I've always found TEMPEST related topics to be interesting. Here's a released NSA article from the 70s on the subject. It's a bit heavily redacted yet, but there are still some good bits:

http://www.nsa.gov/public_info/_files/cryptologic_spectrum/tempest.pdf

You would be surprised at the number of people I come across that think TEMPEST is a myth or purely the realm of TV. I work for a company that does TEMPEST testing and RF security consulting. TEMPEST isn't really an issue for most people or even most companies, but in certain situations is worth being aware of. Carrying out a TEMPEST attack is not as complicated as most people assume. The difficulty is in large measure proportional to the distance from the device you are attacking. Imagine a shared office space where the attackers can rent office space immediatly adjacent to the intended target. That being said I think TEMPEST is still very unlikely to be the first or only avenue of security attack in any situation.

Depends on the environment I suppose. I've seen some recent work in grabbing signals from wired keyboards with a fairly minimal setup. Sneaking minimal equipment like that into a storage closet for a day or two may be far less risky than bribing a janitor who might get a guilty conscience later on.

if i'm already close enough to stick equipment in a storage room or in the room why wouldnt you just take the CPU or install a keylogger or boot into linux and take the data?  There are of course reasons why those wouldnt work.  My point is that any kind of sexy tempest way of doing it is probably much more trouble and money than just doing it the "old fashioned way"

Chris-G, I'm with Jason on this one.  If all you need is some data (and you're sure you only need it once) then your approach works.  If you need continued access to an ongoing stream of information, then you should look at making sure the target thinks their security is adequate.

This being the ethical hacker forums, I'm sure someone is asking why not just hack in?  Maybe the box is no-network.  Maybe having the target increase it's security posture is just unacceptable.  Maybe you're a foreign government/competing corporation and your fingerprints just can't be on this one bit.  In that case moving to a completely passive attack such as TEMPEST may be the way to go.  Unless you are caught in the act (but how would this happen if you rent the office next door as in the scenario above), the target will never know it is under attack.  No IDS can protect you from a passive attack.

Sure, you could do that, or you could enclose the whole office in a faraday cage.  Neither is particularly cost effective or practical (as you noted) so nobody (short of spy agencies and really paranoid people) take such measures.  This makes a TEMPEST attack particularly effective when all else fails.

I believe that intelligence agencies and military routinely surround sensitive areas in faraday type construction.   

On a side, but related note, I remember sitting at a cell forensics course.  We had stuck one of our phones in a faraday bag prior to imaging it.   Lo and behold, the thing actually rang with an incoming call.   FAIL.