Re: TEMPEST (fwd)
Forwarded message:
Subject: Re: TEMPEST
Date: Mon, 09 Feb 1998 21:07:22 +0000
From: Markus Kuhn <Markus.Kuhn@cl.cam.ac.uk>
> Things are somewhat more complicated and I am not convinced that the e-beam is the primary source of radiation.
Only of the individual pixel modulations. Go back and re-read my post; you missed a whole slew of implications. The vertical and horizontal positioning is via the yoke, not the screen grid. Electrostatic steering of an e-beam is expensive and slow; you can't change the charge on the plates that fast. In regard to the data for the individual scan lines, where else are you going to modulate that beam than a screen grid? This is a high-voltage, low-current point. You can't drive the beam off the screen: the inside of the tube is coated in a carbon-based chemical called 'aquadag' that will short the beam to ground and blow your flyback transformer in short order. Not to mention that the inertia of the e-beam will be a bit of a hassle to deal with as well. It won't move that fast.
> Your claim that the Tempest radiation is modulated by the screen grid does not agree with my practical experience: All signals I get are close to harmonics of the dot clock and not of the screen grid rate.
The screen grid is where the dot clock goes to modulate the e-beam, or is your claim we're going to modulate the filament directly? If so I would suggest you re-take your electronics class and learn how to read a schematic a tad better. A short trip to either your local library or electronics repair business will pay off wonders. You're looking for a Sam's Photo-Facts on the particular monitor you are examining. There is also the fact that the dot clock itself is a low-voltage, low-current device until it gets to the tube drive electronics, where it switches the high voltage drivers to the tube. If you're getting your signal off the harmonics you're doing it the hard way. Go back and re-read your texts on Fourier Transforms and then do a power-spectrum analysis on the signals to the tube; what you will find is that the primary frequencies get the majority of the signal (eg 1st harmonic of a square wave (ie a dot clock) only gets, at best, 1/3 of the energy of the primary). In any case, it's the high voltage emissions of the tube drive electronics that are detected, not the small 5V to 12V drive signals. The same is true for LCD, Plasma, and other flat panel displays. You detect the high-voltage emissions of the display drive electronics. Note that on active transistor displays (where you don't have the high voltage bias as in an LCD) you don't get these sorts of emission magnitudes and they are *much* harder to detect. In addition, in the active transistor displays the display drive electronics should buffer the data and so, unlike a CRT, you don't have to send each individual pixel every time. You can actually send only the changes and implement those. Unless you're integrating the signals you receive, your Tempest display will be gibberish.
> In addition, the Tempest monitor cannot distinguish between an all-black and an all-white image, which it should in the case of a screen-grid caused modulation.
What? This is malarkey. If the screen is black the filament emissions are being blocked by the screen grid and the charge cloud gets shunted to ground via the aquadag coating. This means there is no current, and as a consequence no emitted rf field to monitor. And what keeps it from blowing the flyback in this case is that the charge cloud acts as a capacitor and limits the dv/dt to something that the flyback can deal with; it has to leak past the screen grid. You can also discern this using Tempest to monitor NTSC, where the black pulse is a negative-going pulse at the end of the scanline waveform. It's there so the receiver electronics can know when to turn the e-beam off so you don't get those annoying retrace lines across your screen when it moves back to the left and down one line. Since it's a negative-going pulse with respect to the vertical and horizontal retrace, its dv/dt is going in the opposite direction. If you get a schematic, find the horizontal retrace clock and disable it and monitor the display.
> If there is indeed a screen-grid modulation, then it is *much* weaker than any modulation that you get by software dithering.
This is just plain silly. The switching of the software is drowned in a sea of such noise on the board. Anyone who claims they can pull a valid signal off a cpu pcb at more than a few feet is a liar or else they have some pretty remarkable extra-terrestrial technology. There are literally 10's of thousands of state transitions all over the pcb that are going on in parallel, and the positive transition fields cancel the negative transition fields, so what you end up with is a hash of noise. 30 seconds of looking at a spectrum analyzer will make this obvious. In modern computers what drives the crt is the data residing in the video frame buffer that drives the output electronics on the card, and not the data on the cpu pcb.
> Monitors are pretty strange antennas: For instance, my monitor still radiates quite well (although noticeably weaker) if I switch its power supply off.
It can take as much as 20 minutes to drain a good high-voltage supply (read the documents of all power supplies that operate above a couple hundred volts; it should include the discharge time constant - you want to wait through at least 3 of those). There is also the issue that a crt tube sitting unconnected in the open dry air will develop enough of a charge to knock the shit out of you if you're silly enough to grab the grounding connection on the side with one hand and be grounded to earth with the other. So even if the machine is turned off you get a continuous charge build-up on the tube that gets drained through various resistors to ground. Unfortunately this is a pretty incoherent signal and low power as well. I routinely deal with voltages in the 1MV range and currents (usually not at those voltages) in the 100A range (I build 12 ft. Tesla Coils for grins and giggles that throw discharges in the 8-12 ft. range). When you start talking about voltages above a few hundred there isn't any such thing as 'off', only a higher impedance path to ground and longer time constants. NOTE: if you do decide to play in your monitor then make sure that one of your hands is in your back pocket at *ALL* times. Otherwise make sure there is somebody there to call 911 so they can haul your body off. If you don't, the discharge leakage current through your heart *when* you make a mistake will cause it to go into ventricular fibrillation (v-fib). Unless you've got a de-fibrillator handy you're dead in about 3 minutes.
> Just the passive resonance of the chassis gives a clear signal in around a meter radius with a simple untuned dipole antenna.
If they get within a meter of my machine I seriously doubt they will be using VanEck but rather rubber hose or eye ball monitoring... We're talking real world here not some Tom Clancy novel.
> Switching off a monitor alone does not protect you from eavesdropping a VDU signal, especially if the signal is not just text but a pattern optimized for reception.
True, but instead of being within a couple hundred feet (the average successful range for interception) you're now talking about 10's of feet. At that range my dogs barking will let me know that Mallet is in the house.
> After I unplug the VGA cable however, I can't pick up any signal with our Tempest receiver unless I bring the antenna almost in contact with the cable or connector.
Duh, can you say 'impedance'... Go back and study your analog and rf electronics. A monitor's off impedance per line is somewhere in the 50 to 75 ohm range. The impedance of a wire hanging in the air is much higher, and as a consequence the current flow, and as a result the emitted em field, will be much lower.
> The closed PC chassis also appears to be no very big source of VDU emanations, certainly much below the levels that our receiver can detect.
And this surprises you? A pc chassis, provided you put all the screws in it and don't have lots of holes in it, is a Faraday Cage; it's the reason they make them out of expensive metal and not cheaper plastic. A very effective method to confuse Van Eck is to have several monitors sitting next to each other with different displays. A more active display is much more effective than one that is static (eg. such as a person typing in an email to cypherpunks).

I strongly suggest the following reference:

High-speed Digital Design: a handbook of black magic
H.W. Johnson, M. Graham
ISBN 0-13-395724-1
~$60 US

 ____________________________________________________________________
|                                                                    |
|      The most powerful passion in life is not love or hate,        |
|      but the desire to edit somebody else's words.                 |
|                                                                    |
|                      Sign in Ed Barsis' office                     |
|                                                                    |
|      _____                             The Armadillo Group         |
|   ,::////;::-.                         Austin, Tx. USA             |
|  /:'///// ``::>/|/                     http://www.ssz.com/         |
| .',  ||||    `/( e\                                                |
| -====~~mm-'`-```-mm --'-               Jim Choate                  |
|                                        ravage@ssz.com              |
|                                        512-451-7087                |
|____________________________________________________________________|
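An added example, not part of either post, to put numbers on the spectrum question argued above (Jim's power-spectrum point and Markus's observation that the received signals sit near dot-clock harmonics). It constructs a square-wave dot clock and a random NRZ pixel stream clocked at the same rate, both synthetic, and computes their power spectra with a small radix-2 FFT. The oversampling ratio, window length and the pseudo-random pixel pattern are assumptions of the example, not measurements from any monitor.

```python
"""Added example: where a dot-clock driven signal puts its energy in the spectrum.

Two constructed signals are analysed: an ideal square-wave dot clock and
random NRZ pixel data held for one dot-clock period per pixel.  Everything
here (sample rate, window, pattern) is an assumption of the example.
"""
import cmath
import math
import random

OSR = 64                # samples per dot-clock period (oversampling ratio)
N_PIXELS = 64           # dot-clock periods per analysis window
N = OSR * N_PIXELS      # 4096 samples, a power of two for the FFT
F0_BIN = N // OSR       # DFT bin that holds the dot-clock fundamental


def square_wave(n=N, osr=OSR):
    """Ideal dot clock: +1 for the first half of each period, -1 for the second."""
    return [1.0 if (i % osr) < osr // 2 else -1.0 for i in range(n)]


def pixel_stream(n=N, osr=OSR, seed=1):
    """Constructed NRZ video: one random +/-1 level held for each dot-clock period."""
    rng = random.Random(seed)
    levels = [rng.choice((-1.0, 1.0)) for _ in range(n // osr)]
    return [levels[i // osr] for i in range(n)]


def fft(x):
    """Recursive radix-2 decimation-in-time FFT; len(x) must be a power of two."""
    n = len(x)
    if n == 1:
        return [complex(x[0])]
    even, odd = fft(x[0::2]), fft(x[1::2])
    out = [0j] * n
    for k in range(n // 2):
        t = cmath.exp(-2j * math.pi * k / n) * odd[k]
        out[k] = even[k] + t
        out[k + n // 2] = even[k] - t
    return out


def power_spectrum(x):
    """Power per DFT bin, normalised so that the bins sum to the mean-square value."""
    n = len(x)
    return [abs(c) ** 2 / n ** 2 for c in fft(x)]


def harmonic_power(x, harmonics=7, f0_bin=F0_BIN):
    """Power sitting exactly on the DFT bin of dot-clock harmonic h, for h = 1..harmonics."""
    p = power_spectrum(x)
    return [p[h * f0_bin] for h in range(1, harmonics + 1)]


def band_power(x, harmonics=7, f0_bin=F0_BIN):
    """Power integrated over +/- half a harmonic spacing around each harmonic bin."""
    p = power_spectrum(x)
    half = f0_bin // 2
    return [sum(p[h * f0_bin - half:h * f0_bin + half]) for h in range(1, harmonics + 1)]


def relative(values):
    """Scale a list so the first entry (the fundamental) becomes 1.0."""
    return [v / values[0] for v in values]


if __name__ == "__main__":
    sq = relative(harmonic_power(square_wave()))
    print("square wave, power on harmonic bins relative to the fundamental:")
    print("  " + " ".join(f"h{h}={v:.4f}" for h, v in enumerate(sq, 1)))
    px = pixel_stream()
    print("pixel stream, power exactly on the harmonic bins:",
          " ".join(f"{v:.1e}" for v in harmonic_power(px)))
    print("pixel stream, power in the band around each harmonic:",
          " ".join(f"{v:.4f}" for v in band_power(px)))
```

The square wave has energy only on the odd harmonics, and the power on harmonic h comes out close to 1/h² of the fundamental (the sampled waveform is a little above 1/h² because of aliasing). The random pixel stream behaves differently: as NRZ data it has a spectral null exactly on every multiple of the dot clock, but a spread of energy in the band around each harmonic. That spread, not the clock line itself, is what a receiver tuned to wherever the chassis happens to resonate actually picks up, which is consistent with signals "close to harmonics of the dot clock" rather than on them.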
Jim Choate wrote on 1998-02-09 23:16 UTC:
> The screen grid is where the dot clock goes to modulate the e-beam, or is your claim we're going to modulate the filament directly?
Ok, now I understand what you were talking about. Sorry, this was just a very silly language misunderstanding (my knowledge of CRTs is based on German vocabulary, so I mixed up "screen grid" and "mask" and was surprised to read that you seemed to claim that the per-pixel on-off modulation that van Eck described for his old-style terminals in fig 8c of his C&S paper is still there in the form of current interruptions caused by mask holes ... I hope you can understand my surprise ... ;-). Forget everything I wrote about "screen grid modulation" in my last reply; I fully agree with you here.
> If you're getting your signal off the harmonics you're doing it the hard way. Go back and re-read your texts on Fourier Transforms and then do a power-spectrum analysis on the signals to the tube; what you will find is that the primary frequencies get the majority of the signal (eg 1st harmonic of a square wave (ie a dot clock) only gets, at best, 1/3 of the energy of the primary).
But this is not necessarily where the monitor resonates nicely. Van Eck has reported very similar results in his paper: His VDU had a dot clock of 11 MHz and he got nice resonance peaks near 125 and 210 MHz.
> A very effective method to confuse Van Eck is to have several monitors sitting next to each other with different displays. A more active display is much more effective than one that is static (eg. such as a person typing in an email to cypherpunks).
If you have only a van Eck style receiver, yes. But as soon as you record the reception over some time and observe the images' phases to drift only slightly against each other, you might be able to separate them using similar processing techniques as used in computer tomography.

Markus

--
Markus G. Kuhn, Security Group, Computer Lab, Cambridge University, UK
email: mkuhn at acm.org, home page: <http://www.cl.cam.ac.uk/~mgk25/>
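An added example, not from either author, of the separation Markus sketches above: two constructed rasters with slightly different frame periods are summed with noise into one "received" recording, and folding that recording at each frame period (period-synchronous averaging) recovers the matching image while the other image, which drifts through every phase over the recording, averages out to a constant. The frame lengths, noise level and period search range are assumptions of the example; it is a simpler cousin of the tomographic processing he mentions, not that processing itself.

```python
"""Added example: separating two overlapping raster emissions whose frame
rates differ slightly, by period-synchronous averaging of a long recording.

The two 'images', the frame periods, the noise level and the search range
are all constructed assumptions of the example.
"""
import random
import statistics

FRAME_A = 200   # samples per frame of monitor A (assumed)
FRAME_B = 203   # samples per frame of monitor B, a slightly different rate (assumed)
CYCLES = 2      # how many full beat cycles (lcm of the two periods) to record


def make_frame(length, seed):
    """Constructed 1-D 'image': a fixed +/-1 pattern that repeats every frame."""
    rng = random.Random(seed)
    return [rng.choice((-1.0, 1.0)) for _ in range(length)]


def receive(frame_a, frame_b, n_samples, noise_sigma=1.0, seed=7):
    """Simulate the receiver seeing both rasters summed, plus Gaussian noise."""
    rng = random.Random(seed)
    ta, tb = len(frame_a), len(frame_b)
    return [frame_a[n % ta] + frame_b[n % tb] + rng.gauss(0.0, noise_sigma)
            for n in range(n_samples)]


def fold(signal, period):
    """Average every sample that shares the same phase modulo `period`.

    A raster with exactly this period adds coherently; any other periodic
    component drifts through all phases and flattens towards its mean.
    """
    sums = [0.0] * period
    counts = [0] * period
    for n, v in enumerate(signal):
        sums[n % period] += v
        counts[n % period] += 1
    return [s / c for s, c in zip(sums, counts)]


def correlation(x, y):
    """Pearson correlation; close to 1.0 means the recovered frame matches the original."""
    mx, my = statistics.fmean(x), statistics.fmean(y)
    num = sum((a - mx) * (b - my) for a, b in zip(x, y))
    den = (sum((a - mx) ** 2 for a in x) * sum((b - my) ** 2 for b in y)) ** 0.5
    return num / den


def find_periods(signal, lo, hi, top=2):
    """Estimate the frame periods present: those whose folded frame has most contrast."""
    scored = [(statistics.pvariance(fold(signal, t)), t) for t in range(lo, hi + 1)]
    return sorted(t for _, t in sorted(scored, reverse=True)[:top])


def demo():
    a, b = make_frame(FRAME_A, seed=1), make_frame(FRAME_B, seed=2)
    n = CYCLES * FRAME_A * FRAME_B      # gcd(200, 203) == 1, so the lcm is the product
    rx = receive(a, b, n)
    rec_a, rec_b = fold(rx, FRAME_A), fold(rx, FRAME_B)
    return {
        "periods": find_periods(rx, 190, 210),
        "single_frame_vs_a": correlation(rx[:FRAME_A], a),   # one raw frame: gibberish
        "folded_vs_a": correlation(rec_a, a),                 # folded at A's period
        "folded_vs_b": correlation(rec_b, b),                 # folded at B's period
        "folded_a_vs_b": correlation(rec_a, b[:FRAME_A]),     # B has been averaged out
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

A single received frame correlates poorly with either image because it carries both plus noise; after folding over two full beat cycles each recovered frame correlates with its own image at better than 0.98 and with the other at roughly zero. The `find_periods` step is the part a real attacker needs before folding: the two frame periods show up as the two values of the fold period with the highest contrast, which is the "observe the phases drifting" measurement Markus describes.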
participants (2)
- Jim Choate
- Markus Kuhn