Microsoft Vista Takes Orders From Anyone Who Yells At It
from the listen-up dept
As Microsoft pushes Vista out the door, the company has a lot riding on the claim that the new operating system is significantly better than previous versions of Windows, in terms of security. While there have been some scattered reports of flaws, which is always to be expected, many feel that the company has made good progress in securing its system. One new vulnerability comes from the fact that Vista has voice recognition capabilities, and that the user can speak commands to the computer through a microphone. George Ou decided to test the question of whether a website could play an audio file containing spoken commands and commandeer the user’s computer. As it turns out, if the speech is clear enough, the computer will respond to commands that come out of its own speakers. The volume didn’t even need to be too high. It’s still not clear how much of a threat this really is. Many people won’t even have this capability activated, and if you stumble onto a website that starts barking orders to your computer, you might realize something odd is going on. But, as with many online threats, an attacker doesn’t need a high rate of success for a certain approach to be worthwhile. For Microsoft, it will probably be one of several security issues it will have to deal with down the road.
Comments on “Microsoft Vista Takes Orders From Anyone Who Yells At It”
Hopefully this will get the browsers to treat audio like pop-up ads, and request permission before playing them.
Re: Re:
Are you crazy?!?!? Censorship will kill us all!
That is the most hilarious vulnerability I’ve seen in quite a while.
Speech recognition
If it was voice recognition this would not be a problem. You mean the speech recognition. Outside of that I have nothing relevant to add.
Didn’t this test require him to record his OWN voice for it to work?
When they had someone else’s voice, Vista didn’t do anything.
Also, is this any better than that Dragon software?
WooT
I think I just invented the next wave of DRM installation. Have the song tell the computer to download it and install it.
Don’t like my DRM content? How about a track on a CD that just lists a whole bunch of websites?
Nothing like a song singing about yahoo.com. how many browser windows can one song open? It can be like a contest amongst artists!
This is the stupidest news article I have ever seen…
Re: Re:
Can I call home and when my answering machine picks up, tell my computer to shut itself off?
That’s cool. I hope the format command is not in the list of voice-activated ones.
“Please leave a message after the tone”
“FDISK!!”
what in hell
Who the hell needs voice recognition? I mean, OK, maybe for people who cannot use their hands and so on I can understand, but that should come as an accessory or something from Microsoft if the user requests it to be installed. It shouldn’t be automatically installed for everyone. It’s just kind of a waste of time, and disk space.
Re: what in hell
That is why it is not installed by default of course.
Vista voice recognition?
At this point in Vista’s ability to recognize voice commands, I don’t think I’d be too worried.
@what in hell, #7
Tell you what. You type and I’ll dictate into Dragon Naturally Speaking. Let’s see who gets more done.
Speech Recognition is not just for disabled persons, dweeb.
I agree that the feature should not be installed by default. But if it works well and I did not have to pay something over and above my Windows cost, I’ll be happy.
My guess is that if their computer said, “Bend over and drop your pants”, a large number of people would do it – and they’d remain in that position until the damn thing told them to stand up and get dressed. Then, when their significant other found them in that position, they’d blame Microsoft.
Oh come now...
You don’t see how it works? You just send out spam that promises “amazing tips” on how to master your computer’s voice recognition. You encourage the user to try each tip as they go. About 5 tips in, it’s game time! “Minimize all windows! Select Desktop. Select All. Delete. Ok! Open My Computer. C. Select All. Delete. Ok! Parent Directory. C. Properties. Format Drive. Ok!” If the marks are anything like that teacher convicted for not shutting down spyware ads, then Vista users are doomed.
@A non-slave IT guy:
You really think slower than you speak? You must be boring as hell to listen to. Personally, I can’t imagine anyone calling themselves an “IT guy” that can’t type faster than they talk. Especially since revisions and changes to text are incredibly fast and easy with a keyboard, especially once you get beyond standard text and into programming (which you MUST do, IT guy).
Tell you what, YOU dictate into Dragon Naturally Speaking and I’ll write a Rails app. We’ll see who gets more done.
And voice command isn’t installed OR activated by default. So really, this security “exploit” is less of a threat than dumb users ever will be.
You can’t issue shell commands through it, you can only open and close windows, do very basic tasks. If exploited…inconvenient? Yeah. A “threat”? Hardly. It’s not like someone could use it to issue, let alone CREATE malware on a remote system.
Re: Re:
I normally speak about 3-400 words per minute, if you can type that fast you deserve a medal, but you have no place telling someone else that they aren’t an “IT guy” because they can’t beat the world record for typing speed.
Re: Settle down now...
I can’t imagine anyone calling themselves an “IT guy” that can’t type faster than they talk
Some of the best programmers I know are NOT touch-typists. Perhaps that is because they think more and type less.
I have been using Voice Recognition on and off since OS2 Warp. The only reason that I don’t use it today is that the IT support folks won’t let me install it. Since I don’t write large amounts of prose, it’s not a big deal.
Also programming is not a task that lends itself to VR as well as, say, creative writing.
So you’re both right. Just because VR is not suitable for your particular application does not mean that it has no use.
Voice Commands
I had a laptop running CoPilot with a GPS antenna sitting on my passenger seat along with the radio turned on. I was standing outside the driver’s side of the car stretching during a break from the road trip when the radio played some song that caused the CoPilot software to respond, “1,130 miles to Daytona”.
No one in the car but a conversation was in process!
Some things just can't be improved upon...
“There’s always the anecdote about a company that was giving a demonstration of speech recognition in MS-DOS…”
“sit boo boo sit, good dog” woof!
the recursive clapper
I have always wondered if a TV show with an applause soundtrack could cause “the clapper” to turn off the TV. I think this is a corollary to my earlier curiosity.
speech command
Look, folks, my wife isn’t much of a computer person, even if I am a geek. Her favorite saying is that once she can just speak to her computer to tell it what she wants to do, then she’ll use it herself and not bug me to download her email.
I don’t think she’s alone. I can think of a lot of things I’d like to be able to just speak the commands for without slowing myself down by having to type or use the mouse. Sure, at a certain level of working on the innards of a box you’ll need to start typing, but 99% of a user’s day could be made much more productive by good speech recognition. (Yeah the guy above is right, there is a world of diff between speech recognition and voice recognition!)
And I think computers will someday be commanded much more by voice than keyboard. Voice is definitely a biometric, and combined with other biometrics, can be a good security system.
Other uses
Something to consider is that this system understands windows commands. I saw a demo (YouTube) where a guy was doing stuff in Flash and instead of wasting screen real estate with a toolbar and having to mouse over to it again and again to change tools he was using the voice commands “pen” “select all” “convert to symbol”… AND the workspace was bigger because he didn’t need the toolbar. I thought that was a good use for voice instead of just a replacement memo dictation taker.
Commercials
How about using the technology to make tv commercials pipe down?
downloader
If the technology was integrated with IE well enough, then you could use it to download a file. If this was in the middle of a list of commands, which would have the effect of you trying to mute the computer, then you could get some malware without noticing.
The speech recognition should have a feed from the sound card, or if it added up the input to the sound card itself, and subtracted that from the audio-in, then they could reduce interference from music as well, which would be a good thing.
The idea of talking into the command prompt might not be a bad one, but I would personally like you to have to start it with a parameter (typed) to allow voice recognition; the only problem would be pronouncing some of the codes. A good API would be nice, so that you can say any menu item name, and it is selected, as well as activating all the inbuilt keyboard shortcuts (so you just say “Help”).
LoL:
“My Computer”
“Enter”
“AllYOURBASEAREBELONGTOUS”
“Enter”
LoL, it’s like an IWIN button for computer hackarz.