1998-02-09 - Re: TEMPEST (fwd)

Header Data

From: Jim Choate <ravage@ssz.com>
To: cypherpunks@ssz.com (Cypherpunks Distributed Remailer)
Message Hash: 200982af9ce09a4411fb636d8153b978ca48ed3d1f817cbab033a08347a723ff
Message ID: <199802092316.RAA24851@einstein.ssz.com>
Reply To: N/A
UTC Datetime: 1998-02-09 23:17:52 UTC
Raw Date: Tue, 10 Feb 1998 07:17:52 +0800

Raw message

From: Jim Choate <ravage@ssz.com>
Date: Tue, 10 Feb 1998 07:17:52 +0800
To: cypherpunks@ssz.com (Cypherpunks Distributed Remailer)
Subject: Re: TEMPEST (fwd)
Message-ID: <199802092316.RAA24851@einstein.ssz.com>
MIME-Version: 1.0
Content-Type: text

Forwarded message:

> Subject: Re: TEMPEST
> Date: Mon, 09 Feb 1998 21:07:22 +0000
> From: Markus Kuhn <Markus.Kuhn@cl.cam.ac.uk>

> Things are somewhat more complicated and I am not convinced that
> the e-beam is the primary source of radiation.

Only of the individual pixel modulations. Go back and re-read my post; you
missed a whole slew of implications. The vertical and horizontal positioning
is via the yoke not the screen grid. Electrostatic steering of an e-beam
is expensive and slow, you can't change the charge on the plates that fast.

In regards to the data for the individual scan lines, where else are you going
to modulate that beam than a screen grid? This is a high-voltage low-current 
point. You can't drive the beam off the screen, the inside of the tube is
coated in a carbon based chemical called 'aquadag' that will short the beam
to ground and blow your flyback transformer in short order. Not to mention
that the inertia of the e-beam will be a bit of a hassle to deal with as
well. It won't move that fast.

> Your claim that
> the Tempest radiation is modulated by the screen grid does not agree with
> my practical experience: All signals I get are close to harmonics of
> the dot clock and not of the screen grid rate.

The screen grid is where the dot clock goes to modulate the e-beam, or is
your claim we're going to modulate the filament directly? If so I would
suggest you re-take your electronics class and learn how to read a schematic
a tad better. A short trip to either your local library or electronics
repair business will pay off wonders. You're looking for a Sam's Photo-Facts
on the particular monitor you are examining. There is also the fact that the
dot clock itself is a low-voltage low-current device until it gets to the
tube drive electronics where it switches the high voltage drivers to the

If you're getting your signal off the harmonics you're doing it the hard way.
Go back and re-read your texts on Fourier Transforms and then do a
power-spectrum analysis on the signals to the tube; what you will find is
that the primary frequencies get the majority of the signal (eg 1st harmonic
of a square wave (ie a dot clock) only gets, at best, 1/3 of the energy of
the primary).

In any case, it's the high voltage emissions of the tube drive electronics
that are detected, not the small 5V to 12V drive signals. The same is true
for LCD, Plasma, and other flat panel displays. You detect the high-voltage
emissions of the display drive electronics. Note that on active transistor
displays (where you don't have the high voltage bias as in a LCD) you don't
get these sorts of emission magnitudes and they are *much* harder to detect.
In addition in the active transistor displays the display drive electronics
should buffer the data and so, unlike a CRT, you don't have to send each
individual pixel every time. You can actually send only the changes and
implement those. Unless you're integrating the signals you receive your
Tempest display will be gibberish.

> In addition, the
> Tempest monitor cannot distinguish between an all-black and an all-white
> image, which it should in the case of a screen-grid caused modulation.

What? This is malarkey. If the screen is black the filament emissions are
being blocked by the screen grid and the charge cloud gets shunted to ground
via the aquadag coating. This means there is no current, and as a
consequence no emitted rf field to monitor. And what keeps it from blowing
the flyback in this case is that the charge cloud acts as a capacitor
and limits the dv/dt to something that the flyback can deal with, it has to
leak past the screen grid.

You can also discern this using Tempest to monitor NTSC where the black
pulse is a negative going pulse at the end of the scanline waveform. It's
there so the receiver electronics can know when to turn the e-beam off so
you don't get those annoying retrace lines across your screen when it moved
back to the left and down one line. Since it's a negative going pulse with
respect to the vertical and horizontal retrace its dv/dt is going in the
opposite direction. If you get a schematic find the horizontal retrace clock
and disable it and monitor the display.

> If there is indeed a screen-grid modulation, then it is *much* weaker
> than any modulation that you get by software dithering.

This is just plain silly. The switching of the software is drowned in a sea
of such noise on the board. Anyone who claims they can pull a valid signal
off a cpu pcb at more than a few feet is a liar or else they have some
pretty remarkable extra-terrestrial technology. There are literally 10's of
thousands of state transitions all over the pcb that are going on in
parallel and the positive transition fields cancel the negative transition
fields so what you end up with is a hash of noise. 30 seconds of looking at
a spectrum analyzer will make this obvious.

In modern computers what drives the crt is the data residing in the video
frame buffer that drives the output electronics on the card and not the
data on the cpu pcb.

> Monitors are pretty strange antennas: For instance, my monitor still
> radiates quite well (although noticeably weaker) if I switch its power
> supply off.

It can take as much as 20 minutes to drain a good high-voltage supply (read
the documents of all power supplies that operate above a couple hundred
volts, it should include the discharge time constant - you want to wait
through at least 3 of those). There is also the issue that a crt tube sitting
unconnected in the open dry air will develop enough of a charge to knock the
shit out of you if you're silly enough to grab the grounding connection on
the side with one hand and be grounded to earth with the other. So even if
the machine is turned off you get a continuous charge build up on the tube
that gets drained through various resistors to ground. Unfortunately this
is a pretty incoherent signal and low power as well.

I routinely deal with voltages in the 1MV range and currents (usually not at
those voltages) in the 100A range (I build 12 ft. Tesla Coils for grins and
giggles that throw discharges in the 8-12 ft. range). When you start talking
about voltages above a few hundred there isn't any such thing as 'off', only
a higher impedance path to ground and longer time constants.

NOTE: if you do decide to play in your monitor then make sure that one of
      your hands is in your back pocket at *ALL* times. Otherwise make sure
      there is somebody there to call 911 so they can haul your body off. If
      you don't the discharge leakage current through your heart *when* you
      make a mistake will cause it to go into ventricular fibrillation
      (v-fib). Unless you got a de-fibrillator handy you're dead in about 3

> Just the passive resonance of the chassis gives a clear
> signal in around a meter radius with a simple untuned dipole antenna.

If they get within a meter of my machine I seriously doubt they will be
using VanEck but rather rubber hose or eye ball monitoring...

We're talking real world here not some Tom Clancy novel.

> Switching off a monitor alone does not protect you from eavesdropping
> a VDU signal, especially if the signal is not just text but a pattern
> optimized for reception.

True, but instead of being within a couple hundred feet (the average
successful range for interception) you're now talking about 10's of feet.
At that range my dogs barking will let me know that Mallet is in the house.

> After I unplug the VGA cable however, I can't pick up any signal with
> our Tempest receiver unless I bring the antenna almost in contact with
> the cable or connector.

Duh, can you say 'impedance'....go back and study your analog and rf
electronics. A monitor's off impedance per line is somewhere in the 50 to 75
ohms range. The impedance of a wire hanging in the air is much higher and as
a consequence the current flow and as a result the emitted em field will be
much lower.

> The closed PC chassis also appears to be no very
> big source of VDU emanations, certainly much below the levels that
> our receiver can detect.

And this surprises you? A pc chassis, provided you put all the screws in it
and don't have lots of holes in it, is a Faraday Cage, it's the reason they
make them out of expensive metal and not cheaper plastic.

A very effective method to confuse Van Eck is to have several monitors
sitting next to each other with different displays. A more active display
is much more effective than one that is static (eg. such as a person typing
in an email to cypherpunks).

I strongly suggest the following reference:

High-speed Digital Design: a handbook of black magic
H.W. Johnson, M. Graham
ISBN 0-13-395724-1
~$60 US

   |                                                                    |
   |       The most powerful passion in life is not love or hate,       |
   |       but the desire to edit somebody elses words.                 |
   |                                                                    |
   |                                  Sign in Ed Barsis' office         |
   |                                                                    | 
   |            _____                             The Armadillo Group   |
   |         ,::////;::-.                           Austin, Tx. USA     |
   |        /:'///// ``::>/|/                     http://www.ssz.com/   |
   |      .',  ||||    `/( e\                                           |
   |  -====~~mm-'`-```-mm --'-                         Jim Choate       |
   |                                                 ravage@ssz.com     |
   |                                                  512-451-7087      |