[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: TEMPEST and other "neat stuff"
Paul Ferguson, [email protected], posts excerpts from an article on TEMPEST.
With all due respect :-), the article is largely nonsense.
> 8<------ Snip, Snip ------[ edited ]------
> (c) 1990 Christopher J. Selin [email protected] [email protected]
> Eavesdropping On the Electromagnetic Emanations of Digital Equipment:
> The Laws of Canada England and the United States
> This document is a rough draft. The Legal Sections are overviews.
> .....
> In the United States it is illegal for an
> individual to take effective counter-measures against
> TEMPEST surveillance. This leads to the conundrum that it
> is legal for individuals and the government to invade the
> privacy of others but illegal for individuals to take steps
> to protect their privacy.
This is distinctly not the case. You can take any countermeasures you want.
The precise standards are classified (some SECRET, some CONFIDENTIAL COMSEC),
so you can't find out how good the government's abilities to eavesdrop are,
or precisely what level of protection the government thinks is necessary
to protect classified information, or how good the NSA thinks the Russians are,
but as long as you're not using classified information as your sources,
you can do anything you want. (If you're not protecting yourself *enough*,
the FCC will get on your case, but over-protection is fine.)
> 2. TEMPEST is an acronym for Transient Electromagnetic Pulse
> Emanation Standard.
TEMPEST isn't particularly about transients or electromagnetic pulses, it's about
overall electromagnetic emissions. Electromagnetic Pulses are the big fast spikes you
get from nuclear explosions (or similar slower spikes from lightning, etc.)
and the techniques you use for protection against EMP don't solve your TEMPEST
problems, and vice versa, though both kinds of protection are some help for the other.
In my previous incarnation as a Tool of the Military-Industrial Complex,
I never saw TEMPEST expanded as an acronym in any of the documents I read.
> TEMPEST is a defensive standard; a device which
> conforms to this standard is referred to as TEMPEST Certified.
More specifically, a device that's been tested by an NSA-approved testing lab
and has all the paperwork blessed by the NSA is TEMPEST-certified.
The NSA puts out an "Evaluated Products List" (the name changes every
couple of years) which has approved TEMPEST hardware, NCSC-Orange-Book rated
operating systems, etc.
> The United States government refuses to release details
> regarding TEMPEST and continues an organized effort to censor the
> dissemination of information about it. For example the NSA
> succeeded in shutting down a Wang Laboratories presentation on
> TEMPEST Certified equipment by classifying the contents of the
> speech and threatening to prosecute the speaker with revealing
> classified information. [cite coming].
The Wang Labs people probably had access to the classified documents -
if you have them, you're responsible for not giving out classified information,
and material derived from classified information might deserve classification.
But that's not the same as saying it's "born classified", which is how
nuclear weapons design information is treated (no comments on the legality
of that approach...) Now, it may be that the NSA are overzealous in presuming
the classified nature of the material in the presentation before hearing it;
I don't know the details of the case, but access to classified material
legitimately affects your ability to discuss its contents in public.
> 3. This Note will not discuses how TEMPEST relates to the
> Warrant Requirement under the United States Constitution.
> Nor will it discuss the Constitutional exclusion of foreign nationals
> from the Warrant Requirement.
(*My* copy of the Constitution doesn't say that foreign nationals are
excluded from "the people" who have specific rights to due process,
and the 14th Amendment clearly requires at least the States not to deprive
*any* person of life, liberty, or property without due process,
and not to deny equal protection to anyone within its jurisdiction,
as well as not abridging privileges or immunities of U.S. citizens.
Somehow the recent governments haven't felt that applies to them or something...)
In the case of the Crippler Chip, however, you knew it had a built-in wiretap
when you bought it, which changes some of the reasonable expectations about
privacy a bit.
Bill Stewart