🚀 go-pugleaf

In article <vera2CHL5HB.KBF@netcom.com>, David Adams <vera2@netcom.com> wrote:
>I bought a surplus plotter a while back that was enclosed a Tempest R.F.
>proof box.  The box even has a metallized (gold?) window so you can
>watch the plotter as it draws.  Still got the box somewhere if anyone
>is real paranoid.
>
>By the way, this implies that not only CRT's can be spied on, but also
>plotters, and probably printers, modems, and everything else that has
>digital bits flipping around inside.


	Back when I was a kiddie, I had a talk with a guy who apparently
	was trying to with the upcoming Navy bid for Tempest PCs (8088 ones!).
	Anyway, one of the other things he mentioned was that they were
	looking into special keyboards because, and he may have been pulling
	my leg, as the keys are used they wear differently, and thus their
	acoustics chance, and by using the sound of the spacebar (distinctive),
	they could map out the rest of the sounds from they keyboard, making
	a cheapie audio mike plenty to spy on a workstation used to input
	sensitive data.

	Thinking about it now, it sounds completely ridiculous.  But then,
	so does the idea of a Tempested plotter.  ("Hey, they're drawing . .
	. .. Hmm, Ah, sensitive plans for the .. Ah, I see! NCC1701!  Ha!
	Wait until my comrades see this!")

--
 The big mistake that men make is that when they turn thirteen or fourteen and
 all of a sudden they've reached puberty, they believe that they like women.
 Actually, you're just horny. It doesn't mean you like women any more at
 twenty-one than you did at ten.                --Jules Feiffer (cartoonist)

[Newsgroups line edited: This was going to bizarre places]

In <2dts8g$52c@cville-srv.wam.umd.edu> rsrodger@wam.umd.edu (R S Rodgers) writes:

>	Back when I was a kiddie, I had a talk with a guy who apparently
>	was trying to with the upcoming Navy bid for Tempest PCs (8088 ones!).
>	Anyway, one of the other things he mentioned was that they were
>	looking into special keyboards because, and he may have been pulling
>	my leg, as the keys are used they wear differently, and thus their
>	acoustics chance, and by using the sound of the spacebar (distinctive),
>	they could map out the rest of the sounds from they keyboard, making
>	a cheapie audio mike plenty to spy on a workstation used to input
>	sensitive data.

>	Thinking about it now, it sounds completely ridiculous.  But then,
>	so does the idea of a Tempested plotter.  ("Hey, they're drawing . .
>	. .. Hmm, Ah, sensitive plans for the .. Ah, I see! NCC1701!  Ha!
>	Wait until my comrades see this!")

No, it's not ridiculous, this is a genuine threat.  Different keys *do*
sound slightly different, and the best encryption system in the world won't
help you if an opponent can recover the password as you type it in.

Peter.

In article <vera2CHL5HB.KBF@netcom.com>, vera2@netcom.com (David Adams) writes:

|> I bought a surplus plotter a while back that was enclosed a Tempest R.F.
|> proof box.  The box even has a metallized (gold?) window so you can
|> watch the plotter as it draws.
|>
|> By the way, this implies that not only CRT's can be spied on, but also
|> plotters, and probably printers, modems, and everything else that has
|> digital bits flipping around inside.

I heard from a spook that they used to snoop on fax machines, so I took a
Panasonic fax round to the antennas people and tested it with a sepctrum
analyser in their Faraday cage. Beautiful clear signal at 150MHz. But what
would you expect with all those amps pulsing through the write head?

Ross

In article <1993Dec6.102735.16306@cs.aukuni.ac.nz>,
Peter Gutmann <pgut1@cs.aukuni.ac.nz> wrote:
>
>No, it's not ridiculous, this is a genuine threat.  Different keys *do*
>sound slightly different, and the best encryption system in the world won't
>help you if an opponent can recover the password as you type it in.

In effect, no crypto system is secure against a determined and well-endowed
adversary. It's another case of the escalation of technology and
counter-technology. At any moment one thinks one has something
technologically secure, and then the opponent comes out with something from
left field that hadn't even been considered. The above is only one example
of such things--security by mathematics isn't reliable if the adversary
moves out of the domain of mathematics for his tools. Do you know the
"connect the nine dots" problem?

With all the money and motivation governmental cryptologic organizations
around the world have, it's a safe bet that there are techniques available
today most of us would find inconceivable.

Then there are the public and private organizations that don't mind using
"practical" techniques, n'est ce pas? Sayonara.

David


--
David Sternlight         When the mouse laughs at the cat,
                         there is a hole nearby.--Nigerian Proverb

>>>>> In article <2dobps$jcc@sefl.satelnet.org>, skybird@satelnet.org
>>>>> (Scott Pallack) writes:
skybird> In <RATINOX.93Dec2171655@atlas.ccs.neu.edu> ratinox@atlas.ccs.neu.edu (Richard Pieri) writes:

>> The NSA cannot crack PGP. Correction: the NSA /could/ crack PGP given
>> several Crays dedicated to the task for 10 years (give or take a couple).
>> But they can't crack it in a "reasonable" timeframe.

[...]

skybird> Meaningless.

skybird> That the Department of Justice can't crack PGP does not imply the
skybird> NSA or Department of Defense can't.

I believe they did consult the NSA, and that was the answer they got.

And I didn't say they couldn't crack it; I said that they couldn't crack it
in under 10 years (give or take a few)--easilly longer than the statute of
limitations regarding the case.

--
Rat <ratinox@ccs.neu.edu>                Northeastern's Stainless Steel Rat
             PGP 2.x Public Key Block available upon request
    GAT d@ -p+ c++ !l u+ e+(*) m-(+) s n---(+) h-- f !g(+) w+ t- r+ y+
||| | | | |  |  |  |   |   |    |    |    |   |   |  |  |  |  | | | | | |||
`PGP,'  warns Dorothy  Denning,  a Georgetown University professor  who has
worked closely with the National Security Agency, `could potentially become
a widespread problem.'                                       --E. Dexheimer

In <X21-sAkBBh107h@vanward.ci.net> g@vanward.ci.net (Gerald) writes:

>>In article <064303Z02121993@anon.penet.fi> an54588@anon.penet.fi writes:
>>	A lot of people think that PGP encryption is unbreakable and that the
>>NSA/FBI/CIA/MJ12 cannot read their mail. This is wrong, and it can be a deadly
>>mistake. In Idaho, a left-wing activist by the name of Craig Steingold was
>                                                        ^^^^^^^^^^^^^^^
>How big a collection of business cards did he have?

This Craig Shergold thing has gotten so big, I saw it in
a Duty-Free shop in Cancun, Mexico!! It appeared to have been faxed
there, and they had it posted at the front counter.

It took quite a bit of convincing to persuade them that it was a hoax...

Bah
--
-Barrey Jewall - Network Admin. - Novell, Inc. - San Jose - barrey@novell.com-
            I don't speak for Novell, and they don't speak for me.
+-----------------------------------------------------------------------------+
+ They took the fourth amendment, and I was quiet because I don't deal drugs. +
+ They took the sixth amendment, and I was quiet because I'm innocent.        +
+ They took the second amendment, and I was quiet because I don't own guns.   +
+ Now they've taken the first amendment, and I can't say anything at all.     +
+--- Paraphrased from the writings of Mark Eckenwiler (eck@panix.com) --------+

In article <1993Dec6.223647.21196@novell.com>, barrey@Novell.com (Barrey Jewall) writes:

>
>This Craig Shergold thing has gotten so big, I saw it in
>a Duty-Free shop in Cancun, Mexico!! It appeared to have been faxed
>there, and they had it posted at the front counter.
>
>It took quite a bit of convincing to persuade them that it was a hoax...

To what extent is this a hoax? Did the kid never exist?  Is he still alive?
Does he just not want anymore business cards?


--

Chris Volpe				Phone: (518) 387-7766 (Dial Comm 8*833
GE Corporate R&D			Fax:   (518) 387-6560
PO Box 8, Schenectady, NY 12301		Email: volpecr@crd.ge.com

Fogbound Child (samuel@aero.org) writes:

> >> This is trivial to test.  Compile the program using an older compiler,
> >> translate the program into fortran or something or hand-code it in
> >> assembler.
> >> Compare the outputs.
> >> I'll bet they're the same.

> >You'll lose, because they won't be. Even if you run one and the same
> >copy of PGP twice, encrypting one and the same message, to one and the
> >same person - the results will be different. This has already been
> >discussed in alt.security.pgp.

> I believe that Scott was talking about the COMPILER output here. The idea is
> that the same MACHINE code will be generated.

Well, then he's wrong again, because the machine code will not be the
same either. Even two different C compilers will produce different
machine code given the same source, let alone a, say, FORTRAN and a C
compiler, given the (different) sources of two equivalent programs.

> >> BTW--ALWAYS assume that the NSA can decrypt anything you encrypt.

> >Nonsense. There is a provably uncrackable cypher. The One-Time Pad.

> Any cypher can be cracked. It involves Mr Secret Agent holding his pistol to
> some sensitive part of your body and saying "One last time, now. What's the
> key?"

This is not cryptanalysis and is not cypher cracking. They could as
well force the recepient to reveal the contents of the encrypted
message. But all this has nothing to do with the crypto newsgroups.

Regards,
Vesselin
--
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de        22527 Hamburg, Germany

David Sternlight (strnlght@netcom.com) writes:

> >> Doesn't have a PGP key.  Can't see much use for one, either.
> >
> >There are many. Read the docs. Just because you have nothing to hide
> >does not mean that you have no reasons to use public key
> >cryptography.

> Maybe he's read the docs and still feels that way. :-)

Maybe. I just gave him an advise for consideration. Are you speaking
for him? You could use some advices too...

> PGP fans need to keep in mind that most arguments for Public Key don't
> necessarily imply PGP.

Yes, of course. Only, with PGP those goodies are available for free
to the most of the world.

Regards,
Vesselin
--
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de        22527 Hamburg, Germany

I send this message not to start a flame war, but to illustrate how they
start.


>> Maybe he's read the docs and still feels that way. :-)
>
>Are you speaking
>for him? You could use some advices too...

The first statement is not only unexceptionable, but softened by a :-).
Bontchev's response is pure flame bait. It is not the first time.

David
--
David Sternlight         When the mouse laughs at the cat,
                         there is a hole nearby.--Nigerian Proverb

In article <2dt2mb$52l@harbinger.cc.monash.edu.au>, acb@yoyo.cc.monash.edu.au (Andrew Bulhak) writes:
>rich@mulvey.com wrote:
>: Daniel Garcia (system overlord) (kender@executor) wrote:
>: : Slaving away in a dark room, vhe@sunnyboy.informatik.tu-chemnitz.de (Volker Hetzer) produced:
>: : >The second is more interesting. I've seen it once in the german TV (serious!!).
>: : >It deals with the possibilities and modern methods of security agencies to break
>: : >into your privacy.
>: : >The guys there had a little transporter-vehicle containing a simple antenna
>: : >some electronics and a monitor. The antenna pointed to a monitor in a flat
>: : >50-100m (meters) away. With little "snow" they could see everything, which
>: : >appears on the screen in the flat.
>: : >It is also possible to put a device around your power-supply-cable and to
>
>: : Yes, it's called TEMPEST (or, is that the name of protection AGAINST such
>: : an attack?).  I've heard a bit about it, read some stuff on it, and gotten
>: : email from people who have seen videos of it in operation (as well as
>: : one from someone who accidently did it with a sony watchman!).
>
>:    TEMPEST refers the defensive techniques used.
>
>:    As a side note, the gov't unloaded a warehouse full of TEMPEST-class
>: IBM XT's a few months ago in CA.  They were immediately grabbed up by
>: lots of amateur radio operators who dislike the way that commodity PC's
>: tend to interfere with their receivers.  :-)
>
>Is this an UL? I heard that TEMPEST was a restricted
>technology, and that such equipment would be incinerated/recycled rather
>than sold.

Probably UL.  However (always a however), there are really two types of TEMPEST
(actually, there are more, but I shan't muddy the waters).  TEMPEST certified
means that each and every unit is tested by a designated tester, and samples
are directly tested.  These are designed and built by people who have TEMPEST
clearances and are not only covered under ITARS, but are considered classified.
TEMPEST rated hardware is stuff which is designed to meet "public" (ie. only
SECRET) specs but not tested.  Samples are typically tested by a designated
tester, but not the whole lot.  I've been told that some of the tests are less
rigorous.  Third (remember, there are two) is TEMPEST qualified (I may have
these last two names twisted), which is nothing more than someone doing the
obvious things to greatly shield the device, in hopes of acting like TEMPEST.

How to spot:

Over priced current technology		TEMPEST qualified
Outrageously priced old technology	TEMPEST rated
Hidiously priced obsolete stuff		TEMPETS certified
--
Dillon Pyron                        |Opinions are mine alone.
TI/DSEG Lewisville Systems Support  |
pyron@dseg.ti.com                   |"They are greedy, misogynoistic,
(214)575-2660  "work"               |egotisitical disgusting little trolls"
(214)492-4656  !work                |
PADI AI-54909                       |

In article <2dt2mb$52l@harbinger.cc.monash.edu.au>, acb@yoyo.cc.monash.edu.au (Andrew Bulhak) writes:
|> Is this an UL? I heard that TEMPEST was a restricted
|> technology, and that such equipment would be incinerated/recycled rather
|> than sold.

At the Dayton Hamvention quite a few years ago, I bought a surplus
Heath/Zenith XT keyboard that had been Tempested. Heavy metal shielded
D-style connector pair in the line to the standard DIN connector,
slightly thicker shielded coil cord, extra shielding around the edges
of the keyboard, etc. I finally retired it when I retired the 8088 PC
it was plugged into.

So I'm inclined to believe other stories that Tempested equipment is
not restricted, and is available elsewhere on the surplus market.

There's a myth floating around that Tempesting your computers is
somehow illegal. It's not. The precise specs for Tempest may be
classified, but there is no law against shielding your computers. In
fact, the US FCC requires that every PC sold meet minimal shielding
standards to limit radio and TV interference. This "Part 15" shielding
is nowhere near as extensive and effective (or expensive!)  as true
Tempest. But I'm sure that as a result of it, it's not *quite* as
trivial to eavesdrop on modern computer equipment as Van Eck did on
completely unshielded equipment a decade ago.

Phil

In <2e8976$3ja@qualcomm.com> karn@unix.ka9q.ampr.org (Phil Karn) writes:

>In article <2dt2mb$52l@harbinger.cc.monash.edu.au>, acb@yoyo.cc.monash.edu.au (Andrew Bulhak) writes:
>|> Is this an UL? I heard that TEMPEST was a restricted
>|> technology, and that such equipment would be incinerated/recycled rather
>|> than sold.

>At the Dayton Hamvention quite a few years ago, I bought a surplus
>Heath/Zenith XT keyboard that had been Tempested. Heavy metal shielded
>D-style connector pair in the line to the standard DIN connector,
>slightly thicker shielded coil cord, extra shielding around the edges
>of the keyboard, etc. I finally retired it when I retired the 8088 PC
>it was plugged into.

...

	Hmm, are you sure it's tempest certified?  Just because it is
shielded does not mean that it is really tempest certified.

	As you point out, the Tempest certification standards are classified;
only specially licenced manufacturers under contract with the government
have access to them.  However, there are many manufactures who produce
Tempest-like shielded equipment, and even test it for low emissions, but they
cannot say whether or not it truly tempest-certified becasuse they do not have
access to the standards.

Ben

--
-----------------------------------------------------------------------------
Benjamin T. Dehner    Dept. of Physics and Astronomy
btd@iastate.edu       Iowa State University
                      Ames, IA 50011
--
Usenet News Admin.
Iowa State University Computation Center
Iowa State University, Ames, Iowa (USA)

In article <btd.755542507@pv7440.vincent.iastate.edu>, btd@iastate.edu
(Benjamin T Dehner) writes...

>In <2e8976$3ja@qualcomm.com> karn@unix.ka9q.ampr.org (Phil Karn) writes:

>>In article <2dt2mb$52l@harbinger.cc.monash.edu.au>, acb@yoyo.cc.monash.edu.au (Andrew Bulhak) writes:
>>|> Is this an UL? I heard that TEMPEST was a restricted
>>|> technology, and that such equipment would be incinerated/recycled rather
>>|> than sold.

>>At the Dayton Hamvention quite a few years ago, I bought a surplus
>>Heath/Zenith XT keyboard that had been Tempested. Heavy metal shielded
>>D-style connector pair in the line to the standard DIN connector,
>>slightly thicker shielded coil cord, extra shielding around the edges
>>of the keyboard, etc. I finally retired it when I retired the 8088 PC
>>it was plugged into.

>	Hmm, are you sure it's tempest certified?  Just because it is
>shielded does not mean that it is really tempest certified.
	I've a firend who is Tempest Certified.  He has acquired, with no
	problems, at flea markets, a number of tempest items.  Including
	complete PC systems.  And he knows what he is buying...

>	As you point out, the Tempest certification standards are classified;
>only specially licenced manufacturers under contract with the government
>have access to them.
	In addition, thos who can demonstrate a sincere desire and ability have
	access.  Check the "Industrial TEMPEST Program", or close to that.  The
	original "you need clearance to get the stanard to see if you can meet
	the standard etc," turned out to be too conviluted to be workable...

thanks
dave pierson			|the facts, as accurately as i can manage,
Digital Equipment Corporation	|the opinions, my own.
200 Forest St			|I am the NRA.
Marlboro, Mass, 01751 USA	pierson@msd26.enet.dec.com
"He has read everything, and, to his credit, written nothing."  A J Raffles

dave pierson (pierson@msd26.enet.dec.com) wrote:
: In article <btd.755542507@pv7440.vincent.iastate.edu>, btd@iastate.edu
: (Benjamin T Dehner) writes...

: >In <2e8976$3ja@qualcomm.com> karn@unix.ka9q.ampr.org (Phil Karn) writes:

: >>In article <2dt2mb$52l@harbinger.cc.monash.edu.au>, acb@yoyo.cc.monash.edu.au (Andrew Bulhak) writes:
: >>|> Is this an UL? I heard that TEMPEST was a restricted
: >>|> technology, and that such equipment would be incinerated/recycled rather
: >>|> than sold.

: >>At the Dayton Hamvention quite a few years ago, I bought a surplus
: >>Heath/Zenith XT keyboard that had been Tempested. Heavy metal shielded
: >>D-style connector pair in the line to the standard DIN connector,
: >>slightly thicker shielded coil cord, extra shielding around the edges
: >>of the keyboard, etc. I finally retired it when I retired the 8088 PC
: >>it was plugged into.

: >	Hmm, are you sure it's tempest certified?  Just because it is
: >shielded does not mean that it is really tempest certified.
: 	I've a firend who is Tempest Certified.  He has acquired, with no
: 	problems, at flea markets, a number of tempest items.  Including
: 	complete PC systems.  And he knows what he is buying...

: >	As you point out, the Tempest certification standards are classified;
: >only specially licenced manufacturers under contract with the government
: >have access to them.
: 	In addition, thos who can demonstrate a sincere desire and ability have
: 	access.  Check the "Industrial TEMPEST Program", or close to that.  The
: 	original "you need clearance to get the stanard to see if you can meet
: 	the standard etc," turned out to be too conviluted to be workable...


I hate to sound ignorant, but would someone please explain to me what this
concept of 'tempest' is?  please respond email, as i rarely get to read this
group...

				- ben