1993-05-26 - Re: SIGINT and TEMPEST follies

Header Data

From: wcs@anchor.ho.att.com
To: cypherpunks@toad.com
Message Hash: 782f96282a69ad0750987b351faeb057773ff359323618b5efa20843c5220ba8
Message ID: <9305260126.AA20182@anchor.ho.att.com>
Reply To: N/A
UTC Datetime: 1993-05-26 02:10:51 UTC
Raw Date: Tue, 25 May 93 19:10:51 PDT

Raw message

From: wcs@anchor.ho.att.com
Date: Tue, 25 May 93 19:10:51 PDT
To: cypherpunks@toad.com
Subject: Re: SIGINT and TEMPEST follies
Message-ID: <9305260126.AA20182@anchor.ho.att.com>
MIME-Version: 1.0
Content-Type: text


In cypherpunks, fergp@sytex.com (Paul Ferguson) replied to my article
(elisions [...] added)
> > [...] The precise standards are classified (some SECRET, some
> > CONFIDENTIAL COMSEC), [...], but as long
> > as you're not using classified information as your sources, you can
> > do anything you want.  [...]

>  I beg your pardon, but this is _not_ the case. TEMPEST requirements
>  are _not_ classified and are available for public scrutiny. (You
>  obviously do not know where to look.)

Ok, there may be standards that aren't classified.  (Good!)
I was referring to NACSIM 5100, 5100A, 5203, and their friends;
different generations of the documents are NACSEM rather than NACSIM.

> > TEMPEST isn't particularly about transients or electromagnetic pulses,
> > it's about overall electromagnetic emissions.
>  
>  You're trying to separate issues that are one and the same. With the
>  proper equipment, I can put you and an IBM Selectric (tm) typewriter
>  on a wooden raft in the middle of Lake Superior, monitor and realize
>  every keystroke that you make and you'd not be the wiser. This type
>  of monitoring is easily defeated by low yield TEMPEST requirements.
>  I've worked in this area, Bill, and have tested these _facts_. I
>  don't care how you care to word it, it _is_ transient
>  electromagnetic emissions.

I'm not arguing about whether the stuff works, I believe that :-)
VT100s and Brother electronic typewriters are two other classic emitters;
I hadn't heard that the IBM was loud, but it's certainly a good target.
The wording *is* relevant when you're discussing whether a proposed
acronym is real or made-up-to-fit, and as I said,
> > I never saw TEMPEST expanded as an acronym in any of the
> > documents I read.
and the proposed expansions are really stretching credibility,
as were the quoted article's contentions that using TEMPEST protection
was illegal.
  
>  I know the technical specifics of TEMPEST (it is an acronym, BTW) 
If it really is, it sounds like they made up the name TEMPEST first and stretched
the words *real* hard to fit, since it's not really about EMP.

> > In the case of the Crippler Chip, however, you knew it had a built-in
> > wiretap when you bought it, which changes some of the reasonable
> > expectations about privacy a bit.
>  This issue is one where I must disagree with you emphatically. 
>  The majority of the American public don't even know about Clipper. 

Sure, but if you're a pro-government court trying to rationalize the
behavior of government officials, as the courts have been doing lately,
the fact that most Americans haven't read the White House Press Releases
or the New York Times won't be given much respect - they've found a 
presumed lack of privacy in the use of cordless phones, and I'll bet you
a floppy disk they'll find some excuse to support unauthorized wiretapping
of Crippler* phones if the things become widespread.

>           Stop the Wiretap (Clipper/Capstone) Chip.
Yeah.  Actually, I won't mind much if government officials use the system
for their internal communications; it's presumably fairly secure,
and makes it possible to subpoena "secure" conversations by government officials
if we need to, though it does risk giving the NSA more power over the rest of the 
government if they've stolen the keys.

				Bill Stewart


* Clipper is a trademark of Intergraph.