SOFT TEMPEST

Markus Kuhn Markus.Kuhn at cl.cam.ac.uk
Mon Feb 9 11:21:29 PST 1998



"WebWarrior3 at InfoWar.Com" wrote on 1998-02-08 17:29 UTC:
> So, when the software police pull up outside of my
> place of business see that there are six instances of a program being
> displayed with one license I can expect a warrant to be issued?  That
> would suck.

The software that displays the license number plus activation instance
random code in your windows toolbar as an easy receivable spread
spectrum barcode would have to take care of this depending on how
exactly your license agreement is formulated. This can be resolved
in many ways.

The technique of hunting software license violators via Tempest
monitoring is not really targeted at providing 100% accurate
and reliable identification of abuse at any point of time as
you seem to imply. Nor is it alone an effective tool of proofing
abuse. It is more an additional tool in getting an initial hint
that a company is violating a software license at large scale
(e.g., has bought a single copy of an expensive CAD software but
uses it on over 80 workstations all day long), which then can
justify to get court relevant proof by traditional means of
police investigation.

> Unfortunatley, I do not have the time to read through the entire
> document at the URL provided, and can't save it either from the .pdf ...
> the defensive measures sound interesting.

One obvious countermeasure are Tempest shielded computers or rooms,
but these are rather expensive, inconvenient and not always reliable.
Another countermeasure are software reverse-engineering and modifying
the broadcast code. This is around as difficult as removing dongle
checking code: Not impossible, but for the majority of users too
inconvenient.

> Also, does this only work with CRTs or can it detect LCD too?

Oh, yes, beautifully! Ross' TFT laptop radiates better
than the CRT on my desk here. It is true that LCD displays do not have
the <400 kHz signals caused by the deflection coils that are of concern
for the TCO/MPR low-radiation standards. But they radiate as well in the
>1 MHz range where the information carrying signals are
broadcasted as harmonics of for instance the dot clock rate.
LCDs are connected to high-speed drivers with sharp edges and lot's
of nice harmonics.

One more remark: This was so far unfunded research initiated by
our private interest in the subject of compromising radiation. In
this field, the available research literature is very close to zero
(there are the van-Eck/Moeller/Smulder papers and that's it basically), and
all the real knowledge is tightly guarded by the military and diplomatic
community. We hope that developing commercial applications for
compromising radiation will open the way to non-military funding
and open research in this field. Copyright protections seems to be
an interesting application. Tempest research requires some
expensive equipment (special antennas, very high-speed DSP
experimental systems, an absorber room, etc.). If Microsoft or
someone else would like to make some Tempest funding available, I think
this should be highly welcome if the results are going to be published
in the open literature. There is no good reason, why knowledge about
compromising emanations should be restricted to the military
community in a time where industrial espionage with these techniques
is probably a larger threat to economies than the results of foreign
intelligence operations.

The preprint of our first paper on this is now on my home page.

Markus

-- 
Markus G. Kuhn, Security Group, Computer Lab, Cambridge University, UK
email: mkuhn at acm.org,  home page: <http://www.cl.cam.ac.uk/~mgk25/>








More information about the cypherpunks-legacy mailing list