Re: Sealing wax & eKeyboard
"Anything displayed on your screen is visible to the guy across the street with a TEMPEST detector unless you work in a Faraday cage. " No, no you have the whole thing wrong. As May recently stated, "crypto is economics". It's one thing for "them" to set up a camera to look at some Arab guy's computer down on Atlantic Ave in Brooklyn. It's an entirely different thing if, by using a virtual keyboard, "they" have to do the same thing for millions of people. (And in case it's not obvious, the cost probably won't be in the hardware but in the installation costs, and the fact that the probability of detection of such efforts is nonzero, thus nullifying their "investment".) If I have a plan to smash a plane into the Empire State building, I'll probably work harder to hide it. If I'm sharing mp3's on Kazaa or whatever and I don't want to have RIAA make an example out of me, that virtual keyboard may be just right. The real danger of crypto and, I'd argue, a virtual keyboard in this case, is that by spending tiny fractions of money we can make it prohibitively costly for "them" to monitor a large number of transactions. Forget unbreakability. Forget Faraday cages (you don't have anything that important to hide anyway). Cheap, easy and scalable is the only way to bumrush this show. -TD
From: Sunder <sunder@sunder.net> To: Thomas Shaddack <shaddack@ns.arachne.cz> CC: Tyler Durden <camera_lumina@hotmail.com>, timcmay@got.net, cypherpunks@minder.net Subject: Re: Sealing wax & eKeyboard Date: Wed, 16 Jul 2003 13:23:02 -0400 (edt)
Geez! You guys have the DUMBEST ideas ever! For fuck's sake, go and RTFA! (For the dumb: READ THE FUCKING ARCHIVES!)
Anything displayed on your screen is visible to the guy across the street with a TEMPEST detector unless you work in a Faraday cage. Failing that a hidden pinhole camera, or an RF transmitter attached to your cable -- hell these are available for hobbyist use right now: x10.com has small devices that you can use to broadcast video from one room to another. Getting the same done for VGA, XVGA, etc. shouldn't be any harder.
Using IR or RF is one of the stupidest things you could possibly do. Think! IR and RF are detectable from a distance!
Ok, some IR auth is ok, provided it's in a sealed chamber and no photons leak out. i.e. think of two cylinders, sealed at the ends where the cables go, where one fits inside the other... sort of like fiber optic cables and connectors. No leaks.
Direct contact's obviously fine, so long as your alleged attacker can't tap into it.
----------------------Kaos-Keraunos-Kybernetos--------------------------- + ^ + :25Kliters anthrax, 38K liters botulinum toxin, 500 tons of /|\ \|/ :sarin, mustard and VX gas, mobile bio-weapons labs, nukular /\|/\ <--*-->:weapons.. Reasons for war on Iraq - GWB 2003-01-28 speech. \/|\/ /|\ :Found to date: 0. Cost of war: $800,000,000,000 USD. \|/ + v + : The look on Sadam's face - priceless! --------_sunder_@_sunder_._net_------- http://www.sunder.net ------------
On Wed, 16 Jul 2003, Thomas Shaddack wrote:
However, this will work around the keyboard loggers, but will cause development of eg. programs saving the screenshots at the moment of a mouseclick. (Which is definitely more detectable - by storing bulk amounts of data - than just a plain keylogger, disadvantaging the adversary somehow.) Also won't protect against ceiling cams, if they'd have enough resolution to see the screen clearly enough.
Couldn't there be some challenge-response device, eg. over IrDA or radio waves or direct contact (eg, iButton DS1955B or DS1957B), which would be unlocked by something like a PIN code? How to avoid the leakage of the PIN and subsequent seizure of the device then?
On Wed, 16 Jul 2003, Tyler Durden wrote:
"Anything displayed on your screen is visible to the guy across the street with a TEMPEST detector unless you work in a Faraday cage. "
No, no you have the whole thing wrong. As May recently stated, "crypto is economics".
Well, ok, "it all depends on your security model" is certainly the 1st factor to consider, with how much you're willing to spend on it being a constraint to that. If your threat model is simply to have generic good security in case someone steals your machine, then so long as all your files are encrypted, the thief just gets whatever the hardware is worth at "it fell off a truck" prices, and no more. If your threat model is the fully armed and armored ninja attack at 3:00am -- which is what I gathered Sampo's originally presented question to be, then you can assume your attacker would have enough resources to pull off a TEMPEST van across the street, etc. So do you want crypto to keep a rogue government out of your files, or keep your kid sister from reading your email? etc... An on screen virtual keyboard is much easier to see than a real keyboard even by a shitty pinhole camera. A real keyboard would have to be viewed from above, otherwise, all you can do is infer the keystrokes - which gives you a hint of what they are for a passphrase, but not much else. On screen keyboard can be seen much easier and your mouse pointer gives you away. So it all depends on who "they" is. Either way, if "they" believe you are a nice juicy target, and their chances to net lots of data off your machine are high, they will park the TEMPEST SUV outside your door. Not much question of that... If "they" are watching everyone for patterns and you don't stick out like a sore thumb, there's not much need for any of the above.
Empire State building, I'll probably work harder to hide it. If I'm sharing mp3's on Kazaa or whatever and I don't want to have RIAA make an example out of me, that virtual keyboard may be just right.
No, virtual keyboard won't save your ass. Your ISP will hand it over on a plate along with trimmings (traffic logs, etc.) If you're sharing MP3's on Kazaa, you're easy to find, and logs are proof enough. All the RIAA troll has to do is download one song off your IP, prove it came from your IP, and get the ISP to give them logs, and you're toast. Doesn't matter that your hard drive has since been wiped or encrypted or is unreadable. Using crypto to protect files you have already shared with the public is neurotic as a security measure.
The real danger of crypto and, I'd argue, a virtual keyboard in this case, is that by spending tiny fractions of money we can make it prohibitively costly for "them" to monitor a large number of transactions.
And if you do and are noticed, "they" will spend that money because you will be an obvious and clear target. If they can get away with "why don't you just show us what you have - what do you have something to hide?" line to cow sheeple into giving them access, in their mind, you'd be the one to make their careers.
Forget unbreakability. Forget Faraday cages (you don't have anything that important to hide anyway). Cheap, easy and scalable is the only way to bumrush this show.
Again, what's your threat model, who is your attacker, how much are you willing to spend on it?
hi, We can give a tempest demo just with a radio. There is a fun project called Tempest for Eliza which gives an insight into computer security. Tempest for Eliza is a program that uses your computer monitor to send out AM short wave radio signals. You can then hear computer generated music in your radio. It teaches you that your computer can be observed. Tempest for Eliza works with every monitor, every resolution. You don't have to be root. http://freshmeat.net/projects/tempestforeliza/?topic_id=71%2C43 http://www.erikyyy.de/tempest/ Regards Sarath.
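The message above only sketches what Tempest for Eliza does. The following is an added example (written for this page; it is not the project's code and was not posted in the thread) of the arithmetic behind that kind of demo: pick a stripe period so the video signal's fundamental lands on a chosen AM frequency, switch the stripes on and off every few scanlines so the carrier is amplitude-modulated at an audio tone, and check with a DFT that a rendered scanline really peaks at the carrier. The 1024x768@60 timing numbers are the standard VESA values; the assumption that the cable and monitor radiate enough of that fundamental to be heard on a nearby receiver is the premise of the demo and is not something this model verifies.

```python
"""Compute a TEMPEST-for-Eliza style frame: a pixel pattern whose video
signal carries an AM carrier at a chosen RF frequency, switched on and off
per scanline to modulate it at an audio tone.  Added example, not the
project's own code.  The emission physics is assumed, not simulated."""
import cmath
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class VideoMode:
    """Monitor timing.  h_total/v_total include blanking."""
    width: int
    height: int
    pixel_clock_hz: float
    h_total: int
    v_total: int

    @property
    def line_rate_hz(self) -> float:
        # One scanline per h_total pixel clocks: this sets the audio timing grid.
        return self.pixel_clock_hz / self.h_total


# Standard VESA timing for 1024x768 at 60 Hz (65 MHz pixel clock).
XGA_60 = VideoMode(width=1024, height=768, pixel_clock_hz=65_000_000.0,
                   h_total=1344, v_total=806)


def stripe_period_px(mode: VideoMode, carrier_hz: float) -> int:
    """Alternating black/white columns repeating every `period` pixels put the
    fundamental of the video waveform at pixel_clock / period."""
    period = round(mode.pixel_clock_hz / carrier_hz)
    if period < 2:
        raise ValueError("carrier must be below half the pixel clock")
    return period


def realized_carrier_hz(mode: VideoMode, carrier_hz: float) -> float:
    """The carrier you actually get after rounding the period to whole pixels."""
    return mode.pixel_clock_hz / stripe_period_px(mode, carrier_hz)


def lines_per_half_cycle(mode: VideoMode, tone_hz: float) -> int:
    """Stripes on for this many scanlines, then off for the same count,
    gives a square-wave envelope at roughly tone_hz."""
    return max(1, round(mode.line_rate_hz / (2.0 * tone_hz)))


def realized_tone_hz(mode: VideoMode, tone_hz: float) -> float:
    return mode.line_rate_hz / (2.0 * lines_per_half_cycle(mode, tone_hz))


def render_frame(mode: VideoMode, carrier_hz: float, tone_hz: float) -> list:
    """Frame as a list of rows, each a list of 0 (black) / 1 (white) pixels."""
    period = stripe_period_px(mode, carrier_hz)
    half = lines_per_half_cycle(mode, tone_hz)
    stripes = [1 if (x % period) < period // 2 else 0 for x in range(mode.width)]
    black = [0] * mode.width
    # Even half-cycles carry the stripes (carrier on), odd ones are black (off).
    return [stripes if (y // half) % 2 == 0 else black for y in range(mode.height)]


def strongest_frequency_hz(row: list, pixel_clock_hz: float) -> float:
    """Plain O(n^2) DFT of one scanline (mean removed); returns the frequency
    of the strongest bin below Nyquist, i.e. where a receiver finds the carrier."""
    n = len(row)
    mean = sum(row) / n
    samples = [v - mean for v in row]
    twiddle = [cmath.exp(-2j * math.pi * i / n) for i in range(n)]
    best_k, best_mag = 1, -1.0
    for k in range(1, n // 2):
        acc = 0j
        for i, v in enumerate(samples):
            acc += v * twiddle[(k * i) % n]
        mag = abs(acc)
        if mag > best_mag:
            best_k, best_mag = k, mag
    return best_k * pixel_clock_hz / n


if __name__ == "__main__":
    carrier, tone = 1_000_000.0, 440.0          # 1 MHz AM band, A4 tone
    frame = render_frame(XGA_60, carrier, tone)
    print("stripe period (px):", stripe_period_px(XGA_60, carrier))
    print("carrier realized  :", realized_carrier_hz(XGA_60, carrier))
    print("tone realized     :", round(realized_tone_hz(XGA_60, tone), 2))
    print("row 0 DFT peak    :", strongest_frequency_hz(frame[0], XGA_60.pixel_clock_hz))
```

The DFT peak sits within one bin (pixel clock / width) of the requested carrier rather than exactly on it, because a scanline of 1024 pixels is not a whole number of 65-pixel periods; the harmonics of the square wave are what let the real program cover frequencies the fundamental cannot reach.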
participants (3)
-
Sarad AV
-
Sunder
-
Tyler Durden