More info
Just read the article - thanks Vulture South!
The presentation deck with youtube links is now online;
http://thruglassxfer.com/The%20TV%20people%3F%20Do%20you%20see%20them%3F%20-%20Kiwicon%202014%20-%20v1.0.pdf
And if you're in the region and you've never been then you've got to get yourself to the next Kiwicon, metlstorm put it best: "less like a security conference and more like a security variety show!" - brilliant.
Reading the comments ..
The primary use case here is off-shore partners (particularly) and also remote workers where the enterprise has no independant physical security controls. Controls in these physical environments tend to be derived from contractual relationships empowered through national regulatory frameworks and are penalty driven but require proactive detection.
Agree completely that we're talking baby stuff RE physical access but we are in the strange situation where enterprise routinely provides access to sensitive information on-shore, to un-trusted (or at best semi-trusted) users off-shore, on the basis that the regulatory frameworks (Data Protection/Privacy typically) believe that the data can't get through the glass at the far end. In the middle of all of this the actual physical security off-shore is typically paid by the off-shore party - like having the guy who cleans the crown jewels hire the security detail that ensures he doesn't nick 'em.
To address the thread questions I can see ..
HDMI port: You don't need a second display port, use the primary display port. I used the "second" in the video because it was a laptop. If you find that someone has glued/locked the cable into the port on the PC, check the back of the monitor, you can unplug it there too .. otherwise you're back to cutting the cable or unscrewing the screen.
HDCP: I haven't looked into a solution for HDCP, but I don't see it as unsolveable.
Black text on White BG: Because of the raw nature of the OCR process that I used, I considered inverting it in the decoder but it's a PoC so, meh.
USB or not: clientlessTGXf does not require an Arduino USB device to be connected to the End-User-Compute device. I used one in the video because I'd be a sadistic bastard to make everyone sit through the pain of watching me type it .. lol
GoPro: Yes, but the risks are always minimised based on data reconstruction effort. The experiment here is to see where the argument goes when the entire process is point-n-click or plug-n-play.
Tempest: Yes, emissions attacks are too abstract apparently, hence the off-the-shelf kit. On the keyboard side, the advantage of being active in the signal is through-console networking (take a look at TCXf: http://thruglassxfer.com/TCXf-application-architecture.png).
Hexdump: When I get the web site updated with the source code published early next week you'll find that the OCR training was all (generator, images, arrays) sized for hexadecimal, specifically because I was going to use hexdump as the clientless generator. However I had too many recognition errors between [A4F] and [08B], so I simplified it to a binary encoding and implemented it in script (arguably more portable). Trust me when I say that I value my weekends too much to be re-inventing the world for no value.
But this one has to take the icon -- "I swear to all the Nameless Gods of Cthulhu's arsehole" .. ROFL.
Biting the hand that feeds IT
