1994-02-07 - Re: TEMPEST - Electronic eavesdropping

Header Data

From: tcmay@netcom.com (Timothy C. May)
To: cypherpunks@toad.com
Message Hash: 477e288967dbbd4ff21032d067e531b8db007c34503699d49eea2443b3517dc3
Message ID: <199402070218.SAA06728@mail.netcom.com>
Reply To: <199402062359.PAA20879@mail.netcom.com>
UTC Datetime: 1994-02-07 02:20:32 UTC
Raw Date: Sun, 6 Feb 94 18:20:32 PST

Raw message

From: tcmay@netcom.com (Timothy C. May)
Date: Sun, 6 Feb 94 18:20:32 PST
To: cypherpunks@toad.com
Subject: Re: TEMPEST - Electronic eavesdropping
In-Reply-To: <199402062359.PAA20879@mail.netcom.com>
Message-ID: <199402070218.SAA06728@mail.netcom.com>
MIME-Version: 1.0
Content-Type: text/plain


OK, I've just reread the Seline paper Rob Jackson was referring to
(available by ftpat csrc.ncls.nist.gov::/pub/secpubs/tempest.txt--my
thanks to Rob for providing the pathname to me). I say "reread"
because this is the same 1990 paper that's been reposted several times
to sci.crypt and here to the Cypherpunks list.

Earlier I said, quoting Rob:

> 
> > In the US it not illegal to posess TEMPEST-surveillance equipment but
> > it is illegal to take appropriate counter-measures to prevent 
> > surveillance. The US government has refused to release details of its
> 
> Please provide a reference for this. We've discussed this _many_ times
> on this List, and the consensus is that no such law exists, nor is it
> plausible that folks could be told they cannot "shield" their
> computers.
...stuff elided...

Indeed, most of the Seline paper is devoted to the fact that the
TEMPEST spec itself is classified, which is undoubtedly true. And the
(unconfirmed) assertion that mere possession of RF intercepting gear
that could be used to defeat TEMPEST is illegal.

(I have doubts about this, given the various types of RF receivers,
old television sets with manual tuners, etc. I suppose that if one
were caught with an antenna, a tunable CRT able to "tune in" the
emissions of a nearby--or distant--computer or CRT and display them
the way the NSA's ELINT gadgets undoubtedly do, then this might be
considered evidence of criminal intent--like burglar tools,
password-cracking tools, etc. [And we've had this debate many times as
well, with some saying possession of lockpicking tools is legal,
others saying it's not, etc.])

However, nothing in the Seline report, flawed as it is (IMO), says "it
is illegal to take appropriate counter-measures to prevent
surveillance." That is, go ahead and shield away!

What I think the government is saying is this, and I have no idea if
this is in fact law or if it would hold up in court:

* First, we (the government) have a TEMPEST spec we use to build
equipment to. It tells our vendors how good their stuff has to be. We
don't tell the public this spec, because this would help the Russkies
and the Yellow Hordes, not to mention the French.

* Second, we (your public servants) have our own tricks and techniques
and dislosing the TEMPEST specs would provide damaging information to
our opponents (the Mob, the Serbs, the Cypherpunks, and the
Republicans)--so we aren't talking. And we insist TEMPEST contractors
also keep their mouths shut.

* Third, we (us again) will not allow _eavesdropping_ equipment to be
publically sold, whether for intercepting cellular phone calls, CRT
emissions, whatever. You may find loopholes (telephoto lenses and
giant parabolic mikes, so beloved of dicks), but we've basically
outlawed this stuff.

(sorry if my irreverent tone and change of point of view is confusing
here)

So, nothing about shielding or monitoring emissions (commercial RF
leakage equipment is widely available and measures stuff down many dB
from the unshielded level). Just don't build a Van Eck gadget and let
others know about it (though, again, it's not clear how the courts
would rule on this). And don't disclose TEMPEST specs.

For Cypherpunks, not too much to worry about. We don't want or need to
play at being spooks by monitoring nearby systems, and shielding is
available.

That it's not used much, that we are "soft targets" for determined
surveillance teams, and that we use PGP on insecure machines, etc., is
all well-known. Everything has a cost, and most of us don't perceive a
direct enough threat to our communications and computers to warrant
working inside a local, Faraday-caged machine, keeping passwords in a
separate laptop we carry with us at all times, etc. What's important
for us is to get crypto tools spread ubiquitously. The rest can come later.


--Tim May


-- 
..........................................................................
Timothy C. May         | Crypto Anarchy: encryption, digital money,  
tcmay@netcom.com       | anonymous networks, digital pseudonyms, zero
408-688-5409           | knowledge, reputations, information markets, 
W.A.S.T.E.: Aptos, CA  | black markets, collapse of governments.
Higher Power:2**859433 | Public Key: PGP and MailSafe available.




Thread