From: Rocco Rosano
Date: Thu Aug 10, 2000 6:16pm
Subject: Re: The Tempest Surrounding Tempest [Debunking the Myth]

Good, very good article.

There are very few TEMPEST issues, these days.

There are some exploitable emanations, Hi-Jacks, and Piggy-backs, but by and large, most of them are now TSCM problems. The days of RED, PINK (NATO) and BLACK bleed-overs ---- and most overpowered monitor issues are rectified with effective grounding. TEMPEST problems are only at issue when the target is immersed or surrounded by the opposition which can have access to power lines, grounds and other penetrators without the fear of discovery.

A Piggy-Back device can be used to capture a RED signal, amplify it and retransmit it or jumper it to a BLACK area. While it exploits an exploitable emanation (the emanation being a TEMPEST issue) the attack is really a TSCM issue (overall) and involves (usually) some measure of penetration.

The 30 year old RF flooding technique is an example of one type of Hi-Jack Operation. Not generally practiced anymore, they are all variations of targeting a RED emanation with a very clean carrier. As the carrier passes through the target, an exploitable emanation modulates the carrier. Through an A-B subtraction (available on most S/As today) the RED signal is extracted. Again, the emanation (a TEMPEST issue) is the target; but, the Flooding carrier is a TSCM issue.

Most exploitation potentials (RED emanations) rapidly degrade because the power behind them (using today's technology) is small to start with. The exploitation of RED emanations is further complicated because of the ambient EM noise in the spectrum.

Oddly enough, TSCM itself was once vulnerable to TEMPEST problems. An old-fashioned WR-550 countermeasures receiver made a very distinctive sound when fired up. If you heard a WR-550 go through a start-up sequence, a prudent HoIS operative would (naturally) remotely deactivate the active portion of a clandestine surveillance device (CSD). Most of the older TSCM search receivers had a very prominent and powerful IF output. It was rumored that some CSDs had a protective receiver that terminated the active element of the CSD whenever in the proximity of a 21.4MHz signal (the standard IF out for a countermeasures receiver).

But, again, most all of these types of threats are more than 30 or 40 years old; dating back to well before I graduated ITC and attended the TSCM course.

Again, great article - congrats to the contributors.

Rocco Rosano
Reynoldsburg, Ohio

"James M. Atkinson, Comm-Eng" wrote:

> http://www.forbes.com/tool/html/00/aug/0810/mu9.htm
>
> Forbes.com: 8/10/00 - News: The Tempest Surrounding Tempest
>
> August 10, 2000
>
> The Tempest Surrounding Tempest
> By Arik Hesseldahl
>
> NEW YORK. 4:30 PM EDT - Echelon, Carnivore and Tempest. The names could come from the script of a techno-thriller movie.
>
> But to people who follow the intelligence community, they're real, and the cause for lots of speculative theories.
>
> Echelon is said to be the global telecommunications surveillance network run by the National Security Agency. Carnivore is an Internet eavesdropping tool used by the FBI.
>
> Then there's Tempest. With Tempest technology, the story goes, the information displayed on one's computer screen can be read from across the street by capturing the radiating emanations from the monitor itself using special equipment and a directional antenna.
>
> But the reality behind Tempest is much more mundane, according to government documents and people familiar with it. While the story behind Tempest is grounded in a kernel of truth, it has been so distorted in the retelling that it has become something of an urban myth.
>
> A front-page report in The Wall Street Journal on Aug. 7 attempted to get to the heart of Tempest technology, but instead perpetuated more bad information. For example, the Journal wasn't aware that one of the primary sources for the story, Frank Jones, of Codex Data Systems, pleaded guilty in 1997 to one federal count of possession of illegal surveillance devices, and is widely considered disreputable by several people in the surveillance industry. (A spokesman for Dow Jones Co., parent of the Journal, had no comment on the story.)
>
> Moreover, Codex says it no longer makes the "DataScan Tempest Monitoring System" that the Journal says the U.S. Army had contracted to buy at $20,000 each. Terrance Kawles, Codex's vice president and general counsel, insists, however, that the Army had at one time expressed an interest in buying the system. (Full disclosure: Forbes.com published an item about Codex's Tempest device in 1998.)
>
> Steve Uhrig, president of SWS Security, a U.S.-based firm that manufactures surveillance and intelligence gathering equipment for governments and the military, says he is extremely skeptical about Jones. He says that, in his opinion, Jones gives the entire electronic surveillance industry a bad image by making "outrageous claims about nonexistent products."
>
> "Jones has been a spy groupie for about 17 or 18 years," he says. "I don't think he's ever manufactured a product or provided a legitimate service. He makes it difficult for legitimate companies who tell the truth about their product's capabilities."
>
> Jones says Codex stopped selling DataScan devices after finding there was little market for them. And while he says he doesn't have any of the devices left, he could, given the right components, still demonstrate his technique. Nor does he claim to have any expertise in Tempest technology.
>
> "We're now strictly involved with software development," he says. "Tempest is old news."
>
> The Journal story also left readers under the impression that the full content of a document displayed on a computer screen can be captured from several hundred yards away.
>
> That's not correct, says James Atkinson, president and chief engineer of the Granite Island Group, a security consulting firm in Gloucester, Mass. Atkinson is a telecommunications engineer who specializes in the field of technical surveillance countermeasures (TSCM), the practice of finding hidden bugs and wiretaps. A former U.S. Air Force officer, he says he is one of few people working in the private sector who have graduated from the NSA's Tempest School at Lackland Air Force Base outside San Antonio, Tex.
>
> Tempest is not a spying technology, he says, and anyone who says otherwise is either lying or misinformed. It is a classified government standard meant to prevent spying on computer monitors and other equipment from afar. Breaking down the acronym that is its name gives a hint: Telecommunications Electronics Material Protected from Emanating Spurious Transmissions, the key word being "protected," of course.
>
> And while its exact details are a secret, much about Tempest technology can be gleaned by reading between the lines of mind-numbing government documents with titles like "Requirements for the control of electromagnetic interference characteristics of subsystems and equipment."
>
> Another document, this one a military handbook entitled "Radio Frequency Shielded Enclosures," describes "Tempest shielding" as being designed to "reduce the conducted and radiated emissions from within the sensitive environment to an undetectable level outside the shielded enclosure in uncontrolled areas."
>
> Although sneaking a peek at what's on someone else's computer screen from a distance is theoretically possible, Atkinson says, it is very difficult to do, extremely costly and impractical.
>
> Atkinson says that government buildings where sensitive information is processed are designed with the idea of minimizing the leakage of emanations from computer monitors and other equipment. And while the government does take the threat of eavesdropping on these emanations seriously, picking up a signal from a monitor is "extraordinarily difficult." A would-be spy must either be really close to the monitor with the right equipment, or have a very sensitive, very large antenna and very favorable conditions when at a greater distance.
>
> "If you're doing this in a demonstration in a hotel room, from only a few feet away, it's a slam dunk," he explains. "But once you're beyond anything more than a dozen feet, it gets really dicey. While technically you can do it, you'd need antennas that are 30 feet long and about 50 feet wide."
>
> He once calculated the size of the antenna that would be required to pick up monitor emanations from a computer inside the White House while outside on the street. He estimates it would take an antenna 45 feet tall and 30 feet wide extended into the air about 30 feet. The antenna would have to be mounted on the trailer of the semi truck filled with complex signals intelligence equipment, parked right outside on Pennsylvania Ave.
>
> "Can you see someone doing that outside the White House without attracting attention?" he asks. "I don't think the Secret Service would be amused."
>
> But Jones maintains it can still be done using off-the-shelf components.
>
> "There are people who would have you believe that you need millions of dollars worth of equipment and years of training to do this, and I'm telling you that's a load of crap," he says. "This stuff is not rocket science. The fact is I get e-mails from college students who say they are building these scanners in the lab."
>
> And even without the practical limitations presented by first getting close enough to the signal and obtaining the right antenna and equipment, there's also the problem of finding the right signal.
>
> "There are so many competing electromagnetic signals from the surrounding environment that picking any one of them out is practically impossible, especially from any distance," says Uhrig of SWS.
>
> And even under the best of conditions, the odds are high against actually reproducing a full video image of exactly what is on the target monitor, says Atkinson.
>
> "If you have a big enough antenna, and point it at a computer that is not properly shielded, bonded and grounded, theoretically, you could pick up fragments of information that are useful from an intelligence point of view," he says.
>
> But he believes the government's Tempest standards are meant to act like a document-shredder of the air, only better.
>
> ===================================================================
>    Everybody's into computers... Who's into yours?*
> ===================================================================
> James M. Atkinson                 Phone: (978) 546-3803
> Granite Island Group              Fax: (978) 546-9467
> 127 Eastern Avenue #291           http://www.tscm.com/
> Gloucester, MA 01931-8008         jmatk@t...
> ===================================================================
>    Lizard, The Other White Meat
> ===================================================================
>
> ========================================================
> TSCM-L Technical Security Mailing List
> "In a multitude of counselors there is strength"
>
> To subscribe to the TSCM-L mailing list visit:
> http://www.onelist.com/community/TSCM-L
>
> or email your subscription request to:
> subTSCM-L@t...
> =================================================== TSKS

1203 From: James M. Atkinson, Comm-Eng
Date: Thu Aug 10, 2000 7:15pm
Subject: Re: The Tempest Surrounding Tempest [Debunking the Myth]

At 7:16 PM -0400 8/10/00, Rocco Rosano wrote:
>Good, very good article.
>
>There are very few TEMPEST issues, these days.
>
>There are some exploitable emanations, Hi-Jacks, and Piggy-backs, but by and large, most of them are now TSCM problems. The days of RED, PINK (NATO) and BLACK bleed-overs ---- and most overpowered monitor issues are rectified with effective grounding. TEMPEST problems are only at issue when the target is immersed or surrounded by the opposition which can have access to power lines, grounds and other penetrators without the fear of discovery.

Assuming of course that the opposition can get inside the isolation or "stand off" zone, and can isolate and obtain enough of the signal before it diminishes into the noise floor.

If we take a -85 dBm "Compromising Emanation" at say 310 MHz (common SA emanation) and apply a very modest path loss we end up with the signal in the noise floor after a very short distance.

If we then put a little bit of "Shielding, Bonding, Grounding, and Filtering" on the equipment we can drive the initial emanation into the noise floor (reduce it) long before the signal would be of use to an eavesdropper.

If we have a -85 dBm signal, and then knock it down by 110 dB we end up knocking it down to below -195 dBm. Since this puts us 20 dB BELOW the thermal noise floor (on Earth) the eavesdropper is going to have a tough time exploiting the emanation (unless he has access to liquid nitrogen).

>A Piggy-Back device can be used to capture a RED signal, amplify it and retransmit it or jumper it to a BLACK area. While it exploits an exploitable emanation (the emanation being a TEMPEST issue) the attack is really a TSCM issue (overall) and involves (usually) some measure of penetration.

Agreed... more than a few times a TSCM'er has found a compromising emanation and then traced it to a screw that was not torqued down right/snapped off or a bad gasket that had been sabotaged. In other cases filters had been manipulated or bypassed altogether, ground compromised.

My favorites were the senior officers who insisted on bringing their walkie talkies into the SCIF, or who got bent out of shape when you removed the microwave oven due to HI-JACK issues.

>The 30 year old RF flooding technique is an example of one type of Hi-Jack Operation. Not generally practiced anymore, they are all variations of targeting a RED emanation with a very clean carrier. As the carrier passes through the target, an exploitable emanation modulates the carrier. Through an A-B subtraction (available on most S/As today) the RED signal is extracted. Again, the emanation (a TEMPEST issue) is the target; but, the Flooding carrier is a TSCM issue.

Ah, but with today's technology the eavesdropper can use the ambient RF environment to provide power for a hostile device (TEAPOT is a wonderful thing).

>Most exploitation potentials (RED emanations) rapidly degrade because the power behind them (using today's technology) is small to start with. The exploitation of RED emanations is further complicated because of the ambient EM noise in the spectrum.

Agreed... and since the size has also decreased (from acres to inches). What took up 100,000 square feet 20 years ago can now go into a small safe the size of a file cabinet. Egads... look at the old KY-3 and KG-13, and then look at the new stuff that replaced it.

I also look back fondly on the old equipment that used a digital signal with potentials of over 30 volts, and then compare it to the more modern ECL circuits.

>Oddly enough, TSCM itself was once vulnerable to TEMPEST problems. An old-fashioned WR-550 countermeasures receiver made a very distinctive sound when fired up. If you heard a WR-550 go through a start-up sequence, a prudent HoIS operative would (naturally) remotely deactivate the active portion of a clandestine surveillance device (CSD). Most of the older TSCM search receivers had a very prominent and powerful IF output. It was rumored that some CSDs had a protective receiver that terminated the active element of the CSD whenever in the proximity of a 21.4MHz signal (the standard IF out for a countermeasures receiver).

Actually several CSD's in use today shut down for 72 hours if a strong enough NLJD signal is detected. This is of course why the NLJD, Xray, and so on must be considered an alerting device. Heck, even some SA's should be considered an alerting device due to the rather strong signals they leak (which is why we want to terminate any unused port into a load, and add some extra screening to the instrument's various ports).

>But, again, most all of these types of threats are more than 30 or 40 years old; dating back to well before I graduated ITC and attended the TSCM course.
>
>Again, great article - congrats to the contributors.
>
>Rocco Rosano
>Reynoldsburg, Ohio

===================================================================
   Everybody's into computers... Who's into yours?
===================================================================
James M. Atkinson                 Phone: (978) 546-3803
Granite Island Group              Fax: (978) 546-9467
127 Eastern Avenue #291           http://www.tscm.com/
Gloucester, MA 01931-8008         jmatk@t...
===================================================================
   Lizard, The Other White Meat
===================================================================

1204 From: Screaming
Date: Thu Aug 10, 2000 6:39pm
Subject: RE: WE ARE OUT OF OIL

First funny thing I have read for a long time. It did make me chuckle, thanks jma

1205 From: Night Baron
Date: Fri Aug 11, 2000 0:39am
Subject: Bugs

Bugs are nothing more than transmitters or signal transducers that are illegal when used to eavesdrop on others without court ordered authority in most cases. Some are not illegal when utilized, such as telephone listening devices employed by someone who is a party of the conversation (in some states) but it is not illegal to own them. You can buy simple stuff that mom, dad and the kiddies can use to sing songs or talk over their radio as a toy, they have short ranges and are as legal as any other consumer device. Ham Radio hobbyists make transmitters all the time to engage in their hobby. Electronic students make them to learn about RF and thousands of hobbyists do as well. Transmitters are used by industry in control systems and transmitting data on a process to a central location. So having a transmitter is not illegal. What you do with it is what is important. Sure there are guidelines as to how much power can be used, or how long an antenna may be or the strength of the signal, but the possession of the object is not illegal, the way you use it may be. I could take a child's walkie talkie and set it up as a close range transmitter and it would not be illegal unless I used it to eavesdrop in an illegal way. Even then it is proven after the fact and the information has already been stolen. Ever hear a baby monitor in a home through a scanner or a handheld phone through a scanner, this isn't illegal but it is very effective in gathering information, and the transmitter is owned and used by the consumer legally, so your point of illegal to possess is false.
I learned how to make transmitters and tap phones when I was 12 years old, are you going to go around and arrest everyone who builds a device like this, no you wouldn't have a police force large enough. Can you get those who use them illegally, yes some but even then you can't get everyone because anyone who has ever had a grudge against someone or a suspicion that their spouse is cheating or just plain nosey will have thought to use their kids' toy walkie talkie or wireless mic or tape their own phone (remember Monica and Linda?) to gather some information at one time or another. You should know how these work and how they are used and how they are hidden and that also includes the fact that to do this you need to have had one in your possession at one time or another, else you will never be able to protect against it, and be just as blind and deaf to the threat as those you seek to help.

Night Baron

1206 From: Doug Ellsworth
Date: Fri Aug 11, 2000 4:43am
Subject: Re: The Tempest Surrounding Tempest [Debunking the Myth]

Once again, Congrats to Jim and Steve (and Forbes) for a responsible article.

Also, remember the old composite video monitors? Composites pounded out a much higher amplitude signal than modern VDTs. The signals were more primitive and simplistic as well. Composites were in common usage during the infancy of the microcomputer, and this coincided with the advent of TEMPEST measures. Coincidence? Or co-incident?

-Doug

----- Original Message -----
From: James M. Atkinson, Comm-Eng
To: TSCM-L Mailing List
Sent: Thursday, August 10, 2000 2:55 PM
Subject: [TSCM-L] The Tempest Surrounding Tempest [Debunking the Myth]

http://www.forbes.com/tool/html/00/aug/0810/mu9.htm

1207 From: A Grudko
Date: Thu Aug 10, 2000 3:41pm
Subject: Re: Introduction

----- Original Message -----
> Installing a clandestine surveillance package (CSD/CSP) is to planting a surveillance device, as cabinet making is to carpentry

Moral of the story....never buy wooden furniture from jma

O ~>)))}}}} /|` _____ / \ [ ]
Andy Grudko - Johannesburg

1208 From: Stuart Wachs
Date: Fri Aug 11, 2000 6:58am
Subject: Re: The Law Regarding Bugs Is Complicated

Hello list members. Although I've followed the discussion for a year or so, this is my first contribution. I am a lawyer who specializes in issues related to bugs.

Some of the comments about bugs need to be addressed because they are incomplete. As all of you no doubt know, bugs are regulated under various state laws and under a federal law known as "title III."

One section of title III defines bugs as any device which, because of how it's designed, makes the device "primarily useful for the surreptitious interception." Manufacture, sale, possession or advertising of bugs is illegal. Consequently, although having a transmitter is not illegal under title III, putting a transmitter in a pen is illegal.

Another section of title III regulates the use of bugs. That section in general outlaws all uses of bugs or any other mechanical means of secretly intercepting communications, unless the use is permitted by state law.
For example some states like New York allow a person to secretly record a conversation but only if the person doing the recording is a party to the conversation. This is called one-party consent. The two sections intersect in some instances. For example, using a telephone recorder can be legal or illegal depending on how the unit activates. If the user has to turn it on for each phone call, then the recorder is not "primarily useful for the surreptitious interception" and the person doing the recording in a state that allows it has one-party consent. In contrast, if lifting the receiver activates the recorder, then the recorder is illegal and the legality of its use will depend on whether the person using the recorder is part of the conversation. The odds of getting caught are low but hardly infinitesimal. Title III regularly finds its way into divorce cases. Moreover, the federal government periodically busts spy shops and similar businesses. When it does, agents seize business records including sales invoices. From there, the government's only decision is which fish to fry. This area of law is complicated because title III was not well written. However, every legal attack on title III has failed. The take-home message, therefore, is to proceed with great caution and, when in doubt, get advise. Stuart Wachs -----Original Message----- From: Night Baron To: TSCM-L@egroups.com Date: Friday, August 11, 2000 3:19 AM Subject: [TSCM-L] Bugs >Bugs are nothing more than transmitters or signal transducers that >are illegal when used to eavesdrop on others with out court ordered >authority in most cases. Some are not illegal when utilized, such as >telephone listening devices employed by someone who is a party of the >conversation (in some states)but it is not illegal to own them. You >can buy simple stuff that mom,dad and the kiddies can use to sing >songs or talk over thier radio as a toy, they have short ranges and >are as legal as any other consumer device. 
>Ham Radio hobbyists make
>transmitters all the time to engage in their hobby. Electronic
>students make them to learn about RF and thousands of hobbyists do as
>well. Transmitters are used by industry in control systems and
>transmitting data on a process to a central location. So having a
>transmitter is not illegal. What you do with it is what is important.
>Sure there are guidelines as to how much power can be used, or how
>long an antenna may be or the strength of the signal, but the
>possession of the object is not illegal, the way you use it may be. I
>could take a child's walkie talkie and set it up as a close range
>transmitter and it would not be illegal unless I used it to eavesdrop
>in an illegal way. Even then it is proven after the fact and the
>information has already been stolen. Ever hear a baby monitor in a
>home through a scanner or a handheld phone through a scanner, this
>isn't illegal but it is very effective in gathering information, and
>the transmitter is owned and used by the consumer legally, so your
>point of illegal to possess is false. I learned how to make
>transmitters and tap phones when I was 12 years old, are you going to
>go around and arrest everyone who builds a device like this, no you
>wouldn't have a police force large enough. Can you get those who use
>them illegally, yes some but even then you can't get everyone because
>anyone who has ever had a grudge against someone or a suspicion that
>their spouse is cheating or just plain nosey will have thought to use
>their kids toy walkie talkie or wireless mic or tape their own phone
>(remember Monica and Linda?) to gather some information at one time
>or another. You should know how these work and how they are used and
>how they are hidden and that also includes the fact that to do this
>you need to have had one in your possession at one time or another,
>else you will never be able to protect against it, and be just as
>blind and deaf to the threat as those you seek to help.
>
>Night Baron

1209 From: Robert G. Ferrell Date: Fri Aug 11, 2000 11:11am Subject: Re: [The WSJ Article is a Complete Bullshit]

>Let me say again... TEMPEST (at least according to THOUSANDS of pages
>of government documents I have) deals with the "Shielding, Bonding,
>Grounding, and Filtering" of equipment processing classified
>materials.
>It DOES NOT involve eavesdropping equipment or methods, but instead
>involves the technology used to protect against "compromising
>emissions".

Absolutely correct. I recently finished dismantling a legacy TEMPEST facility in Reston, VA. It was 100% geared toward preventing unauthorized interception of signals generated by computer and communications equipment. Purely defensive.

RGF

Robert G. Ferrell, CISSP
========================================
Who goeth without humor goeth unarmed.
========================================

1210 From: James M. Atkinson, Comm-Eng Date: Fri Aug 11, 2000 0:21pm Subject: Strange Request

Here is one of my stranger requests,

I am seeking a source from whom I can obtain several hundred pounds of ground up POPULATED circuit boards (I would prefer newer multi-layered fiberglass boards). I used to obtain such materials from a local salvage company, but they stopped grinding down PCB's last Fall.

I need the pieces to be small enough to pass through a quarter inch screen, but I will also need pieces small enough to pass through even smaller screens. I actually need about 8 five gallon cans of four different sized "grindings" (19mm-3/4 inch, 6.3mm-1/4 inch, 2mm-#10 Screen, and 1.4mm-#14 Screen (32 cans total).
The "grindings" will be used to teach TSCM students, and I will gladly travel anywhere in New England to pick up the materials (and will also be happy to supply the containers).

-jma

===================================================================
Everybody's into computers... Who's into yours?
===================================================================
James M. Atkinson Phone: (978) 546-3803
Granite Island Group Fax: (978) 546-9467
127 Eastern Avenue #291 http://www.tscm.com/
Gloucester, MA 01931-8008 jmatk@t...
===================================================================
Lizard, The Other White Meat
===================================================================

1211 From: James M. Atkinson, Comm-Eng Date: Fri Aug 11, 2000 0:29pm Subject: Re: The Law Regarding Bugs Is Complicated

At 7:58 AM -0400 8/11/00, Stuart Wachs wrote:
> Hello list members. Although I've followed the discussion for a year or
>so, this is my first contribution.
>
> I am a lawyer who specializes in issues related to bugs. Some of the
>comments about bugs need to be addressed because they are incomplete.

Your comments on the subject at hand are greatly appreciated.

> As all of you no doubt know, bugs are regulated under various state laws
>and under a federal law known as "title III." One section of title III
>defines bugs as any device which, because of how it's designed, makes the
>device "primarily useful for the surreptitious interception." Manufacture,
>sale, possession or advertising of bugs is illegal. Consequently, although
>having a transmitter is not illegal under title III, putting a transmitter
>in a pen is illegal.

It also applies to anything that has been modified to render it more useful as an eavesdropping device, and the sheer act of concealing it could put someone in a pinch.

> Another section of title III regulates the use of bugs.
>That section in
>general outlaws all uses of bugs or any other mechanical means of secretly
>intercepting communications, unless the use is permitted by state law. For
>example some states like New York allow a person to secretly record a
>conversation but only if the person doing the recording is a party to the
>conversation. This is called one-party consent.

Yes, but something else to consider is that if the phone connection crossed state lines at any point then the federal courts have ruled in favor of the more restrictive state.

For example, if one side of the call is in a one party state, but the other side is in a two party state, then the two party rule applies in both cases. Taking that one step further, if someone in a one party state calls someone in the two party state and records the call then they have just run afoul of T3 (both criminally and civilly).

> The two sections intersect in some instances. For example, using a
>telephone recorder can be legal or illegal depending on how the unit
>activates. If the user has to turn it on for each phone call, then the
>recorder is not "primarily useful for the surreptitious interception" and
>the person doing the recording in a state that allows it has one-party
>consent. In contrast, if lifting the receiver activates the recorder, then
>the recorder is illegal and the legality of its use will depend on whether
>the person using the recorder is part of the conversation.

The device also has to comply with 47 CFR, Part 68 or it is also illegal (most recorder drop out units are not Part 68 compliant).

> The odds of getting caught are low but hardly infinitesimal. Title III
>regularly finds its way into divorce cases. Moreover, the federal
>government periodically busts spy shops and similar businesses. When it
>does, agents seize business records including sales invoices. From there,
>the government's only decision is which fish to fry.
I have seen (as recently as a few days ago) T3 get drawn into workman's comp cases, insurance cases, SEC cases, and so on.

> This area of law is complicated because title III was not well written.
>However, every legal attack on title III has failed. The take-home message,
>therefore, is to proceed with great caution and, when in doubt, get advice.
>
>Stuart Wachs

While the statute is a tad bit vague (to the layman) the case law is actually quite strong.

The whole situation pivots on intent, and the function the product was originally built, advertised, and marketed for.

Once a company calls a product a "Phone Bug" (such as what Ramsey did) it is a little hard for them to then backpedal and claim it was only a wireless microphone. If they then offer similar products to complement the other product (such as a pre-amplified microphone) then they simply dig themselves into a deeper hole.

When someone like XANDI or CONY offers large variants of devices they not only "curse" their products, but they also provide a "curse" on similar products. Look at some of the CONY specs, and then at the RAMSEY, DECO, DIY, Quantum, and other "kits"... the intent is rather clear.

If a product is marketed, built, and sold as a surveillance device in Japan (ie: Cony, Sun-Mech. Micro) and some spy shop in the US sells it claiming it is for use as a "wireless microphone" then customs will be showing him the error of his ways.

-jma

1212 From: A Grudko Date: Fri Aug 11, 2000 2:34pm Subject: Re: WSJ article on TEMPEST

Quote

> In a nutshell TEMPEST deals with "Shielding, Bonding, and
> Grounding"... not the actual interception of signals (It deals with
> blocking the signal... period).

I may have been misinformed.
To err is human, unless you are a politician in which case my understanding of the terms of reference in the indictment depend on the definition of the act itself and as in this instance there was no direct contact between the probe and the device in question so I do not believe the sweep itself constituted the act of TEMPEST.

Andy
Out of Jo'burg but not completely out of touch.

1213 From: Date: Sat Aug 12, 2000 5:36am Subject: Re: Strange Request

Jim

Are you taking any new students for a day or couple of days or week?

Thanks
DMM
Clockdepot@a...

1214 From: James M. Atkinson, Comm-Eng Date: Sat Aug 12, 2000 0:57pm Subject: Re: WSJ article on TEMPEST

At 9:34 PM +0200 8/11/00, A Grudko wrote:
>Quote
>
> > In a nutshell TEMPEST deals with "Shielding, Bonding, and
> > Grounding"... not the actual interception of signals (It deals with
> > blocking the signal... period).
>
>I may have been misinformed.
>To err is human, unless you are a politician in which case my understanding
>of the terms of reference in the indictment depend on the definition of the
>act itself and as in this instance there was no direct contact between the
>probe and the device in question so I do not believe the sweep itself
>constituted the act of TEMPEST.
>
>Andy
>Out of Jo'burg but not completely out of touch.

[grin] Er, ah...

What do you mean an "act of TEMPEST"?

TEMPEST is a discipline within the umbrella of Emissions Security, and not an act in unto itself.
You would engage in an act of TEMPEST evaluation, or TEMPEST design, TEMPEST Compliance Repair, TEMPEST Filtering etc... but not actually commit an act of TEMPEST.

For example, you would not engage in "TEMPEST Eavesdropping" unless you are watching people measure shielding efficiency, or playing with magnetic loops, etc.

Keep in mind that TSCM, TEAPOT, HIJACK, TEMPEST, etc are all SISTER programs that address technical security from a slightly different angle.

For example you have a TEAPOT

I am still trying to find out what the definitions of "IS" is... (ouch)

-jma

1215 From: James M. Atkinson, Comm-Eng Date: Sun Aug 13, 2000 1:41am Subject: Biconical Antenna's

[Groan] I've got to stop these 18 hour days, or at least clone myself. [Groan]

I've gotten several questions about antenna distances on higher threat sweeps, and thought it would be wise to post the following.

The following is based on a modified version of about 40 separate government, commercial, and related EMC/EMI measurement (including such classics as 461, 462, 419, 285, part 18, etc).

When using a 3110 or 3104 Biconical antenna I start with the antenna parallel to the closed entry door at a distance of four feet, measured from the centerline (not tips) of the bird cage elements. The antenna is oriented so that the balun is pointing towards the door and is mounted on a tripod with wheels.
The "boom" is extended just far enough for the antenna to clear the nylon standoff when the antenna is in the vertical position.

The sequence is started with the balun 120 cm off of the floor (2 foot tripod and a 2 foot nylon stand off). Use a 100 kHz IFBW with a 15 second sweep time, collect 3 or more traces (at least 5000 points each), average them, and then download the traces to computer or dump it to disk.

The antenna platform is then moved 120 cm along the wall and the sequence repeated until the entire wall, floor, windows, and ceiling are completely covered. A similar sequence is then repeated around all furniture (from 120 cm away), and all open areas of the room not previously checked. Then switch the antenna to horizontal and diagonal polarizations and repeat.

These antennas can cover 20 MHz to 500 MHz, and I would suggest passing the signal through a 25-30 dB preamp mounted to the antenna with a one meter cable (RG-214 with N connectors) before passing it to the SA (where it gets another 20-25 dB of amplification). Be sure to keep your cable runs below 50 foot, and add filters as appropriate to reduce amplifier saturation.

While the antennas are typically calibrated from 20/30 MHz to only 300 MHz they can be used higher (to 450-500 MHz) by simply applying an antenna correction table.

A 30*30 foot conference room would give us 60 measurement positions with 4 polarization positions each. Budget about 60 seconds per position/polarization to do the sweeps, save the data, and move the antenna. This works out to about 1 hour per polarization, or four hours for the entire room.

Of course we will still need to run a loop, double ridged horns, and rod around the room, but I have found the Biconical to be incredibly valuable on a radiated signals sweep as it really digs into the high threat bands.

As we move closer to the threats (the under 7 cm surface sweeps) the Biconicals become less valuable, but for sweeping large volumes of space they are invaluable.
-jma

1216 From: A Grudko Date: Sat Aug 12, 2000 3:52am Subject: Re: Debunk WSJ article on TEMPEST

----- Original Message -----
> >I learned long ago that if the speaker works as a speaker, then it is not a
> >microphone. If it does not work as a speaker, you better check it out or
> >better yet, remove it.

As long as a speaker is emitting sound (i.e. Muzak) it can't be a mike, although as James pointed out you can phase a mike in in the cabling close by.

If it's a PA system, used occasionally, whilst there is no emitted sound disturbing the diaphragm, it will work as a mike. Assume 8 ohms at the speaker, add audio transformer up to 600 ohm and you have a 'dynamic' mike. Not very sensitive but......(thereafter read the books, do the courses).

Many electronic - and electrical - devices are telephonic, i.e. converting audio (vibration) to an electrical signal. It just so happens mikes are designed to optimise the effect.

Andy
Somewhere in Sunny SA, Sunday morning.

1217 From: A Grudko Date: Sun Aug 13, 2000 3:06am Subject: Source of inaccurate TEMPEST info.

In defence of my published errors in this regard, both in this list, in articles and in a TSCM book had published in the early 90's, the internet has helped debunk a lot of pseudo-spy tech/ops. ideas.

My original understanding of TEMPEST came from a single book, published in the US (somewhere in my library at the office), which described it as the reading of data from a PC monitor at a distance.
At the same time we discovered that the technique worked on the bench and QED thought the description was correct.

Of course, part of the problem for us, stuck at the tip of Africa, pre internet, was how to get full details on what appeared to be classified US research.

If I ever get to publish a second edition of the book there will be many corrections.

Humbled.
From a secret destination in the African bush on holiday (typing quietly so the wife doesn't realise I'm on the 'net).
Andy Grudko

1218 From: Date: Sat Aug 12, 2000 10:31pm Subject: Re: Strange Request

Mr. Atkinson,

I would greatly appreciate more information regarding the TSCM classes you mentioned in the message below. If any other list members have more information regarding TSCM courses/seminars, and/or computer forensics courses/seminars, please send it to this list or directly to me. Again, I will appreciate any responses I may get. Thank you.

Niko

On Fri, 11 Aug 2000, James M. Atkinson, Comm-Eng wrote:

> Here is one of my stranger requests,
>
> I am seeking a source from whom I can obtain several hundred pounds
> of ground up POPULATED circuit boards (I would prefer newer
> multi-layered fiberglass boards). I used to obtain such materials
> from a local salvage company, but they stopped grinding down PCB's
> last Fall.
>
> I need the pieces to be small enough to pass through a quarter inch
> screen, but I will also need pieces small enough to pass through even
> smaller screens. I actually need about 8 five gallon cans of four
> different sized "grindings" (19mm-3/4 inch, 6.3mm-1/4 inch, 2mm-#10
> Screen, and 1.4mm-#14 Screen (32 cans total).
>
> The "grindings" will be used to teach TSCM students, and I will
> gladly travel anywhere in New England to pick up the materials (and
> will also be happy to supply the containers).
>
> -jma

1219 From: Screaming Date: Sun Aug 13, 2000 0:39pm Subject: RE: Source of inaccurate TEMPEST info.

(typing Quietly)

Have a Great Holiday Andy

jc

1220 From: James M. Atkinson, Comm-Eng Date: Mon Aug 14, 2000 8:28am Subject: WSJ TEMPEST Article Retraction

Curious,

The Wall Street Journal just ran the following retraction about the TEMPEST article they presented (but failed to research) last week.

Sad, really sad...

-jma

>
>Corrections & Amplifications
>FRANK JONES, president of Codex Data Systems Inc., said in an Aug. 7
>page-one article that the company had signed a "contract" with the
>Army 18 months earlier to produce "under a dozen" $20,000
>computer-screen monitoring devices for testing. Now, in response to
>questions raised about the contract, Codex will say only that the
>military has shown "interest" in the device and that the company
>hasn't "actively marketed" it since July 1998. An Army spokesman
>said the Army can find no record of any contract between Codex and
>the Army. Since the article was published, it has been learned that
>Banco do Brasil obtained a $109,451 court judgment in 1995 against Mr.
>Jones and some of his companies for failing to deliver
>electronic-surveillance equipment that the bank had paid for. While
>not disputing the judgment, a Codex lawyer says the transaction was
>a "business loan," notes that "businesses fail all the time," and
>declines to elaborate. It also has been learned that Mr. Jones once
>pleaded guilty to a federal felony charge of possession of illegal
>interception devices and was sentenced last year to five years
>probation.

1221 From: James M. Atkinson, Comm-Eng Date: Mon Aug 14, 2000 8:44am Subject: Re: Source of inaccurate TEMPEST info.

At 10:06 AM +0200 8/13/00, A Grudko wrote:
>In defence of my published errors in this regard, both in this list, in
>articles and in a TSCM book had published in the early 90's, the internet
>has helped debunk a lot of pseudo-spy tech/ops. ideas.

Isn't the Internet a great thing. Not only does it make the world a smaller place, but we can also use it to improve our profession, to share tips, and so on.

>My original understanding of TEMPEST came from a single book, published in
>the US (somewhere in my library at the office), which described it as the
>reading of data from a PC monitor at a distance. At the same time we
>discovered that the technique worked on the bench and QED thought the
>description was correct.

I know. Due to the van Eck article published in 1985 the public seized on the subject, and in the absence of real information they simply created their own.
Over the years I have read over a dozen books, articles, and mentions by "TEMPEST Experts" in the public sector who actually have zero formal technical training on the subject, and who have actually never worked in the field.

Of course when we compare the "public books" about TEMPEST with the government textbooks, handbooks, and standards we find that most of the information in the public sector is based on pure fantasy and pseudo-science.

>Of course, part of the problem for us, stuck at the tip of Africa, pre
>internet, was how to get full details on what appeared to be classified US
>research.

If you would like I would be happy to upload the van Eck article to a directory on my website, as well as a few thousand pages of government standards on the subject. This way you can download and print them (free of charge).

>If I ever get to publish a second edition of the book there will be many
>corrections.
>
>
>Humbled.
>From a secret destination in the African bush on holiday (typing quietly so
>the wife doesn't realise I'm on the 'net).
>Andy Grudko

Have a good holiday, and try to stay off of the computer while on vacation.

-jma

1222 From: James M. Atkinson, Comm-Eng Date: Mon Aug 14, 2000 10:09am Subject: Re: WSJ TEMPEST Article Retraction

Whoops, I didn't mention the following:

The retraction ran in today's (8/14/00) hard copy version of the Journal on page A-2, and the on-line version as well.
It is one of the weakest of retractions, and fails to mention that the "secret technology of TEMPEST eavesdropping" in and of itself is a myth as well.

The original WSJ article was pure hype, and was based on fantasy and urban legends.

-jma

At 9:28 AM -0400 8/14/00, James M. Atkinson, Comm-Eng wrote:
>Curious,
>
>The Wall Street Journal just ran the following retraction about the
>TEMPEST article they presented (but failed to research) last week.
>
>Sad, really sad...
>
>-jma
>
> >Corrections & Amplifications
> >FRANK JONES, president of Codex Data Systems Inc., said in an Aug. 7
> >page-one article that the company had signed a "contract" with the
> >Army 18 months earlier to produce "under a dozen" $20,000
> >computer-screen monitoring devices for testing. Now, in response to
> >questions raised about the contract, Codex will say only that the
> >military has shown "interest" in the device and that the company
> >hasn't "actively marketed" it since July 1998. An Army spokesman
> >said the Army can find no record of any contract between Codex and
> >the Army. Since the article was published, it has been learned that
> >Banco do Brasil obtained a $109,451 court judgment in 1995 against
> >Mr. Jones and some of his companies for failing to deliver
> >electronic-surveillance equipment that the bank had paid for. While
> >not disputing the judgment, a Codex lawyer says the transaction was
> >a "business loan," notes that "businesses fail all the time," and
> >declines to elaborate. It also has been learned that Mr. Jones once
> >pleaded guilty to a federal felony charge of possession of illegal
> >interception devices and was sentenced last year to five years
> >probation.

1223 From: Jordan Ulery Date: Tue Aug 15, 2000 10:16am Subject: Intern Seeking Position

The following was posted on the Defense Investigator's list. I offered to post on other lists and the lady agreed. I do not know the woman, and am posting merely as a good deed (or as Sister would say, a corporal work of charity). At any rate:

Sheila Leigh Bond wrote:

> Good Afternoon Everyone,
>
> My name is S. Leigh Bond and I am a computer professional interested
> in blending my present knowledge of IT Security into a career in
> private investigation. I am interested in learning the business from
> the ground up and hope to find a PI firm in the Philadelphia (PA)
> area that would be interested taking on a NON-salaried intern.

1224 From: Date: Tue Aug 15, 2000 0:19pm Subject: BLack Ice Defender Anti-Virus/Hacker Software

Heard this software is pretty good for security concerns.

HAVE A GREAT DAY !!!

----------
http://www.networkice.com/

1225 From: Robert G. Ferrell Date: Tue Aug 15, 2000 0:52pm Subject: Re: BLack Ice Defender Anti-Virus/Hacker Software

>Heard this software is pretty good for
>security concerns.

If you have a high speed (xDSL or Cable Modem) always-on Internet connection and are running any Windows OS, Black Ice Defender is your first and best line of defense. IMO.

RGF

Robert G. Ferrell, CISSP

1226 From: David Miller Date: Tue Aug 15, 2000 1:13pm Subject: RE: BLack Ice Defender Anti-Virus/Hacker Software

Here is a URL that compares the personal firewalls (of which BlackIce is one).

http://securityportal.com/cover/coverstory20000717.html

-----Original Message-----
From: Robert G. Ferrell [mailto:rferrell@r...]
Sent: Tuesday, August 15, 2000 12:53 PM
To: TSCM-L@egroups.com
Subject: Re: [TSCM-L] BLack Ice Defender Anti-Virus/Hacker Software

>Heard this software is pretty good for
>security concerns.

If you have a high speed (xDSL or Cable Modem) always-on Internet connection and are running any Windows OS, Black Ice Defender is your first and best line of defense. IMO.

RGF

Robert G. Ferrell, CISSP

1227 From: Date: Tue Aug 15, 2000 3:04pm Subject: Court Throws Out Wiretapping Rules

Court Throws Out Wiretapping Rules

The Associated Press

By KALPANA SRINIVASAN

WASHINGTON (AP) - A federal appeals court dealt law enforcement authorities a setback Tuesday in their efforts to keep criminals from using such telephone features as conference calls and call-forwarding to thwart surveillance.

The court determined that the Federal Communications Commission failed to adequately take into account consumer privacy concerns and costs imposed on the industry when the agency required surveillance capabilities added to the telecommunications network.

The decision could also have implications for the FBI's new "Carnivore" surveillance system, which can monitor e-mails.

One provision thrown out by the court required phone carriers to provide to law enforcement agents all numbers dialed after the subject of a wiretap order connects a call. That was intended to ensure authorities could get the actual number being called, even if a suspect first used a 1-800 number or a calling card.

Privacy groups had argued that the provision could give authorities access to information beyond the scope of the wiretap such as credit card or bank account numbers. A three-judge panel of the U.S. Circuit Court of Appeals for the District of Columbia agreed and sent that back to the commission.

Another provision struck down would have given investigators information about all parties to a conference call, even if some are put on hold and are no longer talking to the target of the legal wiretap.

Authorities with a court order also could have determined when someone was using call-forwarding, three-way calling or other features or when that person placed a call even if it was not completed.

Privacy groups, which had challenged the rules saying they expand government surveillance beyond what the law permitted, applauded the court action.

"The court told the FCC that it was wrong to give in to the FBI's surveillance demands at the cost of privacy," said James X. Dempsey, Center for Democracy and Technology, a privacy advocate.

The United States Telecom Association said the items thrown out by the court would "only serve to impose extraordinary and unnecessary costs on carriers" and possibly raise phone rates for residential customers.
The FCC's rules, set in place nearly a year ago, helped to implement a 1994 wiretapping law. The agency stepped in after the Justice Department, FBI and the telecommunications industry failed to agree on a plan.

Federal officials expressed hope that the court's concerns can be addressed to keep the rules in place.

"Essentially, we're seeing now folks engaged in criminal activity using those types of technology to thwart law enforcement," said Stephen Colgate, assistant attorney general at the Justice Department. For example, some might use calling cards to frustrate agents, he said.

Tuesday's ruling upheld provisions that require telecommunication carriers to provide information on so-called digital packet-switched communications. In these types of communications, calls are broken up into a number of data packets carrying both identifying information and content. These packets travel different routes on the network and are reassembled at their destination.

Privacy advocates had argued that because the content and the information identifying the caller cannot be separated, the government would get more than a simple trace order allowed.

The court did stipulate in its decision that law enforcement agencies still need lawful authorization to intercept content. That typically would require officials to meet a higher standard such as those of a search warrant.

Privacy groups said the court's assertion could have implications for Carnivore, the FBI's court-approved system for monitoring people's e-mail messages.

"The court has clarified the legal standards that law enforcement must meet before monitoring new modes of communications. The decision calls into question the legality of the FBI's controversial Carnivore system," said David Sobel, general counsel of the Electronic Privacy Information Center.

Colgate said the Justice Department will take into account the court's decision as part of its ongoing review of Carnivore.
The court also left intact a provision that allowed police, with a judge's permission, to track cellular phone users by their location at the beginning and end of a call.

On the Net:

Court opinion available at http://www.cadc.uscourts.gov/
Federal Communications Commission site: http://www.fcc.gov/
Electronic Privacy Information Center: http://www.epic.org/
Justice Department: http://www.usdoj.gov/
United States Telecom Association: http://www.usta.org/

1228 From: Date: Tue Aug 15, 2000 1:54pm Subject: RE: BLack Ice Defender Anti-Virus/Hacker Software

Decent package combining packet filtering with intrusion detection. Many people don't realize that cable modem/DSL/etc. connect your system to the Internet 24/7. Firewalls should be mandatory for anyone who wishes to retain control of their systems.

Good Points
===========
Friendly administration.
Automatically updates firewall rules to deny attackers.
Automated intruder traceback.
Good pricing/support model.

Bad Points
==========
Runs on the user system. Good for a mobile laptop, but generally bad for a LAN situation. Firewalls should be on their own system.
Only runs on Windoze systems. A program can only be as secure as the OS it is running under.
The automated intruder traceback can itself be interpreted as a scan attack.
The automatic firewall rule update is of limited value.

What I Do
=========
I have a small LAN in my home with a few systems on it for my kids and I. I use a separate Pentium 120 based system as my firewall/gateway to my ISP. I run OpenBSD ( http://www.openbsd.org ) with ipf and ipnat and NOTHING else. I am not running any servers, so I don't allow incoming traffic, anyway. My user systems all run Norton Anti-virus with Live Update scheduled weekly.

If anyone has any questions, feel free to email me off-list.

Bob Washburne - Computer Security Specialist and Professional Paranoid
rcwash@c...

Minor rant: The term "black ice" was coined by William Gibson in his cyber-punk novels.
In his world people had interfaces installed in their brain and they would "jack in" to the net.

ice - software copy protection
grey ice - copy protection which would damage the attacker's computer (kind of like the old C=64 software which would jam your disk drive if it thought it was copied.)
black ice - copy protection which would kill the attacker him/herself (remember, their brain is directly connected to the net...).

So to call your program "black ice" is about as pretentious as placing a ninja icon in your TSCM ad (or wearing any of those funky costumes the list was ranting about earlier.)

--- Original Message ---
patedwards@w... Wrote on Tue, 15 Aug 2000 13:19:54 -0400 (EDT)
------------------
Heard this software is pretty good for security concerns.

----------
http://www.networkice.com/

1229 From: Agent_X Date: Tue Aug 15, 2000 0:37pm Subject: Re: BLack Ice Defender Anti-Virus/"cracker" Software

>Heard this software is pretty good for
>security concerns.
>
>HAVE A GREAT DAY !!!
>
>----------
>
>http://www.networkice.com/

Here are two known issues with Black Ice

NetworkICE BlackICE High UDP Port Block Delay Vulnerability

NetworkICE BlackICE Defender and Agent do not block incoming UDP port connections above 1021 when configured with either the Trusting, Caution, or Nervous setting. Back Orifice 1.2 utilizes a high UDP port by default, thus any command issued by a Back Orifice client can go unprotected by BlackICE. The infected machine's reply will trigger IP address blocking by BlackICE. A small time gap exists between the issue of the first Back Orifice command and the time at which BlackICE blocks the offending IP address.
The number of Back Orifice commands that can bypass BlackICE depends on the speed the remote user can execute them (the commands can be easily automated with scripts to increase the speed or can be launched from different IP addresses). BlackICE may be vulnerable to other malicious attacks originating from UDP based programs.

NetworkICE ICECap Manager Default Username and Password Vulnerability

ICECap Manager is a management console for BlackICE IDS Agents and Sentries. By default, ICECap Manager listens on port 8081, transmits alert messages to another server on port 8082, and has an administrative username of 'iceman' possessing a blank password. A remote user could login to ICECap manager through port 8081 (using the default username and password if it hasn't been modified) and send out false alerts.

In addition, the evaluation version of ICECap Manager has the option of utilizing Microsoft Access' JET Engine 3.5. This creates a security hazard because JET Engine 3.5 is vulnerable to remote execution of Visual Basic for Application code. Therefore, remote users may execute arbitrary commands on ICECap Manager through the use of the default username and password and JET Engine 3.5.

More information can be found regarding the JET Database Engine 3.5 vulnerability at the following URL: http://www.securityfocus.com/bid/286

--
Agent X
PGP Keys available by request.
PGP Fingerprint (6.5.2) : 1953 A923 9B1F C710 5C94 AE05 E0BA F51F E9B6 AD85
PGP Fingerprint (2.6.2): 8C 9A BE D5 41 3F 96 C8 D2 8C 1D B1 5F 59 55 FF

1230 From: Ian Carter Date: Wed Aug 16, 2000 2:14am Subject: Re: BLack Ice Defender Anti-Virus/Hacker Software

> Heard this software is pretty good for
> security concerns.

Black Ice is a nice firewall and AtGuard was also, till it was purchased for the Norton Internet Security program - (AtGuard was great at blocking out those annoying adverts).
Personally I now use Black Ice and ZoneAlarm "both at the same time" * Black Ice because of its reliability (and reasonable cost) and Zone Alarm because it's free, and blocks your outgoing ports which Black Ice does not. Together and programmed properly (ZoneAlarm, especially) they do make a formidable team.

As an extra I use StealthLogger (It's a Key Logger and activity generator) which compiles an account of everything that happens to my computer, what I type, what programs are in use etc. (A great file to back-up in case of crashes). It also has the facility to covertly email what I have done to any email address I choose, although I don't use that facility on my computer - but of course it could be useful. (Yes there are other programs that can do the same and catch pictures of the screen but, this one is so small it's virtually unnoticeable).

Reading between the lines - - Black Ice would not pick up the actions of StealthLogger - but ZoneAlarm would as it protects both the receiving and 'sending' through modem ports. StealthLogger, well, enough said...

Best Regards - Happy Computing - Ian.

PS: * Whenever you install a program 'ALWAYS' close down everything else, then shut down and reboot. This avoids program conflicts later (crashes) between their operating files.

1231 From: James M. Atkinson, Comm-Eng Date: Wed Aug 16, 2000 9:55am Subject: Stalker Thread, NY Man Arrested For Threatening Lieberman

Good Morning,

In private sector TSCM we occasionally have to deal with "raving lunatics and crackpots with stalker mentalities". Due to this I thought the following article would be of interest to the list.

I would also like to suggest that the list discuss how to deal with such problems, how to handle "techno-stalkers" and review services and advice that we can offer our clients to counter the misuse of technology against them.
On the one hand we may have a client (a CEO for a Fortune 500 firm) who wants their cat swept for "Implanted Orgonian Tracking and Surveillance Devices" who really needs to get therapy (God bless the X-Files).

On the other hand we may have an attorney contact us who is being stalked by an ex-client who has bugged their phones and is constantly following and terrorizing them.

-jma

===========================================================

NY Man Arrested For Threatening Lieberman

http://news.excite.com/news/r/000815/17/campaign-lieberman-threat

Updated 5:52 PM ET August 15, 2000

By Gail Appleson, Law Correspondent

NEW YORK (Reuters) - A 23-year-old New York man was placed under house arrest Tuesday on charges that he made a death threat to Sen. Joseph Lieberman, the Democratic vice presidential choice, during the Howard Stern radio talk show.

Lawrence Christian Franco, who works in the paper distribution department at Newsday in Long Island, was arrested late Monday night by the Secret Service at his Farmingdale home. He was arraigned in Brooklyn federal court Tuesday afternoon.

A federal magistrate judge placed him under house arrest, ordered him to wear an electronic monitoring bracelet and undergo a psychiatric examination. The magistrate also barred Franco from using the phone without the permission of his father, with whom he lives.

If convicted of threatening to kill or inflict harm upon a major candidate for the office of vice president, Franco faces up to three years in prison.

According to court papers, Franco had called the Howard Stern show at about 6:25 a.m. Monday and identified himself as "Nazarene." After an assistant screened Franco's call, he was allowed to go on the air and allegedly threatened to kill or harm Lieberman.

Court papers said that Franco allegedly said that he "hates that Jesus crap. So that Lieberman guy has gonna go. He is gonna take my bullet. He's going to take it."
When Stern asked Franco whether he was threatening Lieberman, Franco replied that he was "not threatening, I'm telling you right now. ... You got the killer on the air. ... And that is me right here."

Stern told Franco that when callers make inflammatory statements that appear to be threats, law enforcement authorities take the comments seriously. Stern then told Franco that if he was joking, he should say so.

Instead of apologizing, Franco then allegedly made additional threats against Lieberman and law enforcement in general. "I hate church. I hate churchgoers. I hate them all," he allegedly said.

When Stern warned him that the FBI might come to his door, Franco allegedly responded "I'll kill them, I'll kill them all." He allegedly repeatedly said he was not joking and would have "guns out the window" if the FBI came to his home.

The Secret Service traced the call, which lasted about five minutes, and determined that it came from Franco's home. Court papers said the occupants of the home allowed them to search Franco's room where they found a pellet gun.

When Secret Service agents located Franco, he allegedly admitted making the call and said he had chosen Lieberman as a target because the Connecticut Senator had been a popular topic on the Howard Stern Show.

Lieberman, who was named by Al Gore last week as his vice presidential running mate, is an Orthodox Jew. He came to national prominence in September 1998 when he was the first Democratic senator to denounce President Clinton's affair with White House intern Monica Lewinsky as morally wrong. However, Lieberman voted against impeachment.

He has also been an outspoken critic of the entertainment industry for years and Tuesday he lashed out at Hollywood for promoting sex and violence on screen.

===================================================================
Everybody's into computers... Who's into yours?
===================================================================
James M. Atkinson            Phone: (978) 546-3803
Granite Island Group         Fax: (978) 546-9467
127 Eastern Avenue #291      http://www.tscm.com/
Gloucester, MA 01931-8008    jmatk@t...
===================================================================
Lizard, The Other White Meat
===================================================================