# Speaker Build

Friday, November 28, 2014

In December of 2002 (really, 2002, 12 years ago), I decided that the crappy former Sony self-amplified speakers with blown amplifiers that I had wired into my stereo as surround speakers really didn’t sound very good as they were, by then, 7 years old and the holes in the plastic housing where the adjustment knobs once protruded were covered by aging gaffers tape.

At least it was stylish black tape.

I saw on ebay a set of “Boston Acoustics” woofers and tweeters back in the time when ebay prices could be surprisingly good.  Boston Acoustics was a well-respected company at the time making fairly decent speakers.  36 woofers and 24 tweeters for $131 including shipping.  About 100 lbs of drivers.

And thus began the execution of a fun little project.

### Design Phase: 2003-2011

I didn’t have enough data to design speaker enclosures around them, but about a year later (in 2003), I found this site, which had a process for calculating standard speaker properties with instruments I have (frequency generator, oscilloscope, etc.)  I used the weighted diaphragm method.

WOOFER: PN 304-1150001-00 22 JUL 2000

• 80MM CONE DIA = 8CM
• FS = 58HZ
• RE = 3.04 OHMS
• QMS = 1.629
• QES = 0.26
• QTS = 0.224
• CMS = 0.001222
• VAS = 4.322 (LITERS) 264 CUBIC INCHES
• EBP = 177.8
• NOMINAL COIL RESISTANCE @ 385HZ (MID LINEAR BAND) 3.19 OHMS
• NOMINAL COIL INDUCTANCE (@ 1KHZ) 0.448 MHENRY

TWEETER: PN 304-050001-00 16 OCT 2000

• 35MM CONE DIA
• FS = 269HZ
• RE = 3.29 OHMS
• QMS = 5.66
• QES = 1.838
• QTS = 1.387
• CMS = 0.0006
• VAS = 0.0778 (LITERS)
• EBP = 86.7
• NOMINAL COIL RESISTANCE @ 930HZ (MID LINEAR BAND) 3.471 OHMS
• NOMINAL COIL INDUCTANCE (@ 1KHZ) 0.153 MHENRY

Awesome.  I could specify a cross over and begin designing a cabinet.  A few years went by…

In January of 2009 I found a good crossover at AllElectronics.  It was a half decent match and since it was designed for 8 ohm woofers, I could put two of my 4 ohm drivers in series and get to about the right impedance for better power handling (less risk of clipping at higher volumes and lower distortion as the driver travel is cut in half, split between the two).

HTTP://WWW.ALLELECTRONICS.COM/MAKE-A-STORE/ITEM/XVR-21/2-WAY-CROSSOVER-INFINITY/1.HTML

• CROSS OVER FREQUENCY 3800HZ
• CROSSOVER LOW-PASS: 18DB, 8 OHM
• HIGH-PASS: 18DB, 4 OHM

Eventually I got around to calculating the enclosure parameters.  I’m not sure when I did that, but sometime between 2009 and 2011.  I found a site with a nice script for calculating a vented enclosure with dual woofers, just like I wanted and got the following parameters:

• TARGET VOLUME 1.78 LITERS = 108 CUBIC INCHES
• DRIVER VOLUME (80MM) = 26.25 CUBIC INCHES = 0.43 LITERS
• CROSS OVER VOLUME = 2.93 CUBIC INCHES = 0.05 LITERS
• SUM = 0.91 LITERS
• 1" PVC PORT TUBE: OD = 2.68CM, ID = 2.1CM = 3.46 CM^2
• PORT LENGTH = 10.48CM = 4.126"
• WIDTH = 12.613 = 4.829"
• HEIGHT = 20.408 = 7.82"
• DEPTH = 7.795 = 3"

In 2011 I got around to designing the enclosure in CAD:

There was no way to fit the crossover inside the enclosure as the drivers have massive, magnetically shielded drivers, so they got mounted on the outside.  The speakers were designed for inside mounting (as opposed to flange mounting) so I opted to radius the opening to provide some horn-loading.

I also, over the course of the project, bought some necessary tools to be prepared for eventually doing the work: a nice Hitachi plunge router and a set of cheap router bits to form the radii and hole saws of the right size for the drivers and PVC port tubes.

### Build Phase (2014)

This fall, Oct 9 2014, everything was ready and the time was right.  The drivers had aged just the appropriate 14 years since manufacture and were in the peak of their flavor.

I started by cutting down some PVC tubes to make the speaker ports and converting some PVC caps into the tweeter enclosure.  My first experiment with recycled shelf wood for the tweeter mounting plate failed: the walls got a bit thin and it was clear that decent plywood would make life easier.

I used the shelf wood for the rest of the speaker: it was salvaged from my building, which was built in the 1930s and is probably almost 100 years old.  The plywood came with the building as well, but was from the woodworker who owned it before me.

I got to use my router after so many years of contemplation to shape the faceplates, fabricated from some fairly nice A-grade plywood I had lying around.

Once I got the boxes glued up, I installed the wiring and soldered the drivers in.  The wood parts were glued together with waterproof glue while the tweeters and plastic parts were installed with two component clear epoxy.  The low frequency drivers had screw mounting holes, so I used those in case I have to replace them, you know, from cranking the tunage.

I lightly sanded the wood to preserve the salvage wood character (actually no power sander and after 12 years, I wasn’t going to sand my way to clean wood by hand) then treated them with some polyurethane I found left behind by the woodworker that owned the building before I did.  So that was at least 18 years old.  At least.

I supported the speakers over the edge of the table to align the drivers in the holes from below.

The finished assembly looked more or less like I predicted:

### Testing

The speakers sound objectively quite nice, but I was curious about the frequency response.  To test them I used the pink noise generator in Audacity to generate 5.1 6 channel pink noise files which I copied over to the HTPC to play back through my amp.  This introduces the amp’s frequency response, which is unlikely to be particularly good, and room characteristics, which are certainly not anechoic.

Then I recorded the results per speaker on a 24/96 Tascam DR-2d recorder, which also introduces some frequency response issues, and imported the audio files back into Audacity (and the original pink noise file), plotted the spectrum with 65536 poles, and exported the text files into excel for analysis.

Audacity’s pink noise looks like this:

It’s pretty good – a bit off plan below 10 Hz and the random noise gets a bit wider as the frequency increases, but it is pretty much what it should be.

First, I tested one of my vintage ADS L980 studio monitors.  I bought my L980s in high school in about 1984 and have used them ever since.  In college I blew a few drivers (you know, cranking tunage) but they were all replaced with OEM drivers at the Tweeter store (New England memories).  They haven’t been used very hard since, but the testing process uncovered damage to one of my tweeters, which I fixed before proceeding.

The ADS L980 has very solid response in the low frequency end with a nicely manufactured 12″ woofer and good high end with their fancy woven tweeter.  A 3 way speaker, there are inevitably some complexities to the frequency response.

I also tested my Klipsch KSC-C1 Center Channel speaker (purchased in 2002 on ebay for $44.10) to see what that looked like:

It isn’t too bad, but clearly weaker in the low frequency, despite moderate sized dual woofers and with a bit of a spike in the high frequency that maybe is designed in for TV and is perhaps just an artifact of the horn loaded tweeter. It is a two way design and so has a fairly smooth frequency response in the mid-range, which is good for the voice program that a center speaker mostly carries.

And how about those new ones?

Well… not great, a little more variability than one would hope, and (of course) weak below about 100Hz.  I’m a little surprised the tweeters aren’t a little stronger over about 15kHz, though while that might have stood out to me in 1984, it doesn’t now.  Overall the response is quite good for relatively inexpensive drivers; the low frequency response, in particular, is far better than I expected given the small drivers.  The high frequency is a bit spiky, but quite acceptable sounding.

And they sound far, far better than the poor hacked apart Sony speakers they replaced.

#### Raw Data

The drawings I fabricated from and the raw data from my tests are in the files linked below:

Speaker Design Files (pdf)

Pink Noise Tests (xlsx)

Posted at 21:05:03 GMT-0700

Category: Audio, Fabrication, HowTo, photo, technology

# SSL for Authentication Sucks

Wednesday, November 26, 2014

One of the most horrible mistakes made in the early days of the internet was to use SSL (an “HTTPS” connection) for both securing a connection with encryption and verifying that the server you reach matches the URL you entered.

Encryption is necessary so you can’t be spied on by anyone running wireshark on the same hotspot you’re on, something that happens all the time, every day, to everyone connecting to public wifi, which means just about everyone just about any time they take a wifi device out of the house.  It is pretty certain that you – you yourself – have thwarted cybercrime attempts thanks to SSL, not just once but perhaps dozens of times a day, depending on how often you go to Starbucks.

The second purpose, attempting to guarantee that the website you reached is served by the owner of the domain name, as verified by some random company you’ve never heard of, is an attempt to thwart so-called “Man in the Middle” (MITM) and DNS poisoning attacks.  While these are also fairly easy (especially the latter), they’re both relatively uncommon and the “fix” doesn’t work anyway.

In practice, the “fix” can be detrimental because it gives a false sense of security to that sliver of the population that knows enough to be aware that the browser bar ever shows a green lock or any other indicator of browser trust and is not aware enough to realize that the indicator is a lie.  It is beyond idiotic that our browsers make a big show of this charade of identity verification, with great colorful warnings of non-compliance whenever detected, in order to force everyone to pay off the cert mafia and join in the protection racket of pretending that their sites are verified.

I’ve written before why this is counterproductive, but the basic problem is that browsers ship with a set of “root” certificates[1] that they trust for no good reason at all except that there’s a massive payola racket and if you’re a certificate issuer with a distributed accepted CA certificate you can print money by charging people absurd fees for executing a script on your server which, at zero cost to the operator, “signs” their certificate request (oh please, please great cert authority sign my request) so that browsers will accept it without warning.  It isn’t like they actually have the owner of the site come in to their office, show ID, and verify they are who they say they are.  Nobody does that except CACert, which is a free service and, surprise, their root cert is not included in any shipping browser.

Users then will typically “trust” that the site they’re connecting to is actually the one they expected when they typed in a URL.  Except they didn’t type a URL, they clicked on a link and they really have no idea where their browser is going and will not read the URL in the browser bar anyway, and bankomurica.com is just as valid as bankofamerica.com, so the typical user has no clue where the browser thinks it is going and a perfectly legit, valid cert can be presented for a confusing (or not really so much) URL.  Typosquatters and pranksters have exploited this very successfully and have proven beyond any doubt that pretending that a URL is an unambiguous identifier is foolish and so too, therefore, is proving that the connection between the browser and the URL hasn’t been hijacked.

Further, law enforcement in most countries requires that service providers ensure that it is possible to surreptitiously intercept communications on the web: that is, do the exact thing we’re sold that a “valid” certificate makes “impossible.”  In practice they get what are called “lawful intercept” certificates, which are a bit like a fireman’s key that doesn’t compromise your security because only a fireman would ever, ever have one.  Countries change hands and so do these.  If you think you’re a state-level target and certificate signing has any value, you’re actually putting your life at risk.  This is an immense disservice because there will be some people at risk, under surveillance, who will actually pay attention to the green bar and think it means they are safe.  It does not.  They may die.  Really.

Commercial certs can cost thousands of dollars a year and they provide absolutely zero value to the site visitor except making the browser warnings go away so they can visit the site without dismissing meaningless and annoying warnings.  There is absolutely no additional value to the site operator for a commercial cert over a completely free self-signed cert except to make the browser warnings go away for their visitors.  The only entities that benefit from this are the certificate vendor, from the fees they charge site operators, and the browser vendor, from whatever fees are associated with including their certificates in the browser installer.  You, the internet user, just lose out because small sites don’t use encryption because they can’t afford certs or the hassle and so your security is compromised to make other people rich.

There are far better tools[2] that use a “Web Of Trust” model that was pioneered by PGP back in the early 1990s that actually does have some meaning and is used by CACert, meaning CACert certificates actually have some meaning when they indicate that the site you’re visiting is the one indicated by the URL, but since CACert doesn’t charge and therefore can’t afford to buy into the cert mafia, their root certs are not included in browsers, so you have to install it yourself.

The result is that a small website operator has four options:

• Give up on security and expose all the content that moves between their server and their visitors to anyone snooping or logging,
• Use a self-signed cert[3] to encrypt traffic that will generate all sorts of browser warnings for their visitors in an attempt to extort money from them,
• Use one of the free SSL certificate services that become increasingly annoying to keep up to date and provide absolutely zero authentication value but will encrypt traffic without generating warnings,
• Use CACert and ask users to be smart enough to install the CACert root certificate and thus actually encrypt and reasonably securely prove ownership.

And, of course, agitate for rationality: Perspectives and the CACert root should ship with every browser install.
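
For the self-signed option in the list above, pinning the certificate's fingerprint gives the encrypted connection an identity check that does not depend on any CA. This is an added example, not code from the original post; the function names, the endpoint `router.example:443` and the byte strings standing in for certificates are constructed for illustration.

```python
import hashlib
import hmac
import socket
import ssl


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def fetch_der(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Fetch the peer certificate with CA validation off; the pin decides trust."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def check_pin(store: dict, endpoint: str, der: bytes) -> str:
    """Classify a presented certificate as 'first-seen', 'match' or 'CHANGED'."""
    seen = fingerprint(der)
    pinned = store.get(endpoint)
    if pinned is None:
        store[endpoint] = seen  # trust on first use: recorded, not yet verified
        return "first-seen"
    # Never re-pin silently: a change is a renewal or an interception.
    return "match" if hmac.compare_digest(pinned, seen) else "CHANGED"


def repin(store: dict, endpoint: str, der: bytes, out_of_band_fp: str) -> bool:
    """Re-pin only on a fingerprint read off the device itself, out of band."""
    expected = out_of_band_fp.replace(":", "").lower()
    if not hmac.compare_digest(expected, fingerprint(der)):
        return False
    store[endpoint] = expected
    return True


def demo() -> list:
    """Replay connections using constructed stand-ins for DER bytes."""
    original = b"constructed-der-router-cert"  # not a real certificate
    swapped = b"constructed-der-other-key"     # not a real certificate
    store, endpoint = {}, "router.example:443"  # hypothetical endpoint
    results = [check_pin(store, endpoint, c) for c in (original, original, swapped)]
    results.append(repin(store, endpoint, swapped, "00:11:22"))  # wrong fingerprint
    results.append(repin(store, endpoint, swapped, fingerprint(swapped)))
    results.append(check_pin(store, endpoint, swapped))
    return results
```

Against a real device, `check_pin(store, "host:443", fetch_der("host"))` performs the same check on the live certificate; the store is a plain dict that can be persisted however is convenient.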

Footnotes

↑1 You can review a list of the certificates of trusted Certificate Authorities here. Note that the list includes state-agency certificates from countries with controversial human rights records.

↑2 The hierarchical security model that browsers currently use, referencing a certificate authority, does work well for top-down organizations like companies or the military (oddly, the US Military’s root certificates aren’t included in browsers).  In such a situation, it makes sense for a central authority to dictate what sources are trusted.  It just does not make sense in an unstructured public environment where the “authority” is unknown and their vouch means nothing.

↑3 If you’re running your own web services, for example a web-interface to your wifi router or a server or some other device with a web interface, it will probably use a self-signed cert and you’ve probably gotten used to clicking through the warnings, which at least diminishes the blackmail value of the browser warnings as people get used to ignoring them.  Installing certificates in Firefox is pretty easy.  It is a major hassle in Chrome or IE (because Chrome, awesome work Google, great job, uses IE’s certificate store, at least on Windows).  Self-signed certs are used everywhere in IT management, almost all web-interfaced equipment uses them.  IBM has a fairly concise description of how to install the certs.  Firefox wins.

Posted at 15:50:20 GMT-0700

Category: technology