NSA Releases Historical Documents on TEMPEST
sgunhouse writes to mention Wired's Threat Level has a piece on a recently-declassified document detailing the history of TEMPEST. "It was 1943, and an engineer with Bell Telephone was working on one of the U.S. government's most sensitive and important pieces of wartime machinery, a Bell Telephone model 131-B2. It was a top secret encrypted teletype terminal used by the Army and Navy to transmit wartime communications that could defy German and Japanese cryptanalysis. Then he noticed something odd. Far across the lab, a freestanding oscilloscope had developed a habit of spiking every time the teletype encrypted a letter. Upon closer inspection, the spikes could actually be translated into the plain message the machine was processing. Though he likely didn't know it at the time, the engineer had just discovered that all information processing machines send their secrets into the electromagnetic ether."
Here's an example of a TEMPEST-shielded computer - the TEMPEST-shielded Mac SE/30.
Now classified fiber had to abide by an 18" standoff from unclassified lines to avoid EMF leakage...
He's getting rather old, but he's a good mouse.
I'm afraid not, my good fellow.
Van Eck phreaking and lot of panty hose
http://cryptome.org/
nsa-spectrum.zip + Zipped NSA Cryptologic Spectrum Articles 1969-81 April 24, 2008 (31MB)
nsa-tempest.pdf + TEMPEST: A Signal Problem (NSA History) April 24, 2008
No direct link to save JY's bandwidth.
I love the simple solution
"Instead of buying this monster, the Signal Corps resorted to the only other solution they could think of. They went out and warned commanders of the problem, advised them to control a zone about 100 feet in diameter around their communications center to prevent covert interception, and let it go at that."
I am trying to get some time to get into the Spectrum articles.
The Singularity is closer than you think
Quant
Here I was without knowing all this cool stuff. Got to admit, this is damned cool - even if a bit cloak and dagger eh?
Moved to http://soylentnews.org/. You are invited to join us too!
at Teletype Corporation looked like vaults. The engineers, working on secure terminals, took their work very seriously.
"To those who are overly cautious, everything is impossible. "
In Soviet America Tempest-Hat secures you.
There's a good description (albeit, not as technical as it could be) of this phenomenon in Neal Stephenson's Cryptonomicon.
A Dutch hacker demonstrated that the voting machines in the Netherlands were radiating enough to let someone see the vote from a distance of 15 meters.
Out of two kinds of voting machine, one was almost immediately decertified and the other followed the next year.
Nowadays every voting machine should be TEMPEST-proof; however, there is no standard that one could refer to to verify or specify that the voting equipment is good enough at not revealing the secrecy of the vote.
Could this release of an NSA document help fight eVoting?
I found a Java simulation here.
Repton.
They say that only an experienced wizard can do the tengu shuffle.
What I think was most interesting about this document was what was left in white-out (this was mentioned in the Wired article) in the report: "Flooding", "Seismic", "anomalies", and why would the headings on these not be classified as well? With the previous "acoustic" section unclassified, at the very least, one can take a guess at what these cover:
Flooding: Probably a protection system which is kinda hinted at in the document but oddly not covered that could exist by flooding the space around a machine with similar signals to obfuscate any readable signal?
Seismic: I would imagine that this would have something to do with machine vibrations used to identify data much like the electromagnetic signatures?
Anomalies: background noise... etc.?
I worked in a TEMPEST shielded flight simulator bay in the 80's. The entire place was sealed, shielded. Dual door airlock to enter/exit. Power came in and spun a motor which spun a generator so there were zero wires leaving the room that were attached to any equipment inside the room.
After it was constructed I remember when it got tested and certified. The main bay was all metal walls and ceiling. If they found a tiny RF leak they'd spot weld over it. When done the inside walls looked like a set from a SciFi movie with tiny laser burns all over.
Ideally you need a fairly old computer for this, with a monitor that scans at normal TV frequencies. I've done this with an Amstrad PCW, which is particularly suitable because the plastic case leaks a lot of RF.
You're also going to need a portable black-and-white TV, a decent aerial, and maybe an aerial booster.
Testing is simple - put a recognisable image up on the screen. This can be the startup screen of an application, a directory listing, even an ASCII-art goatse if you're so inclined. The key is it *must* be a monochrome screen with pixels that are on or off - it won't work with greyscale. There's a subtle side-effect of this, which I'll come to in a moment.
Plug the aerial into the black and white TV. If you're more than a few feet away from the target computer, you're going to need the aerial. The signal you're trying to pick up is *tiny*. Tune the TV until you see what looks like a garbled version of the computer screen - an analogue tuner is best for this. The picture will be extremely weak and noisy, and it will also not be synchronised correctly. Now adjust the horizontal and vertical hold on the TV until you get a stable picture. You should at least be able to make out roughly what's on the screen.
To take it further, you need to break into the TV and add an AM radio. This detects the scanning coils in the monitor, and allows you to generate a sync pulse to lock the TV to the computer. You need to position the TV and AM radio very carefully so the radio isn't picking up the TV scan coils. This is the difficult bit, and in fact I've never got this part to work. I've got readable text off the computer screen before, from about 30 feet. I'd call that working.
Back to the greyscale thing briefly - antialiased fonts use grey pixels on either side of the black or white pixels to "blur" the edges and make the fonts look smoother. This has the effect of lowering the rise time of the signal, and thus not throwing as many harmonics out. Think about it - a switch from a black background to a white pixel is basically a squarewave, but if you step through a couple of shades of grey there's a much lower amplitude change and so the harmonics will be correspondingly quieter. So, anti-aliased fonts prevent Tempest-style attacks, and in fact about 15 years ago you could get "Tempest Fonts" that were basically very fuzzy antialiased fonts.
The other thing is that LCDs don't emit RF harmonics to nearly such an extent. The days of Tempest and Van Eck phreaking are pretty much gone.
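The greyscale point in the comment above can be checked numerically. This is an added example, not part of the original post: it compares the harmonic energy of a hard-edged 1-bit scan line with the same line after edge softening. The 256-pixel line, the 8-pixel stroke width and the 3-tap blur kernel standing in for anti-aliasing are all assumptions made for the illustration.

```python
import cmath
import math

N = 256      # pixels in one constructed scan line (assumption)
STROKE = 8   # stroke width in pixels; strokes repeat every 2 * STROKE

def hard_edge_line(n=N, stroke=STROKE):
    """Constructed 1-bit scan line: every pixel is fully on or fully off."""
    return [1.0 if (i // stroke) % 2 == 0 else 0.0 for i in range(n)]

def antialias(line, passes=1):
    """Soften edges with a circular [1/4, 1/2, 1/4] kernel.

    Assumed stand-in for the grey pixels an anti-aliased font puts
    on either side of each edge.
    """
    out = list(line)
    for _ in range(passes):
        n = len(out)
        out = [0.25 * out[i - 1] + 0.5 * out[i] + 0.25 * out[(i + 1) % n]
               for i in range(n)]
    return out

def band_energy(line, lo, hi):
    """Sum of |X[k]|^2 over DFT bins lo..hi inclusive (naive DFT)."""
    n = len(line)
    total = 0.0
    for k in range(lo, hi + 1):
        xk = sum(v * cmath.exp(-2j * math.pi * k * i / n)
                 for i, v in enumerate(line))
        total += abs(xk) ** 2
    return total

def compare(passes=1):
    """Energy at the stroke fundamental vs. everything above it."""
    fundamental = N // (2 * STROKE)  # bin 16 for the constructed line
    hard = hard_edge_line()
    soft = antialias(hard, passes)
    result = {}
    for name, line in (("hard", hard), ("soft", soft)):
        result[name] = {
            "fundamental": band_energy(line, fundamental, fundamental),
            "harmonics": band_energy(line, fundamental + 1, N // 2),
            "grey_levels": len(set(round(v, 6) for v in line)),
        }
    return result

if __name__ == "__main__":
    for passes in (1, 2):
        r = compare(passes)
        ratio = r["soft"]["harmonics"] / r["hard"]["harmonics"]
        print(f"passes={passes}: harmonic energy kept = {ratio:.3f}")
```

The fundamental, which carries the stroke pattern the eye reads, is barely attenuated, while the energy in the higher harmonics falls sharply with each smoothing pass.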
Are these as accurate as the "historical documents" on Galaxy Quest? Anyone else reminded of that?
These posts express my own personal views, not those of my employer
Really cool software: Tempest for Eliza. Make use of the old CRT in the corner...
"the engineer had just discovered that all information processing machines send their secrets into the electromagnetic ether."
Well, except for the abacus.
Used to know a guy who was even older than me, and pretty good with RF back in the '80's. He could read my Apple ][+ monitor, until I switched from text to what Apple used to call "HiRes graphics". Dunno if he ever rebuilt his equipment and got the picture back, I never heard. It seemed like a peculiar (and slightly crackpot) hobby with no obvious application. Heh.
``Tension, apprehension & dissension have begun!'' - Duffy Wyg&, in Alfred Bester's _The Demolished Man_
Now can we have the historical documents on MISSILE_COMMAND, CENTIPEDE, and MS_PAC_MAN?
In Soviet Russia, Chuck Norris will still kick your ass.
Since I'd done work with TEMPEST in the 1980s and was hanging out with a bunch of crypto people, and since the open-source discussions were mostly people saying "Laptops should protect you just fine since they're LCD", I obviously had to speculate about how this could be happening. My guess is that it wasn't the LCD itself that was radiating, but instead was the VGA jack on the back for plugging into a desktop monitor. Most laptops still have those today, and while many people use LCDs rather than CRTs as desktop monitors, they're still connecting by VGA signals using not-particularly-shielded cables, so there should still be plenty of signal around to listen for.
Obviously today's video signals are a lot higher frequency, so you'd need to use some actual computer equipment rather than squinting at a television. I don't know if the digital signal formats are easier or harder to intercept successfully than the VGA analog ones; maybe that'll help.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Presumably if he made the same discovery today (regarding the weakness of a secure communication) and told anyone about it, he'd be arrested, rather than have his work recognised as beneficial.
I guess that's progress for you
politicians are like babies' nappies: they should both be changed regularly and for the same reasons
For an example of TEMPEST exploits being used successfully look up details of Operation GOLD, the Berlin tunnel.
"Bell Telephone faced a dilemma. They had sold the equipment to the military with the assurance that it was secure, but it wasn't. The only thing they could do was to tell the [U.S. Army] Signal Corps about it, which they did."
Can you imagine a Government contractor coming clean these days? You're more likely to get someone like Dick Jones from OCP:
"I had a guaranteed military sale with ED 209. A renovation program. Spare parts for years. Who cares if it worked or not?"
Electromagnetic leakage was well known by 1943. So well known that since the mid 1930's the Navy had required all receivers to be specially designed as to not leak out any spurious signals such as the local oscillator, BFO, or IF signals. Plentifully documented in the user and service manuals of said radios.
The scope "spiked" because the teletype needed a whopping 60 milliamps of signal current from a high-voltage current-limited source. The edges of a 60-milliamp signal swinging almost 300 volts will radiate quite a ways from the unshielded patch cables of that day.
But the solution is trivial and inexpensive. A 30 cent capacitor and a 20 cent resistor across the signal wires will roll off the spikes very nicely. The remaining 75 baud signal will not radiate above the noise level.
Electrical leakage was the least of your problems. If one of those spiky ball things came after you, you were doomed.
I piss off bigots.
Of a five page article, most of it is covered with white blocks.
<graybeardmode>
Back in 1979 (IIRC), a college classmate and I discovered that our TI-55 calculators would put out a blast of noise on the AM dial whenever something was written to the LED display! We tuned a nearby radio to the most effective frequency and started exploring.
Imagine our excitement when we discovered there was a different delay between bursts depending on how many LED segments were lit up! (That is, it took longer to display 88888888 than 11111111). Hey! We can make Music!! Frustratingly, we were limited to a 32 step program, so many promising attempts fell short because we needed a few more steps to complete the beat. Still, we came up with a dozen or so different rhythms and had a heck of a time doing it!
</graybeardmode>
I'm sure we weren't the only ones to discover this phenomenon... I'd love to hear from others about their experiences.
I love how the linked report has a large section labeled "Seismics", with all the text redacted. The NSA are such teases.
They do release a lot of interesting things though. I've been reading 'Spartans in Darkness', a well-written history of SIGINT in the Vietnam War, by an NSA historian.
http://www.fas.org/irp/nsa/spartans/index.html
I was a radioman in the Coast Guard, we had to go through regular checks to make sure all our equipment was TEMPEST approved. Every 18 months ships go through 'Refresher Training' - all manner of drills and combat readiness training including radio and electronics. A favorite story about ensuring that things were TEMPEST approved was a navy ship that was tracked for days because of the microwave in the chief's mess, every time they popped up some corn the microwave was sending off spurious emissions. The story is dubious but was amusing for coasties at least. At least the discovery of TEMPEST was probably less disastrous than whoever discovered HERO - Hazards of Electromagnetic Radiation to Ordnance! Whenever loading ammo we had to secure radios/radars.
If you must keep groaning, please try to do it in a rhythm I can dance to
"Though he likely didn't know it at the time, the engineer had just discovered that all information processing machines send their secrets into the electromagnetic ether."
Does that include my Dick Tracy secret decoder ring?
We've all heard stories of programming music on a radio from a Commodore PET, or reading the data by converting the flashes from a modem's transmit and receive LEDs, but I'm sure at the start of the electronics era (and especially in a crypto lab during a war) that the concept of being able to listen in on the data processing and glean information from it was staggering.
When our name is on the back of your car, we're behind you all the way!
Too bad we don't have any CRTs with antennae, otherwise I would attempt to test billstewart's suggestion.
The book Spycatcher details how shortly after WWII the British tapped the powerline feeding the coding machine in the French embassy in London. Electrical noise on the line could be correlated with different keys typed on the machine. When this book came out it was banned in Britain.
I got involved in this area when we wanted to use cheap PCs (actually Apple II's) back in the early 80's at a Fort Bragg command for classified processing and communications. (Instead of the multi-gazillion decades-old junk the vendors were selling us.)
.. and let the NSA guys come and listen.
:-) But it was surprising how many governments and agencies world-wide used the common IBM Selectric typewriter and its relatives (even in the most sensitive areas) .. and how easily it could be monitored (every keystroke!) hundreds of meters away.
The signal security guys went nuts, impossible, can't do it, too insecure. Our CG said go ahead and do it, prove you can
So we did. No problem with basically stock Apple II's, monitors, state of the art (then) commercial networking, etc. Easy really, with relatively simple shielding (cable and equipment) techniques, worked fine. Also sent digital data (Kermit or XMODEM) via big encrypted analog modems the Army already had in the system, could even feed the analog signal into the big multi-channel systems the Signal Corps was using for voice and teletype.
Also turns out an external Corvus hard drive we were using (!) was a Most Wonderful broadband jammer, totally masking the few signal traces that were still being emitted.
There were other things happening far earlier (60's and 70's) on the intercept side of things, but I'm not sure what's still classified and what's not, so we won't go there
Years ago the NSA was spending boatloads of money to put copper shielding on all of their PCs and other gear. Then some smart engineer suggested that they shield the entire headquarters building. Nifty.
Seismics (a redacted section in the paper), I'm guessing, has to do with detecting vibrations. The crypto device they talk about apparently uses mechanical relays, which makes perfect sense. One should be able to detect when relay contacts close, and back out some useful information about it. Would love to hear the back story about that. I have yet to come up with a reasonable hypothesis for "Flooding", after dedicating nearly a minute to thinking about it.
...such as humans and animals, as a matter of brain processing.
This is where the idea of tin foil hats came in...
It's nice to see this stuff starting to get declassified.
Back in the late 80's I worked on some electronic key management stuff for the DoD. I was told I could put TEMPEST on my resume, but I was not allowed to tell anyone what it was. One can imagine the kind of odd job-interview situations this produces.
"all information processing machines send their secrets into the electromagnetic ether."
An abacus doesn't: http://en.wikipedia.org/wiki/Abacus
Nor does an old fashioned adding machine:
http://en.wikipedia.org/wiki/Adding_machine#Burroughs.27s_calculating_machine
(Be sure to check out the image of the Burroughs adding machine near the bottom of the page.)
Nor a Manual Typewriter:
http://en.wikipedia.org/wiki/Typewriter
(Be sure to check out the Hansen Writing Ball a little down on the left hand side... It will make you very glad for the keyboards we have today...)
"Computer Scientists can count to 1024 on their fingers" (non-mutant, non-mutilated, human computer scientists)
One thing this does do is help prevent picking up the wrong fiber cable and plugging it in. Especially when there may be 50 cables present under the floor.
Or cutting the wrong one when trying to remove cables...
A fun read.
;-)
mode 1 = electric radiation
mode 2 = magnetic
mode 3 = conducted
mode 4 = power line modulation
mode 5 = acoustic
Then a redacted para titled Seismics.
Curious that the title wasn't redacted.
We are probably being baited,
but it's fun to think that seismics is mode 6,
which still works.
I wonder if you can hear a machine operator
hop up when a message shows up
The page numbers are neat too.
I wonder what's on pages 1-25.
dammit,, they released my facebook to the internets...
__t ___e ____ _r________, ____ ___r_____ ______ ____ _o ____ __ ___ __ ________ _r__ _ __i_ __s__ t__ computer, right? I mean in modern times, we don't really have to worry about this at all, right? Cuz there's so much else being processed and sent down a bus by the processor that you'd never pick out the data accurately, and probably not from more than a millimeter away.
College-Pages.com - Online Colleges, Degrees, and Programs
There were openly shared programs for playing music on an am radio placed near the ibm 1620 cpu. Decks of music were passed around and anyone with a smattering of musical talent could play with it.
Since these EMI run off into space and keep on going, the aliens can find out just about anything they want to and we can't get these waves back ever.
I guess if someone was looking at the sliderule, their brains would emit waves that could be interpreted. I worked on a government project similar to this in 1971.
Not just the 1620. We did the same with our IBM 1130 in the early 70s. I was under the impression it was due to the unshielded core memory (8K, baby!), not the CPU.
Yup. I still remember a call on an open line asking me what the TEMPEST rating of a Symbolics LISP Machine was (I bought the first one at NSA). I told him I didn't know, then called him on a secure line to explain I wasn't permitted to divulge that in the open.