover information from sounds that aren't speech at all.

Keystroke acoustics is the oldest version. You can train a classifier on the sound of individual keystrokes and recover what someone is typing with high accuracy. Papers on this go back to the early 2000s. More recent work has shown you can do this over Zoom, using a nearby device's microphone to pick up keyboard sounds during a call. This feels very close to practical operational deployment.

The MIT Visual Microphone research demonstrated something more exotic: recovering audio from the vibrations of objects in a video. A potato chip bag. A glass of water. A plant. The video needs to be high frame rate—ideally above the Nyquist frequency for speech—which requires specialized cameras. But the principle is demonstrated. Sound causes pressure variations in air, those variations cause tiny mechanical movements in any compliant object, and with high enough temporal resolution in imaging, you can invert the process.
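
Why frame rate is the limiting factor in the paragraph above, as an added example that is not part of the original show notes: it samples a vibrating surface once per frame and shows that tones above half the frame rate fold down to a false low frequency, so two different tones become indistinguishable. It assumes an idealized camera taking one global-shutter sample per frame; the test tones, frame rates and the 3.4 kHz band edge are constructed values.

```python
import math

SPEECH_BAND_TOP_HZ = 3400  # assumed: upper edge of the telephone speech band


def sample_tone(freq_hz, fps, seconds=0.25):
    """Displacement of a vibrating surface, sampled once per video frame."""
    n_frames = round(fps * seconds)
    return [math.sin(2 * math.pi * freq_hz * k / fps) for k in range(n_frames)]


def dominant_frequency(samples, fps):
    """Frequency in Hz of the strongest non-DC bin of a naive DFT."""
    n = len(samples)
    best_bin, best_power = 0, -1.0
    for b in range(1, n // 2 + 1):
        step = 2 * math.pi * b / n
        re = sum(s * math.cos(step * k) for k, s in enumerate(samples))
        im = sum(s * math.sin(step * k) for k, s in enumerate(samples))
        power = re * re + im * im
        if power > best_power:
            best_bin, best_power = b, power
    return best_bin * fps / n


def predicted_alias(freq_hz, fps):
    """Where the sampling theorem says a tone lands after folding."""
    folded = freq_hz % fps
    return min(folded, fps - folded)


def covers_speech(fps, band_top_hz=SPEECH_BAND_TOP_HZ):
    """True when the frame rate exceeds twice the top of the band."""
    return fps > 2 * band_top_hz


def survey(frame_rates=(60, 240, 2200), tones_hz=(440, 1000)):
    """Rows of (fps, true tone, observed tone, preserved?)."""
    rows = []
    for fps in frame_rates:
        for tone in tones_hz:
            seen = dominant_frequency(sample_tone(tone, fps), fps)
            rows.append((fps, tone, seen, abs(seen - tone) < 1e-6))
    return rows


if __name__ == "__main__":
    for fps, tone, seen, ok in survey():
        print(f"{fps:>5} fps  {tone:>5} Hz tone -> seen at {seen:7.1f} Hz  "
              f"{'preserved' if ok else 'aliased'}")
    for fps in (60, 240, 2200, 8000):
        print(f"{fps:>5} fps covers 0-{SPEECH_BAND_TOP_HZ} Hz: "
              f"{covers_speech(fps)}")
```

At 60 frames per second both the 440 Hz and the 1000 Hz tone show up at 20 Hz, which is why footage at ordinary frame rates carries little of the speech band in this model.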

Coil whine side-channels exploit electromagnetic emissions from a device's power supply. These emissions vary with computational load in ways that leak information about what's being processed. This has been demonstrated for screen content recovery. With the right equipment nearby—in the same building or adjacent room—an adversary could potentially infer what's on your screen from the electrical noise your computer makes.

Software Implants: Unambiguously Operational

This is where there's the least ambiguity. Pegasus, developed by NSO Group in Israel, is the most documented. The Citizen Lab at the University of Toronto has catalogued confirmed cases across dozens of countries.

The key capability is the zero-click exploit—the target doesn't have to tap a link or open a file. The implant is delivered through vulnerabilities in the operating system or apps like iMessage or WhatsApp that process data automatically. Once installed, Pegasus accesses the microphone, camera, location, encrypted messages, essentially everything. The phone becomes the bug.

NSO Group maintains that Pegasus is sold only to governments for legitimate law enforcement. The Citizen Lab documentation tells a different story. Confirmed targets have included journalists, opposition politicians, human rights lawyers, and heads of state. The French president's number appeared in the Pegasus Project dataset.

Pegasus isn't alone. Intellexa's Predator and FinFisher represent a broader commercial market for spyware platforms with similar capabilities. The commercialization is significant: historically you could say "only the NSA or GCHQ has this." Now a government with a mid-tier budget can buy it off a shelf. The vendors operate in a legal gray zone that's been difficult to regulate. Export controls and investigations have fragmented the market, but haven't shut it down.

RF Retro-Reflectors: Elegant Passive Surveillance

The most elegant piece of engineering in this space is the RF retro-reflector, exemplified by the Great Seal Bug.

In 1945, Soviet schoolchildren presented the American ambassador with a hand-carved wooden replica of the Great Seal of the United States. It hung in his study in Spaso House in Moscow for seven years. It contained a passive resonant cavity device designed by Léon Theremin (yes, the theremin instrument inventor) with no battery, no active electronics, no power source of any kind.

When a Soviet operator outside the building illuminated it with a directed radio frequency beam, the cavity resonated in a way modulated by sound waves in the room, and the reflected signal carried the audio. The Americans found it in 1952 and were so confused by what they were looking at that it took time to understand the mechanism.

Seven years. No battery. Just physics.

The Snowden leaks of the NSA ANT catalogue in 2013 showed that this class of device is still in use. The catalogue contains entries for retro-reflector implants working on the same basic principle, updated for modern frequencies and miniaturization. The advantage is fundamental: a passive device has no emissions to detect.

The Real Gap: Operational Discipline, Not Technology

The consistent theme across all these capabilities is that defenses exist. Countermeasures work. The gap isn't technological—it's operational discipline. Laser microphones can be defeated with proper window treatment. Acoustic side-channels require specific environmental conditions. Software implants can be mitigated with device hygiene and security practices.

The problem is that most people and most organizations don't implement these defenses because the threat feels abstract. The capability exists. The countermeasures exist. The gap is whether anyone actually deploys them.

#2225: The Physics of Eavesdropping: Nation-State Listening in 2026

Corn
So Daniel sent us this one, and I have to say, it might be the best opening image we've ever been handed. Operation Acoustic Kitty. The CIA, in the nineteen sixties, surgically implanted a microphone, a battery, and an antenna into a live cat. The idea was to drop the cat near Soviet diplomats having conversations in parks, and let the cat do the listening. The program cost something in the range of twenty million dollars in today's money. And on the first mission, the cat allegedly got hit by a taxi. The whole thing was declassified in two thousand and one. Daniel's question is essentially this: what does that capability look like now, when you don't need to modify a cat? What is the actual state of nation-state remote listening in twenty twenty-six, and how much of what sounds like science fiction is already operational?
Herman
The cat story is one of those things where the more you sit with it, the more it tells you. Not about cats. About how intelligence agencies think about the problem. The constraint in nineteen sixty-five wasn't will, it wasn't funding, it wasn't even creativity. It was engineering. The gap between what you wanted to do and what physics allowed you to do was so enormous that you ended up in a room seriously debating whether to wire up a cat. That gap has closed in ways that are genuinely difficult to overstate.
Corn
And the cat, to be fair to the cat, did not consent to any of this.
Herman
No. And case officer Robert Wallace has actually pushed back on the taxi story. His version is that the program was terminated because the cat was untrainable, not because it got flattened on its first outing. Which is somehow both more and less dignified. But the point stands either way. The engineering was the bottleneck. And the engineering got solved. Just not by improving cats.
Corn
So let's go through what actually exists now. And I want to flag something before we start: there's a real spectrum here between what's been demonstrated in a research lab, what's been confirmed as operationally deployed, and what's in the realm of plausible speculation. I want us to be honest about where each thing sits on that spectrum.
Herman
That's the right frame. And it's one a lot of coverage gets wrong, because the incentive is to make everything sound like it's already aimed at your window. Some of it is. Some of it isn't. Start with laser microphones, because that's probably the most cinematic one and also the most real.
Corn
Right. Bouncing a laser off a window pane, reading the vibrations the sound inside the room causes, and reconstructing the audio. How good is this actually?
Herman
It's genuinely good, and it's been good for longer than most people realize. The basic physics has been understood since the nineteen seventies. What's changed is miniaturization, signal processing, and the ability to compensate for noise. A modern laser interferometry setup can recover intelligible speech from a window at ranges of several hundred meters under good conditions. The "good conditions" caveat matters a lot. You need line of sight. You need a relatively rigid window that couples well to the acoustic field inside. You need minimal vibration from wind or traffic. And you need time to tune your signal.
Corn
So it's not "point laser at building, receive speech." There's a setup cost.
Herman
There's a real setup cost. And the countermeasures are actually reasonably effective. Window films that add mass and damping to the glass reduce the coupling between interior sound and glass vibration. White noise generators placed against the glass are quite effective because they flood the vibration signal with broadband noise that's very hard to subtract out algorithmically. The more sophisticated version is active vibration cancellation, where you're driving the window with a counter-signal. That's expensive but it's what you'd use in a secure facility.
Corn
So if you're a foreign embassy and you're worried about this, you have options.
Herman
You have options. The problem is that most people and most organizations don't implement them because the threat feels abstract. And the countermeasures only work if they're actually deployed properly. A white noise machine on the wrong side of the room, or a window film that wasn't installed correctly, doesn't give you the protection you think it does.
Corn
There's something almost poetic about that. The defense is available. Most people just don't bother.
Herman
Which is a theme that runs through basically every category we're going to discuss. The capability exists. The countermeasures exist. The gap is operational discipline, not technology.
Corn
Okay. Acoustic side-channel attacks. This is where it starts getting genuinely strange. Because we're not talking about listening to someone speak. We're talking about recovering information from sounds that aren't speech at all.
Herman
This is the area I find most fascinating from a pure research standpoint, and also the one where the gap between "demonstrated" and "deployed" is probably largest. The keystroke acoustic side-channel is the oldest version. You can train a classifier on the sound of individual keystrokes and recover what someone is typing with quite high accuracy. There are papers going back to the early two thousands on this. More recently, people have shown you can do it over Zoom, using the microphone of a nearby device picking up keyboard sounds during a call.
Corn
That one feels very close to practical.
Herman
It is close to practical. It requires a reasonably quiet environment and some training data, but the accuracy numbers in recent papers are high enough that you'd take it seriously as an operational capability. The MIT Visual Microphone work is a different flavor. That's the research where they showed you could recover audio from the vibrations of objects in a video. A potato chip bag. A glass of water. A plant. The video has to be high frame rate, ideally above the Nyquist frequency for speech, which means you need specialized cameras for most applications. But the principle is demonstrated.
Corn
The potato chip bag thing broke my brain when I first encountered it. You're looking at a video of a bag of chips and you can hear what someone was saying nearby.
Herman
The physics is real. Sound causes pressure variations in the air, those pressure variations cause tiny mechanical movements in any object with some compliance, and if you have high enough temporal resolution in your imaging, you can invert that. The question is always about signal-to-noise ratio and whether you can get the frame rate you need. At standard video frame rates, you're limited. At high-speed camera frame rates, the capability is genuine.
Corn
Has any of this moved from the lab to operational use?
Herman
The keystroke recovery, I think it's reasonable to assume some version is in active use by sophisticated actors. The visual microphone, I'm less certain. The sensor requirements are still specialized enough that it's not a general-purpose tool. Coil whine side-channels are another one worth mentioning. The electromagnetic emissions from a device's power supply vary with computational load in ways that can leak information about what's being processed. That one has been demonstrated for screen content recovery, which is alarming.
Corn
Meaning someone with the right equipment nearby could potentially infer what's on your screen from the electrical noise your computer makes.
Herman
In controlled conditions, yes. The range is limited. But "limited" is doing a lot of work there. If the adversary can get into the same building, or the adjacent room, the physics becomes workable.
Corn
By the way, today's episode is coming to you courtesy of Claude Sonnet four point six, which is writing our script right now. I always find it slightly amusing that we discuss surveillance technology in a script generated by an AI. Anyway. Software implants. This is the one that's unambiguously operational.
Herman
This is the category where there's the least ambiguity about deployment. Pegasus, developed by NSO Group in Israel, is the most documented. The Citizen Lab at the University of Toronto has catalogued confirmed cases across dozens of countries. The key capability is what's called a zero-click exploit, meaning the target doesn't have to tap a link or open a file. The implant is delivered through vulnerabilities in the operating system or in apps like iMessage or WhatsApp that process data automatically. Once installed, Pegasus can access the microphone, the camera, the location, encrypted messages, essentially everything.
Corn
So the phone becomes the bug. Which is the most efficient possible outcome if you're an intelligence agency, because the target is already carrying it everywhere and has already solved the battery problem for you.
Herman
The target charges it for you. Takes it into private meetings for you. Carries it into secure facilities sometimes, which is a whole separate problem. The NSO Group has maintained that Pegasus is sold only to governments for legitimate law enforcement purposes. The Citizen Lab documentation tells a more complicated story. Confirmed targets have included journalists, opposition politicians, human rights lawyers, and heads of state. The French president's number appeared in the Pegasus Project dataset. The Indian opposition. Dozens of others.
Corn
And Pegasus isn't alone.
Herman
Not even close. Intellexa's Predator is another commercial spyware platform with a similar capability profile. FinFisher, which has gone through various corporate reincarnations, has been around since the early twenty-tens and has been found on devices in authoritarian states targeting dissidents. There's a whole commercial market for this, which is one of the more disturbing developments of the last decade. Nation-state capability, priced for a wider range of buyers.
Corn
The commercialization of this is important. Because historically you could say "well, only the NSA or GCHQ has this." Now you're saying a government with a mid-tier budget can buy this off a shelf.
Herman
And the vendors operate in a legal gray zone that's been very difficult to regulate. There have been export control actions against NSO Group in the United States. The European Parliament conducted an investigation. But the market hasn't been shut down. It's fragmented and partially moved to less scrutinized vendors.
Corn
Okay. RF retro-reflectors. This one I want to spend time on because it's the most elegant piece of engineering in the whole space, and most people have never heard of it.
Herman
The Great Seal Bug. Start there, because it's the origin and it's beautiful in a very sinister way. In nineteen forty-five, Soviet schoolchildren presented the American ambassador with a hand-carved wooden replica of the Great Seal of the United States. It hung in his study in Spaso House in Moscow for seven years. It contained a passive resonant cavity device designed by Léon Theremin, yes, the same person who invented the theremin instrument, that had no battery, no active electronics, no power source of any kind. When a Soviet operator outside the building illuminated it with a directed radio frequency beam, the cavity resonated in a way that was modulated by sound waves in the room, and the reflected signal carried the audio. The Americans found it in nineteen fifty-two and were so confused by what they were looking at that it took some time to understand the mechanism.
Corn
No battery. No power. Just physics. For seven years.
Herman
Seven years. And the Snowden leaks of the NSA ANT catalogue in twenty thirteen showed that this class of device is still in use. There are entries in the catalogue for retro-reflector implants that work on the same basic principle, updated for modern frequencies and miniaturization. The advantage is obvious: a passive device has no emissions when not being interrogated, no battery to die, no power signature to detect. If you're sweeping a room for bugs, you're looking for active electronics. A retro-reflector is invisible to most standard detection methods.
Corn
How do you find one?
Herman
You have to actively illuminate the space with a radio frequency signal and look for anomalous reflections. Which is a much more involved sweep. TSCM, technical surveillance countermeasures, at the high end includes this kind of non-linear junction detection and active RF interrogation. But it requires specialized equipment and expertise. Most "bug sweeps" don't go that deep.
Corn
So the Great Seal Bug's descendants are sitting in rooms right now, and the people in those rooms have no idea.
Herman
Almost certainly, yes. The technology is well understood, miniaturization has made the devices much smaller than Theremin's original, and the operational advantages haven't changed. If anything they've improved because the signal processing on the interrogation side has gotten much better at extracting clean audio from the reflected signal.
Corn
I want to pause here and note that we've now covered laser microphones, acoustic side-channel attacks, software implants, and retro-reflectors, and every single one of them is real, documented, and in use. The cat cost twenty million dollars and got hit by a taxi. Or didn't. Depending on who you ask.
Herman
The engineering problem has been solved multiple times over, in multiple different ways, with completely different physical mechanisms. That's the thing. It's not one capability that improved. It's a whole portfolio of capabilities that each matured independently.
Corn
Through-wall sensing. This is the one that feels most like science fiction to me, and I want to know how much of it is.
Herman
Less than you'd hope. MIT has been doing remarkable work in this space for over a decade. RF-Pose uses WiFi signals to track human body positions through walls. The signals bounce off the body and return to a receiver, and a neural network trained on paired data can reconstruct pose and movement. More recent work has extended this to heartbeat detection and breathing rate at range, through walls, without any device on the person.
Corn
Meaning you can tell that someone is in a room, roughly where they are, and whether they're alive, without entering the room and without them carrying any device.
Herman
At ranges that are operationally meaningful. The WiFi CSI, channel state information, approach uses commercial WiFi hardware, which is remarkable. You're not talking about specialized radar equipment. You're talking about repurposed commodity hardware that can detect motion and in some cases breathing through a wall. The mmWave radar approach, which uses millimeter-wave frequencies in the sixty gigahertz range, has even better resolution and can in principle recover audio-frequency vibrations from surfaces through walls, though that's closer to the research frontier than confirmed operational deployment.
Corn
The WiFi one is the one that keeps me up at night, conceptually. Because the hardware already exists everywhere.
Herman
The attack surface is every building that has WiFi, which is effectively every building. The research has been published openly, which means the capability is not secret. Whether it's been operationalized by intelligence agencies, I'd be surprised if it hasn't been in some form, but I can't point to confirmed cases the way I can with Pegasus.
Corn
Let's talk about the things on the skeptical list. Because I think it's important to be honest about what doesn't hold up.
Herman
The gyroscope-as-microphone is real and demonstrated. The MEMS gyroscopes in smartphones have a resonant frequency in the audible range and can pick up sound vibrations. The problem is that most operating systems have restricted gyroscope access in ways that limit the sampling rate available to apps, specifically because this attack was published. So it's a real capability that has been partially mitigated by software policy. It's not fiction, but it's not a current practical threat for most people.
Corn
Satellite-based audio collection.
Herman
Almost certainly fiction. The physics of recovering audio from a satellite at orbital altitude from ground-level vibrations is extraordinarily challenging. You'd need telescope-class optics and extraordinary atmospheric stability to do laser interferometry from orbit. I've seen this claim in various places and I'm deeply skeptical. It conflates satellite imagery, which is real and impressive, with audio collection, which has completely different physical requirements. If anyone has evidence of this being operational I'd love to see it, but I don't think it exists.
Corn
Havana Syndrome.
Herman
This is the genuinely contested one. The syndrome is real in the sense that the affected individuals experienced real symptoms. The debate is about mechanism. The directed energy hypothesis, that a pulsed microwave or ultrasound weapon was used to cause neurological injury, is technically plausible. The Frey effect, where pulsed microwave radiation causes a perceived sound in the skull, has been known since the nineteen sixties. There are published analyses suggesting some Havana Syndrome cases are consistent with directed pulsed radio frequency energy. But there's also significant scientific disagreement, and alternative explanations including mass psychogenic illness and pre-existing conditions haven't been ruled out. The intelligence community assessment has been inconclusive. I think the honest position is: the directed energy capability probably exists in some form, whether it was deployed against American personnel in Havana and elsewhere is genuinely uncertain.
Corn
Which is a deeply unsatisfying answer.
Herman
It is. But I'd rather give you the honest uncertainty than a confident wrong answer.
Corn
Okay. I want to zoom out and talk about what the throughline here actually is. Because I think there's a version of this conversation that's just a list of scary technologies, and I don't think that's the most useful frame.
Herman
The throughline for me is what I'd call the democratization of the capability, and I mean that in a genuinely alarming way. Operation Acoustic Kitty required the CIA, substantial funding, a surgical team, and a cat. Today, Pegasus is a commercial product. WiFi sensing research is published in open-access papers. Laser microphone designs are available online. The barrier to entry for the basic capability has dropped dramatically.
Corn
And the number of actors who can deploy it has expanded correspondingly.
Herman
Not to nation-state parity across the board, but the gap has narrowed. A well-resourced criminal organization, a mid-tier intelligence service, a corporate espionage operation with serious backing, they can access capabilities that twenty years ago were genuinely only available to the major signals intelligence agencies.
Corn
There's also something interesting about the shift in what you're targeting. The cat was targeting a conversation in a park. The conversation was the thing. Now the most efficient attack is not to listen to the conversation but to compromise the device that the person is using to have encrypted conversations.
Herman
Which is why end-to-end encryption, which is genuinely good cryptography, hasn't solved the problem. The cryptography is fine. The endpoints are the vulnerability. If you own the phone, you don't need to break the encryption. You're reading the plaintext before it's encrypted and after it's decrypted.
Corn
Pegasus is the clearest example of this. Signal is cryptographically sound. If your phone is running Pegasus, Signal doesn't protect you.
Herman
The adversary is not trying to break Signal. They're reading over your shoulder at the software level. And this is a fundamental shift in where the attack surface is. It moved from the communication channel to the communication device, and then from the communication device to the operating system, and then from the operating system to the zero-day exploit market that feeds the implant vendors.
Corn
Talk about the zero-day market for a second, because I think most people don't understand that there's a literal commercial market for undisclosed software vulnerabilities.
Herman
It's a substantial market. A zero-day exploit for a remote code execution vulnerability in a major mobile operating system, something that lets you run arbitrary code on the target device without user interaction, is worth millions of dollars. There are brokers. There are buyers. Governments are significant purchasers. The going rate for an iOS zero-click remote code execution exploit has been reported in the range of two to two and a half million dollars. That's the price for a single vulnerability. And once it's used, it may get patched, so there's ongoing demand.
Corn
So there are people whose full-time job is finding vulnerabilities in iPhone software, not to report them to Apple, but to sell them to governments.
Herman
That's the market. And it creates a perverse incentive structure where the most valuable thing you can do with a vulnerability is not fix it. Which is in direct tension with the security of every person who uses that device.
Corn
What does any of this mean practically? For people who aren't foreign ministers or dissidents, what's the actual threat model?
Herman
For most people, the honest answer is that nation-state-level surveillance is not their threat. If you're not a journalist covering a sensitive government, an opposition politician in an authoritarian state, a human rights lawyer, a corporate executive with genuinely valuable trade secrets, or someone with a personal connection to a high-value target, the probability that Pegasus is on your phone is very low. The resource cost is still not trivial, and these tools get used against specific targets.
Corn
But the lower end of the capability spectrum is more broadly relevant.
Herman
The acoustic side-channel stuff, particularly keystroke recovery, is relevant to anyone working in a shared or semi-public space on sensitive material. The laser microphone threat is relevant to anyone having sensitive conversations in a room with windows and line of sight from a public space. The retro-reflector threat is relevant to anyone who needs to certify a room as genuinely secure. And the software implant threat is relevant to anyone in a high-risk category, which is a larger group than people think.
Corn
What actually works as a countermeasure? Not the exotic stuff, the practical stuff.
Herman
For the laser microphone: white noise generators against the glass, window film, and if you're serious, acoustic dampening treatment of the room. For software implants: regular OS updates are genuinely important because they patch the vulnerabilities that exploit chains rely on. Avoiding unknown links and attachments reduces the click-based attack surface, though zero-click exploits bypass this entirely. For high-risk individuals, device compartmentalization, meaning separate devices for sensitive communications, reduces the value of any single compromise. There are also hardened devices and operating systems specifically designed for this threat model.
Corn
GrapheneOS.
Herman
GrapheneOS is the most serious consumer-available hardened Android implementation. It has meaningful security improvements over stock Android, including much tighter sandboxing and reduced attack surface. It doesn't make you immune to a well-resourced nation-state adversary, but it raises the cost of compromise substantially.
Corn
For the retro-reflector threat specifically?
Herman
You need a professional TSCM sweep that includes active RF interrogation. The standard bug sweep with a handheld RF detector will not find a passive retro-reflector. This is not a DIY problem. If you genuinely need to certify a space as secure against this class of threat, you need people with the right equipment and training. And you need to re-sweep periodically because the threat doesn't expire.
Corn
There's a phrase that keeps coming back to me as we've been talking through this. The cat was absurd because the engineering was hard. The engineering got easier. The capability didn't get less invasive, it got more.
Herman
More invasive, more accessible, more deniable, and more difficult to detect. The cat, for all its indignity, at least had to be in the same park as the target. A software implant works from anywhere. A retro-reflector works through a wall. A laser microphone works from across a city block. The physical distance between the surveillance apparatus and the target has increased while the intimacy of the access has increased simultaneously. You can be further away and see more.
Corn
That's genuinely disquieting. The geometry of it.
Herman
And the geometry is still changing. The through-wall sensing research is advancing. The zero-day market is well-funded. The commercial spyware industry, despite regulatory pressure, has not been shut down. The trajectory is more capability, lower cost, more actors.
Corn
Is there anything on the defensive side that matches that trajectory?
Herman
Honestly, the most significant development on the defensive side is probably the maturation of end-to-end encryption as a default in consumer communications, which happened over the last decade. The fact that Signal exists and is widely used, that iMessage uses end-to-end encryption by default, that WhatsApp adopted it, that's a meaningful shift. It forced the adversary to move to endpoint compromise rather than channel interception. Which is a harder attack, even if it's still achievable.
Corn
So encryption won the channel fight and lost the endpoint fight.
Herman
That's a reasonable summary. The channel is now generally well-protected for most people using mainstream apps. The endpoint is the current battleground, and it's a harder problem because the attack surface is everything the operating system does, which is everything.
Corn
I want to come back to something you said earlier about the commercial market. Because I think there's a governance question here that doesn't get enough attention. NSO Group is an Israeli company. The US has put it on an entity list. The EU has investigated it. And yet the market continues.
Herman
The governance challenge is that this is a dual-use technology problem with no clean solution. The underlying capability, the ability to remotely access a device for investigative purposes, has legitimate law enforcement applications. Every serious intelligence service and law enforcement agency has legitimate needs in this space. The problem is the absence of meaningful oversight over who the commercial vendors sell to and what those buyers do with the capability. NSO Group's stated policy is that they don't sell to authoritarian governments. The documented cases suggest the controls are either insufficient or not enforced.
Corn
And the vendors that come after NSO Group, the ones that emerge in jurisdictions with less scrutiny, are going to have even weaker controls.
Herman
That's the dynamic. Regulatory pressure on the known vendors creates market pressure toward less regulated alternatives. It's not an argument against regulation, it's an argument that regulation alone is insufficient. You also need the vulnerability disclosure side, pushing operating system vendors to patch faster and reduce the zero-day inventory that these exploit chains depend on.
Corn
The cat, at the end of the day, was a failure because the engineers couldn't make the cat work. Today's equivalent fails when the operating system patches the vulnerability. Which is a much faster feedback loop, potentially.
Herman
Potentially. The patch cycle for a disclosed zero-day in a major OS is measured in days to weeks now. The problem is that the exploit vendors find new ones. It's a continuous race. And the zero-day market ensures there's always financial incentive to keep finding them.
Corn
Alright. Practical takeaways. If someone is listening to this and they want to actually update their behavior based on what we've discussed.
Herman
First, if you're in a high-risk category, and that's journalists, activists, lawyers working on sensitive cases, corporate executives with genuinely valuable information, you should treat your phone as a potentially compromised device. That means thinking about what you say near it, what you use it for, and whether you need a separate clean device for your most sensitive communications. Second, OS updates are not optional. The zero-day market depends on unpatched vulnerabilities. Every time you delay an update, you're extending the window during which known exploits work against you. Third, if you need to have a genuinely sensitive conversation, the window situation is real. A room with windows facing a public area is not a secure room without acoustic countermeasures. Fourth, professional TSCM sweeps for high-risk environments are worth doing, and they need to be done by people who actually know what they're looking for.
Corn
And for most people?
Herman
For most people, the honest answer is that the nation-state threat is not aimed at you. But the lower-end version of some of these capabilities is more accessible than it used to be, and basic hygiene, updated software, some thought about your physical environment for sensitive conversations, is worth the small effort it costs.
Corn
The cat cost twenty million dollars and didn't work. A Pegasus license costs a fraction of that and does work. The capability has not become less serious. It's become more serious, cheaper, and harder to detect. That's the through line.
Herman
And the lesson from the cat is not that intelligence agencies are incompetent. It's that they will try anything, and when the engineering improves, they will use it. The cat was what you did when the engineering was terrible. What you do when the engineering is good is considerably more concerning.
Corn
Okay. Let's wrap it there. Big thanks to Hilbert Flumingtop for keeping this whole operation running. And Modal, as ever, is the backbone of the pipeline that makes this show possible every single day. If you want to dig into the back catalogue, find us at myweirdprompts.com, and if you're on Telegram you know where to find us. This has been My Weird Prompts. I'm Corn.
Herman
And I'm Herman Poppleberry. We'll see you tomorrow.

This episode was generated with AI assistance. Hosts Herman and Corn are AI personalities.