Re: WAS: Thermal Imaging Decision Applicable to TEMPEST?

2001-06-17 Thread Bill Stewart


>David Koontz wrote:
> >Is the average person susceptible to TEMPEST attacks?

At 01:22 PM 06/13/2001 -0700, John Young wrote:
>Probably most people are not subject to TEMPEST attacks
>in the same way they are not in need of crypto.

The average person's equipment could be eavesdropped relatively
easily if somebody wanted to.  I remember once seeing the
screen from my laptop displayed on a near television set -
the sync was all wrong, but the characters were relatively readable,
and somebody who wanted to mount a real TEMPEST attack
could easily do so.  Reading data off the CPU is becoming
harder as CPU speeds go up, but if you can grab the
keyboard and display signals, that's usually good enough.

This kind of interference is not supposed to happen, of course,
but if you read the FCC information included with most computers,
it'll generally say that they're intended for office use, not home,
and a bit about who to complain to if somebody's PC bothers your TV.
As home computers become more common, and more powerful,
there may be tighter restrictions on emissions,
though perhaps the upcoming digital TV technology is
less affected by it.

The main difference between crypto attacks and TEMPEST attacks
is that crypto attacks can affect your communications from a distance,
while TEMPEST attacks require the attacker to be nearby,
or at least to put an eavesdropping device nearby.
That doesn't mean they can't be in a van out on the street
(depending on your equipment and theirs),
but it's an attack that needs individual targeting of
suspicious people or places with relatively expensive equipment
rather than a Carnivore-like attack that can stay in one place
and hoover up data wholesale from lots of people;
the difference in cost of the attack also means that
TEMPEST scanning probably will be mainly used with warrants
against people strongly suspected of actual law-breaking,
as opposed to internet eavesdropping on the general public
and on people who are politically unpopular but not necessarily criminal.







-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]



Re: WAS: Thermal Imaging Decision Applicable to TEMPEST?

2001-06-13 Thread John Young

David Koontz wrote:

>Is the average person susceptible to TEMPEST attacks?

[And more on TEMPEST technics.]

Probably most people are not subject to TEMPEST attacks
in the same way they are not in need of crypto.

And as crypto protection gets built in to consumer products
as understanding for the need increases, it is probable that
similar protection against TEMPEST will be built into common
devices -- as David noted, this will likely come through regulations
of EMI, with lucrative add-ons for "mil-grade" protection.

In the meantime, again as with crypto, those at highest risk
are most definitely seeking TEMPEST protection as they
learn of the capability of intelligence agencies and their
commercial emulators to pry into a wide range of confidential
affairs. So say TEMPEST protection marketers.

Well-to-do persons are buying TEMPEST protection products
after being advised by financial and security consultants to
do so, and they want "mil-grade" stuff to protect against the
justice and tax investigators chasing them from country
to country often helped by intel, even mil-intel, snoops. Drug
kingpins are not the only buyers.

Sellers of TEMPEST products and services claim there is
a huge market, domestic and foreign, for their offerings, which
is hampered by export regs, again like crypto. Export approvals
go through processes similar to those of crypto a few years
back -- submit your product/service, and wait for an answer,
but do not receive precise requirements beforehand. NSA does
the crucial review.

Some suspect that analysis of weaknesses of the products
is being done for future application. TEMPEST customers ask 
about this possibility and what could be done about it. And if
not satisfied they go looking to other countries for products.

Global persons are especially fearful of TEMPEST by their
own countries as well as the US -- whom they suspect of
cooperating with law and tax agencies worldwide through
burgeoning law enforcement and intelligence-sharing treaties 
along with export control regimes.

I also notice that more gov/mil advertisements for security
services and products now list TEMPEST requirements
right alongside encryption. Once the TEMPEST requirements
were confidential as were those for encryption.

The TEMPEST industry is booming, relatively speaking, and
looks hungrily at the crypto liberation model. The dribs and drabs
we get out of NSA are lapped as if myrrh, not for what they
reveal but for what they portend could be coming.

Snake-oilers are rushing to reshape promo materials to fit
what is being FOIA-ed.

Now, what's coming next in secret comsec technology 
as the defense industry goes after mass markets, scaring
customers, selling them salvation?






WAS: Thermal Imaging Decision Applicable to TEMPEST?

2001-06-13 Thread David G. Koontz

Is the average person susceptible to TEMPEST attacks?

"Arnold G. Reinhold" wrote:
> 
> TEMPEST is not shut down by any means. This decision applies to homes
> and places where there is a reasonable expectation of privacy (like
> a phone booth). The status of computers in offices, cars, and public
> places is less clear. Your data stored on someone else's computer
> outside your home is apparently not protected (they got Kyllo's
> electric bills legally without a warrant). In any event, the NSA can
> still use TEMPEST against foreign nationals and overseas, the FBI can
> use it against US nationals with a warrant, and the government can,
> de facto, use it secretly, as many people believe they now use
> wiretapping, to develop information that leads to other evidence that
> is admissible.
> 

TEMPEST is the control of compromising emanations - the prevention of
secrets leaking out.  Contrast this with FCC or EN regulations for
EMI and the difference is separating secret from not secret information -
RED BLACK separation.  Not having looked at any of the NACS*M documents
on John Young's site, and not having seen them for almost 30 years
otherwise, one emphasis you see is on frequency content of emissions.
The FCC specs start at a frequency where you could interfere with
CB radios.  Changes in the last decade or so, driven by the Europeans
to eliminate such things as power factor flicker on lights caused by
the motor in your laser printer have greatly added to how well protected
the equipment is that we buy today.

The major concerns are low frequency stuff, meeting EMI integrity in
installation (actually using properly shielded cables and the like),
and maintaining RED BLACK separation.  One could hypothesize that so
much of TEMPEST has been declassified because it is essentially covered
by FCC and EN regulations.  If you look at modern military grade crypto gear
designed for office use, it appears to be similar in design to COTS
electronics.
Looking through some of the more recent Air Force manuals on John Young's
site you see an emphasis on controlling accidental emissions - decoupled
phones when on hook, no transmitters or devices that could generate RF
in secure facilities and the like.  There is a specification on his site
that originates from the CIA (which controls security compartmentalized
information), that essentially relaxes physical EMI protections.  You can
build a SCIF without copper mesh in the walls today.  An important element
is physical separation (distance) between any attacker and equipment
that can radiate (at mandated reduced levels).

That's not to say that the average computer user can't run up against
(knowingly or unknowingly) a problem they can't cure.  How would the average
guy deal with coupling between an ethernet cable and a phone line?  Guess
what, if you adhere to what you read in the manuals you can be more likely
to be immune from monitoring than not -  the difference is that unless
you do it, no one is going to do an RF sweep of your home or office.

(I recall getting a trouble call while in the Air Force from a civilian
contractor at a classified location.  Seems their Gold phone (a secure
phone system with link encryption to a small central switch) was receiving
radio station AM 610 whenever the handset was off hook.  Something very
embarrassing to say the least for a phone intended for SCI.  Turns out there
was a ground loop on an audio cable to the phone set, and a cold solder
joint acting as a rectifier - an accidental crystal radio.  We cured this
by rote examination of the installation against guidelines (at least to
find the ground loop).  Several years later I happened across the same
phenomenon in a video game while working for a video arcade game company
 - same radio station, too.)

Today I design digital equipment that operates in the gigahertz and up
range - as will most computers in the next year or two.  There is an
additional barrier to monitoring digital microwave rate signals.  The
equipment is terribly expensive, and out of budgetary range of all but
private corporations and national governments.


-- 
remove "no_spam_" from Reply-to address


