Re: [PLUG] Password guessing with a microphone

2024-01-12 Thread Ted Mittelstaedt
The first one is a known issue which is why professional image modifiers will
run their modded images through an analog stage (take a picture of the
screen with a film camera then scan the developed picture).

The second one is pure bullcrap.  That story is a modification of a story
from the spy vs spy genre.  That story is that some spy in the German
office who was a secretary learned how to type in Morse code patterns, so
they would type out German secret documents for the German high command and
while they were typing the noise of their typing was transmitting Morse code
of those documents to an off hook phone that was on a call to an accomplice.

That story was a modification of the actual reality, documented here:

 https://people.duke.edu/~ng46/collections/crypto-underwood.htm

I guess the AI proponents are so desperate for people to believe that AI is
the greatest thing since sliced bread they will invent anything.

AI in computing is just another Microsoft Bob.  In 5 years it will have some
solid niche applications but everyone will be laughing at the current ideas
of AI putting us all out of work and most of the AI dumped into the next
version of Windows will have been deprecated as being worthless.

Ted

-Original Message-
From: PLUG  On Behalf Of Keith Lofstrom
Sent: Thursday, January 11, 2024 2:52 PM
To: plug@lists.pdxlinux.org
Subject: [PLUG] Password guessing with a microphone

This shades towards plug-talk, except that it specifically involves how we
configure and use our Linux computers.



I use keyboards with clicky keys, sometimes in the same room as devices with
microphones. 

I read the mostly excellent "A History of Fake Things on the Internet" by
Walter Scheirer, 2024 Stanford University Press, reminding me that
everything we do leaks information.

The book points out that every pixel on a specific digital camera imager has
a different offset and gain - when you post two photos, the pixel field can
be analyzed to show they come from the same imager, even if cropped or
modified in GIMP.  The techniques can easily detect image tinkering.

I was surprised to discover that the citation trail leads to a paper I wrote
for an integrated circuit conference, decades ago (with a zillion cites,
I've earned tenure if I want it). 

All your web photos are belong to us.

---

Anyway, physical keyboard keys will also have these small variances, but
mostly, so does your individual typing style.
A computer microphone hearing me type this would notice a lot of backspaces;
I type somewhat spastically.

After listening to a large enough corpus of typing, and RECORDING ALL OF IT,
and ANALYZING THE HELL OUT OF IT, a smart-enough AI-like program could make
some accurate guesses of what specific keys I am typing. 

Also what keys I ALREADY typed in past sound recordings, perhaps YEARS ago,
with a long-enough audio recording file.

Including the SPECIFIC key sequences that I type entering passwords.  Some
websites and apps require that frequently.
MANY training opportunities for a clever program hooked up to a microphone,
perhaps a parabolic dish microphone blocks away, pointed at the outside
window of my office.

I just added some sound damping to that window. 

Yes, I've changed my passwords, but not the brain that remembers them and
the hands that type them; my mind and muscles follow patterns that can
vastly narrow down the brute force search space for a password that works.  

The passwords may be machine-generated random strings; my small hesitancies
and mistakes while typing a random string will also show up in an audio
record.  Bracketed by my grumbles: "type my password AGAIN???"

Typical phone conversations are less than 10 kilobits per second compressed
(with pauses); for a 2000 hour work-year, 10% typing time, that is less than
a gigabyte per year.  With SSDs costing $30 per terabyte recently, that is 3
cents a year per target.  Stored forever.

The surveillance microphone will cost a lot more, but mass-produced
electronics can be cheap as well. 
If the "microphone" is a hack on your smart phone, perhaps government
sponsored ...

... well, time to respond with "can't happen here" or "why would they target
me" or "xkcd/538 Security pipe wrench", but then, that's what THEY want you
to think.

It is amusing that some prefer that we waste our paranoia on the poor and
the foreign and the sexually different.
Or on the agro-Americans who suffer those sad paranoias.
But then, that's what THEY want you to think.

Sweet dreams!

Keith L.

-- 
Keith Lofstrom  kei...@keithl.com



[PLUG] Password guessing with a microphone

2024-01-11 Thread Keith Lofstrom
This shades towards plug-talk, except that it specifically
involves how we configure and use our Linux computers.



I use keyboards with clicky keys, sometimes in the same
room as devices with microphones. 

I read the mostly excellent "A History of Fake Things on
the Internet" by Walter Scheirer, 2024 Stanford University
Press, reminding me that everything we do leaks information.

The book points out that every pixel on a specific digital
camera imager has a different offset and gain - when you
post two photos, the pixel field can be analyzed to show
they come from the same imager, even if cropped or modified
in GIMP.  The techniques can easily detect image tinkering.

I was surprised to discover that the citation trail leads
to a paper I wrote for an integrated circuit conference,
decades ago (with a zillion cites, I've earned tenure if
I want it). 

All your web photos are belong to us.

---

Anyway, physical keyboard keys will also have these small 
variances, but mostly, so does your individual typing style.
A computer microphone hearing me type this would notice a
lot of backspaces; I type somewhat spastically.

After listening to a large enough corpus of typing, and
RECORDING ALL OF IT, and ANALYZING THE HELL OUT OF IT,
a smart-enough AI-like program could make some accurate
guesses of what specific keys I am typing. 

Also what keys I ALREADY typed in past sound recordings,
perhaps YEARS ago, with a long-enough audio recording file.

Including the SPECIFIC key sequences that I type entering
passwords.  Some websites and apps require that frequently.
MANY training opportunities for a clever program hooked up
to a microphone, perhaps a parabolic dish microphone
blocks away, pointed at the outside window of my office.

I just added some sound damping to that window. 

Yes, I've changed my passwords, but not the brain that
remembers them and the hands that type them; my mind and
muscles follow patterns that can vastly narrow down the
brute force search space for a password that works.  

The passwords may be machine-generated random strings;
my small hesitancies and mistakes while typing a random
string will also show up in an audio record.  Bracketed
by my grumbles: "type my password AGAIN???"

Typical phone conversations are less than 10 kilobits
per second compressed (with pauses); for a 2000 hour
work-year, 10% typing time, that is less than a gigabyte
per year.  With SSDs costing $30 per terabyte recently,
that is 3 cents a year per target.  Stored forever.

The surveillance microphone will cost a lot more,
but mass-produced electronics can be cheap as well. 
If the "microphone" is a hack on your smart phone,
perhaps government sponsored ...

... well, time to respond with "can't happen here" or
"why would they target me" or "xkcd/538 Security pipe
wrench", but then, that's what THEY want you to think.

It is amusing that some prefer that we waste our paranoia
on the poor and the foreign and the sexually different.
Or on the agro-Americans who suffer those sad paranoias.
But then, that's what THEY want you to think.

Sweet dreams!

Keith L.

-- 
Keith Lofstrom  kei...@keithl.com