Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Security Operating Systems Software Windows

Remote Exploit of Vista Speech Control 372

An anonymous reader writes "George Ou writes in his blog that he found a remote exploit for the new and shiny Vista Speech Control. Specifically, websites playing soundfiles can trigger arbitrary commands. Ou reports that Microsoft confirmed the bug and suggested as workarounds that either 'A user can turn off their computer speakers and/or microphone'; or, 'If a user does run an audio file that attempts to execute commands on their system, they should close the Windows Media Player, turn off speech recognition, and restart their computer.' Well, who didn't see that coming?"
This discussion has been archived. No new comments can be posted.

Remote Exploit of Vista Speech Control

Comments Filter:
  • Microsoft cautioned everyone not to play the song "Hit Me Baby One More Time" by Britney Spears on or near your computer while the mic is on.

    Several lawsuits already involve brutal crimes by computers against annoying young teeny bopper women. Although we can't act like we didn't see this coming, tension has been steadily rising [theonion.com].
    • by kannibal_klown ( 531544 ) on Thursday February 01, 2007 @12:06PM (#17844150)
      Worse yet!!!

      One of the computer geeks at the Pentagon better not be watching any Star Trek episodes.

      Computer. Initiate self destruct sequence. Authorization 1A 2B 3C
    • I'd be more worried about watching episodes of Dr Who online when the cybermen are involved.."delete..delete..delete".

      There's also a joke about talking too loud near your computer to a colleague named Colin who's asked you which of several designs for a new brochure you prefer - but I can't be bothered to set the scene:

      "Format C, Colin"

       
    • Don't play the audio file that repeats "Buy v1gr1a! Buy v1gr1a!..."
    • by joshetc ( 955226 ) on Thursday February 01, 2007 @12:34PM (#17844746)

      Microsoft cautioned everyone not to play the song "Hit Me Baby One More Time" by Britney Spears on or near your computer while the mic is on.

      Several lawsuits already involve brutal crimes by computers against annoying young teeny bopper women. Although we can't act like we didn't see this coming, tension has been steadily rising [theonion.com].
      You should see what happened to the guy who played the Nirvana song "Rape Me".
  • by ehaggis ( 879721 ) on Thursday February 01, 2007 @12:00PM (#17844026) Homepage Journal
    Is that a remote exploit?
  • by kahei ( 466208 ) on Thursday February 01, 2007 @12:00PM (#17844030) Homepage

    Taking a computer that obeys audio instructions, and playing it some audio instructions, is more of a 'duh' than an 'exploit'. But this problem is a very Good Thing. It can only mean:

    -- EITHER people stop yakking on about voice computing, which has been the Way Of The Future since about 1935 or something
    -- OR pressure is exerted on web designers to NOT make sites that start making noise the moment the page appears!

    Either of these, but especially the latter, would be a big win. So here's to you, Mr. Exploit Finding Man!

    • by just_another_sean ( 919159 ) on Thursday February 01, 2007 @12:05PM (#17844110) Journal
      So here's to you, Mr. Exploit Finding Man!

      Now there's a Bud commercial I'd like to hear.
      • by Lanoitarus ( 732808 ) on Thursday February 01, 2007 @02:34PM (#17847250)
        Bud Light Presents...
        Real American Heroes (reaaalllll american heroooessss...)
        Today we salute you, Mr Computer Software Exploit Finder (computer software exploit fii-inder)
        While others are wasting away their lives drinking, dating, and and having fun, you're hunched over a screen, plowing through code.(hunch plow hunchie plow)
        You may not have seen the sun in days, but thats ok- you do this for the greater good.(greaaater goooo-ooodd)
        Only YOU could realize that a carefully crafted web favorites icon [microsoft.com] could potentially bring the world to its knees.(Down on its kneeee--eesss)
        So crack open an Ice Cold Bud Light, Oh Overload of Overflow, because without you, CmdrTaco would have to get a real job.
      • by jgc7 ( 910200 ) on Thursday February 01, 2007 @02:37PM (#17847322) Homepage
        PC: Hi I'm a PC
        Mac: and I'm a Mac
        PC: I have a cool new feature called voice control.
        Mac: That is stupid. I have the Time-Machine which let's you recover old documents. Let's say you accidently delete the documents folder
        PC: Okay
        Mac: To get you documents back, all you have to do is slide the time machine back one minute.
        PC: Sounds cool, but cant you just get the documents out of the trash?
        Mac: Yes, but it works even if you accidentally empty the recycle bin
        • PC: Hi I'm a PC
          Mac: and I'm a Mac
          PC: I have a cool new feature called voice control.
          Mac: That is stupid. I've had secure voice control for years
          PC: Yes, but with your primitive voice control, the statements had to be in the right format, see?
          Mac: OK, but that's why we call it secure. The user has to select a keyword that will trigger the commands.
          PC: ... Mac: I hope he has his XP install CD handy....
        • Or... (Score:4, Funny)

          by Greyfox ( 87712 ) on Thursday February 01, 2007 @04:04PM (#17848904) Homepage Journal
          PC: Hi! I'm a PC!
          Mac: And I'm a Mac!
          PC: I have a cool new feature called Voice Control!
          Mac: FORMAT C!
        • by curunir ( 98273 ) * on Thursday February 01, 2007 @05:52PM (#17850724) Homepage Journal
          Better yet, the next Mac ad could make light of this exploit.

          PC: Hi, I'm a PC.
          Mac: and I'm a Mac.
          PC: Now that I run vista, I can accept voice commands!
          Mac: Wow, that sounds cool. But what if someone tells you to punch yourself in the face?
                    PC punches self in the face and nose begins to bleed
          PC: Ouch, that hurt!
          Mac: I'm sorry PC, I didn't realize that just telling you to do something like "poke yourself in the eye"...
                  PC pokes finger into his eye
          Mac: ...or "begin sneezing incesantly"...
                  PC starts to uncontrollably sneeze, the blood from his nose splattering everywhere
          Mac: ...would make you actually do it.
          PC: groan I'm sorry if I splattered on you.
          Mac: That's ok PC, I'm pretty immune to viruses, so I think I'll be alright.
    • the probelm his, the exploiters/hackers will do this kind of thing even if told not to. Makes me think of the "_required" input names in cold-fusion forms *shudder*.

      No, what we need is browsers that will let us force-mute things. What needs this more than anything else? Flash Player., since I think most browser has a "no audio" option anyway.
      • by VertigoAce ( 257771 ) on Thursday February 01, 2007 @12:39PM (#17844848)
        The audio mixer in Vista is no longer based on different audio types (MIDI, CD Audio, WAV, etc). Instead, there is a volume slider and mute button for each application that makes sounds. So you can mute IE, AIM (those annoying video ads), and Windows itself, while still playing your music in WinAmp or WMP.
        • Re: (Score:3, Interesting)

          The audio mixer in Vista is no longer based on different audio types (MIDI, CD Audio, WAV, etc). Instead, there is a volume slider and mute button for each application that makes sounds. So you can mute IE, AIM (those annoying video ads), and Windows itself, while still playing your music in WinAmp or WMP.

          If that's true, then that's awesome. I remember a couple years ago reading a story on slashdot about various experimental usability projects going on at Microsoft and this was one of them. I think they e

    • Re: (Score:2, Insightful)

      by Anonymous Coward
      Even so, with Vista's new software audio stack, this is inexcusable. It should have been trivial to compare the input and output signals and filter out most of this automatically.
    • by gstoddart ( 321705 ) on Thursday February 01, 2007 @12:15PM (#17844326) Homepage

      -- EITHER people stop yakking on about voice computing, which has been the Way Of The Future since about 1935 or something
      -- OR pressure is exerted on web designers to NOT make sites that start making noise the moment the page appears!
      Or, we make browsers so they don't run every damned audio file, flash frigging plugin, executable, movie, or whatever that the idiot who made the site thinks I should hear/see/play with/click/download/execute or whatever.

      There has never been any sound from a webpage that didn't make me want to immediately beat the person who wrote it with his own leg. I don't want to listen to your stupid MIDI file of whatever the fsck you think is cool on your web page.

      There was never any good reason to embed sounds in web pages unless you have to click a button to specifically play it.

      Cheers
    • Probably the best thing to do is to program the computer to recognize the speaker by their voice pattern, and only respond to commands from "registered" speakers. Note that this is not the same thing as training a speech recognition system in that you aren't teaching the computer to understand your words. Instead you are teaching the computer to distinguish your voice from others.
    • by spellraiser ( 764337 ) on Thursday February 01, 2007 @12:44PM (#17844956) Journal

      An exploit is, by definition, a successful manipulation of a bug/omission/hole/whatever in a computer system to make it perform something that it was not designed to do. Usually this term is only applied when said action is harmful or potentially harmful.

      What is being described here is the possibility of controlling the voice recognition system in Vista remotely to make it perform potentially harmful tasks. Furthermore, this functionality is not something that said system was designed to do; it was only designed to accept commands via microphone.

      Therefore, what is being described here is an exploit.

      Q.E.D.

  • by knightmad ( 931578 ) on Thursday February 01, 2007 @12:00PM (#17844038)
    c:> Dear aunt, let's set so double the killer delete select all: Command not found
  • by Thansal ( 999464 ) on Thursday February 01, 2007 @12:01PM (#17844048)
    If you computer starts spitting out voice commands, just create another sound that will interupt it.

    Admitedly all I can think of is the Dilbert cartoon with Wally getting ticked at Dilbert having voice driven software.
  • Bug? (Score:4, Insightful)

    by drinkypoo ( 153816 ) <drink@hyperlogos.org> on Thursday February 01, 2007 @12:01PM (#17844052) Homepage Journal
    I wouldn't call it a bug. I'd call it a very bad idea to use a microphone without a switch for voice recognition. Your television could theoretically do things on your computer. Does that sound like a possibility you want to entertain? Get a mic with a switch, or get rooted.
  • by ksalter ( 1009029 ) on Thursday February 01, 2007 @12:02PM (#17844066)
    All voice recognition software, no matter what platform, would suffer from this supposed "exploit". So why this article on Vista specifically? What is the real agenda here? Also, if the voice recognition software is trained for a specific user's voice, the chances of an exploit are reduced.
    • by Thansal ( 999464 )
      If I remember, a large point is that the vista one does NOT need training (this is not actualy all that new, there have been voice recognition things that don't need training for a little while now).

      After all, training voice recognition software is long, tedius, and often pointless. The best thing I ever did with one was intentionaly training it horribly (readign something else instead of the text they gave me), and then seeing what would happen. (It wasn't all that interesting in all honesty)
    • by Bertie ( 87778 )
      Well, speaker verification is more than 99% reliable if you first get the user to say specific utterances a number of time so that you can build up a model of their voice patterns (such as ask them to count from one to ten three times or so). But most of this stuff's speaker-independent.

      Anyway, the problem's not with the recogniser so much as how Microsoft's integrated it into the OS. You'd think they would have learned by now, but it seems they're still putting the user's convenience before sensible secu
    • Re: (Score:3, Insightful)

      by shark72 ( 702619 )

      "All voice recognition software, no matter what platform, would suffer from this supposed "exploit". So why this article on Vista specifically? What is the real agenda here? Also, if the voice recognition software is trained for a specific user's voice, the chances of an exploit are reduced."

      Yup, this is an old one. There's an apocryphal tale of a user group meeting from long ago of a vendor demonstrating voice-control software and a smart aleck in the back of the room yelling "DEL *.*!" (or whatever th

    • by 99BottlesOfBeerInMyF ( 813746 ) on Thursday February 01, 2007 @12:21PM (#17844446)

      All voice recognition software, no matter what platform, would suffer from this supposed "exploit". So why this article on Vista specifically?

      This is untrue. Speech recognition software can be made to filter out anything coming in the mic that matches something going out the speaker channel. More simply, you can simply require all commands be preceded with an arbitrary word (like the computer's name). Call you computer "George" and then issue the command "George, kill dash nine star dot star." As opposed to "kill dash nine star dot star." Since the exploit writer won't know to include "George" their exploit fails almost all the time. This was a feature of MacOS 7, more than a decade ago, as I mentioned elsewhere.

      Also, if the voice recognition software is trained for a specific user's voice, the chances of an exploit are reduced.

      Depending upon the tolerance, this is entirely possible, but I don't see it as being as important or versatile as the other two methods I listed above. MS should have learned from the example of others.

    • by billcopc ( 196330 ) <vrillco@yahoo.com> on Thursday February 01, 2007 @12:31PM (#17844676) Homepage
      Voice control is fine, but having the computer react to its own output is ludicrous! You'd think Vista would be smart enough to recognize feedback... It's like having a retard talking into a mic that's hooked up to his own headphones.

      Bob: "Bob go jump off a bridge"
      Bob: "Who said that ?"
      Bob: "I said that. Now jump!"
      Bob: "Ok.. Aaaaaaaagh!"

      Stupid.
    • Re: (Score:3, Interesting)

      by xoyoyo ( 949672 )
      True, all speech recognition software *would* suffer from this exploit if the application designers hadn't thought about the likely scenarios in advance. I just checked the situation with my Mac, which comes with speech recognition built in (and has done since what, Mac OS 9?)

      Nothing destructive is enabled by default: the worst you can do on a Mac is log yourself out, but that will keep everything running as it was before.

      If you go to the Speech control panel you can, after putting your admin password in, e
    • Filtering? (Score:3, Informative)

      by phorm ( 591458 )
      No, actually it isn't really agendized.

      Ever used a program such as skype or other voice-chat software? Notice when you have speakers and microphone on, you generally don't hear your voice constantly repeating into echoes (if echo-cancel is on, of course). Notice that you don't with the speakerphone on your cell either? That's because the software/hardware is smart enough to take the audio output and subtract/prevent it from entering the audio input (avoiding feedback loops etc). If used properly with voic
  • Format (Score:3, Funny)

    by jlebrech ( 810586 ) on Thursday February 01, 2007 @12:05PM (#17844126) Homepage
    "Open Terminal For Matt See Yes Im sure Reice Tart!!"
  • by StressGuy ( 472374 ) on Thursday February 01, 2007 @12:05PM (#17844132)
    the phrase "Simon Says"
  • by 99BottlesOfBeerInMyF ( 813746 ) on Thursday February 01, 2007 @12:07PM (#17844170)

    More than ten years ago I was playing with the speech recognition software that shipped with MacOS 7 or something and I though being able to check my e-mail without getting out of bed was pretty cool. At the time I wrote something about the technology and predicted that speech activated commands would never take off until: 1, most audio people listened to was controlled by the computer, and 2, the computer was smart enough to filter out the sounds it was emitting before processing commands. At the time a lot of people listened to music from their computer and I imagine many still do. Why can't the computer ignore all that sound? It knows it is outputting it so why not filter it? It is sad that the same missing feature is still a problem, so many years later.

    • by xappax ( 876447 ) on Thursday February 01, 2007 @12:34PM (#17844744)
      Why can't the computer ignore all that sound? It knows it is outputting it so why not filter it?

      The sound that is output by the computer sounds similar to us when re-received through the mic and played back, but to the computer it's a totally alien waveform. A lot of distortion happens between when the computer sends a digital signal to the sound card and when it receives an analog signal from your microphone - so basically, the computer may know what it's playing, but it has very little idea how it'll sound when it reaches the mic.

      There are advanced filters and algorithms that can try to match and isolate particular patterns and "sounds" within a waveform, but they're not nearly as powerful as CSI would have us believe, and they also require far too much computing power to be run in realtime.

      Of course, the obvious low-tech solution to this issue is to wear headphones, as people in recording studios have for decades.
      • Re: (Score:3, Insightful)

        by fwr ( 69372 )
        I call bull. What about that "echo cancellation" feature you find on all the popular web cam software? What about all the collaboration software out there that has echo cancellation? The basic premise is that if you don't use headphones and instead the computer speakers then the mic will pick up the sounds that the computer is transmitting from the other side, and you'll get an echo. Saying that it requires far too much computing power is incorrect. While it probably won't make it totally disappear, it
      • If the computer thinks you're saying a command, it should disable output to the speakers. If I am talking to my computer then it should stop making its own noises. Otherwise, that's just rude.
    • by Jerf ( 17166 ) on Thursday February 01, 2007 @12:35PM (#17844768) Journal
      The easiest answer to this question is, try it.

      Most simple schemes people come up with to address this are perfectly doable with a free sound program. Play some music, record the area while you're playing the music, then try your great idea. Like, you might think you can start out with inverting the source file and feeding it into the recording with a delay and modified amplitude. If you're really curious about this problem, this is a better way to learn about the difficulties then reading people on the internet, as, in my experience, you're quite likely to be skeptical about the explanations anyhow. The best (and in some sense, only true) explanations involve a lot of math.

      I can offer you this meta-rule, though: If it were so easy, it would already have been done. Many things that I see people posting on Slashdot about "Why don't they just do this thing?" are covered by this rule.
  • suppose you write an executable that displays a simple image (let's assume everyone is thinking of goatse) and gives the executable a common title that the Voice Control may pick up; is this the new spam/spyware? Companies send out spyware that activate on common words that Vista picks up? Incidentally, initially I was reminded of Futurama: Farnsworth: "Shut up, friends. My Internet browser heard us saying the word "Fry" and it found a movie about Philip J. Fry for us. [The staff gather around.] It also
  • website sound: "All your base are belong to us"
    Vista: "Do you want to reformat your hard drive?"
    website sound: "All your base are belong to us"
    Vista: "Are you sure you want to reformat?"
    website sound: "All your base are belong to us"
    Vista: "Reformatting.........."

  • Shit... (Score:5, Funny)

    by thousandinone ( 918319 ) on Thursday February 01, 2007 @12:09PM (#17844202) Journal
    I just watched 2001: A Space Odyssey on my machine... this may be my last post.
  • by Ruprecht the Monkeyb ( 680597 ) * on Thursday February 01, 2007 @12:09PM (#17844204)
    Years ago when I worked in a shop that used OS/2 (one late version of which included speech recognition), we used to play pranks on each other all the time using that 'feature'. Things like changing a startup sound to be two minutes of silence followed by a verbal shutdown command, or changing confirmation prompt sounds to be 'cancel'. Good fun. The random 'select all / delete / yes' was the best, though.
  • by Bertie ( 87778 ) on Thursday February 01, 2007 @12:10PM (#17844222) Homepage
    I mean, look:

    "Microsoft has said that even if the machine was primed to accept voice commands it would be unlikely the user would not be in the room to hear the file with malicious instructions being played."

    Yeah, nobody ever leaves their computer unattended.

    And of course, it would be completely impossible for a Trojan to pipe appropriate sounds directly to the input buffer of the sound hardware, thus negating the need for it to be played through your speakers at all. As we all know, Windows is completely watertight against that sort of thing.

    This raises an interesting possibility, though - what if you could confuse the recogniser itself into making false positives? You could, for example, persuade it to recognise silence as a command of your choosing.

    Best way round this is probably to prevent people doing potentially destructive operations via voice commands. But if this isn't suitable, you could employ clever confirmation strategies, like "If you're sure you want to delete c:\windows, please say the following words..." with the words in question being drawn from a dictionary. No malware could anticipate the sequence (although I suppose you could set the recogniser to work against itself, by playing the text-to-speech engine's own output back to it and triggering recognition).

    Hmm. Promises to be quite fun, this.
  • howto for Mac users (Score:5, Informative)

    by sootman ( 158191 ) on Thursday February 01, 2007 @12:11PM (#17844248) Homepage Journal
    to create malicious audio files with OS X (10.3 or later), fire up Terminal and use 'say':
    $ echo "format sea slash you" | say -o evil.aiff
    This makes your messages with a nice, clear, even voice--wouldn't want a bunch of 'um's and 'ah's borking up your exploit, now would you. :-)
    `man say` for more options.
  • by Zerth ( 26112 ) on Thursday February 01, 2007 @12:11PM (#17844260)
    If they don't prevent them from running arbitrary commands, you know 5 years in the future that every time term end comes around there will be some naked freshman running through the uni library/labs shouting "quit without saving! yes! reboot! yes! shutdown -h now!"
  • There are so many mitigating factors with this that a successful exploit of this "bug" is extremely unlikely.

    First of all, as was mentioned in the article, voice recognition cannot bypass User Account Control. So that immediately limits damage to the local profile.

    Second, the user would see all of this happening and would have to remain silent for this to work. It's not like a piece of code executing. The commands are not particularly speedy. They would see dialogs flashing, hear the commands being spoken,
    • All a website needs to do is set autorefresh and load the exploit page x minutes after the innocent page and only once.

      Many users open a web page and walk away.
  • Sailing, sailing over the format sea: /yes!
  • It was in Dilbert years ago. Can't remember which characters, but it had one showing the other their speech recognition system, and the other said what would happen if I said "DELETE ALL FILES"?
  • As my coworker said when I told him about this, "That's not hacking it's....yakking!"

    (Or yacking for those who prefer the alternate spelling)
  • Me and my friends have been waiting for this and joking about it since IBM Via Voice and Dragon Speak. A whole new era of IT pranks and cyberterrorisim awaits us. Imagine bursting into a room full of PCs and yelling

    "FORMAT DRIVE C! CONFIRM!".

    Instant fun.
    Makes me feel all soft and gooshy inside just thinking of it. :-)
  • by Gopal.V ( 532678 ) on Thursday February 01, 2007 @12:16PM (#17844346) Homepage Journal
    Userfriendly had predicted the fate of voice recognition six years ago - rm -rf / [userfriendly.org] and yet again ! [userfriendly.org].
  • Ok, I think the "exploit" is ridiculous, but what I do find interesting is how would it deal with UAC? If the commands ask the computer to do something dangerous, the system should prompt the user with the privilege elevation dialog which is on a separate secure desktop and so shouldn't react to anything but direct user input. Anybody tried that?
  • I for one welcome our new shout-format-c:\-across-the-room overlords.

    Man, now I can't wait for the wide business adoption of vista. That would be the beginning of a new era in the history of office spanking.

    • Man, now I can't wait for the wide business adoption of vista. That would be the beginning of a new era in the history of office spanking.
      And apparently, improper sexual conduct in a modern office would be deemed far worse than any attempt to format others c:\, so I'll just settle with "office pranking".
  • So, the "solution" is to turn of speakers and/or microphone. This is the same MS whose solution to a recent Office exploit was "don't use Office for a couple days."

    It's been said that the only secure computer is one that has been unplugged, encased in cement, and thrown in the ocean. I didn't know MS was planning to make this their official support policy. "Security flaws? No problem. Just DON'T USE IT AT ALL."

    Wow, they're good.
  • Shocked! (Score:3, Funny)

    by Andrei D ( 965217 ) on Thursday February 01, 2007 @12:21PM (#17844450)
    I am shocked! Damn you Bill, I really believed you when you said Vista is "dramatically more secure than any other operating system released". My world view is turned upside down now :(
  • by copponex ( 13876 ) on Thursday February 01, 2007 @12:24PM (#17844504) Homepage
    Find office with 10 or 15 stations with shiny new copies of Vista. Verify through other means that mics and voice commands are on. Run in, and yell as loud as you can the commands that will shut down the machines. Don't run out yet!

    Watch people panic at their keyboards. Listen to their gasps as the hard disk spins down and their monitors cut off, at which point they all stare at you. Wave. And then run.
  • Bah... (Score:5, Funny)

    by eno2001 ( 527078 ) on Thursday February 01, 2007 @12:49PM (#17845072) Homepage Journal
    I expect someone to come up with a site that says:

    "Start Internet Explorer"
    "Go aytch tee tee pee colon slash slash gee oh ay tee ess ee dot see ex"

    Brrr...
  • by davidwr ( 791652 ) on Thursday February 01, 2007 @12:52PM (#17845128) Homepage Journal
    Adrian responded [technet.com] to this on the Microsoft Security Response Blog.

    Issue regarding Windows Vista Speech Recognition

    Hey everyone this is Adrian and I am writing to try and clear up some concerns regarding a recently reported vulnerability in the Speech Recognition feature of Windows Vista. An issue has been identified publicly where an attacker could use the speech recognition capability of Windows Vista to cause the system to take undesired actions. While it is technically possible, there are some things that should be considered when trying to determine what the threat of exposure is to your Windows Vista system.


    He goes on to list reasons why this is not a major issue. The first being that voice commands have to be turned on and configured for this to work.

    He ends with

    While we are taking the reports seriously and investigating them accordingly I am confident in saying that there is little if any need to worry about the effects of this issue on your new Windows Vista installation.

    I think he's right. If this was a serious problem, the MacOS and OS/2 "exploits" mentioned above would've received a lot more press. Still, I expect in a future version, the voice software will be smart enough to ignore the computer's own output.

    Personally, I don't like voice commands. They are necessary for users with certain impairments and useful for certain applications such as kiosks, but they are counterproductive in a shared-office environment and just plain weird on my desktop. Even on Star Trek - The Next Generation much of the computer input was via control consoles not voice.
  • Brilliant! (Score:3, Insightful)

    by Kozar_The_Malignant ( 738483 ) on Thursday February 01, 2007 @01:04PM (#17845314)
    The security advice is "A user can turn off their computer speakers..." before playing an audio file. We can also solve the problem of porn getting into our school network by unplugging the monitors. I didn't realize this security stuff was so easy.
  • Startup Sound (Score:5, Interesting)

    by EricJ2190 ( 1016652 ) <EricJ2190@@@gmail...com> on Thursday February 01, 2007 @01:15PM (#17845532) Homepage
    Now I see why Microsoft doesn't want you to change the Vista startup sound.
  • Prior art (Score:5, Funny)

    by hweimer ( 709734 ) on Thursday February 01, 2007 @01:18PM (#17845568) Homepage
    Time to quote a usenet classic [google.com]:

    Last year, out in California, at a PC users group, there was a demo of
    smart speech recognition software.

    Before the demonstrator could begin his demo, a voice called out from the
    audience:

    "Format c, return."
    "Yes, return."

    Damned short demo, it was.
  • by sprior ( 249994 ) on Thursday February 01, 2007 @01:18PM (#17845570) Homepage
    When your machine room starts doing a gregorian chant...
  • by virtigex ( 323685 ) on Thursday February 01, 2007 @01:31PM (#17845858)
    I have worked on both at Apple on PlainTalk and at MS Research on speech. When I was at Apple (around 1996) I poked my head into a co-worker's office who was testing PlainTalk and said loudly "Computer Shut Down". His computer then started shutting down. This "exploit" has been on the Mac since 1996 and nobody seems to have complained about it. I don't think it's a big deal.
  • by mattr ( 78516 ) <mattr@telebod y . com> on Thursday February 01, 2007 @02:25PM (#17847064) Homepage Journal
    Detection of whether a given sound is what was just emitted from the speaker may be very difficult, but it is relatively easy in terms of timing. So long as the system knows how much lag time is present in the system, it should be possible to disable detection of all sound that is being played at the same time (i.e. basically turn off the mic then). Nobody expects voice recognition to work when music or other sounds are playing, and the system, whether Vista or OS X, ought to be able to disable voice recognition instantaneously when sound output is generated.

    The problem of course is that the computer next to you might suffer from the exploit since it doesn't know what sound your computer is generating, though this might be diminished by subtracting other sound to some extent via sidepointing mics or even better by just refusing to do dangerous commands like format or delete via voice recognition in the first place. There are gray areas that probably make total safety impossible but some common sense things including disabling all recognition during sound generation from explorer and wmp sound like a good place to start.

Numeric stability is probably not all that important when you're guessing.

Working...