Re: Tyler's Education

2004-07-06 Thread Tyler Durden
Now this might matter. If there's a phone line near the surveilled computer, 
then no blackbag op is necessary. Thus, "fishing" is much easier. If they've 
got to roll the trucks, then they'll probably need to have something fairly 
concrete to nail you with.

-TD

From: John Kelsey <[EMAIL PROTECTED]>
Reply-To: John Kelsey <[EMAIL PROTECTED]>
To: "J.A. Terranson" <[EMAIL PROTECTED]>,    "[EMAIL PROTECTED]" 
<[EMAIL PROTECTED]>
Subject: Re: Tyler's Education
Date: Tue, 6 Jul 2004 09:32:19 -0400 (GMT-04:00)

 From: "J.A. Terranson" <[EMAIL PROTECTED]>
 Sent: Jul 4, 2004 12:57 AM
 To: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
 Subject: Re: Tyler's Education
 Interestingly, I have had more than one report of aural acquisition of
 typists' keystrokes being used to attempt to calculate the content of a
 short keysequence (I assume a password is what was meant by "short
 keysequence").  These reports indicated "poor, but occasionally lucky
 results".
I wonder if this follows the technique used by Song, Wagner, & Tian to 
attack SSH-encrypted passwords by watching keystroke timings.

 J.A. Terranson
 [EMAIL PROTECTED]
--John Kelsey



Re: Tyler's Education

2004-07-06 Thread John Kelsey
 From: "J.A. Terranson" <[EMAIL PROTECTED]>
 Sent: Jul 4, 2004 12:57 AM
 To: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
 Subject: Re: Tyler's Education

 Interestingly, I have had more than one report of aural acquisition of
 typists' keystrokes being used to attempt to calculate the content of a
 short keysequence (I assume a password is what was meant by "short
 keysequence").  These reports indicated "poor, but occasionally lucky
 results".  

I wonder if this follows the technique used by Song, Wagner, & Tian to attack 
SSH-encrypted passwords by watching keystroke timings.

 J.A. Terranson
 [EMAIL PROTECTED]

--John Kelsey



Re: Tyler's Education

2004-07-05 Thread Major Variola (ret)
At 01:09 AM 7/4/04 -0400, Yeoh Yiu wrote:
>
>Optic fibre.
>

Enclosed in a pressurized conduit.  Monitor the pressure.  Harder to tap

without being noticed.



Re: Tyler's Education

2004-07-05 Thread Bill Stewart
As far as education goes, if you're constantly seeing black vans
with big funky antennas on them parked in front of your house
any time you're on the computer, you've really got far more serious
worries than just a bit of TEMPEST.  It's either time to line up
your lawyers because of stuff you do know you've been doing,
or else time to get your shrink to up your meds a bit.
On Sat, 3 Jul 2004, Major Variola (ret) wrote:
> And digital edges are sharp, in the GHz even when the "clock" is in the
> MHz.
> And boxes need ventilation slots.
... water cooling
At 07:35 PM 7/3/2004, Thomas Shaddack wrote:
> I expect much bigger problem in the attached cables and connectors.
It's been 15-20 years since I worked on TEMPEST environments,
so technology has overtaken most of what we were doing.
We tested the TEMPEST room at 450 MHz, and needed something like
100-120 dB of shielding to be comfortable with it,
and at those frequencies, you'd easily find leakage if the
copper-wool packing in the joints wasn't tight.
Our VAX ran at something like 10 MHz, and our Sparcstations
might have been as fast as 40 MHz, but basically there wasn't
a lot of high-frequency signal out there, even with harmonics.
The standards for cable penetration were that a waveguide hole
needed to be N wavelengths deep and no more than 1/x wide
(I think it was something like half-wave wide), and most of ours
were an inch or two deep with quarter-inch holes.
That was convenient for running fiber through.
If you stuck a paper-clip about halfway through, the RF meter would peg.
These days, of course, most of the equipment's at much higher frequencies;
I doubt the room would be meaningfully tight with 5 GHz machines.
Power connections were filtered, which was much more expensive,
using boxes with big inductors in them.
That part of the job would be much easier today -
the VAX needed three-phase power, and the room drew lots of amps,
as did the two one-ton water-cooled Liebert air conditioners.
That AMD 64-bit CPU might look like a space-heater,
but it really isn't that bad.  And a laptop's a lot better.
We occasionally used TEMPEST-shielded PCs.  They weren't bad -
they had solid metal boxes, and special shielded cables for the
rather heavy keyboards, and the monitors were a bit bulky.
The monitors were mostly CGA or mono text - maybe some EGA,
but basically they were a lot lower end than you'd want today.
Don't expect that laptops will keep you out of trouble -
I once had a laptop projecting its image onto a TV I was near.
The image was out of sync, with three partial images,
and it was probably in the 640x480 days, maybe 800x600, ~1997,
but I'd done nothing special and it was an average TV.
Probably the signal was leaking out the VGA jack on the laptop.
The easy part of TEMPEST monitoring is finding some signal.
The hard part is sorting it out from the noise.
If they're not nearby, they're unlikely to be using TEMPEST on you;
they're much more likely to be tapping your ISP connections.

Bill Stewart  [EMAIL PROTECTED] 
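
As an added illustration of the waveguide-beyond-cutoff rule Bill describes (my own calculation, not anything from the post or from a TEMPEST standard): the textbook attenuation formula for an empty circular bore below its TE11 cutoff, applied to the quarter-inch, two-inch-deep holes and the 450 MHz / 100-120 dB figures above, plus the 5 GHz case. It assumes an empty round hole in a good conductor; any conductor through the bore invalidates it.

```python
import math

C = 299_792_458.0   # speed of light in vacuum, m/s
IN_TO_M = 0.0254    # inches to metres


def te11_cutoff_hz(diameter_m):
    """Cutoff frequency of the dominant TE11 mode of an empty circular bore.

    Below cutoff the hole carries no propagating wave, only an evanescent
    field that decays exponentially with depth; that decay is the shielding.
    """
    return 1.8412 * C / (math.pi * diameter_m)


def below_cutoff_attenuation_db(diameter_m, depth_m, freq_hz):
    """Attenuation in dB of a circular waveguide-beyond-cutoff penetration.

    Returns 0.0 at or above cutoff, where the bore propagates and the
    penetration no longer shields anything.
    """
    fc = te11_cutoff_hz(diameter_m)
    if freq_hz >= fc:
        return 0.0
    # Evanescent decay constant, nepers per metre: (2*pi/lambda_c) * sqrt(1 - (f/fc)^2)
    alpha_np_per_m = (2.0 * math.pi * fc / C) * math.sqrt(1.0 - (freq_hz / fc) ** 2)
    return 20.0 * math.log10(math.e) * alpha_np_per_m * depth_m  # nepers -> dB


def penetration_meets_target(diameter_in, depth_in, freq_hz, required_db):
    """True if an empty hole of these inch dimensions alone meets the dB target."""
    att = below_cutoff_attenuation_db(diameter_in * IN_TO_M, depth_in * IN_TO_M, freq_hz)
    return att >= required_db


if __name__ == "__main__":
    # Constructed figures taken from the post: quarter-inch holes about two
    # inches deep, a 100-120 dB target tested at 450 MHz, and the later worry
    # about 5 GHz equipment.
    for f_hz in (450e6, 5e9):
        att = below_cutoff_attenuation_db(0.25 * IN_TO_M, 2.0 * IN_TO_M, f_hz)
        print(f"{f_hz / 1e9:5.2f} GHz: {att:6.1f} dB through a 0.25 in x 2 in hole")
    # The numbers only hold for an empty bore. A conductor pushed through it
    # (the paper clip in the post) carries the field straight through, which
    # is why the meter pegged.
```

With these dimensions the empty hole is far below cutoff at both 450 MHz and 5 GHz, so the penetrations themselves are not what limits a room at 5 GHz; seams and gaskets are the weaker path.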



Re: Tyler's Education

2004-07-03 Thread Major Variola (ret)
At 04:35 AM 7/4/04 +0200, Thomas Shaddack wrote:
>On Sat, 3 Jul 2004, Major Variola (ret) wrote:
>
>> And digital edges are sharp, in the GHz even when the "clock" is in
>> the MHz.
>
>How much does the "spread spectrum clock" feature on the modern
>motherboards help here?

They do complicate things.  But I bet their spread-spectrum jitter
is derived from a PRNG.  All your PRNGs are belong to us.  'Specially
because you can just buy them and either analyze their output, or
strip the layers and get back to the Verilog.

>> And boxes need ventilation slots.
>
>Not necessarily.

Indeed Centaur/Via's x86 w/ crypto is advertised as "fanless"

>There are other ways of heat transfer.  A good way could
>be water cooling for transport of the heat from the CPU and other parts
>to a massive metal heatsink that's the part of the case, with an optional
>fan on its outside. Voila, water cooling is not only for case mod freakz
>anymore.

Just put the ventilated box in a bigger box and use some steel
wool in the ductwork to the outside...

>> Any questions?
>
>I expect much bigger problem in the attached cables and connectors. How
>to solve this?

Shielding.  Shielded room.  Shielded building.

Basic idea: electro-magnetic disturbances penetrate only a short
distance into conductors.

Folks who deal with low noise amplifiers deal with this all the time.
Ground loops.  Faraday cages.  Low voltage differential signalling.
Grounded thin metal layer over your LCD display.

I once worked for a chipmaker and they had a metal room.  Horrible
ventilation.   Copper gaskets on all the seams.  You could probe a chip
in there, with a microscope and micromanipulators.  But they also had a
PC which kinda nulled out the RFI issue. However that PC's output would
not have escaped.  The power cables from the outside to inside are an
issue too.

As Schneier says, pros go after people, not tech; which is not to say
you can ignore RF tracking if you're a target.  I don't think you can
"fish" with van Eck (sp?) tech, although wardriving/flying sorta counts,
except that those are intentional emitters.

If I promise you a green card or citizenship, and give you a grand,
will you install this gizmo between the keyboard and computer for me
when you're cleaning the office?  (Assuming you're an 'illegal' working
for shit wages and the Suit has credentials, or cash, or both.  Ask
Nicky Scarfo about this..)

Or plug a camouflaged 802.11blah AP into a RJ-45 and listen from the
van...
(Susceptible to sweeps, but how often are they done?  And real pros use
bursty bugs that aren't broadcasting all the time, eg in the woodwork
of the State Dept.)


Re: Tyler's Education

2004-07-03 Thread J.A. Terranson

On Sun, 4 Jul 2004, Dave Emery wrote:

>   Would you care to comment on any technical or other details ?

I do not have the detailed technical details I would have liked - I did
ask some of these types of questions and received little more
than careful "decline to answer"s.

What I do know is that this type of monitoring is being done on a regular,
although limited scale, in FISA proceedings.  The targets are generally
CRT emissions, and the distance between target and acquisition gear is
under .5 miles - still a shocking range which I was totally unprepared
for.  I engaged one of the operators in a discussion about the tempest
resistant typefaces, and he was unaware of them.  Food for thought...

Interestingly, I have had more than one report of aural acquisition of
typists' keystrokes being used to attempt to calculate the content of a
short keysequence (I assume a password is what was meant by "short
keysequence").  These reports indicated "poor, but occasionally lucky
results".  I have also been told that there is a broadcasting keyboard
cable inline device which is in wide use (this is pretty easy to do, but
requires blackbagging - something that was a lot more limited prior to
9/11).


-- 
Yours,

J.A. Terranson
[EMAIL PROTECTED]

  "...justice is a duty towards those whom you love and those whom you do
  not.  And people's rights will not be harmed if the opponent speaks out
  about them."

  Osama Bin Laden


Re: Tyler's Education

2004-07-03 Thread Yeoh Yiu
Thomas Shaddack <[EMAIL PROTECTED]> writes:

> > And boxes need ventilation slots.
> 
> Not necessarily. There are other ways of heat transfer. A good way could 
> be water cooling for transport of the heat from the CPU and other parts to 
> a massive metal heatsink that's the part of the case, with an optional fan 
> on its outside. Voila, water cooling is not only for case mod freakz 
> anymore.
> 
> > Any questions?
> 
> I expect much bigger problem in the attached cables and connectors. How to 
> solve this?

Optic fibre.



Re: Tyler's Education

2004-07-03 Thread Dave Emery
On Sat, Jul 03, 2004 at 09:41:44PM -0500, J.A. Terranson wrote:
> On Sat, 3 Jul 2004, Major Variola (ret) wrote:
> 
> > At 07:18 PM 7/3/04 -0400, Tyler Durden wrote:
> > >I dunno...as an ex-optical engineer/physicist, I'm sceptical about this
> > >whole scary "tempest" bullcrap. Even if it can be made to work fairly
> > >reliably, I suspect deploying it is extremely costly.
> 
> Scary or not, I can attest from first hand personal knowledge that this
> type of monitoring is in active use by the US, and has been for over 4
> years (although it's only been "mainstream" for ~2).

Would you care to comment on any technical or other details ?

Tempest monitoring of raster scan CRTs has been around for
a long long time... but most current LCD displays are much less vulnerable
as pixels are switched in parallel (and of course not painted at high
speeds allowing optical monitoring).  But many video cards generate
the rasterized stuff anyway... and use that interface to talk to
the LCD monitor.

Tempest monitoring of energy on communications lines and power
lines related to internal decrypted traffic has been around since
before the Berlin tunnel... and used effectively.  But the heyday
of this was the mechanical crypto and mechanical Teletype era...
where sparking contacts switched substantial inductive loads.

Tempest monitoring of CPU and system behavior is a newer trick
in most cases if it is effective at all in typical situations.

Obviously Tempest monitoring of copper wire ethernet LAN traffic
is possible.   Wireless LANs, of course, aren't a Tempest issue.

Perhaps some keyboards radiate detectable keystroke related
energy...

But given the current statist tendencies here and elsewhere, it
would not surprise me at all to hear that any and all techniques for
surveillance anyone has shown to be effective are likely in active
use - there is money, interest, and a great lowering of inhibitions.
And certainly there has been more than enough open discussion of Tempest
type side channel attacks, unlikely the folks behind the curtain have
just ignored all of it...

On the other hand the cost, complexity and sophistication of
the gear required to extract information at useful ranges is still
daunting compared to other methods of obtaining the same information
(such as black bag jobs with disk copiers and use of trojans to capture
passphrases).


-- 
   Dave Emery N1PRE,  [EMAIL PROTECTED]  DIE Consulting, Weston, Mass 02493



Re: Tyler's Education

2004-07-03 Thread J.A. Terranson

On Sat, 3 Jul 2004, Major Variola (ret) wrote:

> At 07:18 PM 7/3/04 -0400, Tyler Durden wrote:
> >I dunno...as an ex-optical engineer/physicist, I'm sceptical about this
> >whole scary "tempest" bullcrap. Even if it can be made to work fairly
> >reliably, I suspect deploying it is extremely costly.

Scary or not, I can attest from first hand personal knowledge that this
type of monitoring is in active use by the US, and has been for over 4
years (although it's only been "mainstream" for ~2).


-- 
Yours,

J.A. Terranson
[EMAIL PROTECTED]

  "...justice is a duty towards those whom you love and those whom you do
  not.  And people's rights will not be harmed if the opponent speaks out
  about them."

  Osama Bin Laden


Re: Tyler's Education

2004-07-03 Thread Thomas Shaddack

On Sat, 3 Jul 2004, Major Variola (ret) wrote:

> And digital edges are sharp, in the GHz even when the "clock" is in the
> MHz.

How much does the "spread spectrum clock" feature on the modern motherboards 
help here?

> And boxes need ventilation slots.

Not necessarily. There are other ways of heat transfer. A good way could 
be water cooling for transport of the heat from the CPU and other parts to 
a massive metal heatsink that's the part of the case, with an optional fan 
on its outside. Voila, water cooling is not only for case mod freakz 
anymore.

> Any questions?

I expect much bigger problem in the attached cables and connectors. How to 
solve this?