Re: Vista speach recognition

["Dave Aitel" <dave.aitel () gmail com>]

This thread is now dead. It's terrible publicity for Microsoft, since it's
the exact thing they don't want to say. "Our uninspired OS has
vulnerabilities the OS X people already fixed". Essentially it overrides the
Microsoft marketing message since there's nothing tangible about Vista
Ultimate to sell. "Search", "Voice", "Security" are the "three killer
features", but as John Stewart said when he interviewed Bill Gates "Is this
just about how we interact with computers or do they DO anything new?"
People in America like to name things as the opposite of what they are. "The
Patriot Act", "The War on Terror", "Vista Ultimate", "Digital Rights
Management" etc. Vista isn't the last OS you're ever going to buy, so why
name it like it is? That was a rhetorical question, for all the
non-exploit-writing people out there who feel the need to say something on a
mailing list to get their name in their own inbox. The point is the name
makes it sound really cool, but anyone who's used it is like "eh?". It's
better than XP, but Ubuntu is better than both of them, so whatever.

Anyways, this is about as bad as it's going to get for Vista. Nobody is
going to publicly announce vulnerabilities for it. Instead, they'll sell
them and/or use them. Atlas shrugged a long time ago and the security
industry is just now noticing.

-dave




On 2/2/07, George Ou <george_ou () lanarchitect net> wrote:
> Here's the round up on news coverage on this flaw.
> http://blogs.techrepublic.com.com/Ou/?p=420
> http://blogs.zdnet.com/Ou/?p=420
>
> "The fundamental problem here is that Microsoft "extended" speech to be
> able
> to control the Operating System and Applications without considering the
> full security implications.  If Microsoft had merely assigned a
> user-defined
> password with an automatic lockout after a certain amount of idle time, it
> would have made the generic attack impossible but they failed do that.  So
> I'm asking Microsoft to reconsider their stance that "there is little if
> any
> need to worry" and implement some sort of safety mechanism rather than
> relying on the user to be self vigilant.  It doesn't matter that there
> aren't that many people using this feature; Microsoft should fix it if
> they're going to offer it and market it as a key Vista advantage.  Since
> Microsoft is promoting Voice recognition for healthcare, we should
> consider
> the safety of patient health records.
>
> At present time, Vista Speech Recognition wakes up to the command "start
> listening".  How hard would it be for Microsoft to make that a
> user-definable phrase or word?  For example: A user would pick "Zelda" as
> the word to wake speech mode while someone else picks "439" as their wake
> word.  How hard would it be for Microsoft to implement a wake timeout so
> that Speech Recognition would sleep after 5 minutes idle?  How hard would
> it
> be for Microsoft to implement their excellent echo cancellation algorithm
> in
> Windows Messenger for Speech Recognition?  I don't believe this is too
> much
> to ask."
>
>
> I want to thank the SANS Institute guys for "getting it".  Coming from
> them,
> that means something to me.
>
>
> I'm also running a poll at the end asking if Microsoft should patch this
> with a pass phrase and echo cancellation.
>
>
>
> George Ou
>
> _______________________________________________
> Dailydave mailing list
> Dailydave () lists immunitysec com
> http://lists.immunitysec.com/mailman/listinfo/dailydave
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave