Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!sdd.hp.com!zaphod.mps.ohio-state.edu!pacific.mps.ohio-state.edu!linac!att!cbnews!cbnews!military
From: JEWELLLW@VM.CC.PURDUE.EDU (Larry W. Jewell)
Newsgroups: sci.military
Subject: Tempest report (eyes-only).
Message-ID: <1991Feb9.034453.5301@cbnews.att.com>
Date: 9 Feb 91 03:44:53 GMT
Sender: military@cbnews.att.com (William B. Thacker)
Organization: AT&T Bell Laboratories
Lines: 65
Approved: military@att.att.com

From: "Larry W. Jewell"

In regards to the "TEMPEST" security requirements for computers, I
received a lot of "BURN-BEFORE-READING" messages which were informative
and the following pieces which should not violate anybody or anything.
In response to your kind advice, my boss is moving me into a cave!
THANKS FOLKS! ;-).

====================================================================
From: carlson@gateway.mitre.org (Bruce Carlson)

TEMPEST defines a set of requirements for protection from electronic
emanations. A system that is TEMPEST certified will lose its
certification (until retested) if you modify any hardware. You can't
swap keyboards, plug in a printer, etc. If you use peripherals they
must also be certified, or you lose your certification.

I don't know the specific government references, but there are quite a
few engineers that are qualified to do TEMPEST certifications and they
should be able to give you details.

TEMPEST protects you from electronic monitoring, but doesn't cover
other types of security protection. These are explained in the "Orange
Book" from NSA. I think the real name of the book is something like
Security Certification Guideline, but it's almost always called the
Orange Book.

There were TEMPEST versions of the Zenith 150, Zenith 248, IBM PC and
3270 PC (AT also, I think) that have been on govt contracts. There are
existing TEMPEST versions of the MAC II(ci?) and the GRID microcomputer
(the GRID Severe-Environment-TEMPEST (SET)).
There is also a TEMPEST version of the HP 3000, but it is sold under
another name plate. Most of these machines are at least twice as
expensive in the TEMPEST version and may not include all the options
since each option would have to be certified (every monitor, etc.).

Bruce Carlson
carlson@gateway.mitre.org

======================================================================== 41
From: Paul Damian Franzon

This is actually no longer true. To snoop on a computer you need a big
antenna and a bunch of electronics. The Govt realized that by simply
preventing this through appropriate physical security (i.e. don't let
big trucks with unknown drivers with antennas into your secure
compound :-)) they could save a lot of money on this tempest stuff.
PCs used in places like the US Embassy in USSR still use Tempest,
however.

Paul Franzon

======================================================================== 18
From: willis@cs.tamu.edu (Willis Marti)

The short answer is that the specs are also classified. Another part
of the answer is that TEMPEST gear is most appropriate in environments
where you are willing to pay attention to security. And, finally, if
your industrial "opponents" can pay enough to overcome the TEMPEST
spec, then they probably spent more than they would have on product
development. 1/2 8-)

Cheers,
Willis Marti (ex-dealer in "spook" stuff)