1998-02-09 - Re: Laptop TEMPEST (fwd)

Header Data

From: Jim Choate <ravage@ssz.com>
To: cypherpunks@ssz.com (Cypherpunks Distributed Remailer)
Message Hash: 887360006f8fabb9e837952e78fa66ca006372d18fa79a9759dee7631d673a22
Message ID: <199802091735.LAA21910@einstein.ssz.com>
Reply To: N/A
UTC Datetime: 1998-02-09 17:36:40 UTC
Raw Date: Tue, 10 Feb 1998 01:36:40 +0800

Raw message

From: Jim Choate <ravage@ssz.com>
Date: Tue, 10 Feb 1998 01:36:40 +0800
To: cypherpunks@ssz.com (Cypherpunks Distributed Remailer)
Subject: Re: Laptop TEMPEST (fwd)
Message-ID: <199802091735.LAA21910@einstein.ssz.com>
MIME-Version: 1.0
Content-Type: text

Forwarded message:

> Subject: Re: Laptop TEMPEST 
> Date: Mon, 09 Feb 1998 17:07:23 +0000
> From: Markus Kuhn <Markus.Kuhn@cl.cam.ac.uk>

> Jim Choate wrote on 1998-02-09 06:57 UTC:
> > Doesn't the FCC have to test the RF emissions of all laptops as well as
> > monitors for sale as Class A and Class B in the US? Shouldn't that material
> > be available? I searched the main site, www.fcc.gov, but didn't find
> > anything regarding this.
> I suspect that FCC material is not helpful with regard to Tempest.

As to calculating a realistic estimate of range to intercept, I disagree

> Results of such EMI tests only measure the general power spectrum
> emitted by a device. Of interest for Tempest purposes however is
> not the power spectrum, but the spectrum of the cross-correlation

I am aware of how to do Tempest in practice as well as in theory.

The process goes something like this. The first target is the vertical
retrace. This signal is usualy the strongest because the voltage required
(and hence the dv/dt) is the largest to sling that e-beam from the lower
right to the upper left. It usualy resides in the 50-70Hz range. The next
target is the horizontal retrace. It slews the beam from the right edge of
the display to the left in order to start another trace. You can use this
signal to syn both the vertical retrace steps (in order to move the beam
down verticaly to start another trace) as well as the ramp that is required
to slew the beam across the screen to write the pixes. Once these 4 signals
are aquired and fed to the appropriate control terminals of a CRT you are
ready to begin decoding the actual trace data for each line of the display.
This is the hardest since the actual modulation of the e-beam is done via a
screen grid (who said tube theory was out of date?) and that signal is quite
small and generaly has a cardoid emission pattern aligned axialy along the
central axis of the CRT tube. So if given a choise you want your antenna to
be behind the viewer in line with the display.

It is of some import to note that larger displays are easier to aquire
usable signals from since the distances the e-beam is slewed and as a result
the control voltages are much larger.

   |                                                                    |
   |       The most powerful passion in life is not love or hate,       |
   |       but the desire to edit somebody elses words.                 |
   |                                                                    |
   |                                  Sign in Ed Barsis' office         |
   |                                                                    | 
   |            _____                             The Armadillo Group   |
   |         ,::////;::-.                           Austin, Tx. USA     |
   |        /:'///// ``::>/|/                     http://www.ssz.com/   |
   |      .',  ||||    `/( e\                                           |
   |  -====~~mm-'`-```-mm --'-                         Jim Choate       |
   |                                                 ravage@ssz.com     |
   |                                                  512-451-7087      |