• Three Questions of Effectiveness

    From warmfuzzy@700:100/0 to All on Tue May 21 06:41:53 2019
    These following three things have been in my mind for some time now. Are
    they still effective or are they not?

    1. TEMPEST Hacking
    2. Encryption, Traditional
    3. Closed-Source Software

    TEMPEST is the use of signal emissions from electronics to be able to see computer screens at a distance by reconstructing those emissions to reconstruct the images on the screen.

    TRADITIONAL ENCRYPTION is public and symmetric encryption methods, one using a shared key and the other using a secret key. With the advent of the first commercially produced quantum computer from IBM this past year, do we have to reconsider our use of traditional cryptographic methods?

    CLOSED-SOURCE SOFTWARE is non-peer-reviewed software that tries to implement security by the use of obscurity. It's true that it's difficult to reverse-engineer software, but it certainly can be done with an interactive disassembler.

    So ... effective or pooched? What's the word?

    -warmfuzzy

    --- Mystic BBS v1.12 A39 2018/04/21 (Linux/64)
    * Origin: Sp00knet Master Hub [PHATstar] (700:100/0)
  • From mug@700:100/33 to warmfuzzy on Tue Mar 3 21:20:38 2020
    TEMPEST is the use of signal emissions from electronics to be able to see computer screens at a distance by reconstructing those emissions to reconstruct the images on the screen.

    Situational awareness includes the presence of physical attack vectors. As you'll probably see me repeat a couple times in this reply, it's all about awareness of your exposures (vulnerabilities) and what you choose to do about them to protect yourself (mitigations). Consider the capabilities of the threat actors you're concerned with.

    For example, is there broadly available software that implements TEMPEST methodologies? If yes, and if your devices are in a location physically accessible by a sufficiently large community of people with the intent and means to attack you, then you've got something to worry about.

    I'd say TEMPEST attacks are in a category Bruce Schneier would describe as a "movie plot" threat. I'm just being realistic. I don't know who your adversaries are, so I can't discuss your risks with certainty, but when I consider my own and those of my employer, this is how I look at it. What are the probable capabilities of our probable adversaries and will they enjoy the frequency of contact needed to successfully exploit in this way?

    TRADITIONAL ENCRYPTION is public and symmetric encryption methods, one using a shared key and the other using a secret key. With the advent of the first commercially produced quantum computer from IBM this past year, do we have to reconsider our use of traditional cryptographic methods?

    Do your adversaries have the funds to procure and operate a quantum computer using methods that, to my knowledge, are not yet practical outside highly specialized lab environments?

    Are you *already* using crypto ciphers that provide "perfect forward secrecy" and using sufficiently large key material? If you're not staying on top of crypto now, it's premature to worry about what's on the horizon, since you already have problems you can deal with that you're not.

    You could do worse than to assume all communications are being recorded by several entities, and that someday the technology will exist (if it doesn't already) to decrypt those communications. Your objective should be to take economically relevant measures to assure that the information is least valuable to those entities by the time the information is decrypted.

    CLOSED-SOURCE SOFTWARE is non-peer-reviewed software that tries to implement security by the use of obscurity. It's true that it's difficult to reverse-engineer software, but it certainly can be done with an interactive disassembler.

    In my opinion the more independent analysis of software, the more trustworthy it can be said to be. Closed source implies less review, certainly less independent review, and thus less trustworthy.

    Then again, I've been shocked and let down before. When Heartbleed was announced (see heartbleed.com) I was professionally crushed because its discovery flew in the face of my belief that widely used and reviewed open source software is always more trustworthy than closed source software. However, then I realized open source isn't perfect, nor are those who review it. But the more open and visible, the greater the chance of discovery and remediation.

    --- Mystic BBS v1.12 A44 2020/02/04 (Linux/64)
    * Origin: The Bottomless Abyss BBS * bbs.bottomlessabyss.net (700:100/33)
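    Added worked example (not part of either post above, and not code from Mystic BBS or any project named in the thread) showing what mug's "perfect forward secrecy" question and the "assume everything is recorded and decrypted later" advice mean in practice. It contrasts Diffie-Hellman with reused long-term keys against Diffie-Hellman with fresh per-session keys, then simulates an adversary who recorded the handshake and later obtains both long-term private keys. Assumptions: the 2048-bit MODP group 14 from RFC 3526 (transcribed here and re-checked at runtime), an HMAC-SHA256 extract-and-expand step standing in for a real KDF, and no signatures (the long-term public keys are only bound into the transcript). Everything runs with the Python standard library; it is a teaching model, not a drop-in protocol.

```python
"""Static DH vs ephemeral DH: why forward secrecy limits 'record now, decrypt later'."""
import hashlib
import hmac
import secrets

# 2048-bit MODP group 14 from RFC 3526 (generator 2), transcribed here;
# group_is_safe_prime() re-checks it so a transcription slip cannot pass silently.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
G = 2
Q = (P - 1) // 2   # prime order of the subgroup generated by G
NBYTES = 256       # 2048 bits, used for fixed-width encoding of group elements


def is_probable_prime(n, bases=(2, 3, 5, 7, 11, 13)):
    """Miller-Rabin with fixed small bases: a sanity check, not a proof."""
    if n < 2:
        return False
    for b in bases:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def group_is_safe_prime():
    """P and (P-1)/2 prime, 2048 bits, and P = 7 mod 8 so G = 2 has order Q."""
    return (P.bit_length() == 2048 and P % 8 == 7
            and is_probable_prime(P) and is_probable_prime(Q))


def keygen():
    """Private exponent in [2, Q) and its public value G^x mod P."""
    priv = secrets.randbelow(Q - 2) + 2
    return priv, pow(G, priv, P)


def shared_secret(priv, peer_pub):
    """DH secret; rejects out-of-range values and values outside the Q-order subgroup."""
    if not 1 < peer_pub < P - 1 or pow(peer_pub, Q, P) != 1:
        raise ValueError("invalid peer public value")
    return pow(peer_pub, priv, P)


def derive_key(secret, transcript):
    """HKDF-style extract-then-expand: key depends on the DH secret and the transcript."""
    prk = hmac.new(b"pfs-demo-salt", secret.to_bytes(NBYTES, "big"), hashlib.sha256).digest()
    return hmac.new(prk, transcript + b"\x01", hashlib.sha256).digest()


def encode(*pubs):
    return b"".join(p.to_bytes(NBYTES, "big") for p in pubs)


def static_session(priv_a, pub_a, priv_b, pub_b):
    """Both sides reuse long-term keys: the same secret every session, no forward secrecy."""
    t = encode(pub_a, pub_b)
    k_a = derive_key(shared_secret(priv_a, pub_b), t)
    k_b = derive_key(shared_secret(priv_b, pub_a), t)
    assert k_a == k_b
    return k_a, t


def ephemeral_session(pub_a, pub_b):
    """Fresh key pairs per session; long-term public keys only enter the transcript.
    The ephemeral exponents go out of scope on return, so nothing that survives
    the session (recorded traffic, long-term keys) can recompute the key."""
    ea_priv, ea_pub = keygen()
    eb_priv, eb_pub = keygen()
    t = encode(pub_a, pub_b, ea_pub, eb_pub)
    k_a = derive_key(shared_secret(ea_priv, eb_pub), t)
    k_b = derive_key(shared_secret(eb_priv, ea_pub), t)
    assert k_a == k_b
    return k_a, t


def recover_later(priv_a, pub_b, t):
    """Best effort of someone holding a recorded transcript plus long-term private keys."""
    return derive_key(shared_secret(priv_a, pub_b), t)


def demo():
    """Two sessions of each kind, then an after-the-fact compromise of the long-term keys."""
    a_priv, a_pub = keygen()
    b_priv, b_pub = keygen()
    s1, t_s = static_session(a_priv, a_pub, b_priv, b_pub)
    s2, _ = static_session(a_priv, a_pub, b_priv, b_pub)
    e1, t_e = ephemeral_session(a_pub, b_pub)
    e2, _ = ephemeral_session(a_pub, b_pub)
    return {
        "static_key_repeats": s1 == s2,
        "ephemeral_key_fresh": e1 != e2,
        "compromise_recovers_static": recover_later(a_priv, b_pub, t_s) == s1,
        "compromise_recovers_ephemeral": recover_later(a_priv, b_pub, t_e) == e1,
    }


if __name__ == "__main__":
    print("group ok:", group_is_safe_prime())
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

    The two "compromise_recovers_*" results are the point of mug's advice: with reused keys, every recorded session falls the moment the long-term key leaks, whereas with per-session keys the recording is worthless unless the adversary also breaks the key exchange itself. The group and subgroup checks are the "sufficiently large key material" half of the same question; a real deployment would use a vetted library and an authenticated exchange rather than this model.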