Secure passwords?

Posted by nemo_outis on December 3, 2005, 9:03 pm

> Actually, if you think about it, low speed systems are much, much
> easier to detect/compromise, in a tempest sense.
>
> Signal emissions are usually the first 5-20 harmonics of the clock
> speed. A clock of 100 MHz probably needs a receiving AND PROCESSING
> bandwidth of 500-1000 MHz.
>
> A clock speed of 3 GHz can mean a processing bandwidth (analog or
> digital) exceeding 10 GHz.
> That's a fairly expensive set of kit, super-computing scale, not
> suitcase sized, portable gear, especially if you are looking for
> near-real-time recovery, not SETI-style post analysis.
> Often, these higher frequencies have much less energy/radiated power
> than lower speed clocks, for a variety of technical reasons.
> So the detection range (signal over noise) is probably much less,
> potentially minimising the 'volume' of risk.
>
> Just my 20cents worth.
>
> Lyal
>


Some interesting speculations (and with Tempest we are all speculating to
some degree). I see your point, but I believe you are concentrating on
the wrong aspect: required processing power rather than the underlying
question of the type, strength, and info-carrying capacity of the
emissions themselves.

Additionally, regarding your central premise, that emissions are less,
rather than more, likely at higher frequencies, I believe you are wrong.
The simplest evidence of this is that it is much harder to do even the
ordinary shielding necessary to get an FCC clearance sticker. At 3 GHz
the wavelength is only 10 cm - every component tends to "sing" as an
antenna (a perfect dipole antenna need only be 5 cm long). Moreover,
nonlinearities in component properties often become more pronounced at
high frequencies leading to strong emissions at all harmonics (but,
obviously, mostly for the low-order ones).

However, much of this is beside the point. While Tempest (emsec)
interceptions could concentrate on CPU processor (and related)
frequencies, most descriptions so far (including the original van Eck
paper) concentrate on peripherals, such as the CRT display. Frequencies
here are standardized and independent of the CPU-related frequencies.
And we know that CRT emissions are strong, strong enough to have caused
efforts (TUV, etc.) to reduce emissions for health, rather than emsec
reasons.

Regards,






Posted by Hairy One Kenobi on December 10, 2005, 4:50 am
>
> > Actually, if you think about it, low speed systems are much, much
> > easier to detect/compromise, in a tempest sense.
> >
> > Signal emissions are usually the first 5-20 harmonics of the clock
> > speed. A clock of 100 MHz probably needs a receiving AND PROCESSING
> > bandwidth of 500-1000 MHz.
> >
> > A clock speed of 3 GHz can mean a processing bandwidth (analog or
> > digital) exceeding 10 GHz.
> > That's a fairly expensive set of kit, super-computing scale, not
> > suitcase sized, portable gear, especially if you are looking for
> > near-real-time recovery, not SETI-style post analysis.
> > Often, these higher frequencies have much less energy/radiated power
> > than lower speed clocks, for a variety of technical reasons.
> > So the detection range (signal over noise) is probably much less,
> > potentially minimising the 'volume' of risk.

<snip>

The real reason is even more simple - faster boxes tend to radiate more and,
since most of that is the computer equivalent of "tum-te-tum, hurry up and
type something", the interference will help to conceal unshielded keyboard
and screen signals (which is all one is interested in).

> Some interesting speculations (and with Tempest we are all speculating to
> some degree).

Not necessarily (although I certainly don't claim to be an expert!). Even
the most unobservant person will be able to compare and contrast a bit of
Tempested kit that they are using day-in, day-out with the equivalent
standard kit. Last I looked, the UK classification for Tempest was the same
level as the canteen menu at the local Job Centre.

<snip>

> However, much of this is beside the point. While Tempest (emsec)
> interceptions could concentrate on CPU processor (and related)
> frequencies, most descriptions so far (including the original van Eck
> paper) concentrate on peripherals, such as the CRT display. Frequencies
> here are standardized and independent of the CPU-related frequencies.
> And we know that CRT emissions are strong, strong enough to have caused
> efforts (TUV, etc.) to reduce emissions for health, rather than emsec
> reasons.

CRT and keyboard both - the whole point is that you're trying to sniff data
traffic, and any network information is going to be via fibre, which is
itself protected to a greater or lesser degree.

--

Hairy One Kenobi

Disclaimer: the opinions expressed in this opinion do not necessarily
reflect the opinions of the highly-opinionated person expressing the opinion
in the first place. So there!



Posted by nemo_outis on December 10, 2005, 11:49 am

>
> The real reason is even more simple - faster boxes tend to radiate
> more and, since most of that is the computer equivalent of
> "tum-te-tum, hurry up and type something", the interference will help
> to conceal unshielded keyboard and screen signals (which is all one is
> interested in).


The putative effects of interference are frequently overestimated. It is
electronic child's play to filter interference and even, given the
enormous redundancy in many signals, to extract information many decibels
*below* the noise floor.



>> Some interesting speculations (and with Tempest we are all
>> speculating to some degree).
>
> Not necessarily (although I certainly don't claim to be an expert!).
> Even the most unobservant person will be able to compare and contrast
> a bit of Tempested kit that they are using day-in, day-out with the
> equivalent standard kit. Last I looked, the UK classification for
> Tempest was the same level as the canteen menu at the local Job
> Centre.


I disagree. Few have access to Tempest kit to make observations, other
than illustrations in manufacturers' brochures (which disclose little
other than the obvious). A few may work with such devices but almost
always in an environment where physical security confines their
interactions solely to use, not investigation. Virtually no one except
those related to the manufacturer or maintenance crews has a chance to
get "under the hood." Not for nothing are even the standards themselves
classified.




> <snip>
>
>> However, much of this is beside the point. While Tempest (emsec)
>> interceptions could concentrate on CPU processor (and related)
>> frequencies, most descriptions so far (including the original van
>> Eck paper) concentrate on peripherals, such as the CRT display.
>> Frequencies here are standardized and independent of the CPU-related
>> frequencies. And we know that CRT emissions are strong, strong
>> enough to have caused efforts (TUV, etc.) to reduce emissions for
>> health, rather than emsec reasons.
>
> CRT and keyboard both - the whole point is that you're trying to sniff
> data traffic, and any network information is going to be via fibre,
> which is itself protected to a greater or lesser degree.


Tapping fibre channels is very difficult but definitely possible (there
are even murky reports of TLAs regularly doing this for deeply submerged
transoceanic cables). However, in most business environments and
virtually all home environments the "last few feet" to the computer
itself are almost always copper cable, not fibre. There is no need for
high-tech fibre-tapping techniques; the copper cables sing like canaries!

And, yes, peripherals like keyboards and screens are very vulnerable.
And, reputedly, so are induced signals on things like power and telephone
lines. There are many potential avenues for Tempest (emsec) attacks.

However, the main protection against Tempest (especially for ordinary
users up to medium-security situations) is not that Tempest is not
feasible, but that it is not necessary. In almost every case there are
easier, cheaper, and less tedious ways of compromising security - the old
standby, the hardware keylogger, is one example.

Regards,












Posted by Hairy One Kenobi on December 12, 2005, 5:53 am
>
> > The real reason is even more simple - faster boxes tend to radiate
> > more and, since most of that is the computer equivalent of
> > "tum-te-tum, hurry up and type something", the interference will help
> > to conceal unshielded keyboard and screen signals (which is all one is
> > interested in).
>
> The putative effects of interference are frequently overestimated. It is
> electronic child's play to filter interference and even, given the
> enormous redundancy in many signals, to extract information many decibels
> *below* the noise floor.

"Child's play"? Gotta have a cite for that one.. admittedly, I'm assuming
that the box is somewhere close to the CRT and keyboard..

> >> Some interesting speculations (and with Tempest we are all
> >> speculating to some degree).
> >
> > Not necessarily (although I certainly don't claim to be an expert!).
> > Even the most unobservant person will be able to compare and contrast
> > a bit of Tempested kit that they are using day-in, day-out with the
> > equivalent standard kit. Last I looked, the UK classification for
> > Tempest was the same level as the canteen menu at the local Job
> > Centre.
>
> I disagree. Few have access to Tempest kit to make observations, other
> than illustrations in manufacturers' brochures (which disclose little
> other than the obvious). A few may work with such devices but almost
> always in an environment where physical security confines their
> interactions solely to use, not investigation. Virtually no one except
> those related to the manufacturer or maintenance crews has a chance to
> get "under the hood." Not for nothing are even the standards themselves
> classified.

Few != None

Some of us may well have used such equipment for years (hint, hint)

See above for the trivial classification level, at least here in the UK.

Saying that, it's perfectly possible that there /are/ higher-classification
documents floating around - after all, a UK Defence Screen sequence
(classified as Confidential) was shown on the BBC's Horizon programme in
full. Similarly, some sonar kit fitted to Trafalgar class subs was
classified as Secret - in regards to where on the boat it was placed, and
its specification - but was clearly listed in both Jane's and other
publications.

Wouldn't surprise me overmuch if the exact performance characteristics were
still classified - basically for what they tell you about the sensors being
employed. Simply estimating the weight of Tempested kit should tell you how
much steel has been involved in the shielding, let alone simply buying
something and taking it apart!

H1K



Posted by nemo_outis on December 12, 2005, 2:44 pm

>>
>> > The real reason is even more simple - faster boxes tend to radiate
>> > more and, since most of that is the computer equivalent of
>> > "tum-te-tum, hurry up and type something", the interference will
>> > help to conceal unshielded keyboard and screen signals (which is
>> > all one is interested in).
>>
>> The putative effects of interference are frequently overestimated. It
>> is electronic child's play to filter interference and even, given the
>> enormous redundancy in many signals, to extract information many
>> decibels *below* the noise floor.
>
> "Child's play"? Gotta have a cite for that one.. admittedly, I'm
> assuming that the box is somewhere close to the CRT and keyboard.



Here's one example of a "canned solution" extracting signals from noise
using FFT integration. This particular device concentrates on audio but
the processes are quite general and apply to virtually all signal
processing. Hell, these things are now pretty standard - they last were
cutting edge when I read about them in Aviation Week in the 60s!

http://www.baudline.com/manual/process.html



>> >> Some interesting speculations (and with Tempest we are all
>> >> speculating to some degree).
>> >
>> > Not necessarily (although I certainly don't claim to be an
>> > expert!). Even the most unobservant person will be able to compare
>> > and contrast a bit of Tempested kit that they are using day-in,
>> > day-out with the equivalent standard kit. Last I looked, the UK
>> > classification for Tempest was the same level as the canteen menu
>> > at the local Job Centre.
>>
>> I disagree. Few have access to Tempest kit to make observations,
>> other than illustrations in manufacturers' brochures (which disclose
>> little other than the obvious). A few may work with such devices but
>> almost always in an environment where physical security confines
>> their interactions solely to use, not investigation. Virtually no one
>> except those related to the manufacturer or maintenance crews has a
>> chance to get "under the hood." Not for nothing are even the
>> standards themselves classified.
>
> Few != None
>
> Some of us may well have used such equipment for years (hint, hint)
>
> See above for the trivial classification level, at least here in the
> UK.


Those who know do not speak; those who speak do not know :-)

You may, as you hint, have some level of access to these things. But
whether that translates into understanding either the defensive and
offensive capabilities of emsec as applied to computers is not clear -
and likely to remain that way, I guess. Use != understand. But even if
you do understand, your understanding is of (nearly) zero value to anyone
else if you are constrained from communicating it.



> Saying that, it's perfectly possible that there /are/
> higher-classification documents floating around - after all, a UK
> Defence Screen sequence (classified as Confidential) was shown on the
> BBC's Horizon programme in full. Similarly, some sonar kit fitted to
> Trafalgar class subs was classified as Secret - in regards to where on
> the boat it was placed, and its specification - but was clearly listed
> in both Jane's and other publications.
>
> Wouldn't surprise me overmuch if the exact performance characteristics
> were still classified - basically for what they tell you about the
> sensors being employed. Simply estimating the weight of Tempested kit
> should tell you how much steel has been involved in the shielding, let
> alone simply buying something and taking it apart!


Oh, the performance of most such machines is fairly clearly defined: they
conform to some level of NATO standard AMSG 788 (& 719, 720, 784, etc. as
well as corresponding national standards, including the simple BSI zone
model). However, the contents of those standards are classified!

But even if the standards were right in front of me, I don't want just a
cookbook recipe (standards are generally heavy on "shalls" but silent on
the underlying rationale). No, I want an understanding of what could be
deployed against me, with what capabilities, at what cost, by which
agencies. And none of that is available.

Any fool (well, any technologically competent fool) can shield from emsec
if he just throws money at the problem. RFI/EMI shielding is not exotic
by any means; it's well-travelled technological ground. No, the trick is
knowing whether, say, 50 dB suppression is sufficient (for a particular
class of threat) or whether 100 dB is necessary. Big difference in cost
(including the secondary problems that arise re ventilation & cooling,
etc. and issues regarding usability). Moreover, even technologically
competent fools don't just build and pray - they test and do QA on their
designs. That means very expensive test equipment, equipment that is
prohibitively expensive for onesy-twosy do-it-yourself projects.

Regards,

PS And so far we have largely confined our discussions to passive
emsec. There is a whole other dimension of active emsec where equipment
to be scanned is "bathed" in EM signals which the computer (or whatever
is under investigation) modulates.
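
An added illustration, not part of the original thread: the post above argues that redundancy lets a repetitive signal be pulled out from below the noise floor, so a machine's own background emissions are not dependable masking. The sketch below uses time-domain synchronous averaging (a simpler relative of the FFT integration the post mentions) on a constructed repeating pattern; the period, amplitude, noise level and repeat count are assumptions chosen for the demonstration.

```python
import math
import random

# All values below are constructed for illustration.
PERIOD = 64        # samples in one repetition of the pattern
AMPLITUDE = 0.2    # signal amplitude; noise sigma is 1.0, i.e. about -14 dB SNR
REPEATS = 2000     # number of repetitions averaged together

def make_pattern(rng):
    """Random +/-1 pattern standing in for any periodically repeated signal."""
    return [rng.choice((-1, 1)) for _ in range(PERIOD)]

def noisy_period(pattern, rng):
    """One repetition of the pattern buried in unit-variance Gaussian noise."""
    return [AMPLITUDE * b + rng.gauss(0.0, 1.0) for b in pattern]

def synchronous_average(pattern, repeats, rng):
    """Average many aligned repetitions: signal adds coherently, noise does not."""
    acc = [0.0] * PERIOD
    for _ in range(repeats):
        for i, s in enumerate(noisy_period(pattern, rng)):
            acc[i] += s
    return [a / repeats for a in acc]

def bit_errors(samples, pattern):
    """Count samples whose sign disagrees with the true pattern."""
    return sum(1 for s, b in zip(samples, pattern) if (s > 0) != (b > 0))

def snr_db(samples, pattern):
    """SNR estimated from the residual left after removing the known signal."""
    resid = [s - AMPLITUDE * b for s, b in zip(samples, pattern)]
    noise_power = sum(r * r for r in resid) / len(resid)
    return 10 * math.log10(AMPLITUDE ** 2 / noise_power)

def run_demo(seed=1):
    rng = random.Random(seed)
    pattern = make_pattern(rng)
    single = noisy_period(pattern, rng)
    averaged = synchronous_average(pattern, REPEATS, rng)
    return {
        "input_snr_db": 20 * math.log10(AMPLITUDE / 1.0),
        "output_snr_db": snr_db(averaged, pattern),
        "expected_gain_db": 10 * math.log10(REPEATS),  # processing gain for N averages
        "errors_single": bit_errors(single, pattern),
        "errors_averaged": bit_errors(averaged, pattern),
    }

if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The processing gain grows as 10·log10(N), so the margin a shield or masking source has to provide depends on how long an observer can integrate, which is the same sizing question the post raises about 50 dB versus 100 dB of suppression.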

