On 9/15/05, Kirk McLoren <[EMAIL PROTECTED]> wrote:
Average person has no idea of how they have no security.
--Kirk
http://www.cs.berkeley.edu/~tygar/papers/Keyboard_Acoustic_Emanations_Revisited/preprint.pdf The link leads to a PDF full-text file of a research paper:
"Keyboard Acoustic Emanations Revisited
Li Zhuang, Feng Zhou, J. D. Tygar
University of California, Berkeley
{zl,zf,[EMAIL PROTECTED]
ABSTRACT
We examine the problem of keyboard acoustic emanations. We
present a novel attack taking as input a 10-minute sound recording
of a user typing English text using a keyboard, and then recovering
up to 96% of typed characters. There is no need for a labeled
training recording. Moreover the recognizer bootstrapped this way
can even recognize random text such as passwords: In our experiments,
90% of 5-character random passwords using only letters can
be generated in fewer than 20 attempts by an adversary; 80% of 10-
character passwords can be generated in fewer than 75 attempts.
Our attack uses the statistical constraints of the underlying content,
English language, to reconstruct text from sound recordings
without any labeled training data. The attack uses a combination
of standard machine learning and speech recognition techniques,
including cepstrum features, Hidden Markov Models, linear classi-
fication, and feedback-based incremental learning."
Kirk, the "Average Person" has nothing to fear from this kind of
attack. The computers and users which might be subject to an attack of
this complexity are far from average. That kind of target,
probably supported by intelligence and encryption professionals*, is
not likely to be in a situation where high quality sound recordings can
be collected from the keyboard over long sessions of typing.
You are correct in saying that the "Average Person" has no security.
But the "average" target is subject to much simpler attacks,
because of these sorts of vulnerabilities (more or less in order of
ease of attack):
Social engineering
Low quality passwords
Poor network habits, e.g. using misconfigured or untrustworthy
browsers and mail tools, surfing to untrusted sites, identical passwords on many
sites, opening junk mail, opening mail attachments, trusting phish
mail,
Physical access to target system
Vulnerable targets, e.g. all variants of Windows, Mac OS9 and earlier, poorly administered Unix and Linux systems.
Poor encryption techniques, e.g. WEP, SMS, and A5
http://www.google.com/search?q=WEP+encryption+flawed&btnG=Search
http://www.google.com/search?q=GSM+encryption+flaws&btnG=Search
This list is hardly complete. I just wanted to stress that adequate
risk assessment is always the first step in any kind of security
effort, whether it's for personal security or national security.**
taryn
<http://ornae.com/>
*Granted this is often an oxymoron.
**The complete indifference to, lack of, and/or failure of, risk assessment may be the
single most infuriating feature of the current administration. Billions
spent chasing straw men as our infrastructure crumbles.
___
Biofuel mailing list
Biofuel@sustainablelists.org
http://sustainablelists.org/mailman/listinfo/biofuel_sustainablelists.org
Biofuel at Journey to Forever:
http://journeytoforever.org/biofuel.html
Search the combined Biofuel and Biofuels-biz list archives (50,000 messages):
http://www.mail-archive.com/biofuel@sustainablelists.org/
