Dailydave mailing list archives
Re: Vista speach recognition
From: "Dave Aitel" <dave.aitel () gmail com>
Date: Fri, 2 Feb 2007 08:45:24 -0500
This thread is now dead. It's terrible publicity for Microsoft, since it's the exact thing they don't want to say. "Our uninspired OS has vulnerabilities the OS X people already fixed". Essentially it overrides the Microsoft marketing message since there's nothing tangible about Vista Ultimate to sell. "Search", "Voice", "Security" are the "three killer features", but as John Stewart said when he interviewed Bill Gates "Is this just about how we interact with computers or do they DO anything new?"

People in America like to name things as the opposite of what they are. "The Patriot Act", "The War on Terror", "Vista Ultimate", "Digital Rights Management" etc. Vista isn't the last OS you're ever going to buy, so why name it like it is? That was a rhetorical question, for all the non-exploit-writing people out there who feel the need to say something on a mailing list to get their name in their own inbox. The point is the name makes it sound really cool, but anyone who's used it is like "eh?". It's better than XP, but Ubuntu is better than both of them, so whatever.

Anyways, this is about as bad as it's going to get for Vista. Nobody is going to publicly announce vulnerabilities for it. Instead, they'll sell them and/or use them. Atlas shrugged a long time ago and the security industry is just now noticing.

-dave

On 2/2/07, George Ou <george_ou () lanarchitect net> wrote:
Here's the round up on news coverage on this flaw.

http://blogs.techrepublic.com.com/Ou/?p=420
http://blogs.zdnet.com/Ou/?p=420

"The fundamental problem here is that Microsoft "extended" speech to be able to control the Operating System and Applications without considering the full security implications. If Microsoft had merely assigned a user-defined password with an automatic lockout after a certain amount of idle time, it would have made the generic attack impossible but they failed to do that. So I'm asking Microsoft to reconsider their stance that "there is little if any need to worry" and implement some sort of safety mechanism rather than relying on the user to be self vigilant. It doesn't matter that there aren't that many people using this feature; Microsoft should fix it if they're going to offer it and market it as a key Vista advantage. Since Microsoft is promoting Voice recognition for healthcare, we should consider the safety of patient health records.

At present time, Vista Speech Recognition wakes up to the command "start listening". How hard would it be for Microsoft to make that a user-definable phrase or word? For example: A user would pick "Zelda" as the word to wake speech mode while someone else picks "439" as their wake word. How hard would it be for Microsoft to implement a wake timeout so that Speech Recognition would sleep after 5 minutes idle? How hard would it be for Microsoft to implement their excellent echo cancellation algorithm in Windows Messenger for Speech Recognition? I don't believe this is too much to ask."

I want to thank the SANS Institute guys for "getting it". Coming from them, that means something to me. I'm also running a poll at the end asking if Microsoft should patch this with a pass phrase and echo cancellation.

George Ou

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave