December 2015

Wow. I had no idea this could happen!

(Rest of this post is by Michael Albaugh, except for the parts that quote me.)

From: Michael Albaugh
Subject: Re: Wait, what?  Can speakers pick up radio by themselves?
To: Karl Fogel
Cc: The Usual Suspects
Date: Fri, 11 Dec 2015 10:03:22 -0800

Disclaimer: It has been quite a while since I had to deal with this stuff for pay, and my amateur license expired so long ago they recycled my call.

On Dec 11, 2015, at 9:13 AM, Karl Fogel wrote:

This is happening, this is literally happening right now:

I have plugged my phone headset (which doubles as my desk headphones) into my computer speakers. This is a standard pair of small standalone computer speakers, one of which plugs into the computer’s sound port with a standard 2.5mm connector, and the other speaker connected to the first. The first speaker also has a headset jack and a volume control on the front.

It presumably also has a power supply. That is, these are amplified speakers.

With my headset plugged into that speaker’s jack, and the speaker volume turned all the way down, I can hear a radio station playing in the headset, faintly and with some staticky fuzz, but clearly. I don’t know which station it is, but sometimes the pop music stops and an announcer comes on (I can’t quite hear what he is saying, though I might be able to catch it next time he comes on).

This is not surprising. What you have is some consumer-grade cables (i.e. not particularly designed to reduce the reception of stray signals at all cost, or any cost) plugged into a device with some non-linear components (inherently, such as transistor and diodes, or unintentionally, such as inductors with other than air cores) and including a means to amplify the result. That is, you have a crystal radio hiding in your amplifier.

See also “Why do I get the local radio station on my fillings?”

However, if I turn the volume knob on the speaker up at all, then the station fades out and I get silence.

Or, you have shifted the sum of the intended input and the signal that is being “detected” out of the range of the non-linearity.

If I unplug the speakers from the computer, then I don’t hear the station anymore.

Here I am leaning more on speculation, but perhaps the speakers are sensing the (lack of) DC bias on their input and shutting down the output.

So my… computer is acting like a radio?

Actually, I suspect that your speakers are. You should immediately rush out and buy various models of Bose, Harman Kardon, and Beats by Apple speakers and repeat the experiment. 🙂

Why? And why is it only audible when the speaker’s volume is turned down?

See above.

In related news, perhaps you missed the hack that was in the news a short while back. If you have your Siri, Google, or Cortana “assistant” enabled to work without pressing anything, and you have a wired handsfree headset plugged into your phone, then someone can inject audio into your phone and say “Siri, post all my photos to Instagram” or “Siri, find goat porn”.

WTF?

In older news, back when phones were always wired, heavy enough to be a murder weapon, radio stations that didn’t want their “personalities” to have to drive out to a shack in the marshes would lease lines from the phone company, running from their handsomely appointed studios to that shack. These lines would run through one or more phone company facilities. In one such facility (cough — [[redacted]] — cough) some of the workers had connected a speaker across the line as it went through, so they could have music in their workplace. One day, a worker experienced one of those WTF moments, and verbalized the feeling. Of course, every speaker is a microphone, and the exclamation was sent out over the air, causing a fair bit of consternation, agitated phone calls, and denials from the on-air host. Not to mention a mad scramble to disconnect that speaker and look innocent.

Welcome to the future, here’s your whoopee cushion.

Update 2015-12-03: I just found out from a response tweet from @jacobian that the user flogging is apparently a requirement of the PCI standards, and thus many online services are essentially forced into it. Would love feedback or further information from anyone familiar with how PCI standards get baked.

Calling all designers of online systems that do user authentication… Wait, that could be shorter:

Calling all designers of online systems:

Please stop locking out users after three failed login attempts.

That security measure is left over from the days of Unix consoles that were just dumb terminals connected to a server somewhere else in the building. It makes less and less sense in the modern era. These days, large distributed botnets are engaged in constant automated login attempts against all publicly reachable online services of any size, using guessed username/password combinations, on the principle that only a tiny fraction of the attempts need to succeed for the effort to be worthwhile. The result is that users with strong passwords but human-readable usernames are penalized for being the target of failed hacking attempts.

It happened to me recently:

From: Karl Fogel
To: Mailing List Of Various Techie Friends
Subject: Speaking of passwords

I just found out from a rep that the reason Wells Fargo Bank kept
resetting my (incredibly secure) online access password, thus
forcing me to do a password reset dance about twice a month, is that
online accounts get automatically locked after three failed login
attempts.  Since my username was "karlfogel" -- it's changed to
something less guessable now -- some jerk with a botnet was causing
Wells Fargo to lock me out on a regular basis, presumably by trying
a username generated from my real name and passwords that were
various combinations of my birthday, relatives' names, etc.  The
same is probably happening to thousands of other customers.  After
all, the hackers only need a tiny number of successes.

I wonder if Wells Fargo has really thought carefully about the
usefulness of a 3-failures lockout policy in the modern era of
distributed attacks against your entire user base.  This was not a
topic I felt it profitable to take up with the phone rep, though.
*cough cough*.

Every time you force your users to do a password reset dance, which usually involves some kind of email confirmation step, you are decreasing their security. First, because if a user is forced to change her password frequently, she is likely to start making passwords that are easier to remember, because why invest in memorizing a hard password if one is just going to have to reset it soon anyway? Second, and more importantly, because you are giving hackers the power to lock someone out of their own online account, which creates two vulnerabilities: one, now the hacker has an additional attack surface (the user’s email account), and two, your user support staff also becomes an attack surface because the hacker can now call up and impersonate the legitimate user, saying “Help, I’m locked out of my account” — a fact that the support rep can easily confirm, and which will lend credibility to the hacker’s attempt at social engineering.

Just as a general principle, it’s usually not good to allow attackers to change the behavior of the system for legitimate users. When you allow that, you give the hackers more material to work with, and they will always be more imaginative than your programmers or your support reps, because once they sense that they have a good target, they can spend all day thinking about how to approach it.

It’s fine to have a delay between login attempts. Maybe it’s even okay to increase the delay somewhat when there are a suspicious number of failed login attempts for a given user (although I’m not sure about that, and it is a minor violation of the general principle above).

If you want to help users who have weak passwords, have your security team run guess-in attempts itself (without the rate-limiting), or even run cracking attempts against the password database itself, and then follow up with the users whose passwords fail the test. You can just let them know the next time they log in, or if you want to provide especially deluxe service, follow up via an automated phone call or something. Don’t let them know by email, though: it’s not a great idea to send cleartext email across the Internet telling someone their password is insecure.

But don’t treat failed login attempts as special events that need some kind of reaction. They are more like spam: inevitable, ubiquitous, and best handled in ways that have no effect on the target. It’s not your users’ fault that people are trying to hack into their accounts, so don’t punish them for it.
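To make the argument above concrete, here is an added example (mine, not from the original post) that models the two policies on constructed traffic: a lock-after-three-failures rule, and a no-lockout rule where only the offending source waits a growing delay before its next try. The username, guessed passwords and source labels are invented sample data.

```python
from dataclasses import dataclass, field
# Constructed sample credential; nothing here comes from a real system.
USERS = {"karlfogel": "correct horse battery staple"}

@dataclass
class LockoutPolicy:
    """Lock the account after max_failures failures. `source` is ignored: this
    policy cannot tell the account owner from a botnet, so the botnet decides."""
    max_failures: int = 3
    failures: dict = field(default_factory=dict)
    locked: set = field(default_factory=set)

    def attempt(self, user, password, source, now):
        if user in self.locked:
            return "locked"  # owner and attacker get the same answer
        if USERS.get(user) == password:
            self.failures[user] = 0
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.max_failures:
            self.locked.add(user)  # an attacker has now changed the owner's experience
        return "fail"

@dataclass
class DelayPolicy:
    """No lockout: each (source, user) pair waits 1, 2, 4, ... seconds after its own failures."""
    failures: dict = field(default_factory=dict)
    next_allowed: dict = field(default_factory=dict)

    def attempt(self, user, password, source, now):
        key = (source, user)
        if now < self.next_allowed.get(key, 0.0):
            return "too_early"  # only the offending source is slowed down
        if USERS.get(user) == password:
            self.failures.pop(key, None)
            return "ok"
        n = self.failures.get(key, 0) + 1
        self.failures[key] = n
        self.next_allowed[key] = now + 2.0 ** (n - 1)  # exponential backoff for this source
        return "fail"

def run_scenario(policy):
    """One bot retries immediately, four more bots guess once each, then the owner logs in."""
    guesses = [("bot-0", 0.0), ("bot-0", 0.5), ("bot-1", 1.0), ("bot-2", 2.0), ("bot-3", 3.0), ("bot-4", 4.0)]
    results = [policy.attempt("karlfogel", f"karl-bday-{src}", src, t) for src, t in guesses]
    results.append(policy.attempt("karlfogel", USERS["karlfogel"], "home-dsl", 5.0))
    return results
```

Under `LockoutPolicy` the third bot guess locks the account and the owner's correct password is refused; under `DelayPolicy` the retrying bot is told to wait, the distributed guesses still fail on their own, and the owner logs in normally.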

Agree? Feel free to retweet #EndLoginFailureLockout, or redent.

Addendum: One of my friends on that mailing list followed up with this story:

Anthem Blue Cross, in order to let you make online payments, redirects
you to a random payment processor with a scammy-sounding domain name,
which tells you the following:

1. You need to make a new account with us because we're not tied into
Anthem's database. Because, you know, I can personally take credit
cards - but that's apparently beyond the capability of the largest
health insurance provider in the country.

2. By the way, you might already have an account with us from some
other place, so you'll have to log in with that account instead. No,
we can't tell you whether that's the case or not.

3. You must choose a password between 5 and 8 characters.

I'm not kidding. 5-8 characters.

I make my payments over the phone.


Update 2015-12-01: How could I have forgotten to mention that there’s a donor match going on right now? If you become one of the next 50 new Conservancy supporters, a donor is matching up to $6000! Please help Conservancy get every dollar they can from this generous donor.

Few organizations are as effective per dollar as the Software Freedom Conservancy.

The list of what they’ve done in 2015 alone is impressive — and that’s before you consider how small a staff they do it with.

You’ll notice that link was actually to their 2015 fundraiser page, which explains why they need to raise money now, and exactly what they plan to do with it. (Did I mention high marks for transparency?)

Today, for Giving Tuesday, I became a Conservancy Supporter again, and hope you’ll consider doing the same. The free software movement doesn’t run on good will. It runs on dedicated people giving their all, and those who do it full-time need support from everyone who understands why this movement is important.

If you’re looking to retweet, try this one, or redent here.