Keyboard Sound Aids Password Cracking

stinerman writes "Three students at UC-Berkley used a 10 minute recording of a keyboard to recover 96% of the characters typed during the session. The article details that their methods did not require a 'training text' in order to calibrate the conversion algorithm as has been used previously. The research paper [PDF] notes that '90% of 5-character random passwords using only letters can be generated in fewer than 20 attempts by an adversary; 80% of 10-character passwords can be generated in fewer than 75 attempts.'"

My Luggage

[Valiss]

'90% of 5-character random passwords using only letters can be generated in fewer than 20 attempts by an adversary; 80% of 10-character passwords can be generated in fewer than 75 attempts.'

Looks like you're screwed because my luggage password is 5 digits long, but all digits are numbers in a sequential order starting with one. Ha ha!

Re:My Luggage

[loimprevisto]

What? 1,2,3,4,5? Only an moron would use that combination for their luggage!

Re:My Luggage

[Rick.C]

What? 1,2,3,4,5? Only an moron would use that combination for their luggage!

Shhhh! That's not the combination he set - that's the TSA's "back-door" combo.

Re:My Luggage

1 2 3 4 5? That's amazing! I've got the same combination on my luggage!

Sincerely,
President Skroob

Re:My Luggage

[notthe9]

Do you realize that there is only a 1 in 100000 chance of that! Astounding!

Re:My Luggage

[TheOldSchooler]

1 2 3 4 5? That's amazing! I've got the same combination on my luggage! Prepare Spaceball 1 for immediate departure!

Re:My Luggage

[BlakLanner]

And change the combination on my luggage!

Re:My Luggage

[isometrick]

I suspect it is (in reality) much higher than that, given the password/key/combo choosing standards of the general public.

Don't assume that each possibility is equally likely . :)

Re:My Luggage

Quick, jump, the joke is about to go over your head!!!

Re:My Luggage

[notthe9]

I suspect it is (in reality) much higher than that

You just don't get math. You see, you have 5 digits, each of which can be anything from 0-9. That's ten possibilities in each place. You have 1xxxx, 2xxxx, and so forth. Then each of those has ten possibilities in each place (11xxx, 12xxx... 21xxx...), giving 100. Follow this through, and you get 10000. Since 12345 is a single, unique 5 digit number it has one occurrence.

1 possibility out of the 10000. Quite simple, really.

Hope you've learned something.

Re:My Luggage

[Torontoman]

Yeah well my secret combo will be the last sequence you try!! Beat that!

Re:My Luggage

[John+Courtland]

You're missing a zero. 00000-99999 is 100,000 different combinations.

As an aside, the fact that a good Spaceballs joke can't survive even /. saddens me.

Re:My Luggage

You just don't get mathematics.

The possible combinations aren't evenly distributed. Some are more likely than others due to the way people choose numbers.

Re:My Luggage

[notthe9]

You're missing a zero. 00000-99999 is 100,000 different combinations.
D'oh! I said 100000 the first time (when I actually thought about 10^5.) This time I tried to use one more digit and came up quizically wrong.

Re:My Luggage

[Retric]

People use a non-random process when choosing passwords. Which is why dictionary attacks work.

Most people use important dates for 5 or 6 digit passwords. aka 5/15/72. or 12/12/04 ect

People also like 12345,54321 ect. Thus a simple dictionary of dates and the simple number patterns tend to crack a good percentage of numeric passwords much faster than a true random attack would. Which is why he might "suspect it is (in reality) much higher than that"

Re:My Luggage

[c0n0]

Actually, the number of combinations on any numeric system (in any base) is given by:

base ^ no. of digits

For example, on a base 2 system (binary), if you have only one digit you get 2^1 possible combinations, i.e. 2 (0 and 1).
On a decimal system (base 10), if you have 2 digits it'd be 10^2 = 100 (from 00 to 99).

Therefore, 12345 has 5 digits, assuming each one goes from 0 to 9 we can say that the possible number of combinations is 10^5 - 100,000.

On a side note, you quoted just part of his sentence and took it out of context.

He said:

I suspect it is (in reality) much higher than that, given the password/key/combo choosing standards of the general public.

so there's a whole chunk of sentence after the comma that you (conveniently) forgot/ignored.

He was trying to say that not all numbers should have the same weight the same, because eventhough in theory there's equal chance of any combination getting picked by anybody, the reality probably is that most of the time people will go with a popular combination such as 12345, 00000, 11111, etc, so the likelyhood of such numbers being picked is higher

So basically you:

-took something out of context only to attack someone
-just don't 'get math'
-showed a great example on how can 'quite simple' sometimes can be 'quite difficult'.

Re:My Luggage

[c0n0]

by 10^5 - 100,000 I meant 10^5 = 100,000, sorry for the typo

Re:My Luggage

[HateBreeder]

Man, you're pathetic.

You didn't even read his post, yet you flame him.

Since reading isn't your strong side and you obviously don't get math, let me help you out here.

Note the last line of the parent's post:
"Don't assume that each possibility is equally likely . :)"

Which means, in even simpler terms, that you can't assume that the probability for a specific combination of numbers is 1 / "Number of possible combinations".

I'm giving you credit here by assuming that you know "why" each possibility isn't equally likely... but maybe that's a far stretch when it comes to you.

I hope you learned something.

Re:My Luggage

[notthe9]

Dude, no need to get all up ons, y'know.

You just can't argue with the math to the e to the mat to the ics if you's know what I mean.

Redbox for keyboards now?

[otomoton]

Does this mean that instead of keystroke loggers, spyware is now going to monitor our microphone input? This almost sounds like something out of a bad 80's movie.

Re:Redbox for keyboards now?

[o7400]

That's it. From now on, whenever I'm typing a password I'm going to scream at the top of my lungs. How about that stopid password stealers!?

Re:Redbox for keyboards now?

[TripMaster+Monkey]

Spyware attempting to hash out your keystrokes by listening to the keypresses instead of grabbing the strokes directly is a bit like a person trying to enjoy music by watching the equalizer lights flicker instead of using the speakers.

Re:Redbox for keyboards now?

[Enigma_Man]

That's exactly what this article is about though... They can get your keystrokes with 96% accuracy just by listening to them over a period of time.

So, theoretically, yes; malware could listen to microphone input of you typing and work it backwards into key logging. If spyware's already on your system though, it'd be easier just to log the keys in the system. But you could figure out what someone else is typing just by recording it.

-Jesse

Re:Redbox for keyboards now?

[Daniel_Staal]

...like a person trying to enjoy music by watching the equalizer lights flicker instead of using the speakers.

Hey, I've done that! It's a great exercize for increasing the pattern-matching ablities of your brain! You have no idea how good it feels when you finally 'hear' the music just by watching the lights...

(Well, at least I think so.)

Re:Redbox for keyboards now?

[TheViciousOverWind]

You have no idea how good it feels when you finally 'hear' the music just by watching the lights...

Why don't you volunteer for a charity? It sounds like you have enough time on your hands to save the world singlehandedly.

Re:Redbox for keyboards now?

[X0563511]

and then the'll just use a notch filter and take the human vocal range out, leaving plenty of low and high freq sounds to play with.

Re:Redbox for keyboards now?

[cei]

Well, I've heard about a guy who was pretty severely colorblind who could color-correct photos in Photoshop by the numbers and come up with better results than those who didn't share his impairment. It's interesting to me when meta content becomes content in its own right... if the lights of the EQ become just as valid a form of expression as the sounds driving them.

Re:Redbox for keyboards now?

[avronius]

Some potential titles for the afore mentioned 80's movie:
"Remix Of The Killer Tomatoes"
"Return Of The Password Snatchers"
"They Listened from Within"
"Buffy The Keystroke Logger" (not quite on-topic)
"I Know What You Typed Last Summer"
"Eavesdropper"
"The Computers Have Ears"

The unrelated horror film we're most likely to see?
"The Blog" - with Steve McQueen re-animated to reprise his role as "Steve Andrews"
Genre: Horror / Sci-Fi / Comedy
Tagline: Indescribable... Indestructible! Nothing Can Stop It!
Plot Outline: An inane personal web log consumes all bandwidth in its path as it grows and grows.

Re:Redbox for keyboards now?

[Daniel_Staal]

Why don't you volunteer for a charity? It sounds like you have enough time on your hands to save the world singlehandedly.

I am now out of college.

Re:Redbox for keyboards now?

Did you take the blue pill or the red pill first?

Re:Redbox for keyboards now?

[gi-tux]

When I first saw the headline, I thought that maybe they were doing time analysis on the keystrokes to guess the fingers used and which row on the keyboard. If that were the case, I would just type my password using a couple of fingers and do some very accurate timing (given I used to be a drummer, I can get pretty accurate) an that would throw them off.

However, this is a little harder, I have to hit each and every key so that it makes exactly the same sound. This is extremely difficult because even if I use exactly the same pressure and exactly the same stroke on every key, then the spring might be different, or the switch might be slightly different on a few keys and still give hints.

I think that the best defense is to learn to type at about 1200 words per minutes (100 characters per second) so that the sound is just one constant stream and they would be incapable of breaking it down. Like the German "zip gun" from WWII, the MG-42 which fired around 1200-1300 rounds per minute and sounded like a zipper to the Allied soldiers. The constant short zip sounds also made it difficult to locate the gun when in cover.

Re:Redbox for keyboards now?

[Dominatus]

The lights of the EQ are just the coefficients of the transformed signal. This is actually how most compression techniques compress and store digital mediums.

In other words, that form of expressing the signal isn't metadata, it is the data.

Re:Redbox for keyboards now?

[AviLazar]

I've heard about these deaf guy's, who could compose music that would move the soul.

Robert Franz
beethoven
George Martin

Most color specialists (forget the exact title) work largely on numbers. It is a science with them. What we may say is a perfect picture, they will say is perfectly flawed.

Re:Redbox for keyboards now?

[hokeyru]

Yeah, but now you have to worry about whether your officemate's computer is compromised. And I had just stopped giving a shit about other people's computers.

Re:Redbox for keyboards now?

[VATechTigger]

I just wonder what all those fap fap fap sounds that eminate from my computer work area when im browsing late at night after the girlfriend goes to sleep will translate into.......

Re:Redbox for keyboards now?

[shotfeel]

That's just one of the other side effects of those hallucinogenic drugs.

Re:Redbox for keyboards now?

I once saw a crazy techno/industrial song, that, at a certain point, all of the equalizer settings displayed a crude graphic of the artits face..
Velvet Acid Christ, I think they were called?

Re:Redbox for keyboards now?

[wx327]

ING Direct is implementing an optional method of inputting your PIN on their website. You can either type it in using the keyboard, or click on buttons that correspond to the digits you want to enter.

Will we soon see an article on /. on covert mouse tracking?

Re:Redbox for keyboards now?

[hunterx11]

But it is in fact possible to identify music without listening to it.

Re:Redbox for keyboards now?

[Enigma_Man]

Hmm, that's interesting. It's good to have options, but I think I'd rather default to using the keypad. Having a big, obvious number pad up on the screen isn't so good for keeping shoulder-surfers at bay. If you were just at your house though, and worried more about keyloggers than someone peering over your shoulder, it's a good idea.

Something that upsets me about the couple of bank websites I've tried is they have an extremely small _maximum_ amount of characters available for passwords, like on the order of 4-5 characters.

-Jesse

Re:Redbox for keyboards now?

[danila]

That would essentially make airborne computer viruses possible!

A virus infects one computer in an office installs spyware, listens to typing in the office, generate a dictionary of likely passwords and then attempts to attack nearby computers (just scan the subnet/workgroup) by using overheard passwords.

Re:Redbox for keyboards now?

That's I always loudly speak out every key I press. You know? To drown out the noise of a key press in case there is a hidden microphone in the room.

Re:Redbox for keyboards now?

[Platypii]

Aphex twin did this

http://www.bastwood.com/aphex.php

Re:Redbox for keyboards now?

It really owns to just rephrase what the parent poster means and get 'interesting' mod points for it, doesn't it?

Re:Redbox for keyboards now?

[Anpheus]

That's not entirely true, good software design can befuddle or disable keylogging capabilities (but the keylogging software can 'fight back', a perpetual cycle) but if it isn't necessary to actually put the software on the machine, then a small listening device could be planted anywhere without being hardware dependent (such as putting the hardware in the keyboard itself.)

Re:Redbox for keyboards now?

[Jeff+DeMaagd]

I think the point is that you can hide a device somewhere around the computer without having to actually tamper with the computer.

I'm not surprised with the tech, I thought there was a tech journalist that had it demonstrated to him by government security researchers a few months ago.

Re:Redbox for keyboards now?

[myov]

How does it deal with things like shift/caps-lock, alt characters (I use a mac, none of that alt-#### stuff), backspace, and me intetionally throwing loggers off by alternating the fields (mouse/tab) or position?

Re:Redbox for keyboards now?

oh, you heard of a guy? i'm convinced. clearly worth the +5.

Re:Redbox for keyboards now?

[ralmin]

I wonder what effect MP3 or other lossy compression has on such images. Since these codecs are designed to remove inaudible content, and much of the image data is probably inaudible.

Re:Redbox for keyboards now?

[Dirtside]

Thank god I've spent the last five years practicing how to make keyboard clicking sounds with my mouth. You'll never get my password!

Re:Redbox for keyboards now?

[Dirtside]

Well, I've heard about a guy who was pretty severely colorblind who could color-correct photos in Photoshop by the numbers and come up with better results than those who didn't share his impairment...if the lights of the EQ become just as valid a form of expression as the sounds driving them.

The thing is, the numbers displayed for the graphic image are just alternate representations of the same data. All the data is still there. A graphic equalizer isn't equivalent to the waveform of the sound it represents, it just shows (as far as I know) the amplitude of the signal at various frequencies. But only a small selection of frequencies; there's not enough data displayed in the EQ to reconstruct the original signal. To put it another way, there are multiple distinct signals that can have the exact same EQ representation.

Still, that guy's ability is pretty amazing.

Re:Redbox for keyboards now?

[PPH]

One good belch[*] while typing should mask it quite well.

[*]substitute appropriate sound effect of bodily origin as appropriate.

Re:Redbox for keyboards now?

[superflyguy]

Wrong solution. Just type the password one-handed, while hitting any keys on a spare keyboard.

Keyboard specific?

[markass530]

I'd have a hard time believing this method transcends all keyboard models, and all typists.

Re:Keyboard specific?

Are you implying that most (not all) typists don't have similar, but consistent speed differences between keystrokes?

I mean seriously, the only speed differences to expect between all typists are that of the left and right hands. I could imagine something silly like lefties typing certian keys following others faster than righties. And even then, most people are right handed.

Re:Keyboard specific?

[MankyD]

I'd have a hard time believing this method transcends all keyboard models, and all typists.

It doesn't, but it does work for most keyboards, and that's the catch. Keyboards must be specifically designed to counter it. Thus far, most aren't.

Re:Keyboard specific?

[tont0r]

why not? from just listening to Keyboard X, it will start collecting data for that keyboard and that typist. however, one thing that would screw it up is if the typist just randomly changing his or her typing speed.

Re:Keyboard specific?

how bout these types

Re:Keyboard specific?

[SpaceLifeForm]

And the Das Keyboard can help.

Re:Keyboard specific?

[sTalking_Goat]

Read the article but not the paper. I could see some immediate flaws. For people who learned traditional typing methods and make few mistakes (ie. most heavy computer users) this could work.

For people like me who never learned to type the "correct way" and use a mish-mash of styles and methods, or someone with fat fingers who makes a lot of mistakes, or the typing dyslexic, the system might be flawed. Also I'd imagine a twisted Keyboard would sound very different from a rectangular straight keyboard.

Its not a catch-all system but it would probably work on most people...

Having a recording of short known sequence could probably narrow the error margin a lot though....

Re:Keyboard specific?

[temojen]

I for one have a weird typing pattern, because my right hand won't turn completely palm down (injured in a traffic accident). so I type with my whole left hand and two fingers of my right.

Re:Keyboard specific?

[HikingStick]

I would contend that it could work on all keyboard types, including "projected" keyboard arrays, and even if the users type using non-standard methods ("hunt and peck"). In some ways, this is just like voice recognition. It has come a long way toward identifying spoken words from different people with different vocal quality, tones, inflections, and even accents. Given enough time, any system could be trained to decode a specific typist's particular idiosyncrasies. As the technology matures, the algorithms will learn to accomodate for a broader range of factors and patterns. This is tangental to previous research that discovered screen content could be recreated by collecting light overflow from CRT and LCD displays. Should someone combine both methods, it would be just like sitting home and watching the desktop remotely...

Re:Keyboard specific?

[Koiu+Lpoi]

Just learn Dvorak. Done.

Re:Keyboard specific?

Learn logic.

Re:Keyboard specific?

[utlemming]

Better yet, I wonder how merely shifting your hands to the left or to the right by one character, then you could effectively defeat this method. The same typing pattern would be used as on other parts of the keyboard. The only way to defeat this method would to intitively guess that the person was shifting their hands.

Re:Keyboard specific?

[SatanicPuppy]

One thing I've noticed is that people type their passwords differently from everything else they type. I type mine so often its like one long click, and I hit shift multiple times during it, and sometimes hold that for 3 characters or so. I'm not a pure traditionalist typer either...my little fingers are kinda arthritic, so they only get used occasionally.

I'd be interested to see if this would work, but I don't have any real faith in it working under practical conditions. To really try and snoop someone's password, you'd have to have a well-placed, very sensitive microphone, and it could never move. Sure you could hack someones desktop mic, but mines a headset and it lays where ever I throw it...Not conducive to this sort of use.

Re:Keyboard specific?

[TripMaster+Monkey]

I've seen this objection several times in this discussion, so I think I should respond here.

The audio recording required for deciphering the keystrokes needs to be different for every combination of user and keyboard. There is no way a universal key could be developed; even if the same make and model of keyboard were being used, the amount of wear the keyboard has experenced would contribute to differences in the sound, and this system depends on isolating unique sounds for each keypress. Also, different users have different typing styles...a recording of one user typing will be fairly useless in determining the keystrokes of another user.

Also, the rhythym of typing is entirely beside the point here...again, the point is that each key makes a slightly different, unique sound when pressed. Given the sounds of enough keystrokes, the order in which they were pressed, and a knowledge of the language being typed in, it is easy to determine which sounds correspond to which letters. Think of it as a simple substitution cipher.

Re:Keyboard specific?

[1u3hr]

Just learn Dvorak. Done.

No. They analyse the clicks by comparing them with English letter frequencies. So it doesn't matter what the key is marked as, it's what you're using it for that is recorded.

Re:Keyboard specific?

the the keyboard?

Re:Keyboard specific?

[Jesus_666]

Then type everything in base64 and let the computer decode it. Problem solved.

Re:Keyboard specific?

[aardvarkjoe]

I will defeat this by entering my password in Morse code.

Oh, crap.

Re:Keyboard specific?

[prgrmr]

ever watch someone with dyslexia type?

Re:Keyboard specific?

[Enigma_Man]

Also I'd imagine a twisted Keyboard would sound very different from a rectangular straight keyboard.

The algorithm in the description doesn't have/need a baseline recording of any particular keyboard, it learns as it goes along, using pattern, and dictionary-style decoding. It just listens for all sorts of different sounding keystrokes, then starts to assume things as it goes along. If you type the same three different sounding characters in a row a whole bunch of times, it's probably the word "the" rather than "zoe". It can use common words and lengths of words to figure it out, even if you're typing on a homemade, metal keyboard that sounds 100% unique from any other board.

-Jesse

Re:Keyboard specific?

[chucks86]

Yeah, they use the backspace key a lot.

Re:Keyboard specific?

[Opie812]

on

Re:Keyboard specific?

[that+_evil+_gleek]

Does is matter if it's soft-click or old fashion ibm clicky? What about pc-jr style software 'click', could that mask
the actual click?

> First, it isolates the sound of each individual keystroke. Second, it takes all of the recorded keystrokes and puts them >into about fifty categories, where the keystrokes within each category sound very similar. Third, it uses fancy machine >learning methods to recover the sequence of characters typed, under the assumption that the sequence has the statistical >characteristics of English text

I'd say this would help more recovering emails, etc , than, passwords, Also, it assumes you can get those sounds in the first place, I'm guessing if you plant the bug, you can quickly type in each key, or make note of the make and model, etc.
Distinguing app keystrokes, from passwords, from text might be difficult, I'm guessing they just produce a big dump, similiar to a key stroke log... Vi users, might give them some grief, or anything that isn't modeless.

Re:Keyboard specific?

[Maxo-Texas]

So if you do any mousing- or as I do sometimes- copy part of the signon with the mouse as part of the password then it won't work. --- Seems like you could FooL it by HittING cerTAIN keyes HARDER or softer etc while entering Passwords. --- I imagine the volume relative to the mike helps determine the distance to the key. --- In general- seems like typing very softly during passwords would stop this.

Re:Keyboard specific?

So let's assume that we can record noise around the keyboard for a substantial period of time.

We give ourselves a sizable budget.

We needn't require a microphone to be *right there*, it could be done at a distance given expensive microphones and dishes, or interferometry.

Let's also assume that we have lots of time to do signal processing on what we've recorded.

Now we realize that keys on a keyboard make particular sounds.

They make sounds when being depressed downwards. These vary, because (for instance) the pressures being used will vary by user and by activity. Anger might result in much stronger keystrokes.

The keys *also* make sounds when they are released. These will vary a lot less, since they are usually returned into place by little springs.

We also have timing information -- the amount of time between up and down, and the time between pairs of up/down.

Let's assume our user types substantial amounts of plain language text. (It's even better if she is a programmer, and uses the non alpha/whitespace/punctuation keys more frequently).

Now we try to map the data we have (up noise, down noise, up/down timing, inter-key timing) with language frequency information. If it's well-written standard English (or, say, C), this makes it easy. If there are "bugs" or deviations, we can probably sort these out with enough recording.

We probably arrive asymptotically at a complete and accurate transcript from any recording of the keyboard in question.

Now if we're lucky we can figure out which is the password we want.

Let's try an assumption: upon arrival at the keyboard, the first keystrokes will be part of a login and/or keychain unlock.

Other things we can listen for are "ssh foo.bar.com", the typing-in of some URL, or mouse-clicks.

Also, with time information we can compare with any recorded network traffic traversing parts of the Internet we can watch (even if the traffic is well-encrypted with a MITM resistant mechanism).

Acquiring passwords this way is "just" another way a well-funded, well-organized adversary can compromise your security. It is expensive to defend against this style of attack, which can be done more easily than direct interference with equipment, and can be done without being able to see the keyboard.

Re:Keyboard specific?

[strcmp]

Perhaps using "alternative keyboards" will be construed as obstructing justice, as is using Firefox.

Re:Keyboard specific?

[bronney]

It doesn't apply to me for sure. I grew up without a computer and only my uncle in my whole family has a computer back then. Since he uses it during the day, he let me use it during the nite when he's asleep. But the computer is also situated in his bedroom.

So when I used it I had to be real quiet. And generally, this extends to my steps on creaky wooden houses in canada, the way I close doors, and the way I pour water in a glass. And I still do them since it's a childhood thing.

These peeps will also have a hard time activating my mic and logging me because if my mic is ever one at the stand, it'll give a nice woo woo feedback and I would hear it :) That is if you managed to un mute the mic from the buggy liveware hehe.

applicability?

[MooseTick]

If you can get a mike that close to a keyboard to listen to the keystrokes, then you can probably place a micro camera and get the same results.

Re:applicability?

[TripMaster+Monkey]

How about a parabolic or shotgun mike?

Re:applicability?

[Narcissus]

My laptop has a built-in microphone 'somewhere' near my keyboard. I don't know if this is too close to actually get anything from, though: it alls sounds quite similar to me, when I happen to be talking via VoIP with a friend who refuses to:
a) get a standalone mic; and
b) stop coding while he's talking to me...

Re:applicability?

[someone300]

A tiny wireless microphone can be taped underneath the keyboard.

A camera would have to be given the right viewpoint, would likely be bigger, and the keyboard might move out of the camera's range.

Re:applicability?

[LLuthor]

Most keyboards already have a microphone close enough - and handily enough, it is attached to the same computer. The rest is just a software implementation which is easy enough to propogate through spyware.

Re:applicability?

[rot26]

Good idea. They sell those at the same movie prop houses that carry 57-shot revolvers, self-igniting gasoline, and phones with "AT&T" written on every surface.

Re:applicability?

[TripMaster+Monkey]

Are you attempting to insinuate that parabolic or shotgun microphones don't exist? If so, you might want to watch the next pro football game that's on....look for the guy with the big headphones, carrying around a plastic dish.

Re:applicability?

[Migraineman]

If I've got access to install spyware on your computer, why would I go through the Rube-Goldbergian process of recording sound, processing, etc? Can't I just sniff the keypresses directly?

Now, using the mic in a laptop to sniff sounds made by *other* computers would be pretty slick.

Re:applicability?

[crc32]

You could use an IR laser mike, if you have line-of-sight to an office window. You don't need to see the keyboard, just some object in the room.

Re:applicability?

How about a telephoto zoom lens?

Re:applicability?

Unfortunately, this means those wonderful IBM keyboards are going to be a security hole. :(

Re:applicability?

[rot26]

I'm not saying they don't exist, I'm just saying they don't work like you think they work. The ones on the football field probably help mask ambient crowd noise, but they don't do much, if anything, to increase the gain of the target audio. Audio frequencies, especially in the range of the human voice (i.e. relatively low) are HIGHLY non-directional.

Now if you want something that actually WORKS, try a laser microphone or an array of mic's in tubes of varied lengths with each tube resonating at a likely component of the targeted frequency range. (Still not directional, but has a lot of gain.)

Re:applicability?

[MyLongNickName]

Yeah... cause if I can get hold of your keyboard, I would never think to add a keystroke logging device. You can get them cheap, attach to the cord going to the case, and viola.... 100% reliable.

Re:applicability?

[stinerman]

Are you insinuating that coconuts are migratory?

Re:applicability?

[RicktheBrick]

If they can do this with a keyboard than why can't they identify alot more sounds and make something useful. I would think they could identify sounds like a leaky water or gas pipe. I would think they could identify someone calling for help. I would think they could indentify the breaking of glass or someone attempting to break into a house. I would think that they could identify the sound of something burning. With the always on connection of broadband and properly place microphones around the house than maybe the computer could be a life or home safer for many people.

Re:applicability?

[Mr2cents]

I read about a museum that uses two parabolic dishes to transmit the sound of a ticking clock across the room. When you stand near the focal point, the sound becomes hearable. Also, I heard of an art-project that would consist of two parabolicly carved stones placed on each side of a river, so you could talk to each other across the river. I don't know if it was carried out. It would be a really nice piece of hacker-art, though.

Re:applicability?

[slavemowgli]

Or how about a laser mic? If there's little to no background noise in the room you're trying to listen in to, then you can probably still get results even from a relatively big distance.

Re:applicability?

[bcattwoo]

Also, I heard of an art-project that would consist of two parabolicly carved stones placed on each side of a river, so you could talk to each other across the river. I don't know if it was carried out. It would be a really nice piece of hacker-art, though.

North Carolina State University has just such an art project in front of the main library. Each person sits inside a parabolic dish spaced about 100' apart. Granted it's not that far but other than a little echoing it sounds like the person is right behind you even at normal speaking volume. I don't think most of the students even know what the big blocks of concrete are there for though.

Re:applicability?

[TripMaster+Monkey]

They've already been doing this for a while with gunshots.

Re:applicability?

[AlltheCoolNamesGone]

Do you really want to live in a world like that?

Sure.... great.... It would stop break ins, fire's etc...

But whats to stop the goverment from monitoring other things? For our "safety" of course...

Ever read 1984?

Re:applicability?

[lonasindi]

microphones with very-near directional pickup patterns exist on their own, and aided by a parabolic dish can very effectively 'zero in' on a specific sound. It is not inconceivable to conceal a microphone somewhere in a room and point it in the general direction of the keyboard and get some success. Obviously it's still not better than a simple microphone under the keyboard, but I think you're underestimating the ability to isolate sounds.

Re:applicability?

You should be awared that tradition wired telephone and certain cell phone can all be turned into remote listening device without the listener ever being physically near that phone. Telephone by splicing wire on switchboard and cell phone is even easier, just set the phone to autopick up without ringing.

Re:applicability?

[SamSim]

Sound doesn't need line-of sight. If you had access to the technology, you could conceivably do this using a laser mike from an open window across the street, or through the wall from the room behind the computer.

Re:applicability?

[someone300]

Yeah, you could do that, however they're more noticable, especially if the USB/Keyboard port on the computer is visible, which is done quite a lot in security aware installations.

You can get small wireless microphones that just look like them little rubber things that stop your keyboard from sliding around, which are a lot more hidden...

I don't really look at the bottom of my keyboard, but I do look at the back of my computer quite regularly.

Eventually, security aware people will probably start looking for obvious signs they've been bugged through this method, but it could be a lot harder to detect. These things would probably work if they were stuck to anywhere on the desk or the keyboard. RF signal detectors should detect wireless ones though.

I suppose it's about using the right tool for the job

Re:applicability?

[Pharmboy]

It was also done here although for slightly different reasons.

Re:applicability?

[timelorde]

Yeah... cause if I can get hold of your keyboard, I would never think to add a keystroke logging device. You can get them cheap, attach to the cord going to the case, and viola.... 100% reliable.

'cept that I always keep my passwords in a text file so that I can copy and paste using the mouse.

Beats having to type all of those )@#&^!*#$ characters.

Re:applicability?

[DrEldarion]

Kickass, guess all these loud fans in my case have a dual-purpose now!

Re:applicability?

[zizzo]

How about a zoom lens?

The parent poster is right. Photographic techniques are probably easier across the board. But there is no reason you can't use both.

I'm ok though. I type in my password with mittens in a dark room. I wish they would let me out of here.

Re:applicability?

[booyabazooka]

Perhaps using a microphone better suits some situations wherein video surveilance is illegal, but audio is okay?

Re:applicability?

[bkr1_2k]

They have these at lots of Universities. I believe Berkeley has one I know the College Park campus of University of Maryland has one, and I think I've seen them at schools in Boston and San Diego as well. These were used a long time ago as "secret rooms" and such so people could pass messages. I can't remember which society started using them first but there are examples in several, if I remember correctly. Athens or Rome, perhaps? I don't remember for sure...

Re:applicability?

[kniLnamiJ-neB]

There's a room designed just this way in the US Capitol building. There are 2 odd-colored stones set in the floor design (at the focal points) and you're in a large domed room. When one person stands on each stone, they can talk very quietly and still be heard by the other person over all the other people in the room.

Re:applicability?

[trigeek]

How about using the bluetooth hack that enables you to listen in on conversations? (not just phone conversations). It was slashdotted a few weeks ago. If you could hack a bluetooth connection to their cell phone, you could listen to their typing through their cell phone. I wonder what kind of audio quality this method requires?

Re:applicability?

[jallen02]

Ellipses and their focal points. If you make a room an Ellipse and then stand at the two focal points of the ellipse the sound bounces perfectly to the next focal point. So you can whisper and be heard 50-100 ft away. Same principles, lots more physics and sharp things ;-)

Re:applicability?

[Bob+4knee]

In the mid to late '80s the rules for a SCIF were concerned with the sounds being picked up through a glass window (vibrations). At least that's what they told us when they stuck us in the basement. This would have been about '87 or so.

Re:applicability?

[HermanAB]

Most people have a telephone right next to their computer. Any telephone mic can be enabled remotely. It is only Hollywood spies who have to go and plant bugs - real spies just turn the phone on remotely.

Re:applicability?

[Bastian227]

If you can get a mike that close to a keyboard to listen to the keystrokes, then you can probably place a micro camera and get the same results.

A mic that close is not needed. If you have a window in the room, typing sounds will vibrate the window. Those vibrations can be detected and interpreted using a laser.

Re:applicability?

[PiratePTG]

they don't work like you think they work. The ones on the football field probably help mask ambient crowd noise, but they don't do much, if anything, to increase the gain of the target audio.

Almost right... The "Big Ears" (yes, that is their name, Google for them) parabolic reflectors work by focusing the intended audio onto the pickup face of a standard microphone. They don't necessarily increase the gain of the audio, but they decrease the signal to noise of the audio. Off-axis audio gets reflected back out the other side of the reflector, while the on-axis audio gets reflected to the face of the mic. And even the position of the mic in the reflector is adjustable, so you can compensate for distance. By reflecting the undesired audio out of the reflector, there is an apparent increase in desired audio gain. Big Ears don't mask undesired audio, it simply reflects it back out away from the mic pickup.

try a laser microphone

Wouldn't work in this application. A laser mic needs something to "reflect" off of. Like a window or the face of a framed picture. The hard surface merely becomes the diaphram of the mic, the reflected laser signal is converted to audio pulses just like a moving coil over a fixed magnet would be. Pointing a laser mic at a keyboard would get you almost nothing. The tops of the keycaps are usually concave, and have a matte finish, which would effectively scatter the laser beam. And if you did just focus on one key, as soon as it was pressed, or a finger got in the way TO press it, you'd lose the signal. And besides, if you could point a laser at the keyboard, why not just get a camera?!

an array of mic's in tubes of varied lengths with each tube resonating at a likely component of the targeted frequency range. (Still not directional, but has a lot of gain.)

Ummm... Sorry... wrong again... The original "shotgun mic" got it's name from the number of "barrels" it had. It would have been more appropriate to call it a "gatling-gun mic". The design was to have a number of tubes cut to resonate at different frequencies all barreled together, with a parabolic reflector (see Big Ears above) mounted on the rear, with a SINGLE mic inside of the reflector to pick up the audio. The "shotgun" effect did nothing to increase the gain of the audio, but works again by focusing desired audio onto the pickup head of a mic. The different length tubes did resonate at different frequencies, and increased the frequency response of the mic (the early shotguns used crystal elements). The apparent directionality of the mic was because side and rear audio was blocked from the pickup mic, by the fact it was in a parabolic chamber behind the tube stack. A stack of mics inside tubes as you suggest would kinda sorta work, but the electronics necessary to multiplex all that audio together, without introducing phase distortion, would be way too complex or even remotely practical.

"Shotgun/gattling gun" mics are no longer used these days. At least I have never seen one in the wild. The directional "shotgun" mics used today are basically a tuned chamber with a pickup element that gets it's directionality from phasing the desired audio. Audio from the rear or sides arrive at the pickup element out of phase and are cancled out. On-axis audio arrives in phase "with itself" and is picked up. Any gain from the mic again comes from decreasing the signal to noise, and through preamps built into the microphone. The tuned chamber itself does nothing to increase the gain of the desired audio.

Now, all that said, I could easily build a wireless mic transmitter in less room than a postage stamp takes up, and again easily mount it close enough to a keyboard to pick up the keystrokes. A whole lot easier than trying to mount a camera somewhere to see the keyboard. The only downside to trying to crack a password by recording the keyclicks is that the keyboard probabally needs to be fairly isolated. A keyboard in a room full of keyboards is not going to be easy to pick up. The signal to noise would be a factor to deal with. Not impossible, but certainly adds additional complexity, and inaccuracy, to the recording/cracking process.

Just my nickle's worth...

Re:applicability?

[petermgreen]

iirc theres a setup like that with metal dishes at jodrell bank too.

Re:applicability?

[crc32]

Why couldn't you point the laser mic to an object in the room, and record the sounds that impinge on that object?

Re:applicability?

[rot26]

A laser mic needs something to "reflect" off of. Like a window or the face of a framed picture.

Or a shiny CRT positioned 8" away from the keyboard?

The original "shotgun mic" got it's name from the number of "barrels" it had

You may be right. But I think the consensus is probably that the term "shotgun" mic came from its shape; long and narrow to allow for ports in the housing to do magic with the phasing of the source audio to further narrow the cardioid pattern. These were also called "super-cardioid" mics I think.

but the electronics necessary to multiplex all that audio together, without introducing phase distortion, would be way too complex or even remotely practical.

You wouldn't want to record a string quartet with one, that's for sure. But for some applications, distortion (of any kind) would essentially be irrelevant.

"Shotgun/gattling gun" mics are no longer used these days. At least I have never seen one in the wild.

The military still uses them, and next time you watch a shuttle launch, you may see a few scattered around. I have no idea what they're used for.

Anyway. Nobody is going to hide anything like that inside a room, I was just... uh. I dunno.

Not that anybody is still reading this thread anyway.

The whole idea of the original article seemed like BS... even granting that it's possible to determine which keys were pressed during normal data entry (which I'm doubtful of) passwords are ENTIRELY different... I am a moderately fast typist (maybe 60wpm) but during the few milliseconds it takes me to enter my password I bet it's more like 600 wpm... it's just a "ka-whump" and if you were looking over my shoulder you probably STILL wouldn't be able to see what I typed in. This is because I do it so often (even at work where I have to change my goddam password every 90 days). Among other reasons. And most tech-savvy people I know are pretty much the same. Etc.

Another old fashioned way to get passwords w audio

[xxxJonBoyxxx]

Another old fashioned way to get passwords w audio: Just tap the "help desk" phone line.

It's a good thing...

[Nuclear+Elephant]

... that my voice is my passport.

Re:It's a good thing...

[Lispy]

wich is not recordable because?

Did I miss a joke here?

Re:It's a good thing...

Watch Sneakers.

Re:It's a good thing...

[Terragen]

Did I miss a joke here?

http://www.imdb.com/title/tt0105435/

Re:It's a good thing...

[Sawbones]

"my voice is my passport, verify me" is a line from the movie "sneakers". Average movie so it's debatable whether you missed a joke or not :)

Re:It's a good thing...

[macshome]

The voiceprint authentication that Mac OS 9 used was actually pretty good. I was at SE summer Camp at Apple in '99 and the guy who ran the speech program at Apple had the whole room line up and try to imitate his voice to unlock an iMac.

Long story short, only his voice would unlock it.

Re:It's a good thing...

[saider]

But could he unlock it if he had a cold and his "node was stubbed up".

Re:It's a good thing...

[null+etc.]

Average movie

WHAT?!?!?! You're not a geek, what are you doing posting on /.???

Re:It's a good thing...

[Kelson]

my voice is my passport.

Verify me.

Re:It's a good thing...

[arose]

Computer: Please say your password.
User: One, two, three, four, five.
Computer: Incorrect voice or password, one atempt left.
User: I've got a cold you damned machine. One...
Computer: Incorrect voice or password, active laser protection activated...

Re:It's a good thing...

[Kelson]

Well, I'd tell you about the joke, but then I'd have to kill you.

Re:It's a good thing...

[paco3791]

I have to say I agree, maybe It's just nosalgia but this is a great movie, right up there with Real Genius in my opinion.

Re:It's a good thing...

[nester]

Are you serious?! That movie was dumb as hell and there were a bunch of impossibilities and mistakes. eg, raising the room temp to 98.6 to mask body heat -- skin temp is about 20 degrees cooler, your clothes even more so, and your skin temperature is not evenly distributed. A thermal camera could still see gradients.That's just one example.

Re:It's a good thing...

is that a sneakers quote?

Re:It's a good thing...

Are you serious? I hope that's not your best example of flaws in Sneakers (which is a great movie). First we're not talking about thermal cameras that go off at any thermal gradient. Imagine how many false alarms you'd have when your monitor turns off or your computer goes to sleep mode and the temperature suddenly drops.

Alarm IR sensors are sensitive to specific ranges of IR. Raise the room temperature to 98.6 and the background radiates in the exact same range as the human body. When the background is the same as the target, the signals are not (in general) strong enough to trigger a response. If the sensitivity of the systems is so high then a computer shutting off or an air conditioner turning on will cause false alarms.

In a room temperature environment skin temperature is in the low 90s. Look it up sometime.

So we've proven that 1) You don't know how PIR sensors work 2) You don't know the actual skin temperature 3) You wouldn't know a good movie if it jumped up and bit you.

Whistler: I want peace on earth and good will towards man.
Abbott: We are the United States Government. We don't do that sort of thing.

Re:It's a good thing...

[null+etc.]

A thermal camera could still see gradients

First, I doubt a thermal "camera" was being used, since thermal cameras are useful only if you need to be able to visually interpret temperature patterns. More likely, a simple infrared sensor was used, which measures the ratio of the energy radiated by an object at a given temperature to the energy emitted by a blackbody at the same temperature.

skin temp is about 20 degrees cooler

Thermal sensors don't measure "skin temperature". They measure the aggregate amount of heat energy surrounding a body, or in the case of simple room sensors, the aggregate temperature of room "sections".

That movie was dumb as hell

Do you object to the film purely on technical merit, or do you just dislike the plot in general? I thought the plot was great, with important overarching themes that appeal to both the technical and non-technical person.

Re:It's a good thing...

Your post reminded me of an age long question: Why does Rumplestiltskin says his name in a songs whose main theme no longer applies by the act of singing it?

Re:It's a good thing...

[fool36]

Did I miss a joke here?

If it's modded 5 Funny... you missed the joke.

If you have to ask... you probably won't think it's funny.

75 attempts?

[jlower]

'90% of 5-character random passwords using only letters can be generated in fewer than 20 attempts by an adversary; 80% of 10-character passwords can be generated in fewer than 75 attempts.
All the systems where I work will lock you out after 5 bad attempts. What kind of password system lets you try 75 (or even 20) times?

Re:75 attempts?

[sammy+baby]

Plenty of them. Implementing a lockout out of X number of bad attempts can open you up to some hairy denial of service attacks. Want to lock out a user for a few hours? Just fail to login as that person 5 times.

Not to say that the alternatives don't have their weaknesses, but this one certainly does as well.

Re:75 attempts?

[gamer4Life]

You can program it to guess the password 3 times a day and within several weeks, the password will be yours. Still a reasonable timeframe.

Of course if the person changes the password every 3 weeks...

Re:75 attempts?

[stinerman]

Our login passwords at school will let you try as many times as you want so long as you give it some time (an hour or so) in between attempts.

Also notice that these are random character passwords. Most people use stuff like "scruffy123", not "ywxhfq"

Re:75 attempts?

What kind of password system lets you try 75 (or even 20) times?

It would be useful for opening an encrypted hard drive, or on a pgp key.

Re:75 attempts?

Since you have a list of possible passwords, you'll probably be able to guess if it's more likely to be 'qjinkmrreyruqrrl' or 'thinkmoreyoutool'.

Re:75 attempts?

[oneiros27]

Some 'lock out after (x) attempt' implementations are rather stupid -- they only do it, if it's done in one session. (most of the ones I've dealt with in applications ... OSes tend to be better, but even then it's a toss up)

When I'm trying to remember a password I've forgotten, as some of the systems I deal with lock after three failures, I'll try two passwords, disconnect, reconnect, try two more, etc.

Now, not all systems will allow this, but some of the bad implementations will let this go on for ever. (hopefully there's someone monitoring the logs, or you won't even notice if they're doing it slowly enough)

Re:75 attempts?

[chinadrum]

One would hope you'd be locked out before then. The problem is that most people don't use random passwords. When the keys you record return Fluf[]y you can guess the missing letter mom typed was 'f' to fill in Fluffy. Bang one try. It's back to the old physical security deal.

Re:75 attempts?

[unexpected]

Well, I assume that their research was mostly to see if the audio recording can help someone crack a password and in fewer attempts than say a brute force attack. In either case, what you would probably do is acquire the password hash and guess the correct password on another machine before using it to log in.

Re:75 attempts?

[bsdrawkcab]

All the systems where I work will lock you out after 5 bad attempts. What kind of password system lets you try 75 (or even 20) times?

True enough, but even with login attempts limited, would you be comfortable with a 1.3-character password? That's in effect what this attack does to your high-entropy key.

Re:75 attempts?

[grassy_knoll]

'90% of 5-character random passwords using only letters can be generated in fewer than 20 attempts by an adversary; 80% of 10-character passwords can be generated in fewer than 75 attempts.

All the systems where I work will lock you out after 5 bad attempts. What kind of password system lets you try 75 (or even 20) times?

One used by marketing?

[badum-ching]

Seriously, good point. But for security, I'd also expect the lockout to remain until manually cleared... not cleared automatically after a certain time. Otherwise the method works, just takes longer ( i.e. must factor in the lockout time ).

Re:75 attempts?

People seem to forget that a password of length n takes a time linear in n to type, but exponential in n to guess. That's where the security comes from, not from some lousy lockout system. Even if you know that an adversary can try 1 billion passwords per second, a password of the proper length will stay safe.

Re:75 attempts?

[Rocketship+Underpant]

"90% of 5-character random passwords using only letters can be generated in fewer than 20 attempts by an adversary"

Presumably, if you tried 5 attempts on 4 different accounts each, you'd still have a 90% chance of getting access to one.

Re:75 attempts?

That's why my password is h%("vd|}2[?#(2.

Or was it h%("vd|}2[/#(2. ?

Damn, now I'm going to miss out on the karma since I can't remember my password.

Re:75 attempts?

[cbiffle]

What kind of password system lets you try 75 (or even 20) times?

An offline system!

I can think of two cases:

1. You have a hashed version of the password. Hashing every possible typed password and looking for collisions: prohibitive. Hashing 75 possibilities and looking for collisions: trivial.

2. You don't have to get in right away. Try twice a day for a month and a half. More than likely, it won't take you that long.

Re:75 attempts?

I do that to my boss's email account when I don't want him in on the weekends.

Re:75 attempts?

[-brazil-]

The problem is that long, non-dictionary passwords are hard to remember and will get written down on a sticky note under the keyboard. Or, if rarely used, forgotten entirely.

Re:75 attempts?

How you do not forget your admin password.
I work at a dozen sites each with different admin passwords. Even one place has a 15 character/number/special character long password.
I am not allowed to write them down or store them on the my laptop for security reasons. So I do my best to remember them all.

I have often sat down at their computer and tried 20 times to remember the admin password - usally after a long weekend. After about 20 times I go find the cheif security guy and ask if he has changed it or what is it.

Re:75 attempts?

[SatanicPuppy]

Where I work it's three times, and the lockout on the critical systems doesn't expire--you have to be reactivated by an admin. The exception is root, but root can only log on when sitting in front of the keyboard, in the multi-locked and monitored server room.

Most of our connectivity is onsite anyway...VPN access is pretty tightly regulated...so for us to be DOS vulnerable, the attacker would have to be inside the building, on the network, and by "on" I mean "plugged into" because my boss thinks "wireless security" is an oxymoron.

It's more maintenance and more of a pain in the butt to work with than a less secure system, but we never have security related problems.

Re:75 attempts?

[corpsiclex]

also, in the case of servers running SSH, ftp, etc..you can't really lock out every user just because one hit the bad password limit. say that limit is 5 bad passwords; the attacker would only need 4 IPs to guess the correct password.

Re:75 attempts?

[doublem]

my boss thinks "wireless security" is an oxymoron.

Smart Person.

He/She probably saves a lot of time and money by sticking to technology that can be locked down properly.

Re:75 attempts?

[mckennage]

All the systems where I work will lock you out after 5 bad attempts. What kind of password system lets you try 75 (or even 20) times?

Most of them. Even if you think it is set to only allow 5. I do penetration tests all the time where the client has systems configured to lock out for a period of time after 5 invalid attempts. If the lockout period is short (e.g., 30 minutes), then that hardly limits an attacker from trying hundreds of passwords per day.

The other problem is, they usually configure the system to reset the counter after 30 minutes. So I whip up a script that guesses 4 passwords every 30 minutes for all employees. That allows you to guess almost 200 passwords per day for every account, with little risk of locking anything out.

Re:75 attempts?

[killmenow]

I use a very long random string of digits that would take a very long time to brute force.

Luckily, it's also very easy for me to remember this entire string of random digits. I'm so sure you'll never be able to guess the rest, I'll give you the first eight bytes: 3.141592...

Re:75 attempts?

[papasui]

This is exactly how I exploited a Novell network while in high school.. I wrote a keystroke logger and then intentionally entered my own password wrong serveral times until I was locked out. I called the Sysadmin over and he logged in on the computer and reset my password. I then pulled his password from the logger and made my own sysadmin account 'jdoe'.

Re:75 attempts?

[swillden]

Of course if the person changes the password every 3 weeks...

... it won't make much difference.

How long? Well, let's see. Assuming that there are 75 possibilities to test, and you can test three per day, the odds that you get the password in the first three week period are 3*21/75 == 63/75 == 84%. So there's a 16% chance you won't get it in the first three weeks. Assuming you can get another audio recording after the password change (you should easily be able to tell from the recording that the password changed), and assuming you end up, again, with 75 possibilities, the odds that you'll go six weeks without getting in are 0.16^2 = 2.6%. The probability of not getting in after nine weeks is 0.4%, 12 weeks is 0.07% and 15 weeks is 0.01%.

That's if you're only attacking one person. If you can record the keyboards of a dozen people, then the probability of getting at least one of them in any given three-week period is basically 100% (99.99999997%), assuming the same number of possibilities per password. In practice, that assumption won't hold. Some of the keys on the keyboard are bound to have more distinctive sounds, and when you record a password that uses those, you'll have fewer possibilities to test. If time is no object, just keep recording until you find a password whose sound is unambiguous, and you can get in even if the system allows no failures.

Don't underestimate what a smart and persistent attacker can do with an apparently-weak attack. Attacks that are much weaker than this one can be parlayed into very practical and even nearly-guaranteed breaks if the attacker is persistent.

Re:75 attempts?

[lachlan76]

I knew someone who did something similar, although with an unprecedented level of stupidity. He read the admin's password over his shoulder, and created an admin account to use.

He made one slight mistake though....his username was carrij. The new account was carrij2 ;)

Re:75 attempts?

[stormshaker]

By default the windows administrator account can't be locked out with too many attempts...

Re:75 attempts?

Or even better. Start by hacking the Administrator/root account and root will not have access after 5 tries if the there is lock down on all accounts.

Re:75 attempts?

[DavesWorld334]

Yes but most corporations have horrible computer security. You can get the employee's userID, and their SSN, and call the company's help line to have the password reset and/or the account unlocked. It's security by assumption that only employees will contact the help center and use the unlock / reset method. For the record, I'm very confident the company I work for (a bank) would probably unlock an account 3-5 times in one day with a 0% chance of "noticing" anything wrong with that may requests. As usual, Mitnick is / was right. Humans are the weakness, not the system.

Re:75 attempts?

Lots of people use the same password in several places. If they use the same password in 8 places, then I guess the chances of breaking the password are 50%.

lock out?

[Lawrence_Bird]

won't most systems lock a user out before 75 attempts?

Re:lock out?

[winkydink]

No, but they should.

Re:lock out?

[Dare+nMc]

> won't most systems lock a user out before 75 attempts?

Cool, new workplace prank, lock down all the office computers, with failed password attempts.
(a manual DNS attack, so guess not a new concpet, but probably still patentable, until I hit submit that is) doh

As the article says:

[tabkey12]

It just goes to show that when you have physical access to a computer, the security's already broken...

Re:As the article says:

[vorm]

It just goes to show that when you have physical access to a computer, the security's already broken..

I suspect one could use some sort of phone tap or even a laser microphone from outside the building, therefore not requiring physical access to the computer.

Re:As the article says:

[Illserve]

Who says you need physical access to do this?

All I have to do is hack one computer in a room remotely, then fire up that machine's microphone. Now I can crack everything within audible range.

Re:As the article says:

[slavemowgli]

Indeed. And even if you do have physical access to a machine, you'll probably prefer this kind of "passive" sniffing where the computer itself is not modified (with neither additional hardware nor software being installed) over more active methods.

Plus, it also works if someone brings their own laptop - this method would be great for catching passwords etc. on trains, for example. Railsnarfing, anyone?

Re:As the article says:

[SlashDread]

Perhaps I should not give the great secret away, but listening in somewhere does not neccisarely require fysical access.
I see this as a variety of "Van Eyck Phreaking", and suspect there are multiple more ways of knowing passwords by measuring surroundings instead of the thing itself.

Re:As the article says:

[Bazer]

Not necessarily physical with one of these and some work on the process.

Re:As the article says:

[AnyoneEB]

This may not be physical access to the computer, though. The user could be typing in a password for a network or internet log-in.

Hunt and peck for safety?

[Alcimedes]

Go figure, typing properly now means you get your password cracked.

Guess that's all the more reason to keep that Cheetos bag crinkling as you type. Gotta stop the commies!

Re:Hunt and peck for safety?

[LLuthor]

Its not like any normal secure network lets an attacker try 20 times. Just mistype a few characters and select them using the mouse to delete them - thereby increasing the number of attempts required exponentially.

Re:Hunt and peck for safety?

[E8086]

I did that back in HS, the computer "lab" in the library was crowded and it was very easy for shoulder surfing and watching the person next to you single key typing, slowly. There's always the on screen keyboard, unless you're at the Windows login. You can also hit the right/up arrow keys or a function key not used by the app, they'll break up your typing rythm but won't add characters to a pword you're typing, no need to hit backspace which sometimes has a unique sound if it's one of the larger keys; spc enter/return/shift.

WARNING

[JamesD_UK]

Security experts recommend you don't speak the name of the key you're hunting for as you type your password with a single finger.

Re:WARNING

[someone300]

I read my password out while typed it when I was showing someone how to do something on the computer.

Thank God it wasn't an important password ;)

good idea

[tont0r]

i like how they used basic methods of cryptanalysis in order to help find out what is what. an example is how they mentioned about the Digraphs such as TH from THE, which is a very common word. so its easy to pick out from the group because you can 'listen' for the space bar key and if only 3 keys are hit and they have been matching others, you can then find out what E is.
then lets say you find out whats THE is, then you find another word that is 5 letters that starts with 'THE', then you are going to find out what R is, then what I is (from there and their) and so on and so on. so good for them for just using basic methods :)

Great...

[crc32]

Now I'll need tinfoil wallpaper too, time to go to Cosco...

Re:Great...

[rtaylor]

Now I'll need tinfoil wallpaper too, time to go to Cosco...

Tinfoil was eliminated by the government and replaced with aluminum foil. Your wallpaper and hats only make you believe you're safe.

Re:Great...

[OzPeter]

If you knew your world history you would know that it was an early 20th century right wing plot to get the US to use aluminum instead of the aluminium that the rest of the world uses.

You see while aluminum looks and feels a lot like aluminium, it is actually a differant material, so much so that it cannot be used as a tinfoil hat replacement.

Thus by duping the US citizens into believing that aluminum was just as good as aluminium (and more patriotic for the country), the government easily gained the capability of reading all of your thoughts, even when you thought they couldn't [*]

As of now, the rest of English speaking world sits smuggly by wearing our aluminium foil hats, safe in the knowledge that our thoughts are secure.

[*] Unfortunatley there was a side effect to being able to read the thoughts of everyone in the US. The summaries of such thoughts are used to brief the president in order to help him direct policy. But starting with the Shiny Shiny movements of the mid 80's suceeding presidents have slowly become paralysed by the thoughts of the mass population. This has come to a head with GWB being briefed hourly about how the population feels about JLo and Bennifer, while other, more important items are ignored.

The only possible solution to this is to disband the remote thought readings, but when confronted with leftist radical ideas like this, the CIA/Industro-Military Complex reacts violently and labels such ideas as being the work of terrorists. (It should be noted that these people are known to have holdings of aluminium manufacturers in other countries, thus securing their *private* supply of aluminium foil hats).

Re:Great...

[BrainBarker]

Now I'll need tinfoil wallpaper too, time to go to Cosco...

Cosco makes strollers and playpens.
Costco sells bulk paranoia supplies.

However, if you have children young enough for strollers, no one can hear your keyboard anyway...

Re:Great...

[mdarksbane]

I want to know who actually modded that *insightful*. Can we meta-moderate +5 Funny?

Re:Great...

[cmburns69]

What does tinfoil have to do with the Chinese Overseas Shipping Company?

.. Oh, I get it.. You meant COSTCO !

Re:Great...

[OzPeter]

All I can say is that I am glad slashdot moderation isn't used for anything serious. The other day I made a serious comment, and was moderated funny. Today I make a funny comment and I get moderated insightful? Sheesh ..

Re:Great...

a JLo and Bennifer joke? what year is this? 2003?

thts why im s0 l33t.

[JVert]

H0miez hav mic's all 0ver i know. So I do wh4t is ne3ded to k3ep my info s4fe.

Use ASCII numerics, or pound the keyboard at login

[ScentCone]

Honestly, I've always wondered about this. But then it occurs to be that you could type the ALT+Numeric equivalent of your password characters, just to throw off the bad guys. You know, ALT+100 = "d", etc. Or, just bang the drum slowly when entering the password - loud, thumpy keystrokes. Or put the keyboard in your lap momentarily to alter the acoustic signature.

Or, don't worry. I mean, realistically, what are the odds of this crack actually happening in the non-ultra-spooky world? And once you're in that playground, it's biometrics, smartcards, etc., anyway, right?

Berkley != Berkeley

Why do we trust a computer science research paper coming from a Business College?

Re:Berkley != Berkeley

[stinerman]

It is actually a typo on my part, not caught by Taco. The paper in question is from the CS Dept of UC Berkeley.

Re:Berkley != Berkeley

It is actually a typo [...] not caught by Taco.

I'm amazed. No, stunned. No.. umm, what's the opposite of "amazed" again? :o)

Re:Berkley != Berkeley

un-amazed.

Re:Berkley != Berkeley

[joebeone]

not only that... Doug Tygar is no student; he's a well-respected prof. that specializes in security and privacy.

Yes...

...and type without rythm or the sandworms will get you.

Easy Fix

[jatemack]

Just make a clicking noise with your tongue and the roof of your mouth as you type. It sounds almost identical, and you'll automatically sync the sound up with each keystroke.

Try it.

It would work on me

[L.+VeGas]

Being an unsophisticated mouth-breather, I always mutter out loud anything I type.

Great....

[RancidMilk]

Now I am going to have to look out for both seeing people and blind people looking/listening over my shoulder. Will my passwords ever be safe?

Glad I have a touchstream!

[ToadMan8]

I'm glad my TouchSTream LP by the now defunct Fingerworks makes no noise at all while I type ;)

Well they can't root my box...

using this method because I leave all my passwords blank.

No problem

[Big+Nothing]

Just keep the music pouring out of the speakers, and you're safe :-)

Typing

[keyne9]

Wouldn't this only apply to people who type "properly"? Or did this apply to any and all forms of bastardized typing methods (for example, hunt'n-peck)?

Re:Typing

[aevan]

Was just thinking that.

"For security reasons all passwords must be 8 characters long, a mixture of upper and lower case letters and numbers, changed weekly, and entered using only your baby finger at an inconsistant speed."

Hunt & Peck-your new first layer of password defense.

Syncopation

[ackthpt]

When I type passwords or PINs I syncopate my typing to throw off anyone who may be watching.

"What was his password?"
"I don't know, but it has a catchy beat!"

Crap! I use a Model M!

[allanc]

With these clicky buckling springs, they'll be able to sniff my password from miles away!

Re:Crap! I use a Model M!

[bhtooefr]

Luckily, I have a stash of Dell QuietKeys behind me, so I can swap out keyboards for critical password entry.

Trivia bit: This article refers to differences in key sound with different keys as one way to "read" the keyboard.

A Model M is one of the worst when it comes to sound being different on different keys.

Not going to stop me from using one, though...

Re:Crap! I use a Model M!

[MrEd]

Seriously, if you get someone who types 120wpm it sounds like a gatling gun...

Different sounds

[Namronorman]

I notice that keys I use the most are the loudest and sound different, probably from wear. Stating that, how easy would this cracking method work on a brand new keyboard (or perhaps a laptop keyboard)?

...and it corrects typos!

[petej]

From Appendix A:

Original text. Notice that it actually contains two typos, one of which is fixed by our spelling corrector.

Also I notice this paper was funded in part by the USPS. What is the USPS doing with this type of research?

Re:...and it corrects typos!

[bluesoul88]

"What is the USPS doing with this type of research?"

Not delivering my goddamn mail, for one thing.

Re:...and it corrects typos!

[vertinox]

What is the USPS doing with this type of research?

To find methods to read your unopened mail by listening to it.

They actually found a practical use

[the_skywise]

for membrane keyboards!

Re:They actually found a practical use

[macshome]

Sweet! Now my Timex Sinclair is secure again!

Combine this with cell-phone recording...creepy

[Mr.+Slippery]

"Sounds let eavesdroppers determine what you're typing" plus "cellphone companies can remotely install software to activate the microphone when the user is not making a call" equals "a creepy feeling up and down my spine".

My phone is sitting right next to my keyboard now...so let me just say hi to my fans in domestic surveillance who might be listening to me typing this...

Time for new kb hit the markets

Something like this http://www.datahand.com/

Re:But get this

[Valiss]

Someone get this guy a Netfilx subscription.

Seven Simple Steps

[vorm]

1) Hide recording device in boss's office.
2) Crack boss's password using method mentioned
3) Log in as your boss and send a few nasty emails
4) Snicker as boss cleans our his/her desk
5) Apply for previous boss's position
6) ???
7) Profit

Quiet Keyboard?

So where can I get a totally silent keyboard?

And here I thought I wanted one of those old IBM-style micro-switch keyboards that go CLACKITY-CLACK!

Agent x86

[Molina+the+Bofh]

Be careful, chief. Lets type in the cone of silence.

Re:Agent x86

[Chosen+Reject]

But wouldn't that make what you type float around as big bold letters in the big cone of silence?

Now it's time to say goodbye, to all our company..

This reminds me of a sysop I once worked with. Every time he logged in you could clearly identify the rhythm of M-I-C-K-E-Y M-O-U-S-E. Sometimes he was even stupid enough to hum the tune as he typed it. And this idiot was one of the senior IT guys at a major oil company.

No doubt the guys at systm know about this...

[nothingx]

I was watching an episode of systm where they showed how to put together a mythtv box, and when they got to the part about typing the root password I noticed the keyboard became oddly silent. I figured it had something to do with this, but didn't know it could actually be done.

If they'd done a little more research....

[Ancient_Hacker]

If they'd done a little more research, they might have come across the report of a certain national crypto agency, in the 1950's, having several blind personnel able to do the same thing with typewriters. it's a bit easier with typewriters as the fwap! of the type bars hitting the paper has more variation than your typical computer keyboard.

Pffft....

[Spy+der+Mann]

I prefer visual snooping. It's much more effective :)

Re:click clack

Ahahaha! Now I have your password! Ahahah! *profits*

Re:Any decent authentication system..

At our place of work, three failed attempts equals account lockout. This requires the user getting onto another computer (can't use the current login/pass, so will have to get someone blessing) and going to a web interface to unlock the account using a completely different password. Rinse, repeat, lather, ...if they fail again.

Public Humiliation

[Ieshan]

Especially when looking for the Any Key.

Re:But get this

Get a free iPod Nano 4GB!

Up your ass, dude.

Mod this spamming jackass down.

A little known fact

[Klowner]

It's also incredibly helpful when they mumble their password as they type it.

DUPE

[Gudlyf]

dupe

Re:DUPE

[xsarpedonx]

*cough* . The article details that their methods did not require a 'training text' in order to calibrate the conversion algorithm as has been used previously. *cough* Good try though, you at least read the titles...

Re:DUPE

[TCQuad]

He took the wrong story. Here's the correct link to the dupe.

Step 6.

[Spy+der+Mann]

Make sure nobody does the same thing to you.

Re:Use ASCII numerics, or pound the keyboard at lo

[Psykechan]

I use the Dvorak layout myself. It would help prevent this in two ways.

1. The keystroke timing would be much different
2. Constantly making errors which require much backspace pressing

Been there, done that

[coyote-san]

25 years ago (gah!) I really freaked out my boss because I made a big production of turning my back to him as he typed the root password. I turned back and told him what he just typed.

It wasn't anything fancy, just familiarity with the sound that keyboard made and the usual pauses as fingers move to various keys.

I also used to be able to tell you what number was dialed from the touchtones.

P.S. a college friend said that he would occasionally talk to others in morse code after a long duty shift when he was in the military. Forget the nonsense in the introductory material - anyone who really knows morse code and knows it fast hears it as words. It's not hard to take the final step and speak it like you hear it.

Re:Been there, done that

[bcattwoo]

25 years ago (gah!) I really freaked out my boss because I made a big production of turning my back to him as he typed the root password. I turned back and told him what he just typed.

Was it "password"?

Re:Been there, done that

No, no, that's way to easy. It was ofcourse "GOD" 'cause you know how these bosses like to feel superior.

Re:Been there, done that

[Barryke]

From the article:

There are even some preliminary results showing that computers make slightly different noises depending on what computations they are doing, and that it might be possible to recover encryption keys if you have an audio recording of the computer doing decryption operations.

This article is just a joke, for sure.

Re:Been there, done that

[slashdot-me]

My computer makes very distinct sounds during certain operations. Scrolling, for example.

Re:Been there, done that

25 years ago (gah!) I really freaked out my boss because I made a big production of turning my back to him as he typed the root password. I turned back and told him what he just typed.

Ah, but you were working at TI on the Speak-n-Spell project.

Re:Been there, done that

My older computer would make noise when scolling documents, while I was playing audio. Like there was cross talk on the buss line sor something. I could recall the diferent sounds depending on what folders I opened and scolled etc.

bluejacking

[mossmann]

1. Jack the target's phone.
2. Have it call your recording station.
3. Record keystrokes.
4. Recover passwords.

Re:Another old fashioned way to get passwords w au

[null+etc.]

Another old fashioned way to get passwords w audio: Just tap the "help desk" phone line.

Or, an even easier way, give them candy:

http://news.bbc.co.uk/1/hi/technology/3639679.stm

Seriously, this "audial cracking" is a great idea (which I coincedentally thought of while watching "Sneakers".) Combine it with a laser microphone, and you can "sniff" passwords from far away, without requiring any additional equipment to be installed on the site being compromised.

I think so

[the_mighty_$]

This technique must be usable on most keyboards, because judging from this the FBI sometimes uses (or has used in the past) this technique. From the page:

Audio surveillance. This method is a variation of Attack #4. FBI technicians install an audio bug near your computer. The sounds generated by the keyboard can be analyzed. By comparing these sounds with the noises made during generation of a known piece of text, the FBI can often deduce your passphrase - or come so close that only a few characters need to be guessed.

Oh and by the way, that page was written in 1998, so these UC-Berkley students (and the /. editors) are about 7 years slow.

Re:I think so

These guys do it *without* the known piece of text though; as a statistician, I applaud them!

Re:I think so

[drew]

Even without RTFA:
The article details that their methods did not require a 'training text' in order to calibrate the conversion algorithm as has been used previously.
(emphasis mine)

They are acknowledging that what you describe has been possible for some time, but what they have been able to achieve different.

Re:I think so

[igb]

It's hard to know what's true and what's not in Peter Wright's paranoid delusions (Spycatcher) but that book documents using a microphone to listen to the sounds of a cipher machine being set in an embassy circa 1955. The book was written in the late seventies. It doesn't matter if it's true or not: he knew the idea and wrote it down. ian

Re:I think so

[KillShill]

it was written in 1998 so that means the FBI were using it for oh, the past 20+ years.

do you think they would divulge their secrets if no one else knew? by 1998, just about every "security" and "intelligence" agency had already surpassed it.

Re:I think so

That's why real geeks like deathmetal. Screw the bugs....

Due South

[kannibal_klown]

I remember an episode of "Due South." It was a silly show, but at least somewhat entertaining. Anyway, one of the guys made an interesting point.

They were in the room when a guy typed in his password, they could see the keyboard or anything. Anyway, the mounty said that each key sounds slightly different. Anyway, after playing with the keyboard a few minutes he was able to guess it within a few tries.

Granted, the show as as fictitious as they come: "Canadians have computers!?!?" But it made some sense and afterwords I started playing with my keyboard I too realized most of them sounded slightly different.

However, I don't have "the ear" for such things (ie, I can't tell what phone number was pressed by the tone." I wonder if someone with a good enough ear can use this too their advantage though. Perhaps someone blind who's trained his ears well enough.

Then again, it's probably just a load.

Re:Due South

[elmo13]

I saw that episode! He remembered the tune the keys made. He tried some part of the tune, but then said something like "maybe it wsa the verse, not the chorus" + it worked. Someone should google it. That would be fun.

Increase da peace. Dont feed da geese.

Re:Due South

[WillAffleckUW]

Granted, the show as as fictitious as they come: "Canadians have computers!?!?" But it made some sense and afterwords I started playing with my keyboard I too realized most of them sounded slightly different.

Canadians invented telecommunications sattelites and are more wired with broadband than the US is, and have more computers per capita than the US does.

That plus the RCMP doesn't just use teakettles to steam open the mail anymore ... even with CSIS, the Mounties are sometimes attached to investigations where keyboard cracking skills are useful.

Re:Due South

[SamSim]

What Fraser doesn't do in that episode, which this system does do, is test out all the keys to find out what sound they make.

Re:Due South

[kannibal_klown]

and have more computers per capita than the US does.

I realize, no Canadian bashing coming from here.

I'm just laughing because I'm remembering an episode.

The mounty is sitting in a police department and says something along the lines of "A virus took down our government's PC's" or something like that.

Everyone around him stopped and his chief said something like "Canadians have computeres!?!?" (and they weren't kidding).

Watching that scene was one of the few moments in my life where I actually spit out my drink.

Trying to make email SEEM insecure...

[crovira]

The USPS if facing a real problem with phones, teletypes, email and IM. Now that people are option for web payment methods, the volume of mail is dropping. Direct deposits and direct payment/debit cards are further cutting into their revenue stream.

They can't ass-u-me that they get at least five pieces of mail going in both directions.

If digital forms of communications can't be cracked except by 'social engineering', they are going to further disappear. (Of course I still get 'snail' mail spam.)

But how dependant are we now on the USPS for any communications? I'd bet very little.

A quick idea that just popped into my noggin:

[NeuroManson]

If you have the time to do it, why not just analyze the residual fingerprint oils left behind on the keys? The oldest oils would differ from the newer oils, and could essentially be used to backtrack any password.

Re:A quick idea that just popped into my noggin:

[Ph33r+th3+g(O)at]

This would be more likely to work if the keyboard is only used for typing passwords :).

Re:A quick idea that just popped into my noggin:

Maybe while we're waiting around for the target to log into his computer, touch none of the other keys, and immediately leave, we can get to work on a teleporter to remotely swap out his keyboard before he comes back. Oh, and bonus! We can beam his original keyboard right into the fingerprint oil age analysis machine (with millisecond accuracy so that we can truly "backtrack" his password) that we'll also invent.

Re:A quick idea that just popped into my noggin:

[slashflood]

Could you PLEASE stop posting at slashdot??? Nobody cares about your trolling, really. Grow up first. Whats your point anyway? Are you a little script kiddy or what? 'Ph33r the3 g(O)at'? What's wrong with you, you piece of shit? Look at your howling posts - most of the are trolls. You're really a dumb-ass. Go home to your mummy, lil kid.

Re:A quick idea that just popped into my noggin:

[Ph33r+th3+g(O)at]

I'm posting this at 2 to piss you off. Please go fuck yourself, you budding little network Nazi, you, and after you're done, see someone about your anger issues.

Re:A quick idea that just popped into my noggin:

[slashflood]

I'm posting this at 2 to piss you off. Please go fuck yourself, you budding little network Nazi, you, and after you're done, see someone about your anger issues.

Funny, that almost all of your posts are either troll or flamebait, where most of mine are interesting, funny or insightful (+5).

Just go home.

What time is it?

Re:A quick idea that just popped into my noggin:

[Ph33r+th3+g(O)at]

You're not looking back in the history far enough. And you're obviously karma whoring, while I'm obviously not, yet we both post at 2. What does that say about you?

TEMPEST

[truckaxle]

Why would you bother with keyboard acoustic attacks, when you could use a TEMPEST attack?

Re:TEMPEST

[mikek2]

Apart from the fact that this is electromechanical rather than electronic, this *is* TEMPEST. I had a fair amount of TEMPEST training waaaay back in my military days (those damn 90's); I found it to be one of most the fascinating things I ever learned. Good site for an introduction

Why all the trouble?

[j!mmy+v.]

They didn't have to go to all that trouble; my password's taped to my display.

"Gosh!"

"Click Click Bloody Click Click Pancakes!"

[EggMan2000]

This might be slightly off-topic, but our IT department recently got new Dell PCs and these keys are so loud and clicky. And not the good clicky, a bad, cheap sounding clicky that agrevates me.

finally

[flynt]

For once, not having a password is a good idea.

meh, NSA been using these for years

[f0dder]

oops.. was that out loud?

Another argument for complex passwords

[akad0nric0]

My understanding from reading the paper is that this approach is only effective for english-language words. Using complex passwords (special characters, numbers, etc.) seems like it would significantly reduce the effectiveness of this attack. A nice follow-up to this paper would be applying the research to analyze how this would impact password guessing in situations with complex passwords.

Sometimes, old tricks are the best tricks!

Re:Another argument for complex passwords

[cbiffle]

Yes and no...

If the keyboard is only used for typing passwords, then yes, you probably win.

However, if (like most computer users) you type your password a few times a day, in between large periods of typing text -- you lose.

A listener can analyze the rest of the text for known digraphs, etc., and then use that frequency information to crack the hard bits (your password). Sure, they might only be able to narrow it down to a hundred or so possibilities, but that's better than brute force.

CORRECTION!!!

[kannibal_klown]

Meant to say "they couldn't see the keyboard or anything."

but can they

decipher kramer's typing in murphy brown's office?

JeffK Speak Ruins This

[eno2001]

From the article: ...and the word "the" is much more common than "xprld".

JeffK speak suins this assumption since we all know that "the" is properly spelled "teh" accodring to JeffK. I challenge these guys to be able to decode what someone is typing when they are being "leet" like JeffK.

Re:JeffK Speak Ruins This

[yRabbit]

p00rly dun hax0r sp33k r00-1nz 1t 3van m0hr!!11onetyonetwo

oar mispealing al ur werdz vary baldy lyk thiz

otr typignae liaeke theaois woauld praobaeylee scrawoo it auhp

Unless they can figure things out letter by letter...

Windows On Screen Keyboard

[Hoi+Polloi]

If you use Windows you can also use osk.exe (On Screen Keyboard) to enter your password, this will allow you to bypass the keyboard completely. This also assumes that you have taken precautions against TEMPEST and CRT diffuse visible light monitoring.

Re:Windows On Screen Keyboard

I have a response to both the threat of someone looking over my shoulder while I type my password and the threat of someone recording the sound of my keystrokes: I keep a small keyboard up my ass - no light enters or escapes and whatever sounds escape aren't keystrokes, if you know what I mean.

I can't really claim my solution solves the first problem since nobody's stood close enough to look over my shoulder since I've implemented this solution.

Re:Windows On Screen Keyboard

[Hoi+Polloi]

You'd have to be able to fit your hold hand up there at the same time though. Finally, a practical use for fisting.

Re:Windows On Screen Keyboard

[chicago_bulls]

hahahahaha

that was hilarious.

Re:Windows On Screen Keyboard

[yRabbit]

Ah, then what you need is a camera/recorder, not a microphone. :)

Good thing hackers don't have flash MP3

[WillAffleckUW]

like my voice-recording MP3 player/recorder with 256MB RAM - although they sell them in the GB range now ...

So when some music-listening person "forgets" their MP3 player next to your desk, you've been social-engineered.

Friends don't let friends become compromised.

-

Re:Now it's time to say goodbye, to all our compan

[twobturtle]

That doesn't mean much, I have hummed that tune no matter what password I'm typing in. Sometimes, I'll do that even when I post. That doesn't that we aren't stupid, it just means that his password wasn't necessarily mickeymouse just because he timed his keypresses that way, and my password is not trogdor.

Bad typing protects the password

So it might be actually useful if you use the backspace and del keys a lot.

Am sure the software is not intelligent enough to handle corrections while typing.

Re:Bad typing protects the password

[TheSkepticalOptimist]

It would probably identify these keys easily enough, remember that it deduces the key pressed by the sound. It would be easy enough to write the algorithm to take into consideration any key pressed.

I.e.

typing password

a b c "hit backspace"

if the software knows the backspace key was pressed because the sound of it is in the suspected position of the backspace key then the algorithm would decide your left with:

a b

One way to defeat this is to tap the key without actually pressing it which mimics the sound but would be more difficult to deduce that you actually didn't complete the keystroke.

Secondly, if you don't know what keyboard the user is using, it would throw off the software. I.e. I use the natural keyboard, keys are spaced and oriented differently so their positions are not inline with most rectangular keyboards.

Re:Bad typing protects the password

[Guysmiley777]

Or what about:

a b c "shift+home" x z "backspace" y z

You can delete text with more than just backspace.

I don't think a natural (freak of nature maybe heh heh) keyboard would throw this off though. They don't CARE what your keyboard layout is like, just the sound of keys being typed. The keys could be arranged in a square grid, it wouldn't matter.

The implication...

[RingDev]

The implication here is NOT passwords. It's key logging with out running a key logger. Theoretically I could "accidentally" leave my PDA on my boss's desc after a meeting and have it record a gig or two of his typing. come back a while later, grab the PDA, download the audio, run it through a machine learner, and viola! All of his correspondence. Even better, I could just run it over the wireless network and get a constant stream of his typing.

-Rick

Side-channel attacks are not new

[Mathinker]

Many, many crypto papers are based on "side-channel"
attacks like this one. These attacks are common and hard to overcome by design.

I remember reading a comment at Bruce Schneier's blog that that when the AES competition was running, the NIST did not consider papers using side-channel attacks because the consensus was that no matter what algorithm would be chosen, it would be vulnerable to various side-channel attacks.

Browsing the FA, I don't see any new material other than instead of learning to identify the keys from recording them being pressed one-by-one, the attack automatically calculates the sound-to-key correspondance using sounds of typing text from a known low-entropy source (like English language, or C code).

Two easy ways to defeat it:

[MattyDK23]

1. Use uppercase characters in your passwords (Can the AI determine if a user is a moron and types all lowercase, like "i love jesus" versus "I love Darwin"?)

2. Use numbers and special characters in your passwords.

Of course, we all do this...right?

I just deduced a password from this article

[digitaldc]

it is 'password' It works about 25% of the time.

article transcript

http://www.freedom-to-tinker.com/?p=893
Acoustic Snooping on Typed Information
Friday September 9, 2005 by Edward W. Felten

Li Zhuang, Feng Zhou, and Doug Tygar have an interesting new paper showing that if you have an audio recording of somebody typing on an ordinary computer keyboard for fifteen minutes or so, you can figure out everything they typed. The idea is that different keys tend to make slightly different sounds, and although you don't know in advance which keys make which sounds, you can use machine learning to figure that out, assuming that the person is mostly typing English text. (Presumably it would work for other languages too.)

Asonov and Agrawal had a similar result previously, but they had to assume (unrealistically) that you started out with a recording of the person typing a known training text on the target keyboard. The new method eliminates that requirement, and so appears to be viable in practice.

The algorithm works in three basic stages. First, it isolates the sound of each individual keystroke. Second, it takes all of the recorded keystrokes and puts them into about fifty categories, where the keystrokes within each category sound very similar. Third, it uses fancy machine learning methods to recover the sequence of characters typed, under the assumption that the sequence has the statistical characteristics of English text.

The third stage is the hardest one. You start out with the keystrokes put into categories, so that the sequence of keystrokes has been reduced a sequence of category-identifiers -- something like this:

35, 12, 8, 14, 17, 35, 6, 44, ...

(This means that the first keystroke is in category 35, the second is in category 12, and so on. Remember that keystrokes in the same category sound alike.) At this point you assume that each key on the keyboard usually (but not always) generates a particular category, but you don't know which key generates which category. Sometimes two keys will tend to generate the same category, so that you can't tell them apart except by context. And some keystrokes generate a category that doesn't seem to match the character in the original text, because the key happened to sound different that time, or because the categorization algorithm isn't perfect, or because the typist made a mistake and typed a garbbge charaacter.

The only advantage you have is that English text has persistent regularities. For example, the two-letter sequence "th" is much more common that "rq", and the word "the" is much more common than "xprld". This turns out to be enough for modern machine learning methods to do the job, despite the difficulties I described in the previous paragraph. The recovered text gets about 95% of the characters right, and about 90% of the words. It's quite readable.

[Exercise for geeky readers: Assume that there is a one-to-one mapping between characters and categories, and that each character in the (unknown) input text is translated infallibly into the corresponding category. Assume also that the input is typical English text. Given the output category-sequence, how would you recover the input text? About how long would the input have to be to make this feasible?]

If the user typed a password, that can be recovered too. Although passwords don't have the same statistical properties as ordinary text (unless they're chosen badly), this doesn't pose a problem as long as the password-typing is accompanied by enough English-typing. The algorithm doesn't always recover the exact password, but it can come up with a short list of possible passwords, and the real password is almost always on this list.

This is yet another reminder of how much computer security depends on controlling physical access to the computer. We've always known that anybody who can open up a computer and work on it with tools can control what it does. Results like this new one show that getting close to a machine with sensors (such as microp

That's IT!

[Beatbyte]

"NO MORE KEYBOARDS!" -PHB

Re:Use ASCII numerics, or pound the keyboard at lo

[mblase]

But then it occurs to be that you could type the ALT+Numeric equivalent of your password characters, just to throw off the bad guys. You know, ALT+100 = "d", etc. Or, just bang the drum slowly when entering the password - loud, thumpy keystrokes. Or put the keyboard in your lap momentarily to alter the acoustic signature.

Or, just type in a random character or two and delete it right afterward. Or--this is a good way to confuse keystroke loggers too--type in part of your login, then part of your password, then delete a character or two of either field, and repeat until you're done.

Of course, it's often easier just to wear a tinfoil hat.

Alert Chris Rock!

[deft]

He warned us about these damn crackers always messing us.

Re:Now it's time to say goodbye, to all our compan

[Chocolate+Teapot]

Well actually, that WAS his password. Mind you, having called that guy an idiot, I have to confess that the reason I posted as Anonymous Coward was not to try to protect the identity of the aforementioned sysop. I had actually forgotten my /. password. I couldn''t even remember the tune.

Extending this to 3 mircophones

[hcob$]

would probably jump the percentage much higher since then you could accoustically triangulate where the sound came from. Just a thought....

Readline

[Al+Dimond]

I imagine this type of thing could pick out Backspace quite well... but what of the readline keys? Could it figure out if you typed the middle of your password, ^a, the beginning, ^e, the end?

Unfortunately not all password fields accept these characters. Password fields in Firefox/Linux with gtk keybindings set to "emacs" allows this... however, if I open up a terminal and try to "su" to another user, that prompt doesn't work (although it does recognize backspace, as we all know).

Simple solution

[Gordo_1]

Pound every key in your password at the same tempo with your thumb, randomly adding junk characters followed by appropriate backspaces. Also, throw some ASCII 3 digit equivalents in there for even more secure password fun. Cackle at the screen in sheer glee and scoff at anyone who dares question your sanity.

It's way more useful for English text.

[Elwood+P+Dowd]

They use statistical analysis based on English words to match sounds to letters. Once they've done that, there are still keys that are indistinguishable by audio. So the awesome part is that they don't need a training text, but it's way more useful for bugging communications than for stealing passwords.

The FBI almost never has to bother brute-forcing encryption. They just bug your keyboard. Now they don't necessarily need to put a device physically inside your keyboard.

Don't panic

[ezweave]

While it is an interesting topic, controlled conditions are required for this to work correctly.

They use a deterministic method to find the next probable character for a given sequence. Deterministic in that if I type 't' and then type 'h' and there are only so many combinations available after that (this is the Markov chain part). Er basically a sort of decision coverage. That is used with the spell check dictionaries they mention for English text recognition. It is interesting too that they are using a neural network (though appropriate) to recognize the patterns. But because they did not make their own, the details are a bit brief.

The problem I see is that the password detection is not flushed out enough and based upon what they state, it is not as powerful as it sounds. The deterministic method won't work for all passwords (as they typically are not English). Their "analysis" is basically a speed up on a dictionary hack (it helps to know the size of the password from the keystrokes), eliminating possibilities by way of possible patterns. But what about special characters, does a shift+key sound that different? Mixed cases, etc? And the deterministic approach does not work if the password is random AND the network has to be trained for THAT persons typing style and keyboard. Is that likely?

I would be more worried about Van Eck Phreaking.

Re:Don't panic

[hammeredpeon]

i'm not sure about that.

say they have the mic going for a long time, recording your keys. they'll eventually find out pauses and sounds that go with each key, and after hearing that you entered one of your usernames, the next word is *probably* the password. not necessarily, but i'd bet a lot more often than not.

Re:Don't panic

[fzhou]

The method *does* work for random password recognition. The spelling and language model are used only for _training_ the recognizer and recognizing English text. Passwords are recognized with the acoustic recognizer only. As the paper says, the password recognition results are obtained with completely random passwords.

Cal and Security

[FooGoo]

No wonder they can't protect their databases http://www.computerworld.com/databasetopics/data/s tory/0,10801,96900,00.html they spend their time doing earthshattering research such as this.

How stuff works

Were I work as a tech. dude (or tech monkey if you like) if a person misstype password 3 times, the terminal or computer that were used is banned, from the network, until I or anohtere tech monkey unban it.

One of oure family frindes were on a visit in USA (pentagon or ohter place) many many year's ago, and asked why they dident use computers yet.
Reply:
They were affraid that people will be abel to see what were on the monitors, based on the glow bounching off walls and faces.
Now try to make some software that can do that, that will be nice.

Phone eavesdropping

[jbum]

A prior paper by Asonov and Agrawal is also fascinating reading.

I assumed when I first heard about this that hi-fidelity microphones were employed, however, the researchers used cheap PC mics. In addition,
they speculate that eavesdropping over the phone is possible:

Another observation that can be made from the experiments is that higher frequencies are generally less informative. Of particular interest is the 300-3400 Hz interval telephone audio band. The relatively good ADCS for this interval in our experiments suggests that eavesdropping on
the clicks over the phone [...] is potentially possible.

people are boring

[crashelite]

ooo sound and keyboards always go together like piano keyboads i bet those are easy to find passwords with... or what about my roll out keyboard its letters dont make noise so my speakers click for the keyboard... that would be really hard to crack hu? using a 2k wav file that plays the same sound (except for delete it plays it backwards) and also last time i checked if u hit a key really hard it makes a different sound (on regular keyboards) so if u hit A really hard it makes a diff sound than if u lightly tap A... oh well people must be running outta stuff to reasearch now of days so they turn to meaningless crap like "i can guess ur password all i need is a micophone and a sound analyzer and then ur keyboard and i can get it only after you type it in once..it may take about 75 times but i will guess it"

Re:Use ASCII numerics, or pound the keyboard at lo

[Davgeary]

Man, it took a long time before the inevitable Dvorak comment showed up. I expected it to be the second or third post. You guys must be slipping!

Dave

It can't work for me...

[cyberbrown]

I write /whois and /away much more often than my passwords.
Yes, I'm IRC addicted...

Not so daft...

[F1Rumors]

Actually, this is not new: and not even impractical.

The technology is available to produce a high resolution recording of the key strokes from a considerable distance, provided there is a glass window on a room. Laser technology is used to pick up the vibrations from the glass as a resolution that will astound.

Even if you are aware that you are being evesdropped and attempt to obfuscate the sound by using shift or caps locks keys, be aware that the key makes sounds both on being depressed and released - and the better the keyboard, the more defined [hence identifiable] the clicks are!

I've done some cryptography in my day, and can tell you that the probability of identifying they keys associated with their sounds goes up very quickly, provided the listener can make a couple of basic assumptions: language being the most basic, though awareness of non-standard keyboard layout would be another [US/UK keyboards have a number of symbols relocated; non-English keyboards have extra characters and relocation]. Like all crypto problems, the more data you have, the better your image of what's taking place, and the better you can identify the underlying data.

The bottom line is, there's more than one way to kill a cat than skinning it & the same applies to passwords: keystroke scanning trojans are only one route; a determined opponent will definitely crack your password if they are prepared to spend the time & money to do so.

ho hum.

And now let's check in on the FBI...

[halcyon1234]

... in their "Audio-Based Password Cracking Lab".

Here we see Agent Small and Agent Geoffries working on a real, live Password Hacking "Evesdrop Machine". If they can just hear enough of the nefarious criminal's activities, the can garner all of his secrets.

AS: Okay, we're getting something.
EM: *click click clickity click*
AG: What was that?
AS: It sounded like a URL. He must be going to a website. The machine will try to crack the URL.
EM: *click*
AG: That was a mouse click, wasn't it?
AS: Yup, not very helpful.
EM: *thump thump thump thump*
AG: What's that?
AS: It sounds like a hard and regular pounding of something. I can't quite make it out.
AG: Hey, the machine's got the url. www.ultimatepron....
EM: *thump thump thumpthumpthump...spalsh*
AG&AS: Ewwww!

Assumes a perfect typist

[scottennis]

From the paper:

"The current attack does not take into account special keys such as Shift, Control, Backspace and Capslock."

Different keyboards and different typing styles probably also play a factor in the ability to extract the text patterns.

"Don't type angry!"

Re:But get this

[notthe9]

An iPod nano up his ass? There are worse things... one would barely feel it. Damn, they're small...

Re:Now it's time to say goodbye, to all our compan

[Ashe+Tyrael]

or for that classic british bad comedy...
A-L-E-X-E-I-S-A-Y-L-E

Easy workaround

[ValuJet]

Remove all the keys on your keyboard then put them back on at random!

hardware keylogger

[E8086]

If someone can get a recording device close enough to clearly pick up every keystroke I'd be more concerned about them attaching a logger to my keyboard. How many people, including yourself, do you know who accually check the keyboard before using the a computer, everywhere, home, office, public access(including internet cafe), school computer lab, someone else's. I'd say very few if any. With all the usb devices in use, someone plugging in a device in the back of a computer may be assumed to be plugging in their USB drive. No one would suspect their attaching a keylogger to steal other people's account info.

Re:hardware keylogger

[LuckyStarr]

suppose someone gained non-root access (by help of crappy software or somehow else) to your linux-laptop and your sound-device is chmod 777. he/she then can use the sound recorded by your built in microphone to hear you type your root password.

pretty far fetched, but you asked for it. ;-)

Re:hardware keylogger

[Darth_brooks]

Even more sci-fi but not as far fetched is the idea of using a laser to measure the vibrations bouncing off of a pane of glass and converting that to sound. You can capture sound with greater sensitivty than a microphone, and from much farther away.

As for brute force lockouts, simply capture the sound of someone logging to the point where you've got a greater certainty of what the password is. Things like repeated characters and the shift key being turned on to denote a special character will become even more apparent over time. If you're patient enough, you can even figure out password expiration.

Patience is a virtue.

And, on a still night..

[swdunlop]

You can hear the incessant tapping of a vi user's escape key a mile away.

Re:And, on a still night..

[value_added]

You can hear the incessant tapping of a vi user's escape key a mile away.

Beautiful, isn't it? Relaxed, rhythmic and almost elegant. Close your eyes, and it's like listening to a light rain falling. Compare that with the punctuated outbursts and clumsy too-many-notes style of that "other" camp, and it's like music.

Windows users, on the other hand, could easily be distinguished by an atonal and shizophrenic clatter interrupted by awkward and erratic periods of emptiness during which they take their hands of their keyboard to grope for an arrow key, and then stumble their way back home, mistyping along the way.

nh (eom)

[Mateo_LeFou]

nh

We're a Go on operation All Ears!

[E++99]

I can just see the FBI breaking into my house to put a bug near my keyboard, and then sitting in a van outside my house for a couple days analysing the sound of my keystrokes with their software -- and not having noticed that my password is on a stick-note on my monitor.

Re:We're a Go on operation All Ears!

[karmatic]

Actually, if your computer is near a window, it might be easier to just use a laser on the window, and measure the reflection. They could get your password without ever entering the room at all.

Batman Did This!

I distinctly remember Batman pulling this same stunt, with a sound recording of someone typing on a typewriter, on the old Batman TV series back in the 1960's.

How about...

[jeweekes]

I just place a delete key in the middle of my password. No-one expects that and it throws them off when you type passe - word

Reverse Engineering - New Voice Command

[cloneofsnake]

Instead of just speaking in English, we can "sound" it out... *tap tap tack* *tap tack tack* (My 6 digit password.)

Bah.

[SoupIsGood+Food]

Only 20 tries on average, eh? Anyone who needs more than three tries to log into my systems needs to call the IT helpdesk to unlock their account. If it's a sensitive system, they need to have their manager call in for them. Game, set and match.

Allowing brute-force attacks is stupid, although not quite as stupid as scaremongering about loud typists.

SoupIsGood Food

Oh great...

[Bent+Mind]

Oh great. Now in addition to having a 20-charactor password, composed of completely random letters, numbers, and miscellaneous punctuation, that changes every day, and an LCD monitor with DVI interface, I also have to enclose my workstation in a sound-proof booth? Hmm, wait, that might not be so bad.

A case for mouse click passwords

Some bank portals (at least mine has) have adopted a 'clickable keyboard' interface for entering passwords. This method is safe from key loggers and key recorders.

Of course, over the shoulder snooping was never easier.

Re:Use ASCII numerics, or pound the keyboard at lo

[RAMMS+EIN]

``Or, don't worry. I mean, realistically, what are the odds of this crack actually happening in the non-ultra-spooky world?''

Congratulations, you've just upped my university campus to ultra-spooky status.

Seriously, these attacks are pretty old and have been used successfully in the past. Now that the word is out, I can only assume it's going to be more common.

Of course, the good old packet sniffer does its job, too. Easy to thwart, but most people don't bother.

Re:RT*F*A

[bracher]

Or, if you're not going to read the article, at the very least read the F*ing blurb on slashdot:

The article details that their methods did not require a 'training text' in order to calibrate the conversion algorithm as has been used previously.

My Keyboard Does Not Make Any Noise

[VaderPi]

I use a FingerWorks TouchStream, so my typing is completely silent.

I have heard something like this before...

[lecter,hannibal_md]

I remember a guy named DataWar talking about this somewhere around 6-7 years ago on the old phreak.org message board. He was saying that each key makes has its own characteristic [no pun intended] sound. It is an interesting concept though...

Garbbge

[Mundocani]

From the article: "And some keystrokes generate a category that doesn't seem to match the character in the original text, because the key happened to sound different that time, or because the categorization algorithm isn't perfect, or because the typist made a mistake and typed a garbbge charaacter."

So did anyone else notice the irony/coincidence that garbage was typed incorrectly in the statement above?

Easily defeated?

Just consciously pause for a bit between keystrokes when typing passwords?

Re:Use ASCII numerics, or pound the keyboard at lo

[Psykechan]

Sorry about not posting sooner, I post when I can.

The sad thing is that my post is absolutely true. I do use Dvorak and am not a good typist.

What makes it even worse is when the layout is changed on me. Mac OS (Panther) doesn't even show what the current layout is when resuming and Windows XP shows "EN" for Qwerty and "EN" for Dvorak. Very helpful indeed. At least with the Mac it alternates between a "DV" and an American flag on the menubar.

Then again, the flag only has 9 stars and 11 stripes. Meh, nothing is perfect.

correction: doug is no student...

[joebeone]

Doug Tygar is a professor, not a student.

This technique was known in 1956

The Btitish were doing this in 1956. "1956 British intelligence breaks ciphers of Egyptian Hagelin machine(London) by detecting clatters through phone bug in Operation Engulf." http://cryptome.org/tempest-time.htm Of course, this new paper shows how to automate and speed it up a lot!

Re:Use ASCII numerics, or pound the keyboard at lo

[bleckywelcky]

Corporate espionage? People don't talk about it much today, but it's just as alive and kicking as it has been for the last 40/50/60 years.

Hackers with earphones

[springbokgeek]

Any people standing around with a microphone pointed at my employees keyboards will be shot onsite.... hold on isn't it just quicker to take a peek, if you are close enough to hear, you must be close enough to SEE1

Re:Hackers with earphones

[Vegeta99]

Pardon me, sir, but the point just flew over your head and took out your attic window.

10-minute recording. Microphones are even easier to hide than video cameras.

Re:Another old fashioned way to get passwords w au

[jerkychew]

I was just thinking exactly that.

I was reading this article when a user called because he couldn't get into his website that we host. The first thing I did was log into our server's control panel while I had him on the phone. If this method of eavesdropping was powerful enough to detect keystrokes over the phone, that would be a very scary premise.

a correction: not exactly three students...

Doug Tygar, one of the authors of this paper, is actually a professor at UC with joint appointments in the UC Berkeley CS department and School of Information Management and Systems. Besides his academic work, he also served as an expert witness in cases regarding SSL patents, Napster, and Kazaa. He's hardly a student like the summary claims. The other two authors are PhD students in UC Berkeley's CS program.

You think it's funny

[Gadgetfreak]

but I've been standing in line at the ATM and heard more than one person mumble their PIN as they punched it in.

It's a good thing I'm a nice guy. The only thing between me and cash were my morals. But I suppose that's the case most of the time in society.

Re:You think it's funny

Some drunk guy in front of me in Georgetown left his card in the machine. I put it in the cup of the next homeless guy I encountered.

I still hope that the karma from that incident doesn't wind up biting me in the ass.

Re:You think it's funny

[maelstrom]

Am I missing something? AFAIK, access to the ATM requires both something you have (the card) and something you know (the pin). You would still have had to steal the card to access his cash, correct?

RTFA

[p3d0]

The whole point is that they use smart algorithms to learn what sounds your particular keyboard makes.

Beware of Stevie Wonder

[srobert]

FTA "..it uses fancy machine learning methods to recover the sequence of characters typed.."

Is that like that Fancy Book Learnin'?

Seriously, this makes me think twice about typing my password in the presence of a blind person.

Uh... Why?

[p3d0]

What part of their method makes it inapplicable to hunt-'n'-peck typists?

PURE s*

Some inventions have no significance outside the lab and audio key logging is one of them. Unless reinventing the wheel all the time is your duty.

In other news, |\|@$@ explains why a return to the moon will take some time.

Keyboard Sound Aids Password Cracking

[BrianTung]

A couple of decades ago I spent a couple of summers working on implementing a relaxation algorithm to solve the same kind of problem in a different arena: font-independent OCR. Internal pattern matching was used to sort the characters into equivalence classes, and then a relaxation algorithm, fed with digram and trigram frequences, was used to solve the "cryptogram" for the letters. I wonder what method they're using these days...

Re:Keyboard Sound Aids Password Cracking

[BrianTung]

Actually, I wonder if you can defeat this crack by shifting your hands by one key just for the password. It won't work if the sounds are entirely dependent on the keys, but my intuitive guess is that they aren't, and that the finger you use to press the keys also matters.

MI5 / GCHQ did this in 1956

[Richard+Lamont]

This technique was used by MI5 and GCHQ as long ago as 1956. It was developed by Peter Wright, a former assistant director-general of MI5, and used to get the rotor wheel settings for a Hagelin crypto machine in the Egyptian embassy in London. The microphone was in a bugged telephone 2 feet away. He described the operation in his 1987 book, 'Spycatcher'.

Inconsistency

The easiest solution: don't be consistent
just have a different person type in your password everyday. that'll really screw 'em up.

Re:Use ASCII numerics, or pound the keyboard at lo

[ki4iib]

Actually, it's biometrics and smartcards WAY before you get to the ultra-spooky world. For instance:

- At my county EOC
- Your friendly USAF Recruiter's office (check his laptop; his ID will probably be stuck in a smartcard reader in there).

Re:Use ASCII numerics, or pound the keyboard at lo

[blinksilver]

how about something simpler, like a different keyboard layout. Make up your own and really throw them off.

Not afraid

[kers]

I always play loud music and often misspell stuff since I'm drunk all of the time.

Re:Use ASCII numerics, or pound the keyboard at lo

[ScentCone]

Actually, it's biometrics and smartcards WAY before you get to the ultra-spooky world.

Well, sure. I guess my point is that by the time we're talking about targets that would attract sophisticated, unorthodox cracking (such as audio cracking of keystrokes), you're already dealing with other security measures that are going to make that specific technique pretty much useless.

"The Computers Have Ears"!?

How about...

"The Computer Wore Ear Muffs"?

Antivirus- antikeylogger

[AntiCopyrightRadical]

I assumed that anti-virus software would look for any program that monitors all keystrokes an alert the user.
If this is the case, it might not notify the user every time a program tries to monitor the microphone.
(though perhaps it should)

Passwords are obsolete

[marcybots]

Isnt it time that computer security experts just give up on the idea of passwords? Instead of trying to get users to use ever increasingly complex passwords they can never remember why dont we just invent a new system of security? Its obvious the password paradigm of computer security is not very effective, and we should move beyond it and start reaching for new ideas instead of fixing a flawed old one.

Re:Passwords are obsolete

[FhnuZoag]

Got a bright idea? Maybe we should just glue the user to the computer.

Re:Passwords are obsolete

[WuphonsReach]

I'd suggest that you start reading up on 1-factor, 2-factor and 3-factor authentication systems. (Bruce's books cover this as do a bunch of security texts from the 70s and 80s.)

A 3-factor authentication system is:

1) Something you know (passwords, PINs)
2) Something you are (biometrics)
3) Something you have (tokens, keys, ID card)

This has been discussed since at least 1990 (my earliest brush with the concept) and probably at least 10+ years prior to that. If you rely on a single factor (passwords), your security is going to be relatively weak. If you use 2 factors, your security gets better but your costs go up. Three factors, your security goes up a bit more but your costs also go up again.

The big problem with #2 and #3 is that of standardization. Any system that interacts with the user can implement #1 (PINs/passwords). No extra cost required other then CPU and developer time. But to implement #2 and #3 requires hardware that isn't present on every system. Worse, the companies who have developed #2/#3 authentication hardware use extremely proprietary systems where you can't use fingerprint reader X and have it work with company Y's security system.

(It's not quite that bad anymore. There probably are some common inter-op standards now, but then you get into the issues of it only works with a particular O/S. Or, the hardware isn't under your control and you don't trust, such as a customer communicating with your website.)

The next step in large-scale security is probably going to be #1 (passwords, pins) combined with #3 (smart tokens or a card of security numbers). That moves us up to 2-factor authentication for cases where 1-factor authentication isn't good enough. Biometrics (#2) are probably only going to work in situations where you have control over all of the hardware used in the authentication process.

I'll even go out on the limb further and would not be surprised if Intuit works with banks to get a 2-factor system up and running. They would have the advantage that they could get multiple banks on board at the same time. It could even be marketed as a competitive advantage. (The precendent for this line of thought would be the process of getting online banking started back in the mid-90s. Used to be tricky to get online banking up and running, now it's almost taken for granted.)

CSIS will defintely use this one

You don't need malware or spyware to be able to listen to key strokes. There are ways of listening to any volume of noise from up to a half kilometer away even through walls. CSIS will almost certainly use this or something like it for black ops.

i call bullshit

[petermgreen]

got a source for that? i was under the impression that when a (traditional analog fixed wire) phone is on hook the mike and speaker are physically disconnected from the line.

Re:i call bullshit

[HermanAB]

Analogue phones can be recorded even when on hook. Digital phone systems have special codes to allow the spooks to listen in. I've been in the phone recording industry for a few years and in a big Telco before that. So, if you were wondering how I know that - I used to design and build the stuff...

This is an old tecnique.

Peter Wright was in British Intelligence for nearly 25 years and was a deputy director of MI5. His tell all book 'Spy Catcher', details how they used microphones to capture the sounds of typewriters and encoding machines to read the cleartext as it was entered or typed. THis was in the 60's!!!

Just think what the Intelligence groups can do now.

Re:Use ASCII numerics, or pound the keyboard at lo

[bar-agent]

I use Dvorak too, but it won't make a difference. This technique does not depend on keystroke timing, it classifies keys based on their sound and guesses which letter each key-sound means based on English usage stats.

One thing that would work is to switch to a different layout when you enter your password and switch back when done. But you can't type an extended sequence of English in the alternate layout, else they'd be able to decipher it the same way.

Malware? How about human-engineering?

[MickLinux]

Malware nothing.

All the attacker has to do is call you on his recording phone (okay, tape recorder tied to the phone line), and convince you to type him a letter and email it to him.

Record the sound, match the sounds to the words of the letter, and bingo. He has your email password, and more if you logged on to type the email.

And yes, that doesn't require the use of a long amount of text, or their machine learning.

Human engineering takes a tech job, and makes it dismally simple.

Rate the above plus 5 informative!

n/t

Berkeley

[Grievre]

Sheesh, I mean we're famous enough...

Well..

[andreyw]

So much for my 15 year-old IBM Model-M (http://en.wikipedia.org/wiki/IBM_Model_M_Keyboard ). :-).

I still am proud if it, disregarding this basic hey-I-hacked-an-audio-subtitution-cypher. Certainly not losing any sleep over this. In the mean time, I can hear the keys even through the sound of trance pumping in my headphones.

Van Eck Phreaking?

[ManyLostPackets]

Hmmm, not quite Van Eck Phreaking ...but close

(refresher)

**cough** obligatory

[ManyLostPackets]

obligatory refresher

Workarounds.

[edunbar93]

I like to foil this effort by pressing "^U" a lot when I type my passwrod.

That is, for the passwords that aren't public keys...

Re:Use ASCII numerics, or pound the keyboard at lo

[ki4iib]

Ohh, I see. Yes, quite logical.

Schools, ironically, are the one place that I'd expect this not to be true. There are a -lot- of bored student crackers out there.

Uh, no...

[shachart]

Spyware listening to your neighboring cucible's occupant trying to get her password, now - that's useful for some groups

Re:Use ASCII numerics, or pound the keyboard at lo

[ScentCone]

Schools, ironically, are the one place that I'd expect this not to be true. There are a -lot- of bored student crackers out there.

Alas, true. I'd actually be surprised if most schools aren't at least considering (if not already implementing) some sort of smart-card system for access to their networks. There's a lot at stake on a large campus system - but it does take a lot of cash to do it right. Of course, not as much cash as digging out of the lawsuits that can come from some of what happens when students abuse those networks (or each other, etc., through those networks). Good old just-a-password security is eventually going to be a quaint memory anyhow. At least anywhere that it counts. There will always be some twit that just won't be happy until he's cracked into his dorm-mate's laptop, but that guy is probably snooping through people's backpacks, too. It's a shame that people smart enough to rig up something like RF- or audio-based cracking (just because they're bored) don't have something more constructive into which they can pour all that energy and intellect. Some things never change, though!

Keys that play sound

[Murgalon]

Well, what about a simple application that plays a sound on each keypress. The pitch of the sound could be adjusted slightly every few minutes or so just to add to the confusion and keep it interesting for the user. The application might even become so popular that you can sell it to Hollywood Sound Engineers for use in movie computers when our hero has to type in the password.

Whew!

[eno2001]

Then that must mean coders are safe since most of them can't spell worth a damn unless they are coding. ;P

Re:Malware? How about human-engineering?

[walstib]

Yup, better yet may be to call the NOC and convince them to log into a router because you are seeing "strange problems". Record them typing, you will know the sound of the keystrokes for ssh YourRouterHere.com and can then derive the password.

two words:

[adamgolding]

onscreen. keyboard.