Re: SOFT TEMPEST (fwd)
Forwarded message:
Subject: Re: SOFT TEMPEST
Date: Mon, 09 Feb 1998 16:44:52 +0000
From: Markus Kuhn <Markus.Kuhn@cl.cam.ac.uk>
The software that displays the license number plus activation instance random code in your windows toolbar as an easy receivable spread spectrum barcode would have to take care of this depending on how exactly your license agreement is formulated. This can be resolved in many ways.
Has your technique been verified by any 3rd parties who are not affiliated with you or your firm? Do you expect to do any public demonstrations of this technology in the near future? Would it be possible to arrange for an independent 3rd party to receive a test setup for evaluation?
The technique of hunting software license violators via Tempest monitoring is not really targeted at providing 100% accurate and reliable identification of abuse at any point of time as
That's good. The thought that given current technology a signal reception van could pull one monitor's display out of a building that could potentially have 1,000+ PCs (my last job had about 1500/floor and 3 floors) at a range of say 200 ft. is truly incomprehensible. If it works that is a feat worth many laurels.
(e.g., has bought a single copy of an expensive CAD software but uses it on over 80 workstations all day long), which then can justify to get court relevant proof by traditional means of police investigation.
You show up in my company's parking lot without my permission and start snooping, you'll be the one sitting in jail facing industrial espionage charges. Any defence lawyer worth a damn would be able to blow this out of the water; private citizens don't have the right to invade my privacy any more than police without a warrant, and that takes probable cause.
One obvious countermeasure are Tempest shielded computers or rooms,
It's the monitors that need to be shielded; the computers already sit in a Faraday cage. Simple copper screen glued to the inside of the monitor case with a paper shield and then grounded will resolve that problem. Be sure to put a grounded screen on the front of the tube as well (similar to those radiation shields that some companies make that don't work because they aren't grounded).
Another countermeasure is software reverse-engineering and modifying the broadcast code. This is around as difficult as removing dongle checking code: not impossible, but for the majority of users too inconvenient.
A simple Gunn diode oscillator driving a broad-band 100W RF amplifier will swamp any signal you could hope to catch. Cost, about $250 ea. With the new low-power transmitter rulings there wouldn't be much anyone could do about it either.
an interesting application. Tempest research requires some expensive equipment (special antennas, very high-speed DSP experimental systems, an absorber room, etc.).
Gee, and to think that when I've done this sort of stuff I only used a Commodore 1702 composite monitor and some RF amplifiers and filters... Duh, silly me. Any claim that it can *only* be done with lots of money is almost always wrong.
"The most powerful passion in life is not love or hate, but the desire to edit somebody else's words." -- Sign in Ed Barsis' office
-- Jim Choate, The Armadillo Group, Austin, Tx. USA, http://www.ssz.com/, ravage@ssz.com, 512-451-7087
On Mon, 9 Feb 1998, Jim Choate wrote:
That's good. The thought that given current technology a signal reception van could pull one monitor's display out of a building that could potentially have 1,000+ PCs (my last job had about 1500/floor and 3 floors) at a range of say 200 ft. is truly incomprehensible. If it works that is a feat worth many laurels.
I don't know about displaying the screens of several thousand PCs at a site, but you can easily select any given screen of several dozen PCs, using $100 worth of equipment plus a [>>$100] quality frequency generator. At HIP'97, I watched a van Eck demonstration given by a German professor. Using cheap analog equipment and one of the better HP frequency generators, he pulled screen images from the power line, the networking cable, and out of thin air. Since the oscillators in the devices to be monitored all have slightly different frequencies, you can actually tune the monitoring equipment to a specific PC, even if there are numerous PCs on the same floor of the building. I am told screen images can be captured up to 600 meters along the power line. Now all this was done without the use of a DSP. I can only imagine what one could capture after adding a DSP to the setup.
-- Lucky Green <shamrock@cypherpunks.to> PGP v5 encrypted email preferred. "Tonga? Where the hell is Tonga? They have Cypherpunks there?"
On Tue, Feb 10, 1998 at 03:03:53AM +0100, Lucky Green wrote:
Now all this was done without the use of a DSP. I can only imagine what one could capture after adding a DSP to the setup.
Miles... Given static screen images and thousands of repetitions in a few seconds, the processing gain from integration of the signal versus the uncorrelated noise over thousands of cycles gets quite interesting. And add to that the tricks one can do with comb filters and combining together the correlated energy from several harmonics of the dot clock, one can see that getting signal out from under the trash is easy even at considerable distances. It has, in fact, been speculated that the larger NSA geo and near geosync ELINT/COMINT satellites probably have the required capability to accomplish this from orbit (with football field sized antennas this isn't out of the question at all). Also the "frequency generator" you talk about need not be some extremely expensive HP synthesizer (often of course available for a few dollars at the local ham radio flea markets in any case), but simply a good voltage controlled crystal oscillator on the right frequency. These are $5 parts...
-- Dave Emery N1PRE, die@die.com DIE Consulting, Weston, Mass. PGP fingerprint = 2047/4D7B08D1 DE 6E E1 CC 1F 1D 96 E2 5D 27 BD B0 24 88 C3 18
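The integration argument above, as an added example that is not part of Dave Emery's post or anything else in this thread: a stdlib-only Python simulation of coherently averaging N noisy captures of one repeating frame, showing that the SNR improves by about 10*log10(N) dB (so a static screen 20 dB below the noise floor becomes readable after a thousand frames). Frame length, noise level and the pixel pattern are all constructed values for illustration.

```python
"""Coherent integration of a repeating raster signal buried in noise.

A static screen is redrawn every frame, so its emission repeats while the
receiver noise does not. Averaging N aligned captures reduces noise power
by N, i.e. a processing gain of 10*log10(N) dB. All numbers are constructed.
"""
import math
import random

FRAME_LEN = 512          # samples per simulated frame (constructed)
SIGNAL_AMPLITUDE = 1.0   # +/-1 pixel pattern -> signal power 1
NOISE_SIGMA = 10.0       # noise power 100 -> single-capture SNR about -20 dB

def make_frame(rng, length=FRAME_LEN):
    """One fixed +/-1 pixel pattern, identical on every repetition."""
    return [SIGNAL_AMPLITUDE if rng.random() < 0.5 else -SIGNAL_AMPLITUDE
            for _ in range(length)]

def capture(frame, rng, sigma=NOISE_SIGMA):
    """One observation of the frame with independent Gaussian noise per sample."""
    return [s + rng.gauss(0.0, sigma) for s in frame]

def coherent_average(captures):
    """Sum frame-aligned captures sample by sample and divide by the count."""
    n = len(captures)
    return [sum(col) / n for col in zip(*captures)]

def snr_db(estimate, frame):
    """Ratio of true signal power to residual error power, in dB."""
    sig = sum(s * s for s in frame) / len(frame)
    err = sum((e - s) ** 2 for e, s in zip(estimate, frame)) / len(frame)
    return 10 * math.log10(sig / err)

def theoretical_gain_db(n):
    """Expected processing gain from averaging n independent captures."""
    return 10 * math.log10(n)

def simulate(n, seed=1):
    """Average n captures; report SNR before/after, gain and pixel errors."""
    rng = random.Random(seed)
    frame = make_frame(rng)
    captures = [capture(frame, rng) for _ in range(n)]
    single = snr_db(captures[0], frame)
    avg = coherent_average(captures)
    averaged = snr_db(avg, frame)
    # pixel recovered by sign: count mismatches against the true pattern
    errors = sum(1 for e, s in zip(avg, frame) if (e >= 0) != (s >= 0))
    return {"single_db": single, "averaged_db": averaged,
            "gain_db": averaged - single, "bit_errors": errors}

if __name__ == "__main__":
    for n in (1, 10, 100, 1000):
        r = simulate(n)
        print(f"N={n:5d} SNR {r['single_db']:6.1f} -> {r['averaged_db']:6.1f} dB, "
              f"gain {r['gain_db']:5.1f} (theory {theoretical_gain_db(n):5.1f}), "
              f"pixel errors {r['bit_errors']}/{FRAME_LEN}")
```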
On Mon, 9 Feb 1998, Dave Emery wrote:
On Tue, Feb 10, 1998 at 03:03:53AM +0100, Lucky Green wrote:
Now all this was done without the use of a DSP. I can only imagine what one could capture after adding a DSP to the setup.
Miles...
Given static screen images and thousands of repetitions in a few seconds, the processing gain from integration of the signal versus the uncorrelated noise over thousands of cycles gets quite interesting. And add to that the tricks one can do with comb filters and combining together the correlated energy from several harmonics of the dot clock, one can see that getting signal out from under the trash is easy even at considerable distances.
That would be my analysis as well. Note that the van Eck demonstration I saw didn't even make use of the common analog tricks, such as using a superheterodyne receiver. Not to mention the near magical capabilities of a few Fourier transforms for pulling a nice, fat signal spike out of all that "white noise". There wasn't a single person watching said demonstration in that brutally hot tent at HIP'97 that didn't walk away impressed. And I can off the top of my head come up with a design that would improve the gain by at least 20 dB over what was used there.
-- Lucky Green <shamrock@cypherpunks.to> PGP v5 encrypted email preferred. "Tonga? Where the hell is Tonga? They have Cypherpunks there?"
On Tue, Feb 10, 1998 at 06:46:55AM +0100, Lucky Green wrote:
There wasn't a single person watching said demonstration in that brutally hot tent at HIP'97 that didn't walk away impressed. And I can off the top of my head come up with a design that would improve the gain by at least 20 dB over what was used there.
I wasn't impressed. That main tent was an old circus tent and was huge, with enough room for one thousand people. Unfortunately it had the effect of focusing and amplifying the already excessive heat on the sweating and dehydrated victims sitting in it. By the final day an attempt had been made to open it up a bit more and to spray cold water on it. The first thing I saw was a demonstration of the "Van Eck effect". The idea was to pick up the screen display of someone's monitor at a distance to read the information off it. The lecturer was a German professor and spoke heavily accented English. He was very much as a German professor might be shown in a film. He spoke a lot about "Ze Incriminating Emissions", which seemed rather funny at the time. He had an aerial, which looked like an unconvincing Dr Who prop, attached to a standard TV. The circus tent atmosphere led somehow to the impression that he was a stage magician performing tricks. Also the audience's habit of cheering after each trick didn't help. On the target PC screen were a few words in a very large font and he was able to display this up on the TV. He also put a device around the power supply lead and could pick up a better picture this way. There were mutterings from the audience, many of whom seemed unimpressed. At the question session the poor chap got a rather hard ride, the gist of it being "What we have been shown is twenty years old, there are modern digital techniques that are much better". His reply was "They are very expensive and we have only just got the equipment and the results aren't finished yet." The countermeasures were Tempest shielding. In short, if your password is visible on your monitor in letters three inches high and there is a van outside your office with a large aerial and German plates this might mean trouble. Or maybe the NSA can pick it up anyway from America using the "newer techniques".
-- Steve Mynott "no man or group of men shall aggress upon the person or property of anyone else." -- Murray N. Rothbard