Chris X Edwards


Mobile 2 - Pros Of The Con

2016-12-04 12:37

I recently wrote about how horrified I am that people believe smartphones can enhance computer security. Not content to just refute that claim, I went on to state that I do not find smartphones compelling in general. Many people I encounter simply can’t accept this position. To save time in the future, I’m going to explain myself here. I will enumerate all of the reasons that I can think of that a smartphone might be appealing to me and yet why they ultimately fail to inspire me.

Coffle Chain
First of all, let us sane people all agree that if your job needs to be able to reach you while you’re using the toilet, that it is a bad job. I have a relatively good job. Second, the whole topic should be moot because whatever device an employer truly requires me to carry would be provided to me by my employer. That hasn’t happened to me yet which is a sign of how seriously my employer needs to contact me when I should not be contacted.

L’Heure Exacte
What a blunder Apple committed with that wristwatch stuff. Nobody wears a watch! People almost don’t even understand the concept. For professional reasons (server logs, ntpd administration, etc) I take knowing the accurate time very seriously. With sub-second accuracy, please. That is why I do wear a watch. My watch is solar powered and receives the NIST shortwave time beacon. Telling time is a good reason for a smartphone, but for me a smartphone is not good enough for telling time.

Eine Kleine Scheiß Musik Though I’ve long since cured myself, I underwent consumer brainwashing at the time of the Sony Walkman. To orient the young people, let’s just say that it was as big as the iPhone, literally and figuratively. With it, you could listen to cassette tapes anywhere! Wooo! Sounds kind of silly today, doesn’t it? Ahem. Yes it does. Most portable listening devices suffer from one of two problems. First are the bad ear buds that are dangerous to your hearing. (Seriously, if you listen to portable music, throw them away and buy some noise blocking ones. Do it now.) Second is the annoyance of other people’s music. It used to be that this was confined to close quarters, say riding the bus, and you’d hear music leaking out of someone’s aforementioned bad headphones necessarily turned up too loudly. Today the situation is substantially worse. With smartphones people don’t bother with headphones. Why suffer the hassle of that when you can also generously share your brilliant taste in fine music with everybody in a 50m radius? Of course your musical selections are so compelling that mangling the tone through tinny micro speakers won’t be a problem at all. That all too true story happened to me just yesterday when I was trying to read (a paper book) in the park. A similar feature of smartphones that I do not require is to let everyone in the theater know how important and popular I am.

ГЛОНАСС Navigation
Without a smartphone, I’ll get lost, right? No, usually not. I’m quite a confident navigator even in the absence of electricity. I actually have an ancient car GPS from the days when that was a thing and it still works fine. It’s in my car and I use it once every couple of years. It even runs Linux; I had an easier time customizing it than my Android phone.

Is satellite navigation on smartphones even ready? You may laugh and say, of course it is! But when I first checked into this back when GPS on phones seemed to be a thing, it turned out to be dependent on the availability of the cell phone service to download the satellite ephemeris data. I don’t know if that limitation still holds (which is unnerving because I’ve tried to find out) but when REI wants you to believe there are good reasons for purchasing a standalone GPS receiver, they say stuff like, "GPS units are not limited by your cell phone provider’s coverage area." Since I am well known to frequently visit the serious middle of nowhere, this is not a meaningless technicality. When my life depends on getting it right, I still use paper maps.

Victorian Cosplay Telephony
Even for making 19th century telephone calls smartphones are dreadful. The quality is a joke. Compare quality with sitting at a computer and using Hangouts or Skype. Or, for that matter, any ordinary telephone call ever made between 1930 and 1990 facilitated by the guys who brought us Unix. Since 90% of my phone calls are to asshat customer "service" situations which are too stupid to understand that email is a natural asynchronous medium, 90% of my call time is spent on hold. But even this is not improved with smartphones. "I’m sorry. I did not recognize. That input. Please enter. Your social security number. And. Your birthday in ISO8601 format to the rhythm of the William Tell Overture. Again." So you move the phone away from your face to do this and the phone is black. You shake it and shake it and whimper a bit at it. You can’t touch its black screen or the call will terminate. The display finally comes on and it basically is telling you that you’re involved in a telephone call. Gee thanks! You work passionately to evoke a usable antique telephone keypad from the wretched software while preserving the delicate connection into which you’ve invested half an hour on hold. And just when it comes up and just when you start humming the Lone Ranger tune, you hear a voice from another dimension, "I’m sorry. I did not recognize……" Using smartphones as telephones will only be viable when they are cheap enough to smash with a hammer every time this occurs. Sadly I predict this will happen before terrible smartphone (and customer service) interfaces go away.

La Chispa
My son and an alarming number of otherwise sensible adults who should know better have tried to sell me on mobile phones because they make such handy flashlights. I wish I were kidding but you know this is true. You know what else makes a good flashlight? A flashlight. When this is the killer app, I know something is wrong. Imagine if Microsoft had made their blue screen of death a white screen of death and called it a desk lamp.

As a strong proponent of autonomous cars, whenever I need to remind myself or others how important this topic is, I turn to Russian dashcam videos. As these are quite inspirational, I’ve been thinking of getting a dashcam and/or helmetcam, but can a smartphone serve the purpose? I remain unconvinced. Still, a smartphone’s greatest potential lies in bearing witness to the grand stupidity that is other drivers, who are by far my largest problem in life. On first principles it would seem that a dedicated photography system would be smarter. Economies of scale make that difficult to easily assess. All of the dashcams I’ve researched seemed shady and unreliable, just like smartphones.

Safety (Mine)
People point out that I could need to call someone in the case of an accident or emergency. Believe me, that’s on my mind. My odds of winding up dismembered under a Chevy Tahoe are orders of magnitude greater than those of normal people. Of course I’ve given this a lot of thought and even still, I just can’t feel that this risk is ameliorated enough by a mobile phone to outweigh the annoyances and costs. After all, the driver of the Tahoe will not only have a mobile phone, but will actually have it fully operational at the moment the emergency is created. That prediction does not have low odds. To suggest that I carry a mobile phone when I’m cycling is reasonable and intelligent but I still can’t be bothered. Hell, I can’t be bothered to replace missing handlebar tape but let’s not miss the point. I suggest to you that wearing a full face helmet when travelling by automobile is even more reasonable and intelligent, but you’re not even going to contemplate doing that. It’s undeniable that doing so would improve safety, yet we make implicit decisions all the time about safety involving low risk odds. Most people do not need to consciously think, "Hmm, should I spend the day in the backyard digging a nuclear fallout shelter?" Of course not. Despite undeniably improving safety, such a project is likely to be a pointless waste of time. That is how I feel about the hassle of mobile phones. I’m usually a fan of pessimistic planning (if I had a back yard and a shovel…hmmm). I would be much more likely to carry a phone for emergency use if the service was billed $1 a month and $50/min if you actually use it. If it also had a hand crank to power it, then I’d definitely have one in my car.

Safety (Yours)
The other side of this coin that people suggest to me is something like, what if your child/wife has an emergency at school/work? My answer is more practical than emotional — what the heck am I going to be able to do about it? If it’s not serious, well, Q.E.D.; if it is serious, call 911, not me! If there is such an emergency that can’t wait until I get home, would you say safety has been improved because I can take a call or text while driving home? Please don’t answer that because the answer is categorically no. The sad fact is that your world is less safe because of mobile phones and my world is much, much less safe because of them. I was extremely lucky to walk away from this mobile phone "experience".

carcrash1.jpg carcrash2.jpg

My car was politely sitting completely still on the freeway stuck in heavy traffic when it was thrown like a toy into the tailgate of a truck by a Chrysler 300 (note the distinctive grill print). All because some idiot had to read a text or make a call. The mental attention I need to defend myself from literal death by smartphones when I’m travelling by bicycle is more exhausting than the pedalling. Safety is harder for me to take seriously when considering mobile phones. (Reminds me of another issue.) Although it’s not in the same category as death, not getting to execute my planned amortization of that car pretty much exceeded my mobile communications budget for many years to come.

The Truth
Just like that other issue the reason to have a smartphone is not safety. It’s because you just like them. Smartphones are not the wildly invasive epidemic for any of the reasons I’ve listed. No. The fact is that when most people lovingly stroke their precious they are doing nothing more than normal stupid internet stuff. But I get it. I got it. I mean I got it long before the smartphone zombies did. I was seriously playing smartphone style casual games on a personal computer in the 1970s. Yes, I understand the appeal. Because those of us who used computers in those dark days faced such a negative caustic reaction from normal people, especially female normal people, I had to essentially trade away all prospects for a girlfriend. You thought today’s cell phone plans were expensive! I get it. Computers are amazing. Addictive. Empowering. A lifelong joy in my life.

I think the modern smartphone zombies are really discovering the computer itself more than the portability. Like I did 37 years ago. Normal people today carry around a stupid irritating computer. I dedicated my life to making computers not be stupid. I get it. It seems to me that 99% of what people do with their smartphones, I can do with an old junky desktop computer. And I do. And the other 1%?

Here’s the thing, since 1980, I’ve been sitting at a computer as much as possible, essentially all day, every day. Only a fool would seriously think I really need to be able to use a computer more often. I turn on my computer right when I get up and turn it off right before bed. I sit at it for astonishingly long unhealthy stretches. If I can tear myself away to work on not being so one dimensional, which I proudly have, the last thing I need is another computer to look at. When I’m on my bike, in my car, in the grocery store, walking across campus, hiking the back country, socializing, in bed, or sitting on the toilet, do I really need to still be using a computer? Are all the other times of my life not enough? I live next door to a library that I visit several times a week. Does anyone really think I need a smartphone when I take a break from my computer work to go to the library? I do see people in the library all the time, surrounded by books, staring at their phones. To me that is a huge irony. An unnecessary one.

Noscript No No

2016-12-02 22:12

About 10 years ago I started using the Noscript browser extension to block undesirable JavaScript. The problem was that it tends to block a lot more JavaScript than that and after a few years, I gave up on the constant attention it required. After my AWS attack I returned to it. I learned that if Noscript makes the internet not worthwhile, well, it’s not worthwhile. The internet is definitely a stinking cesspit of unsavory JavaScript, much of it coming from large search engine and social media companies.

Fortunately although Noscript is more obligatory than ever, I find that it is a bit easier to use. The web has sorted itself out into major players that are "doing no evil" and the ones just saying that. I find that for most sites I care about, only the primary domain name needs to be free to run code in your browser. Leaving the other ten sources of JavaScript banned usually just results in the ads and privacy invasions not working. I’ll look at ads, but I won’t run predatory advertising code. I feel that’s a fair compromise. In practice, this means I see essentially no ads whatsoever.

Every once in a while I need to enable a CDN or an auxiliary site to the main one, e.g., but overall, it’s quite manageable these days. I feel that Noscript takes an utterly hopeless situation and takes back quite a bit of control. I wholeheartedly recommend that everyone who uses a web browser use it.

I wish that could be the end of the post.

Unfortunately, I recently noticed something unnerving and I tested it conclusively today with version When I install the extension I find that it creates this file (yours may be slightly different).


This is actually a zip file (bloody hell). Inside the archive I find the file noscript.js which contains this configuration setting (breaks added for readability).

pref("noscript.default", "about:blank about:pocket-signup

What the hell is all that? To find out you can click on the Noscript icon, choose Options and then select the Whitelist tab. A new install of Noscript allows JavaScript from these sources by default! What a rotten sneaky trick. I’m pretty disappointed about that. Fortunately, it’s easy to clear those out. It’s just sad that even this extremely high quality tool designed to empower your authority and control over your browser is simultaneously designed to sell you out to Bank of America’s Latvia division or whatever that is.

Still, don’t forget — sad as that is, I wholeheartedly recommend everyone who uses a graphical browser install Noscript. The web is that bad.

Mobile Security Is An Oxymoron

2016-11-30 08:27

Ok, so I’m a very weird guy, I can see that. Mobile phones can be very handy, I can see that too. Combining those things it turns out that mobile phones are still pretty useless to me personally. That fact, I concede, is strange. I participate in less than a dozen actual telephone conversations a year even when including the hardwired telephone sitting in front of me on my desk at work. I can not remember a telephone call that would not have been better served in an email. Many of my telephone calls involve waiting on hold for dozens of minutes. Today, the fundamental advantage of telephones isn’t the frequency-clipped disembodied voice you can hear, it is that the rudeness and imposition of interrupting someone are usually overlooked. But not by me.

Ok, so unless you just like hearing the sound of other people’s voices nattering away while you’re in the grocery store, and I understand there are many such people, the whole 19th century telephony thing is not extremely compelling. But what about all the other great stuff? Throwing enraged birds into pigs? Everyone loves that, right? Nobody knows how to use a paper map any more so it’s not like it’s even optional, right? Everyone wants to know what their friends' lunch looked like and gleefully stalks Pintergramerbook to find out, right? I could go on and on, but, folks, I’m sorry, I’m as aware of the benefits of technology as anyone and I do not find smartphones compelling. Sorry.

I can confidently surmise that I had my Sharp Zaurus SL 6000 before you had a smart phone. That brilliant pocket computer highlights exactly why I find modern small computers so uninteresting. On the Zaurus I could easily open a terminal. It ran a proper Linux kernel and I had full root permissions. I could run a Python interpreter in the normal Linux way. I could install any Linux software, Vim for example, and write my own. I could tape it to my Roomba and steer with it over wifi SSH. I felt like I was in control. But Android revoked almost all of that control. Don’t talk to me about the nightmare of warranty-voiding freakish rooting hacks. The necessity of such tricks is exactly the problem.


Now we come to the elephant in the room. What happens to security when you use a networked system which is controllable by clever hacks and back door tricks, but impossible to control by authorized users using ordinary methods? It sucks. When I look at almost any security measure taken by the computing systems that I feel are safe enough to use, they are almost all invalid with modern phone operating systems. For example, why do package maintainers provide MD5 hashes of packages? So you can verify things came from a trusted source. With Android, you can’t verify anything of the kind, and you have no idea who is a trusted source. Or take a simple thing like user accounts. These are designed to restrict privileges so that if some software is acting in bad faith, it can be contained. Android has a disgustingly perverse privilege model that just mocks proper security. The only thing that user accounts seem to restrict with Android is the device’s legitimate owner.

Blah, blah, blah. Ok, ok. There are zillions of Windows users out there who obviously don’t care about terrible security and bizarre conflict-of-interest turf wars in their computers. Fine, fine. What is blowing my mind in the smartphone era are the Linux people. The acquiescence of the people who should know better is what really freaks me out.

The first iPhone I ever saw was being proudly shown off by a sysnet (systems and networking) professor, a guy who studies computer security at the highest level for a living. I remember the thought I had at the time which remains the same to this day, "Hmmm…and you’re ok with that?"

Distrust and caution are the parents of security.

— Benjamin Franklin

Security is hard. In the Linux world at least 50% of knowing roughly what you’re doing involves various security measures. With the advent of smartphones it seems like everyone took the opportunity to make a clean break with the truly onerous task of secure computing. By relinquishing control, even technical people seemed relieved to relinquish responsibility too. Another quick example — I asked the head computer security analyst at my university (largest employer in the 8th largest city in the USA) what he thought about phone security. His answer was, essentially, it’s bad. Very bad. Ridiculous bad. Sure. Whatever. So what does he do about it? Well, nothing special really. He mostly just assumes it’s insecure and behaves accordingly (lucky for him he’s a professional at that). And yet, he believes that his smartphone was responsible for his Amazon account being hacked (and if anyone should know that, it is he). How did that then change his behavior? Amazingly, not much! This is typical! People who know better stop caring for some reason. I don’t understand this. I haven’t been able to stop worrying and love this bomb. I have never been interested in using a computer as a computer that I can’t control with the full force of computer science. I don’t care what magic services it provides. If I don’t have at least theoretical control and it knows who I am, it creeps me out and I want nothing to do with it.

Obviously I have a lot to say about modern telephones, but at the same time, I don’t. I wish I could point to the smoking gun and say, ah, here is why you shouldn’t use this. But I am not an expert in these systems which are designed to prevent me from properly understanding them. I just know what I appreciate and trust about the Linux systems I do use, and I can’t see any similarity to the way smartphones are controlled. For the same reasons I (and people like Richard Stallman) boycotted Microsoft operating systems for almost 20 years now, I can’t accept Android. I feel vindicated that my 1999 assertion that the Linux kernel could be made usable by normal people was true, but at this point Android is worse than Windows. (Do I even need to point out that IOS is worse than Android?)

Ok, I don’t like telephones. I don’t like proprietary operating systems that exclude you from control, destroy your privacy, and prey on you at every opportunity. With all that baggage, in comes a new topic that is of particular importance to fancy computer people taking care with security: multi-factor authentication. Abbreviated as MFA or 2FA, this basically is about using your phone to add another layer of security to unrelated services. I think you can guess by now how I feel about that. I’m not impressed. I’m horrified.

But again, I’m not the head of some nation state’s hacking agency. Although I take a serious and diligent interest in security concepts, I don’t make a career of studying the dark corners of proprietary software. When I step out of the light of the non-proprietary, free software world, I am overwhelmed and terrified.

This post is just a starting point, a way to dump my rough misgivings along with some links to why someone might feel this way. Make of it what you will.

Phone Insecurity

MFA With Phones Is Bad

  • Can we agree that whoever has complete control over your device can completely subvert MFA? Please?

  • Given the history of large companies' security (Sony, LinkedIn, Home Depot, etc), if you give your phone number out to companies the odds are high that it will end up in the hands of criminals.

  • What happens if your phone is lost, stolen, out of batteries, left at home, etc. — MFA using that phone is worse than useless. MFA always suffers from the problem of what to do if the various components fail.

  • Why is a mobile phone considered an additional factor for multi-factor authentication, but email is not? This is absurd. For some of us anyway.

  • Is it multi-factor when someone uses their phone to access a service and then receives the MFA token on the same phone?

  • In my AWS attack they had me before I ever would have had a chance to register MFA. In theory, they’d have had my phone as well, compromising all other MFA schemes.

  • NIST is No Longer Recommending Two-Factor Authentication Using SMS. NIST Recommends SMS Two-Factor Authentication Deprecation.

  • Krebs talking about a phone based MFA scam.

  • Social Security security apparantly requires an insecure telephoneAnd rescinded!

  • This bizarre article argues for phone 2FA but do carefully check out the utterly insane contradictory section "Faking Two-Factor Authentication".

  • Dedicated MFA authentication devices seem like a reasonable idea. Using another computer, one which is likely to be insecure, does not.

Cell Network Attacks

SIM Card Attacks

Client OS/App Vulnerabilities/Malware

My Absurd Telephone

  • Providers and vendors sell tweaked versions of Android that may not properly implement security updates. My phone’s Android version is from 2011 though the phone says it’s up to date. What could go wrong?

  • "Settings → About Phone → System updates → Update Android" → "Your system is currently up to date."

  • "Settings → About Phone → Android Version" → "2.2.2"

  • Futex attack vulnerable on Android versions 4.0 through 4.3. So am I immune? Ha.

  • Linux is currently on kernel version 4.9. Here’s my "up-to-date" phone’s Linux kernel.

$ cat /proc/version
Linux version (jinyoung.chon@Sprint14) (gcc version 4.4.1
(Sourcery G++ Lite 2009q3-67) ) #1 Mon Mar 7 11:55:10 KST 2011
  • The last kernel was packaged on 23-Feb-2010 15:43. This means that when the vendor compiled this Linux kernel for their Android system, it was already a year old.

Why Your Zip Files Irk Me

2016-11-29 18:31

In the world of normal people, when a collection of files needs to be downloaded from the internet as a single entity the odds are good that these files will be packaged into a zip file. This is a shame.

The reason is that it lets people think that this is a good way to bundle files and it is not. It may be an adequate way and it may work fine. Linux and Mac people certainly have an unzip command at their disposal but the problem is more subtle than a simple ability to unpack it. The reason I know that zip is a bad idea is because I know of a better way. Of course I’m talking about the Unix way.

The problem of zip is that it packages up files and it compresses them (let’s ignore bizarre options like -n that may be able to suppress this default behavior). Why this is bad can be seen with two examples.

Imagine I had a collection of mp3s that I wanted to make available for download as a set. For these files zip will pointlessly "waste its time trying to compress them", to quote from the zip man page. The problem is that mp3 files are already compressed so that compressing them again when I package them makes little to no sense.

Here’s another example. Let’s say I had an enormous file containing an ASCII text SQL dump. I want to compress this because that will be very effective but there is no need for any kind of archive container. Yet if I zip the file, I will have to work with it as if it were a collection of one. Why should there be any accounting about possible other files when I know I just want to compress a single file? Have you ever purchased a single bag of snack food at a store and the cashier rings you up and asks if you’d like a bag? If anything like that ever happens to you, I hope you think the same thought I always do, "No thanks, it’s already got a bag." How many freaking bags do you need?

The Unix way tries to break down the fundamental operations into separate steps so that they can both be used if needed and not if not. Not only that, but this architecture allows one to change the parts if they are not suitable. The normal Unix way to bundle a collection of files into a single file is tar (my notes). Note that tar by default does not compress things. It can and often does, but the important functionality is aggregating files into a single manageable file. If you don’t like tar for some reason, there are other options. An even more ancient archiving system is cpio (Mac people also have it ready to go by default). This may seem like pointless ancient history, but the Linux distributions (e.g. Red Hat) still seem to think that cpio archives have advantages for making initial ram disks for OS booting. To really drive home the point that there really is more than one way to skin this cat, Unix has yet another very common archiving tool called ar (Macs also have this by default, see man ar). This is mostly used to package dynamic library object files, but nothing prevents you from rounding up your mp3s into an ar archive if you want. If your files are all the same exact size, which isn’t especially uncommon with many data sources, you can use a simple Unix cat to pack them and use the Unix split command to unpack.

The huge point here, is that the Unix way conceptually separates the archiving from the compression (even if they occur simultaneously). Unix has even more ways to compress things. The classic way is gzip (ready to go on Macs). This is not merely the GNU implementation of Zip, it is gzip, quite a different beast. First it does no multi-file aggregation. That is, quite properly, outside of its scope. With gzip you can specify exactly how you want the files compressed (--fast which is -1 or maybe --best which is -9, default is -6). But it’s a lot easier to figure out how to get what you want since there’s no archiving cruft to figure out.

But that’s the tip of the iceberg for compression. The real power comes from being able to pick and choose which compression program you want to use. There is an ancient compression system called, plainly, compress. I don’t have it on my Debian Linux system by default, but Macs do seem to naturally have it. The reason that it’s not so common today is that gzip can uncompress files reduced with compress but today there are just more effective compression algorithms. Chiefly is bzip2 (Mac, installed). This works very similarly to gzip with extra aggressive compression. The Linux kernel maintainers seem to prefer using the compression program xz (Mac ready). Another one is 7z. This one seems to appeal to Windows people. I find it slightly annoying because it can, like zip, archive files (but badly - doesn’t preserve file order), but Linux and Mac today have perfectly good 7z utilities by default and it has better compression than zip.

Not content with archiving and compressing zip also can encrypt the contents. Hopefully by now you’re understanding the problem. It’s better to apply a separate utility that specializes in encryption rather than take what zip threw together as an afterthought. Options for encryption include ccrypt, pgp/gpg, and mcrypt. My latest favorite way uses the universally available OpenSSL suite. All of these are documented in my crypto notes.

I’m writing this carefully because I often have a difficult time properly convincing people that the Unix way is correct. To further make the point, let me share an illustrative example of someone using the Unix way, but doing it wrong. Using zip would have been even more wrong, but take a look at this archive.

$ tar -tvzf chembl.tar.gz
0 2016-11-14 06:23 chembl/
9044737177 2016-11-14 04:09 chembl/chembl.sql
1001 2016-11-14 06:23 chembl/INSTALL

It’s ok. It’s a normal gzip compressed tar archive. It’s ok but it could be better. The problem is that there are two files, one tiny and one huge. Both are compressed with the archive. If I want to read the tiny INSTALL file, I will have to unpack the entire archive including the 9GB file.

The correct way would have been to have it set up like this.

$ tar -tvf chembl.tar
0 2016-11-14 06:23 chembl/
2030884202 2016-11-14 04:09 chembl/chembl.sql.gz
1001 2016-11-14 06:23 chembl/INSTALL

Packaged like this, the tiny file doesn’t even get compressed. Why should it be? Now when I extract the tar archive I’ll wind up with a 2GB file and the INSTALL file which I can then read. The files extracted from the archive will be about the same size as the archive. This kind of fine control can be very helpful when you’re pushing the limits of your hardware or piping large file trees between various processes and tunnelling them to various hosts. Obviously if you’re creating an archive for linear storage as on a back up tape, tar is ideal; its name comes from "tape archive".

I also feel that zip has aesthetic flaws. Sure, normal people with their little normal files just open a magical file manager window of the zip archive and they muddle through simple things fine. On such non-explicit systems I sometimes get confused about whether it really is unpacked or it just could be unpacked or what the heck is really going on. In fact even in Unix command line mode this is annoying. You can see what a zip archive contains with unzip -l and the special zipinfo command but I don’t think that zip proper, the main command, actually has a flag to just dump the archive’s contents (it’s not -l which is inconsistently --to-crlf).

Obviously you need to know how to handle zip files. They aren’t going away. Indeed, those master turd polishers known as Java programmers have something called jar (Java archive) as their main software distribution format and it is actually exactly a zip file with some proscribed contents. But please, if you’re going to package and/or compress and/or encrypt some files, please consider doing it properly.

Your Headphones Are Listening

2016-11-28 08:05

Although he was raised a good Linux boy, my son likes to use a variety of insecure operating systems to keep in touch with his bad-influence friends. Sometimes he leaves creepy chat programs running with a live mic while he is AFK. I’ll hear some faint high-pitched noises and realize it’s a gang of squeakers coming through his headphones and everything I say has, unbeknownst to me, been broadcast to their little party. Come on, I know normal people seem to welcome the Stasi, but having your private conversations piped to random adolescents? Am I the only one this bothers?

Being the curmudgeonly old man that I am, I have set up his computer so that I can now easily yank out the microphone plug on his headset. Even if my son isn’t around, I always do this if I’m going to power up that machine, even if I’m logging into my own account with a secure OS. My main desk computers very deliberately have no microphones. When my son leaves his iPhone lying around at night, I treat it just like James Bond treats a KBG planted surveillance listening device he finds. I have been known to wrap this noisome iPhone in conductive foil and then in a pillow.

Call me silly, but some privacy is important to me.

Today’s topic is this interesting question. If I notice a pair of headphones plugged into the microphone jack, would I worry about that? Obviously something is physically misconfigured, but would I flag a privacy threat based on that configuration? I think I would because I well know that microphones and speakers (including headphones) have very little structural difference and can be repurposed to do each other’s job. But that’s a weird hypothetical situation, right?

Turns out no. It turns out that certain Realtek audio chips have a feature (?) where the jacks can be reconfigured in software. This means that what you think of as the output jack can be reprogrammed as the input jack. Now, given the right malware, the situation could easily be as described above with the headphones plugged into the microphone jack. Of course, nothing would seem or even be misconfigured physically.

Can people listen in on ambient conversations in your room through an ordinary pair of headphones with a compromised computer containing this Realtek chipset? The answer, of course, is yes.

The computer I’m sitting at now has a pair of earbud headphones plugged in and lying face up on the desk. I hardly ever use them. I have the Intel 8 series chipset but I can’t really tell from the datasheet if retasking is supported. However, I think it’s best to assume so. Unlike the datasheet, this Intel HD Audio description of enhanced features is in plain English and says this.

Intel HD Audio also provides improvements that support better jack retasking. The computer can sense when a device is plugged into an audio jack, determine what kind of device it is, and change the port function if the device has been plugged into the wrong port. For example, if a microphone is plugged into a speaker jack, the computer will recognize the error and will be able to change the jack to function as a microphone jack. This is an important step in getting audio to a point where it "just works" — users won’t need to worry about getting the right device plugged into the right audio jack.

I actually have thought of cutting off the main body of a 3.5mm stereo plug and using it to short out the mic jack on my laptop with the hope of disabling the internal mic. But I can see that strategy has even more problems than I originally thought.

If you have accepted the built-in microphones in smartphones and laptops always listening to everything you say in the privacy of your living room or car, this news will probably not increase the stink of surveillance in your life by a noticeable amount. If however you have taken great pains to not let that stink permeate your life, this feature will smell pretty bad.


For older posts and RSS feed see the blog archives.
Chris X Edwards © 1999-2016