Smartphone can use its microphone to extract RSA decryption key from laptop

  • I love that Shamir keeps doing work that makes people say "... this can't be true!"

    Once again, this is a reminder that any adversary that has physical access to your box can extract all your secrets, and there's almost nothing you can do about it.

    For defending against acoustic attacks when encrypting/decrypting/typing in your password, play loud music. I recommend "What does the fox say?" by Ylvis since it has a wide range of powerful frequencies.

    (There are other types of physical attacks than acoustic attacks, so this is more tongue in cheek than a real defense mechanism.)

  • Interesting. Reminds me of the times long ago when pocket calculators were a new thing and I also owned an AM/FM radio and held it close to the calculators to listen to what they were "doing". You would hear a lot more in the radio than the bit of whining and buzzing that you can hear acoustically from nowadays' computers.

    So, I was wondering, what about the FM radio built into many (if not most) mobile phones? Connected my earbuds (they also function as antenna), turned on the phone loudspeaker, laid the earbud cable over my laptop, tuned the FM radio to some frequency where there is no radio station (thus static playing), and voilà, I can clearly hear correlation between noise and activity. Even when I'm placing my earbuds/phone a foot away from the laptop I can still clearly hear when I'm opening some new window. The sounds are not as 'colorful' as they were on an AM radio when listening to calculators, but I'd wager a guess that it's better than an acoustic attack.

    So much for thinking that making acoustic noise like playing music would dwarf the attack vector "mobile phone".

    PS: what might prevent this attack is that on some (most?) phones the output of the FM radio can't be captured directly. It could be played through the speaker and recorded through the mic, though. The attack as carried out by Genkin/Shamir/Tromer is sending tons of encrypted emails and would probably arouse suspicion anyway if the computer was attended, thus this indirection may not pose a problem.

  • Once again Shamir puts out a bombastic paper where they tested against one device in a controlled environment and doesn't release software or a proof that it works.

    If this were real there would be a "submit your recording" or an open source library for others to try.

    The physics of this don't work.

    If they did work the experiment should be documented in a way that there could be peer review. If you can't repeat it, it isn't valid.

    I lost lots of Karma the last time I mentioned this, but I kind of don't care. These kinds of fake "hacks" are only designed to create fear, and keep people from working on real security issues while creating a reputation based on falsehoods for the author.

  • Looks like a security patch to GnuPG 1.x has already been released that addresses this and GnuPG 2.x is not vulnerable to this hack according to this article. http://lists.gnupg.org/pipermail/gnupg-announce/2013q4/00033...

  • How long does the full encryption of, say, a typical email (a kilobyte of plain text or so) take? It shouldn't be that long, in the range of a few milliseconds, or a few dozen samples of a microphone (44,100 Hz max).

    What I can't understand is how you can compress a whole RSA decryption key, which is say 4096 bits, into space SMALLER than itself (source data from microphone with 16 bits per sample, mono, at 44,100 Hz, will take 6ms to accumulate 4096 bits - for sure encryption of a short email will take less!). So it sounds like a hoax.

    Obviously the key can't be 'compressed' because it's random data with a high quality of randomness. And you cannot pull it out of a SMALLER amount of data recorded by the microphone in the time it takes to make an encryption. That is, if anything happening within the processor can make acoustic noise loud enough for a microphone to detect, which I really doubt.

    I believe this even less than air-powered cars, or cold fusion.

  • This could have been prevented. Oblivious Turing Machines: http://stackoverflow.com/questions/14847080/how-does-an-obli...

  • One has to wonder whether a proper soundproof case, like the Fractal Design ones that are lined with foam inside, can thwart the attack.

  • I just don't believe this is reproducible... seems fake.