To: ukcrypto@maillist.ox.ac.uk
Subject: It is really me - the story of Soft Tempest
Date: Sun, 08 Feb 1998 15:09:40 +0000
From: Ross Anderson
Is this story correct?
The Washington Post gives a highly distorted account of some very
important scientific work we have done. I suggest that list members
read our paper -
If these rumors are true, I guess we will face a similar discussion on free availability in the area of TEMPEST equipment. Does privacy protection also include the free choice of protection mechanism?
I say this: our discovery, that Tempest protection can be done in
software as well as hardware, puts it beyond the reach of effective
export control. So yes, you now have a choice. You didn't before,
Ross Anderson
----------
http://www.washingtonpost.com/wp-srv/WPlate/1998-02/07/060l-020798-idx.html
British Technology Might Flush Out Software Pirates
By John Burgess
Washington Post Foreign Service
Saturday, February 7, 1998; Page H01
CAMBRIDGE, England— It's a technique that intelligence
agencies have used for years: Park a van filled with
monitoring gear near an embassy and listen for the faint radio
signals that computers routinely emit when they are on.
Analyze those signals for clues to the data that are on the
computers.
Now researchers at the University of Cambridge, home of
groundbreaking work in intelligence over the years, are trying
to adapt this technology to the fight against software piracy.
With special code written into software, they say, computers
could be made to broadcast beacons that would carry several
hundred yards and identify the software they were running,
complete with serial numbers of each copy.
Vans run by anti-piracy groups could pull up outside a
company's office and count the number of software signals
emanating from it. If, say, 50 beacons for a particular title
were detected but the company had licensed only two copies
of the software, that could become evidence on which a court
would issue a search warrant.
Ross Anderson, a University of Cambridge lecturer who is
overseeing the project, said the idea originated last year when
Microsoft Corp. Chairman Bill Gates visited the university
after his private foundation announced a $20 million donation
to the school. Gates told officials that, among other things, he
would love the university to come up with new anti-piracy
techniques.
So far, Microsoft isn't enthusiastic about the university's
approach, Anderson said. "They have some reservations.
Obviously there are Big Brother aspects," he said. A
Microsoft spokeswoman said the company has no plans to
adapt the technology.
Emilia Knight, a vice president at BSA Europe, a trade group
that combats software piracy, said such an anti-piracy system
might be technically feasible. But she noted many practical
questions on the legal side, such as how the system would
differentiate between companies pirating software and those
legally using multiple copies of programs.
Knight said that concerns of privacy and consumer rights
might make the system a no-go for industrialized countries.
But in places like Eastern Europe, she suggested, where piracy
is rampant and there is no tradition of such protections, the
software signal detectors might be acceptable.
Richard Sobel, a political scientist who teaches at Harvard
University and researches privacy issues, called it "an
appalling idea."
"If the technology is there to identify what software people are
using, there's the prospect to figure out what people are doing.
. . . It sounds like a horrible violation of privacy," Sobel said.
In Britain, however, it might seem less controversial. Here
authorities have long used similar techniques to ferret out
people who fail to pay the annual license fee of about $150
that the law requires for each TV set in the country.
Cruising the streets here are vans carrying equipment that can
detect emissions from a TV set's "local oscillator," the part
that turns a station's signal into a picture. If the gear senses a
TV set inside a house from which there is no record of a
license payment, this is used as evidence to levy fines.
The system also can tell what channel people are watching
because the oscillator gives off a slightly different signal for
each one.
Anderson's researchers have built a prototype that can detect
the type of software running on a machine from short range --
the hallway outside the room where the computer is running.
Anderson said they are ready to build prototype hardware
with a longer range, at a cost of about $15,000-$30,000 -- if
the lab can find a customer. So far, none has stepped forward.
© Copyright 1998 The Washington Post Company
----------
Date: Sat, 7 Feb 1998 13:05:45 -0500
From: Stewart Baker