Re: TEMPEST and other "neat stuff"




Paul Ferguson, [email protected], posts excerpts from an article on TEMPEST.
With all due respect :-), the article is largely nonsense.
> 8<------ Snip, Snip ------[ edited ]------
> (c) 1990 Christopher J. Selin [email protected] [email protected]
>  Eavesdropping On the Electromagnetic Emanations of Digital Equipment:
>  The Laws of Canada England and the United States
>  This  document is  a rough draft. The Legal Sections are overviews.
> .....
>    In  the United  States it is  illegal for  an
>    individual  to  take   effective  counter-measures   against
>    TEMPEST surveillance.  This  leads to the conundrum that  it
>    is legal  for individuals and  the government to  invade the
>    privacy of others but illegal for  individuals to take steps
>    to protect their privacy.

This is distinctly not the case.  You can take any countermeasures you want.
The precise standards are classified (some SECRET, some CONFIDENTIAL COMSEC),
so you can't find out how good the government's abilities to eavesdrop are,
or precisely what level of protection the government thinks is necessary
to protect classified information, or how good the NSA thinks the Russians are,
but as long as you're not using classified information as your sources,
you can do anything you want.  (If you're not protecting yourself *enough*,
the FCC will get on your case, but over-protection is fine.)

>    2.  TEMPEST  is an  acronym for  Transient Electromagnetic  Pulse
>    Emanation Standard.   
TEMPEST isn't particularly about transients or electromagnetic pulses; it's about
overall electromagnetic emissions.  Electromagnetic Pulses are the big fast spikes you
get from nuclear explosions (or similar slower spikes from lightning, etc.)
and the techniques you use for protection against EMP don't solve your TEMPEST 
problems, and vice versa, though both kinds of protection are some help for the other.

In my previous incarnation as a Tool of the Military-Industrial Complex,
I never saw TEMPEST expanded as an acronym in any of the documents I read.

>    TEMPEST  is  a defensive  standard; a  device which
>    conforms to this standard is referred to as TEMPEST Certified.
More specifically, a device that's been tested by an NSA-approved testing lab
and has all the paperwork blessed by the NSA is TEMPEST-certified.
The NSA puts out an "Evaluated Products List" (the name changes every
couple of years) which has approved TEMPEST hardware, NCSC-Orange-Book rated
operating systems, etc.

>         The  United  States  government refuses  to  release details
>    regarding TEMPEST and continues an organized effort to censor the
>    dissemination of  information  about it.    For example  the  NSA
>    succeeded in shutting  down a  Wang Laboratories presentation  on
>    TEMPEST Certified equipment  by classifying  the contents of  the
>    speech and threatening  to prosecute  the speaker with  revealing
>    classified information.  [cite coming].

The Wang Labs people probably had access to the classified documents -
if you have them, you're responsible for not giving out classified information,
and material derived from classified information might deserve classification.
But that's not the same as saying it's "born classified", which is how
nuclear weapons design information is treated (no comments on the legality
of that approach...)  Now, it may be that the NSA are overzealous in presuming
the classified nature of the material in the presentation before hearing it;
I don't know the details of the case, but access to classified material
legitimately affects your ability to discuss its contents in public.
  
>    3.  This  Note  will not  discuss  how  TEMPEST relates  to  the
>    Warrant Requirement under  the United  States Constitution.  
>    Nor will it discuss the Constitutional exclusion of foreign nationals
>    from the Warrant Requirement.

(*My* copy of the Constitution doesn't say that foreign nationals are
excluded from "the people" who have specific rights to due process,
and the 14th Amendment clearly requires at least the States not to deprive
*any* person of life, liberty, or property without due process, 
and not to deny equal protection to anyone within its jurisdiction,
as well as not abridging privileges or immunities of U.S. citizens.
Somehow the recent governments haven't felt that applies to them or something...)

In the case of the Crippler Chip, however, you knew it had a built-in wiretap
when you bought it, which changes some of the reasonable expectations about
privacy a bit.


		Bill Stewart