>On Mon, 24 Apr 2000, concept wrote:

>> Does anyone have any recommendations for more technical 
>> TEMPEST-proofing documents?  I am unable to find 
>> anything of serious substance on the web.  Could 
>> someone recommend an offline source?  

Check out cryptome.org, John Young's site; I think there are some
TEMPEST-related documents there.

There are several popular approaches, most of which aren't really useful to
the amateur.

0) Make sure there aren't obvious TEMPEST listeners nearby,
suspicious vans with moby antennas, new chips added to your keyboards, etc.
Yes, unfortunately, that's the useful one :-)
Radio emissions do the usual square-cube-law power thing,
so the more distance between you and a listener, and the more
other keyboards and monitors, the better.  Just because you're paranoid
doesn't mean they're not out to get you, but if your web server is at a 
big hosting center, there are enough other sources of signal that
it's easier for them to crack into your system or blackbag your hardware.

1) Build a Faraday cage room; these days you need at least 100dB shielding,
which will probably cost you $50-100K for a good room.  That's really
much tougher to build than 50-60dB shielding you can get with wire mesh
or some of the nice conductive-fiber cloth, and you have to pay
really close attention to all your seams, air ducts, fiber ducts, etc.
Back when I ran a TEMPEST computer room, 100-120dB was enough,
and VAXes put out a lot more power than modern PCs,
but all of it was much lower frequencies and less penetrating than
current 500MHz computers.  If you've got a friend in the 
ElectroMagnetic Compatibility Testing biz, you may be able to 
borrow a room on occasion, if all you want is a quiet place to use your
laptop.

2) Use really quiet computers.  You can buy some on the government-contractor
market; if you're asking the question on a list like cypherpunks,
and haven't read the public source material yourself, you probably don't
have the EE skills to build your own, which involves much deep wizardry,
but you can probably figure out how to use shielded cables and such to
prevent leaks.
Simply using a laptop isn't quiet enough (I've received laptop screen images
on my television, though that presumably came from the external VGA port.)
A decade ago, these tended to cost about $5K more than the same PC, 
non-TEMPEST, though a large fraction of that cost was the amortized
cost of testing and certifying the things, rather than the actual cost
of building them.

3) Use a small Faraday cage that can hold your computer,
but isn't big enough to hold you.  I think the cost of the
shielded-rack-mounted AT&T 3B2 computers was about $10-20K more
than the non-TEMPEST version, and it did a good job on
filtering power supplies and penetrations for fiber.
(And again, lots of the cost is certification, not technology.)
The problem is how to get your data in and out securely. 
This is a fine mechanism for running a remailer or digibank,
where all the data comes in on the communication fibers,
but it's not as useful if you need a keyboard or monitor.
And again, shielding that was good enough for a 25MHz machine
isn't necessarily enough for a 500MHz machine.

4) Use non-electronic equipment.  Get the Cryptonomicon and learn Solitaire
(or one of the other RC4-on-playing-cards variants.)
Relearn to use an abacus and slide rule and pencils and manual typewriters.
Find out if you can still buy flash paper anywhere.
Learn to speak Navajo, or Tongan Polynesian dialects, or Tibetan,
or Cockney rhyming slang, or Teenage-slang-of-the-month.

                                Thanks! 
                                        Bill
Bill Stewart, [EMAIL PROTECTED]
PGP Fingerprint D454 E202 CBC8 40BF  3C85 B884 0ABE 4639
