Archive for January 4, 2023

Wednesday, January 4, 2023

EarSpy: Eavesdropping Using Motion Sensors

Ahmed Tanvir Mahdad et al. (PDF via Bruce Schneier):

We explore recent trends in smartphone manufacturers that include extra/powerful speakers in place of small ear speakers, and demonstrate the feasibility of using motion sensors to capture such tiny speech vibrations. We investigate the impacts of these new ear speakers on built-in motion sensors and examine the potential to elicit private speech information from the minute vibrations. Our designed system EarSpy can successfully detect word regions, time, and frequency domain features and generate a spectrogram for each word region. We train and test the extracted data using classical machine learning algorithms and convolutional neural networks. We found up to 98.66% accuracy in gender detection, 92.6% detection in speaker detection, and 56.42% detection in digit detection (which is 5X more significant than the random selection (10%)).
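
The pipeline the abstract sketches (gate the motion-sensor stream into word regions, pull time- and frequency-domain features from each region, and build a per-word spectrogram for a classifier) can be shown on a constructed trace. The following is an added example, not the EarSpy authors' code: it assumes a 500 Hz accelerometer stream, stands in sine bursts for the ear-speaker vibrations, and uses a naive DFT so it runs with nothing but the standard library; the amplitudes, sample rate and thresholds are assumptions, not values from the paper.

```python
"""Toy EarSpy-style pipeline over a constructed accelerometer trace.

Added example (not the EarSpy paper's code): word-region detection, time and
frequency features and a per-word spectrogram on a low-rate motion-sensor
stream.  Sample rate, amplitudes and the tones standing in for speech are
assumptions chosen for the example.
"""
import math
import random

FS = 500      # assumed accelerometer rate in Hz (phone sensors report in this range)
FRAME = 64    # analysis window: 128 ms at 500 Hz, enough for ~8 Hz bin spacing
HOP = 32      # 50% overlap between windows


def constructed_trace(seed=0):
    """Silence / 120 Hz burst / silence / 200 Hz burst / silence plus sensor noise.
    Constructed data: nominal m/s^2 values invented for the example."""
    rng = random.Random(seed)
    segments = [(0.4, None), (0.4, 120.0), (0.5, None), (0.4, 200.0), (0.3, None)]
    x = []
    for dur, tone in segments:
        for i in range(int(dur * FS)):
            v = rng.gauss(0.0, 0.02)                          # baseline sensor noise
            if tone is not None:
                v += 0.3 * math.sin(2 * math.pi * tone * i / FS)  # "speech" vibration
            x.append(v)
    return x


def frames(x, n=FRAME, hop=HOP):
    """(start, samples) pairs for every full window at the given hop."""
    return [(s, x[s:s + n]) for s in range(0, len(x) - n + 1, hop)]


def rms(frame):
    return math.sqrt(sum(v * v for v in frame) / len(frame))


def zero_crossing_rate(frame):
    return sum(1 for a, b in zip(frame, frame[1:]) if (a < 0) != (b < 0)) / (len(frame) - 1)


def detect_word_regions(x, factor=3.0, min_rms=0.05):
    """Energy gate: the noise floor is the 25th percentile of frame RMS (assumes
    speech covers well under three quarters of the trace); frames clearly above
    it are active, and adjacent active frames merge into (start, end) regions."""
    fr = frames(x)
    if not fr:
        return []
    energies = [rms(f) for _, f in fr]
    floor = sorted(energies)[len(energies) // 4]
    thresh = max(min_rms, factor * floor)
    regions, cur = [], None
    for (s, _), e in zip(fr, energies):
        if e >= thresh:
            if cur is None:
                cur = [s, s + FRAME]
            else:
                cur[1] = s + FRAME
        elif cur is not None:
            regions.append(tuple(cur))
            cur = None
    if cur is not None:
        regions.append(tuple(cur))
    return regions


def dft_magnitude(frame):
    """Magnitude spectrum (bins 0..n/2) of a Hann-windowed frame via a naive
    O(n^2) DFT; n=64 keeps it cheap, numpy.fft would replace it in practice."""
    n = len(frame)
    win = [v * (0.5 - 0.5 * math.cos(2 * math.pi * i / n)) for i, v in enumerate(frame)]
    mags = []
    for k in range(n // 2 + 1):
        re = sum(v * math.cos(2 * math.pi * k * i / n) for i, v in enumerate(win))
        im = -sum(v * math.sin(2 * math.pi * k * i / n) for i, v in enumerate(win))
        mags.append(math.hypot(re, im))
    return mags


def spectrogram(x, start, end):
    """One magnitude spectrum per hop over x[start:end]; rows = time, cols = bins."""
    return [dft_magnitude(f) for _, f in frames(x[start:end])]


def features(x, region):
    """Time-domain (RMS, zero-crossing rate) and frequency-domain (dominant bin,
    spectral centroid) features of one word region, plus its spectrogram."""
    start, end = region
    seg = x[start:end]
    spec = spectrogram(x, start, end)
    nbins = len(spec[0])
    mean_mag = [sum(col) / len(spec) for col in zip(*spec)]
    hz = [k * FS / FRAME for k in range(nbins)]
    dom = max(range(1, nbins), key=lambda k: mean_mag[k])   # skip the DC bin
    total = sum(mean_mag[1:])
    centroid = sum(hz[k] * mean_mag[k] for k in range(1, nbins)) / total
    return {
        "start_s": start / FS,
        "duration_s": (end - start) / FS,
        "rms": rms(seg),
        "zcr": zero_crossing_rate(seg),
        "dominant_hz": hz[dom],
        "centroid_hz": centroid,
        "spectrogram": spec,
    }


def analyze(x):
    return [features(x, r) for r in detect_word_regions(x)]


if __name__ == "__main__":
    for w in analyze(constructed_trace()):
        print(f"word at {w['start_s']:.2f}s, {w['duration_s']:.2f}s long, "
              f"dominant {w['dominant_hz']:.0f} Hz, centroid {w['centroid_hz']:.0f} Hz, "
              f"spectrogram {len(w['spectrogram'])}x{len(w['spectrogram'][0])}")
```

The feature dictionaries (or the spectrogram rows flattened) are what a classifier of the kind the abstract mentions would be trained on; the point of the example is that even a few hundred samples per second, far below audio rates, still expose per-word energy envelopes and low-frequency spectral shape, which is where the gender and speaker signal comes from.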


Southwest Airlines and Technical Debt

John Gruber:

From what I’ve gathered, Southwest’s problem this week is a combination of an outdated scheduling system and their generally high efficiency. They keep roughly 90 percent of their planes in service all day every day, but that means when something unexpected happens — like this past week’s weather across the country — the entire system is susceptible to falling apart. They now effectively need to “reboot”, and that might take an entire week. In normal times, Southwest is better than its competitors because they operate differently; now those differences have grounded most of their fleet. They cancelled a staggering 2,600 flights yesterday, 2,400 today, and 2,300 (and counting) for tomorrow. And keep in mind that part of Southwest’s efficiency is that their flights generally fly full — that adds up to over 300,000 stranded passengers per day this week.

Zeynep Tufekci (via Tina Fetner):

It’s been an open secret within Southwest for some time, and a shameful one, that the company desperately needed to modernize its scheduling systems. Software shortcomings contributed to previous, smaller-scale meltdowns, and Southwest unions had repeatedly warned about the software. Without more government regulation and oversight and greater accountability, we may see more fiascos like this one, which most likely stranded hundreds of thousands of Southwest passengers — perhaps more than a million — over Christmas week. And not just for a single company, as the problem is widespread across many industries.


Throughout the past year, the flight attendants’ union picketed in front of various airports as part of their contract negotiations. One protest sign the demonstrators carried? A placard declaring, “Another victim of SWA’s outdated technology,” with a graphic showing a stuck software progress bar. In September, they put the same sign lamenting the company’s outdated technology on the side of a truck and drove it in circles around Love Field (Southwest’s core airport) in Dallas, as well as the nearby Southwest headquarters. In March in an open letter to the company, the union even placed updating the creaking scheduling technology above its demands for increased pay.

Others have blamed Southwest’s point-to-point route network, arguing that it is inherently fragile, although this is disputed.

When I talk about technical debt, many people point to the Y2K scare, which seems to offer a perfect example. […] Obviously, that wasn’t going to work in the new millennium, when confusions between 1905 and 2005 could have caused programs to glitch or crash on an epic scale.

But that didn’t happen, and some people may believe that the implication is that technical debt is not a big deal. But the reason we made it through Y2K intact is that we didn’t ignore the problem. The U.S. government and businesses spent a staggering $100 billion to fix the underlying problem in a massive, multiyear effort.


For example, after the 2017 Equifax breach, which exposed sensitive information from 143 million Americans because the company failed to institute a routine security update to its software, it agreed to pay a penalty of at least $575 million to the Federal Trade Commission. That may sound like a lot, but it was just a few dollars per affected customer and a mere 15 percent of the company’s revenue in 2018, the year after the hack.

Indeed, I ended up with about $5 from Equifax, which is typical, instead of the predicted $125.


Advanced Phishing Attack

George Burke (via John Scott-Railton):

Got a pop up on both my iPhone & Apple Watch about password reset. I didn’t take action. Then received call from 1-800-MY-APPLE.


“There has been strange Apple ID login attempt activity from a MacBook device located in Sacramento. Can you verify that this login attempt was you?”

“No, that wasn’t me.”

“OK. There may be someone trying to access your account. I’ll place a temp hold while I investigate.”

“…Sir, let me send you a code to your number on file ending in xxxx”


“When you receive it, let me know. This will allow me to block further unauthorized access…. Did you receive it?”

David Kopec:

I posted my car for sale on @facebook this morning, and within 10 minutes I had two scammers. First they ask for your phone number to call you. You give it to them and they say they’re sending a code to confirm you’re real. It’s a Google verification code. Report it, obviously.


Update (2023-01-05): Mike Rundle:

Just received multiple “A password reset request was sent from a device at the location shown below.” Mac notifications, but the map was blank. Then received it on my iPhone. THEN got a very convincing phone call from this contact pretending it was Apple.