IBM 5170 TEMPEST variant

Last Updated on January 22, 2024 by Dave Farquhar

I had an inquiry recently regarding the Tempest version of the IBM 5170, also known as the IBM 4459. The IBM 5170 Tempest variant was a version of the conventional IBM PC/AT designed for sensitive environments. It is more of a curiosity today, and there are good reasons why it is rare.

Having spent part of my career in the type of environment where this machine would have been used, I can elaborate on some of its design, and why it was built the way that it was. I may also be able to give some insight into why not many of these devices survive today.

What Tempest was

The IBM 4459, also known as the IBM 5170 Tempest, resembles a regular 5170 but the case is bigger and thicker.

Tempest was a study of the emissions from a computer. I was aware of this problem in the 1990s, long before I even heard the term. The idea was that with specialized equipment, it was possible to sit in a parking lot outside a building, point the equipment in a certain direction, and view what was on a computer screen inside the building.

But it gets worse than that. While CRT monitors were the worst offender when it came to leaking data over the air, it was, and still is, possible to recover the contents of memory with the right equipment, if you can get in close enough proximity.

NSA’s Orange Book, part of the legendary rainbow series, covered TEMPEST, among other early computer security issues. I studied for CISSP long enough ago that the rainbow series was covered in my study materials. There was also a reference to the rainbow series in the movie Hackers. The IBM 4459 was designed to meet Orange Book standards.

How we handle Tempest in modern times

In my government contracting days, periodically someone would come into my cubicle with a tape measure and measure the distance between the two computers I used. If the computers weren’t 2 meters apart I had to shut everything down, rearrange them, and I might face disciplinary action. The only leniency I had was that I could probably get by with 6.5 feet Freedom Units.

My cubicle was sometimes small enough that the only way I could comply was by keeping one computer on the desk and one computer on the floor, on opposite sides of the cubicle.

In the data center, certain computers had to also be 2 meters apart, and that’s part of the reason the floor tiles were the size they were. We would designate what kinds of computers were permitted in each row. Racks that stood back to back to each other had to have the same designation. The idea was that any leakage that could happen in between computers would be of the same data classification. Any data that bled would be data that you could get by other means anyway. We called the classified network the high side and the unclassified network the low side.

We also factored the type of information a system processed as part of its life cycle management. If a system had ever processed classified information, we couldn’t repurpose it on an unclassified network. I also couldn’t use parts from a decommissioned classified system to repair an unclassified system. So if I had a bad RAM module and needed to replace it in a hurry, I had to use a memory module from another unclassified system. Could you use parts from an unclassified system in a classified system? It’s best not to even ask such questions.

Some of the rules were probably a bit different in the 80s and 90s, and the rules may be a bit different now. It’s been a decade-plus since I worked in this world. But this helps us understand the IBM 5170 Tempest variant. The mindset is consistent, even as practices change somewhat.

Why they don’t make Tempest variants today

For the last several decades, and presumably even today, we handle the problem with distance. The reason for that is the lack of systems like the IBM 5170 Tempest today. These rules involving distance and what parts we can mix allow us to process classified information with off-the-shelf equipment. Yes, the same equipment your company uses in its data center may very well also exist in government data centers processing classified information. And that’s okay, as long as everyone follows the precautions.

It’s also likely that physical security measures we took after 9/11 had the indirect effect of benefiting TEMPEST. You just can’t get as close to buildings that process classified information now as you could in the 1980s, especially if you’re carrying anything that looks suspicious.

The IBM 5170 Tempest variant is a relic from another time. A time when we didn’t have these guidelines, so the goal was to prevent the emissions in the first place.

IBM 5170 Tempest versus standard PC/AT

The civilian version of the IBM 5170 bore some resemblance to the hardened IBM 4459 Tempest version. But the case was thinner and shorter.

The major difference between the Tempest variant and the one ordinary civilians could buy and use was the case. The case on the Tempest variant was considerably thicker. Not that the standard 5170 was any slouch, but the Tempest variant was even more of a tank. The metal was an eighth of an inch thick. But there was a regular 5170 motherboard inside.

The connectors were also different in an effort to minimize opportunities for emissions to bleed data.

Most critically, the monitor was special. The monitor also came in a thick metal enclosure to minimize RF emissions. Even fewer of the monitors survive today than the IBM 4459 system units.

Use of removable media in the IBM 5170 Tempest

The other special feature of the 5170 Tempest variant was its use of a removable cartridge rather than a conventional hard drive. This allowed users to remove the classified data from the machine and lock it in a safe during non-working hours. The room itself was secure. But in the event that someone got in, the classified data was locked in a safe. An intruder couldn’t get at the data without the combination to the safe, in addition to a valid login on the classified system.

So in the event that you find a 5170 Tempest variant, if it still has the removable drive in it, it probably will not have the cartridge in it. The cartridge would have been destroyed decades ago.

Why the IBM 5170 Tempest is rare

The 5170 Tempest is a rare beast for more than one reason. There were a lot fewer of them made. And the disposal process would have been different than for a run-of-the-mill corporate PC. More 5170s than we’ll ever know escaped corporate life via employees. Corporations simply gave them to employees, or sold them to employees cheaply, because that was the most efficient way to get rid of unwanted systems in the 1990s once their useful corporate life was over.

But that doesn’t fly in the government. Tax money paid for that, so government computing assets are always accounted for. It’s almost a given that private sector companies do not have a complete inventory of what computers they own and where they reside. In government, that is a ridiculous concept. Someone has the full history of every system recorded somewhere. Or they are supposed to. Annual audits take place to make sure those histories are complete, and to correct the problem when one doesn’t exist. That’s one of the major things that prevent government-owned systems from going home with employees.

Any 5170 that was disposed of as government surplus went through a process to do so. And it may have gone through the disposal process more than once. There is a good chance the government sold it to someone authorized to process equipment that once handled classified information, who performed any necessary repairs and sold it back to another government agency that still used that type of equipment. And only when there was no government agency expressing a need for that kind of equipment anymore did it get a chance to fall into civilian hands.

The IBM 4459 and Computer Reset

This 1993 snippet from a Computer Reset catalog offered various IBM 5170s for sale, including the Tempest version.

In the 1990s, a few such systems did indeed fall into civilian hands. I found some listed for sale in some scans of 1990s Computer Reset catalogs. Computer Reset was a legendary used computer store in Dallas that sold used and surplus computers at a discount. It was the same place where some IBM 7496 prototypes surfaced. In their catalogs, they described the systems as a spy-proof relic of the Cold War.

In a way they were. They absolutely dated to that time. But the precautions didn’t go away with the Cold War. The Soviets weren’t the only country spying on us. And they never were. Even close allies spy on one another.

But I would hesitate to call the IBM 4459 or 5170-Tempest spy proof. Spy resistant, sure. Any competent security professional will tell you there is no perfect security, and the best you can hope for is acceptable risk. But maybe in the 80s and 90s, we thought IBM 4459s were spy proof.

Why it’s possible some IBM 4459 units were destroyed

It is entirely possible that some IBM 5170 Tempest systems were destroyed rather than resold. You probably learned in your first computer class in school that RAM erases when you turn a computer off. It turns out that is an oversimplification. The contents of RAM degrade very quickly if they don’t have power, but they don’t erase immediately. If you take certain precautions right away, you can preserve the contents of RAM even on a powered down system. Law enforcement takes advantage of this sometimes. I presume spies do too.

In my government contracting days, when we got a new printer, we couldn’t just haul off the old printer for corporate-style recycling. I had to take the printer apart and remove the memory modules. Then we shredded the memory modules, Oliver North style. In theory, degraded bits and pieces of the last few documents the printer printed still resided in those memory modules. And shredding those memory modules was cheaper than trying to find out what sensitive information they might still contain.

I don’t know what the rules were in the early 90s, but it is entirely possible that when a Tempest variant of a 5170 was disposed of, someone had to pry off all of the memory chips. Or they may have taken the whole motherboard.

These rules have changed over time. There was a time when overwriting data seven times was sufficient, but today, physical destruction of not just storage but also RAM is the only way to comply with the letter of the law.


5 thoughts on “IBM 5170 TEMPEST variant”

  • July 2, 2023 at 4:19 pm

    I just saw an IBM PS/2 Model ’50T’ at VCFSW – of course more hardened than a 7541/7542 (the rack-mount industrial model with a 50Z planar in it) – Time to review a couple of pictures I took of it.

    • July 3, 2023 at 12:37 pm

      That makes me wonder how long IBM made TEMPEST variants of its machines now!

  • July 5, 2023 at 6:25 am

    Experienced this first hand as a government worker. Realize, this is but the first layer of protection (tempest computer), many other layers on top of that were implemented.

  • July 6, 2023 at 6:43 pm

    I was doing Orange Book validated systems not long after this was made (in the ‘386 era). We took (mostly) standard COTS PCs and workstations and had a contract shop that constructed TEMPEST cabinets for each type. Not nearly as cool, but probably cheaper.

    • July 8, 2023 at 1:44 pm

      Orange book! I’m from the generation of CISSPs who didn’t have any rainbow series questions on the exam, but we still covered them in class. I need to add a reference to Orange Book in the blog post, thanks for reminding me of those.

      And I agree, contract-manufactured TEMPEST cabinets probably were cheaper, though less cool.
