Re: WAS: Thermal Imaging Decision Applicable to TEMPEST?
>David Koontz wrote: > >Is the average person susceptible to TEMPEST attacks? At 01:22 PM 06/13/2001 -0700, John Young wrote: >Probably most people are not subject to TEMPEST attacks >in the same way they are not in need in crypto. The average person's equipment could be eavesdropped relatively easily if somebody wanted to. I remember once seeing the screen from my laptop displayed on a near television set - the sync was all wrong, but the characters were relatively readable, and somebody who wanted to mount a real TEMPEST attack could easily do so. Reading data off the CPU is becoming harder as CPU speeds go up, but if you can grab the keyboard and display signals, that's usually good enough. This kind of interference is not supposed to happen, of course, but if you read the FCC information included with most computers, it'll generally say that they're intended for office use, not home, and a bit about who to complain to if somebody's PC bothers your TV. As home computers become more common, and more powerful, there may be tighter restrictions on emissions, though perhaps the upcoming digital TV technology is less affected by it. The main difference between crypto attacks and TEMPEST attacks is that crypto attacks can affect your communications from a distance, while TEMPEST attacks require the attacker to be nearby, or at least to put an eavesdropping device nearby. That doesn't mean they can't be in a van out on the street (depending on your equipment and theirs), but it's an attack that needs individual targeting of suspicious people or places with relatively expensive equipment rather than a Carnivore-like attack that can stay in one place and hoover up data wholesale from lots of people; the difference in cost of the attack also means that TEMPEST scanning probably will be mainly used with warrants against people strongly suspected of actual law-breaking, as opposed to internet eavesdropping on the general public and on people who are politically unpopular but not necessarily criminal. - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: WAS: Thermal Imaging Decision Applicable to TEMPEST?
David Koontz wrote: >Is the average person susceptible to TEMPEST attacks? [And more on TEMPEST technics.] Probably most people are not subject to TEMPEST attacks in the same way they are not in need in crypto. And as crypto protection gets built in to consumer products as understanding for the need increases, it is probable that similar protection against TEMPEST will be built into common devices -- as David noted, this will likely come through regulations of EMI, with lucrative add-ons for "mil-grade" protection. In the meantime, again as with crypto, those at highest risk are most definitely seeking TEMPEST protection as they learn of the capability of intelligence agencies and their commercial emulators to pry into a wide range of confidential affairs. So says TEMPEST protection marketers. Well-to-do persons are buying TEMPEST protection products after being advised by financial and security consultants to do so, and they want "mil-grade" stuff to protect against the justice and tax investigators chasing them from country to country often helped by intel, even mil-intel, snoops. Drug kingpins are not the only buyers. Sellers of TEMPEST products and services claim there is a huge market, domestic and foreign, for their offerings, which is hampered by export regs, again like crypto. Export approvals go through processes similar to those of crypto a few years back -- submit your product/service, and wait for an answer, but not receive precise requirements beforehand. NSA does the crucial review. Some suspect that analysis of weaknesses of the products is being done for future application. TEMPEST customers ask about this possibility and what could be done about it. And if not satisfied they go looking to other countries for products. Global persons are especially fearful of TEMPEST by their own countries as well as the US -- whom they suspect of cooperating with law and tax agencies worldwide through burgeoning law enforcement and intelligence-sharing treaties along with export control regimes. I also notice that more gov/mil advertisements for security services and products now list TEMPEST requirements right alongside encryption. Once the TEMPEST requirements were confidential as were those for encryption. The TEMPEST industry is booming, relatively speaking, and look hungrily at the crypto liberation model. The dribs and drabs we get out of NSA are lapped as if myrhh, not for what they reveal but for what they portend could be coming. Snake-oilers are rushing to reshape promo materials to fit what is being FOIA-ed. Now, what's coming next in secret comsec technology as the defense industry goes after mass markets, scaring customers, selling them salvation? - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
WAS: Thermal Imaging Decision Applicable to TEMPEST?
Is the average person susceptible to TEMPEST attacks? "Arnold G. Reinhold" wrote: > > TEMPEST is not shut down by any means. This decision applies to homes > and places where there is an reasonable expectation of privacy (like > a phone booth). The status of computers in offices, cars, and public > places is less clear. Your data stored on someone else's computer > outside you home is apparently not protected (they got Kyllo's > electric bills legally without a warrant). In any event, the NSA can > still use TEMPEST against foreign nationals and overseas, the FBI can > use it against US nationals with a warrant, and the government can, > de facto, use it secretly, as many people believe they now use > wiretapping, to develop information that leads to other evidence that > is admissible. > TEMPEST is the control of compromising emanations - the prevention of secrets leaking out. Contrast this with FCC or EN regulations for EMI and difference is separating secret from not secret information - RED BLACK separation. Not having looked at any of the NACS*M documents on John Youngs site, and not having seen them for almost 30 years otherwise, one emphasis you see is on frequency content of emissions. The FCC specs start at a frequency where you could interfere with CB radios. Changes in the last decade or so, driven by the Europeans to eliminate such things as power factor flicker on lights caused by the motor in your laser printer have greatly added to how well protected the equipment is that we buy today. The major concerns are low frequency stuff, meeting EMI integrity in installation (actually using properly shielded cables and the like), and maintaining RED BLACK separation. One could hypothesis that so much of TEMPEST has been declassified because it is essentially covered by FCC and EN regulations. If you look at modern military grade crypto gear designed for office use, it appears to be similar in design to COTS electronics. Looking through some of the more recent Air Force manuals on John Youngs site you see an emphasis on controlling accidental emissions - decoupled phones when on hook, no transmitters or devices that could generate RF in secure facilities and the like. There is a specification on his site that originates from the CIA (which controls security compartmentalized information), that essentially relaxes physical EMI protections. You can build a SCIF without copper mesh in the walls today. An important element is physical separation (distance) between any attacker and equipment that can radiate (at mandated reduced levels). Thats not to say that the average computer user can't run up against (knowingly or unknowing) a problem they can't cure. How would the average guy deal with coupling between an ethernet cable and a phone line? Guess what, if you adhere to what you read in the manuals you can be more likely to be immune from monitoring than not - the difference is that unless you do it, no one is going to do an RF sweep of your home or office. (I recall a getting a trouble call while in the Air Force from a civilian contractor at a classified location. Seems their Gold phone (a secure phone system with link encryption to a small central switch) was receiving radio station AM 610 when ever the handset was offhook. Something very embarassing to say the least for a phone intended for SCI. Turns out there was a ground loop on an audio cable to the phone set, and a cold solder joint acting as a rectifier - an accidental crystal radio. We cured this by rote examination of the installation against guidelines (at least to find the ground loop). Several years later I happened accross the same phenonenom in a video game while working for a video arcade game company - same radio station, too.) Today I design digital equipment that operates in the gigahertz and up range - as will most computers in the next year or two. There is an additional barrier to monitoring digital microwave rate signals. The equipment is terribly expensive, and out of budgetary range of all but private corporations and national governments. -- remove "no_spam_" from Reply-to address - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]