Loose clicks sink ships 小心驶得万年船

CLATTERING keyboards may seem the white noise of the modern age, but they betray more information than unwary typists realise. Simply by analysing audio recordings of keyboard clatter, computer scientists can now reconstruct an accurate transcript of what was typed—including passwords. And in contrast to many types of computer espionage, the process is simple, requiring only a cheap microphone and a desktop computer.
被视为现代社会背景噪音的区区键盘敲击声，却能泄露出不够警惕的打字者们所能意识到的更多的信息。现在，仅需对敲击键盘的音频记录作一个简单的分析，计算机科学家们便能精确地重现被键入的文本信息——包括密码。与其他形式的计算机间谍活动相比，这个过程相对较为简单，仅需一支便宜的麦克风和一台台式电脑。更多信息请访问：http://www.24en.com/

Such snooping is possible because each key produces a characteristic click, shaped by its position on the keyboard, the vigour and hand position of the typist, and the type of keyboard used. But past attempts to decipher keyboard sounds were only modestly successful, requiring a training session in which the computer matched a known transcript to an audio recording of each key being struck. Thus schooled, the software could still identify only 80% of the characters in a different transcript of the same typist on the same machine. Furthermore, each new typist or keyboard required a fresh transcript and training session, limiting the method’s appeal to would-be hackers.
这样的窥探之所以能够实现，是因为每一个键都有其独特的咔嚓声，此声由该键在键盘所处的位置、打字者的力度及其手的位置和所使用的键盘类型共同决定。过去对破译键盘声音的尝试成果有限，因为必须用一段已知的文本来“训练”计算机程序，以使计算机能够识别每个特定键盘的声音。然而以此方式训练过后，计算机程序仍仅能识别由相同的打字者用同一台电脑打出的不同文本中80%的字母。此外，更换一名打字员或者一个键盘就需要一个新的文本以及相应训练，大大降低了这种方法对黑客的吸引力。

Now, in a blow to acoustic security, Doug Tygar and his colleagues at the University of California, Berkeley, have published details of an approach that reaches 96% accuracy, even without a labelled training transcript. The new approach employs methods developed for speech-recognition software to group together all the similar-sounding keystrokes in a recording, generating an alphabet of clicks. The software tentatively assigns each click a letter based on its frequency, then tests the message created by this assignment using statistical models of the English language. For example, certain letters or words are more likely to occur together—if an unknown keystroke follows a “t”, it is much more likely to be an “h” than an “x”. Similarly, the words “for example” make likelier bedfellows than “fur example”. In a final refinement, the researchers employed a method many students would do well to deploy on term papers: automated spellchecking.
现在，在一波对声学安全的冲击中，道格•泰格同他在加利福利亚大学伯克利分校的同事们一起，发表了能将准确率提高到96%的新方法的详细资料，它甚至无需进行已知文本的训练。这一新的方法沿用了为语音识别软件研制的在录音中将所有发音类似的键击归类的办法，由此产生了一个字母的敲击声音表。这一软件尝试性地按频率指派给每一个点击一个字母，然后用英语语言统计模型测试这一指派所产生的信息。例如，一些字母或单词更容易同时出现——如果一次未知的键击跟随在“t”之后，那么它是“h” 的可能性就比是“x”大很多。同样的，“for example”（例如）就是比“fur example”（毛皮样本）更可能的一组搭配。在最后的改进中，研究者们使用了学生们在学期论文中运用得很好的方法：自动拼写检查。

By repeatedly revising unlikely or incorrect letter assignments, Dr Tygar’s software extracts sense from sonic chaos. That said, the method does have one limitation: in order to apply the language model, at least five minutes of the recorded typing had to be in standard English (though in principle any systematic language or alphabet would work). But once those requirements are met, the program can decode anything from epic prose to randomised, ten-character passwords.
通过反复地检查不太可能的或者不正确的字母搭配，泰格博士的软件从无序的音波中整理出了可理解的文句。不过上述的方法仍有一个缺陷：为了能应用上语言模型，在录制下来的打字声中至少要有五分钟的内容是标准英语（虽然从理论上讲任何系统的语言或者字母都行得通）。只要符合了这些要求，这一程序将破译一切键击内容，从散文体史诗到随机的十字符密码。

This sort of acoustic analysis might sound like the exclusive province of spies and spooks, but according to Dr Tygar, such attacks are not as esoteric as you might expect. He says it is quite simple to find the instructions needed to build a parabolic or laser microphone on the web. You could just point one from outside through an office window to make a recording. And as he points out, would-be eavesdroppers might not even need their own recording equipment, as laptop computers increasingly come equipped with built-in microphones that could be hijacked.
这一种类的声学分析听起来好像间谍和密探的独有领地，不过按照泰格博士的说法，这样的攻击并没有人们想象的那么深奥。他说，在网上寻找创建抛物型或者激光麦克风所需的操作指南是件非常容易的事情。你可以在办公室外放置一个此类麦克风以透过窗玻璃进行录音。正如他指出的那样，或许想要进行窃听的人甚至不必自己准备录音装置，因为越来越多的笔记本电脑已经配置了很容易被劫持的内置麦克风。

To protect against these sonic incursions, Dr Tygar suggests a simple remedy: turn up the radio. His computers were less successful at parsing recordings made in noisy rooms. Ultimately, though, more sophisticated recording arrays could overcome even background noise, rendering any typed text vulnerable. Dr Tygar therefore recommends that typed passwords be phased out, to be replaced with biometric checks or multiple types of authorisation that combine a password with some form of silent verification (clicking on a pre-chosen picture in a selection of images, for example). Loose lips may still sink ships, but for the moment it seems that an indiscreet keystroke can do just as much damage.
泰格博士为防范这种声音侵犯提出了一个简单的补救办法：打开你的收音机。他的计算机分析在嘈杂房间里制作的录音并不是很成功。然而最终，或许更为成熟的录音阵列甚至能克服背景噪音的干扰，使得任何的键入文本都变得不堪一击。泰格博士因此建议逐步淘汰键入式密码，代之以人体特征识别或者结合了其他静默识别形式的密码（例如用鼠标在给定的图像集里点击预选的图片）的多样化授权。嘴巴不牢仍然可能使得大船沉掉，但就目前来看，不警觉的键击同样可能带来相当的损害。