JEWELLLW@VM.CC.PURDUE.EDU (Larry W. Jewell) (02/09/91)
From: "Larry W. Jewell" <JEWELLLW@VM.CC.PURDUE.EDU>
In regards to the "TEMPEST" security requirements for computers, I
received a lot of "BURN-BEFORE-READING" messages which were informative
and the following pieces which should not violate anybody or
anything.
In response to your kind advice, my boss is moving me into a cave!
THANKS FOLKS! ;-).
====================================================================
From: carlson@gateway.mitre.org (Bruce Carlson)
TEMPEST defines a set of requirements for protection from electronic
emanations. A system that is TEMPEST certified will lose its
certification (until retested) if you modify any hardware. You can't
swap keyboards, plug in a printer, etc. If you use peripherals they
must also be certified, or you lose your certification.
I don't know the specific government references, but there are quite
a few engineers that are qualified to do TEMPEST certifications and
they should be able to give you details.
TEMPEST protects you from electronic monitoring, but doesn't cover
other types of security protection. These are explained in the "Orange Book"
from NSA. I think the real name of the book is something like
Security Certification Guideline, but it's almost always called
the Orange Book.
There were TEMPEST versions of the Zenith 150, Zenith 248, IBM PC
and 3270 PC (AT also, I think) that have been on govt contracts.
There are existing TEMPEST versions of the MAC II(ci?) and the
GRID microcomputer (the GRID Severe-Environment-TEMPEST (SET)).
There is also a TEMPEST version of the HP 3000, but it is sold
under another name plate. Most of these machines are at least twice
as expensive in the TEMPEST version and may not include all the options
since each option would have to be certified (every monitor, etc.).
Bruce Carlson
carlson@gateway.mitre.org
========================================================================
From: Paul Damian Franzon <paulf@mcnc.org>
>
This is actually no longer true. To snoop on a computer you need
a big antenna and a bunch of electronics. The Govt realized that
by simply preventing this through appropriate physical security
(i.e. Don't let big trucks with unknown drivers with antennas into your secure
compound :-))
they could save a lot of money on this tempest stuff.
PCs used in places like the US Embassy in USSR still use Tempest however.
Paul Franzon
========================================================================
From: willis@cs.tamu.edu (Willis Marti)
The short answer is that the specs are also classified. Another part of the
answer is that TEMPEST gear is most appropriate in environments where you
are willing to pay attention to security. And, finally, if your industrial
"opponents" can pay enough to overcome the TEMPEST spec, then they
probably spent more than they would have on product development. 1/2 8-)
Cheers,
Willis Marti (ex-dealer in "spook" stuff)
henry@zoo.toronto.edu (Henry Spencer) (02/11/91)
From: henry@zoo.toronto.edu (Henry Spencer)
>From: "Larry W. Jewell" <JEWELLLW@VM.CC.PURDUE.EDU>
>... And, finally, if your industrial
>"opponents" can pay enough to overcome the TEMPEST spec, then they
>probably spent more than they would have on product development. 1/2 8-)
A side note on this, which got made in private mail to me after I posted
a quick followup on the original, is that even if your gear is *not*
Tempest-qualified, the odds are excellent that a determined spy can get
results faster and cheaper by means other than electronic eavesdropping.
The government's concern with Tempest gear is all basically paranoia;
there has been no known case of computer emissions actually spilling
anything to the bad guys. Espionage cases are almost invariably "inside
jobs". It is probably easier to bribe your janitors than to eavesdrop
on your monitors.
--
"Maybe we should tell the truth?"      | Henry Spencer at U of Toronto Zoology
"Surely we aren't that desperate yet." | henry@zoo.toronto.edu utzoo!henry
cash@convex.com (Peter Cash) (02/12/91)
From: cash@convex.com (Peter Cash)
In article <1991Feb9.034453.5301@cbnews.att.com> "Larry W. Jewell" <JEWELLLW@VM.CC.PURDUE.EDU> writes:
>This is actually no longer true. To snoop on a computer you need
>a big antenna and a bunch of electronics. The Govt realized that
>by simply preventing this through appropriate physical security
>(i.e. Don't let big trucks with unknown drivers with antennas into your secure
>compound :-))
>they could save a lot of money on this tempest stuff.
Not all eavesdropping methods rely on antennas. It is possible to pick
up the signal generated by a keyboard by wiretapping--and the wire does
not necessarily have to be one that you intend to be transmitting a
signal on.
The book _Spycatcher_ describes, for example, how British intelligence
cracked a French diplomatic code. The French had a teletype hooked to
an encryption device, which then transmitted the encoded signal over a
wire to its destination outside the embassy. The British tapped the
wire, and were able to pick up the pulses from the teletype. Thus, they
were able to intercept both coded and clear transmissions at once.
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| Die Welt ist alles, was Zerfall ist. | Peter Cash
| (apologies to Ludwig Wittgenstein)   | cash@convex.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
cramer@uunet.UU.NET (Clayton Cramer) (02/14/91)
From: optilink!cramer@uunet.UU.NET (Clayton Cramer)
In article <1991Feb11.052309.4004@cbnews.att.com>, henry@zoo.toronto.edu (Henry Spencer) writes:
> A side note on this, which got made in private mail to me after I posted
> a quick followup on the original, is that even if your gear is *not*
> Tempest-qualified, the odds are excellent that a determined spy can get
> results faster and cheaper by means other than electronic eavesdropping.
> The government's concern with Tempest gear is all basically paranoia;
> there has been no known case of computer emissions actually spilling
> anything to the bad guys. Espionage cases are almost invariably "inside
> jobs". It is probably easier to bribe your janitors than to eavesdrop
> on your monitors.
This reminds me of an incident that happened many years ago when I
worked at Jet Propulsion Labs. Not a military installation, but they
were secured rather like one, and security was made even more so after
terrorists threatened to bomb JPL on July 4, 1976 (both the U.S.
Bicentennial and Viking's landing on Mars).
There were photo id badges required to enter the lab. Those of us that
worked in the Space Flight Operations Facility had a separate magnetic
stripe card badge to get us into the building. Really secure against
unauthorized entry, right?
So one night, the "non-interruptible power supply" for the whole
building went out. Data had to be recovered from the stations of the
Deep Space Network. What happened? One of the janitors hit a big
switch downstairs with his mop handle while cleaning the floor.
So I decided to take a careful look at the badges used by the janitors
in SFOF. Sure enough, no picture badges, and a generic mag stripe card
to get them in every room in the building. All these security
precautions could have been easily circumvented by getting a job with
the janitorial firm (an outside contractor), and just walking in the
door with a mop.
Does it seem like the people responsible for "security" like to play
with neat toys?
--
Clayton E. Cramer {uunet,pyramid,pixar,tekbspa}!optilink!cramer
"The tree of liberty must be watered periodically with the blood of
tyrants and patriots alike. It is its natural manure." -- Thomas Jefferson
You must be kidding! No company would hold opinions like mine!
major@uunet.UU.NET (Mike Schmitt) (02/15/91)
From: bcstec!shuksan!major@uunet.UU.NET (Mike Schmitt)
> From: optilink!cramer@uunet.UU.NET (Clayton Cramer)
> Does it seem like the people responsible for "security" like
> to play with neat toys?
Though I'm reluctant to admit I was once one of those security people -
there is a tendency to focus on hi-tech security - and overlook the
obvious. Sometimes I think that 'security people' don't use common
sense. Then, again - lots of army "security people" are warrant
officers. (I never said I "liked" warrant officers).
[I have no idea where I'm goin with this - bye]
mike schmitt
"Burn Before Reading!"
"Pierce One Eye!"
"Not Releasable to Anyone!"