Slashdot Mirror
Remote Exploit of Vista Speech Control
An anonymous reader writes "George Ou writes in his blog that he found a remote exploit for the new and shiny Vista Speech Control. Specifically, websites playing soundfiles can trigger arbitrary commands. Ou reports that Microsoft confirmed the bug and suggested as workarounds that either 'A user can turn off their computer speakers and/or microphone'; or, 'If a user does run an audio file that attempts to execute commands on their system, they should close the Windows Media Player, turn off speech recognition, and restart their computer.' Well, who didn't see that coming?"
Microsoft cautioned everyone not to play the song "Hit Me Baby One More Time" by Britney Spears on or near your computer while the mic is on.
Several lawsuits already involve brutal crimes by computers against annoying young teeny bopper women. Although we can't act like we didn't see this coming, tension has been steadily rising.
My work here is dung.
Shout.
Sometimes you just can't come up, even if you try, with a better way to show how much something suck than to tell the public how you can fix it.
The Neck.
.
Is that a remote exploit?
One ring to bind them - should probably have more fiber and less rings in their diet.
Taking a computer that obeys audio instructions, and playing it some audio instructions, is more of a 'duh' than an 'exploit'. But this problem is a very Good Thing. It can only mean:
-- EITHER people stop yakking on about voice computing, which has been the Way Of The Future since about 1935 or something
-- OR pressure is exerted on web designers to NOT make sites that start making noise the moment the page appears!
Either of these, but especially the latter, would be a big win. So here's to you, Mr. Exploit Finding Man!
Whence? Hence. Whither? Thither.
c:> Dear aunt, let's set so double the killer delete select all: Command not found
If you computer starts spitting out voice commands, just create another sound that will interupt it.
Admitedly all I can think of is the Dilbert cartoon with Wally getting ticked at Dilbert having voice driven software.
Do Or Do Not, There Is No Spoon, There Is Only Zuul. Everything in the above post is probably opinion.
I wouldn't call it a bug. I'd call it a very bad idea to use a microphone without a switch for voice recognition. Your television could theoretically do things on your computer. Does that sound like a possibility you want to entertain? Get a mic with a switch, or get rooted.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
All voice recognition software, no matter what platform, would suffer from this supposed "exploit". So why this article on Vista specifically? What is the real agenda here? Also, if the voice recognition software is trained for a specific user's voice, the chances of an exploit are reduced.
I remember someone once announcing a voice controlled video player, and wondered what would happen when it played a video in which someone shouted "Stop!"
Microsoft's comments on the BBC site are poor. What microphone feedback? If it's not howling now it's not going to suddenly howl when someone tries this exploit. Clear dictation - but the attacker will make the dictation as clear as possible, and the consolation that the user will likely be in the room to hear it happening - what consolation is that?
A solution would be to use echo cancellation as used in phone systems to prevent output from the speaker being used on the microphone.
- Richard
"Open Terminal For Matt See Yes Im sure Reice Tart!!"
the phrase "Simon Says"
A goal is a dream with a deadline
Presuming the device drivers know what is being played, the system could try to detect that and mask it out if it comes back through the speakers. Or just disable speech recognition whenever audio is playing. An easy mute control for the browser would be nice as well. And, maybe security privileges even to play music? I'm sick of random websites that have to play ridiculous music when you visit them.
You can switch the speakers off, but what if the crackers' webcam can still see their lips moving?
[Isert space oddysey 2001 music here]
As for the "exploit" ... windows will cause your computer to explode if you douse it with gasoline and set it alight too. Should there be a warning label and slashdot story to point that out?
A good way to fix this would be to make the user hold down a button or buttons (like maybe WinKey+Space or both mouse buttons). Then it doesn't work without you meaning to put in a command.
"I think an etch-a-sketch with an ethernet port would beat IE7 in web standards compliance."
I forsee an exponential rise in loud annoying web sites shouting commands :(
A n other reason (if more were needed) not to vi$tarize
we are all cosmic nuclear waste
More than ten years ago I was playing with the speech recognition software that shipped with MacOS 7 or something and I though being able to check my e-mail without getting out of bed was pretty cool. At the time I wrote something about the technology and predicted that speech activated commands would never take off until: 1, most audio people listened to was controlled by the computer, and 2, the computer was smart enough to filter out the sounds it was emitting before processing commands. At the time a lot of people listened to music from their computer and I imagine many still do. Why can't the computer ignore all that sound? It knows it is outputting it so why not filter it? It is sad that the same missing feature is still a problem, so many years later.
suppose you write an executable that displays a simple image (let's assume everyone is thinking of goatse) and gives the executable a common title that the Voice Control may pick up; is this the new spam/spyware? Companies send out spyware that activate on common words that Vista picks up? Incidentally, initially I was reminded of Futurama: Farnsworth: "Shut up, friends. My Internet browser heard us saying the word "Fry" and it found a movie about Philip J. Fry for us. [The staff gather around.] It also opened my calendar to Friday and ordered me some French fries."
I wonder how Apple goes around this problem...
The damn OS is playing the audio. The damn speech-rec software is doing echo cancellation. Vista should be testing its incoming audio to detect whether it matches any outgoing audio that Vista is playing. What an incredible load of bullshit.
The quality of MS security analysts working on Vista is revealed to be very dim by this explot. This kind of exploit and defect in the Vista multimedia architecture speaks very badly of the prospect for the next 5 years of MS operating systems. They're a plague.
--
make install -not war
website sound: "All your base are belong to us"
Vista: "Do you want to reformat your hard drive?"
website sound: "All your base are belong to us"
Vista: "Are you sure you want to reformat?"
website sound: "All your base are belong to us"
Vista: "Reformatting.........."
I just watched 2001: A Space Odyssey on my machine... this may be my last post.
Years ago when I worked in a shop that used OS/2 (one late version of which included speech recognition), we used to play pranks on each other all the time using that 'feature'. Things like changing a startup sound to be two minutes of silence followed by a verbal shutdown command, or changing confirmation prompt sounds to be 'cancel'. Good fun. The random 'select all / delete / yes' was the best, though.
The geek watching Andromeda. "Fire all missles"
Fight Spammers!
I mean, look:
"Microsoft has said that even if the machine was primed to accept voice commands it would be unlikely the user would not be in the room to hear the file with malicious instructions being played."
Yeah, nobody ever leaves their computer unattended.
And of course, it would be completely impossible for a Trojan to pipe appropriate sounds directly to the input buffer of the sound hardware, thus negating the need for it to be played through your speakers at all. As we all know, Windows is completely watertight against that sort of thing.
This raises an interesting possibility, though - what if you could confuse the recogniser itself into making false positives? You could, for example, persuade it to recognise silence as a command of your choosing.
Best way round this is probably to prevent people doing potentially destructive operations via voice commands. But if this isn't suitable, you could employ clever confirmation strategies, like "If you're sure you want to delete c:\windows, please say the following words..." with the words in question being drawn from a dictionary. No malware could anticipate the sequence (although I suppose you could set the recogniser to work against itself, by playing the text-to-speech engine's own output back to it and triggering recognition).
Hmm. Promises to be quite fun, this.
to create malicious audio files with OS X (10.3 or later), fire up Terminal and use 'say': :-)
$ echo "format sea slash you" | say -o evil.aiff
This makes your messages with a nice, clear, even voice--wouldn't want a bunch of 'um's and 'ah's borking up your exploit, now would you.
`man say` for more options.
Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
If they don't prevent them from running arbitrary commands, you know 5 years in the future that every time term end comes around there will be some naked freshman running through the uni library/labs shouting "quit without saving! yes! reboot! yes! shutdown -h now!"
There are so many mitigating factors with this that a successful exploit of this "bug" is extremely unlikely.
First of all, as was mentioned in the article, voice recognition cannot bypass User Account Control. So that immediately limits damage to the local profile.
Second, the user would see all of this happening and would have to remain silent for this to work. It's not like a piece of code executing. The commands are not particularly speedy. They would see dialogs flashing, hear the commands being spoken, and decide not to do anything about it. All it would take is the user saying something or turning down their speakers and it would likely be enough to stop things from proceeding.
The danger with this is extremely limited and unlikely. It certainly has some novelty value, though.
Sailing, sailing over the format sea: /yes!
stuff |
It was in Dilbert years ago. Can't remember which characters, but it had one showing the other their speech recognition system, and the other said what would happen if I said "DELETE ALL FILES"?
Fight Spammers!
As my coworker said when I told him about this, "That's not hacking it's....yakking!"
(Or yacking for those who prefer the alternate spelling)
Me and my friends have been waiting for this and joking about it since IBM Via Voice and Dragon Speak. A whole new era of IT pranks and cyberterrorisim awaits us. Imagine bursting into a room full of PCs and yelling
:-)
"FORMAT DRIVE C! CONFIRM!".
Instant fun.
Makes me feel all soft and gooshy inside just thinking of it.
We suffer more in our imagination than in reality. - Seneca
Userfriendly had predicted the fate of voice recognition six years ago - rm -rf / and yet again !.
Quidquid latine dictum sit, altum videtur
Ok, I think the "exploit" is ridiculous, but what I do find interesting is how would it deal with UAC? If the commands ask the computer to do something dangerous, the system should prompt the user with the privilege elevation dialog which is on a separate secure desktop and so shouldn't react to anything but direct user input. Anybody tried that?
Man, now I can't wait for the wide business adoption of vista. That would be the beginning of a new era in the history of office spanking.
Tyranny isn't the worst enemy of a democracy. Cynicism is.
So, the "solution" is to turn of speakers and/or microphone. This is the same MS whose solution to a recent Office exploit was "don't use Office for a couple days."
It's been said that the only secure computer is one that has been unplugged, encased in cement, and thrown in the ocean. I didn't know MS was planning to make this their official support policy. "Security flaws? No problem. Just DON'T USE IT AT ALL."
Wow, they're good.
Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
A:\Format C: /autotest
I imagine it's not quite so straightforward. You'd need to take into account room acoustics, hardware effects, generic ambient noises, or even other interfering sounds in the same room that could all interfere with a comparison of outgoing sound to incoming sound. It's very rare that you'd ever have a time where your outgoing sound file exactly matches one that is sensed coming from the speakers.
I am shocked! Damn you Bill, I really believed you when you said Vista is "dramatically more secure than any other operating system released". My world view is turned upside down now :(
We often refuse to accept an idea merely because the tone of voice in which it has been expressed is unsympathetic to us
Find office with 10 or 15 stations with shiny new copies of Vista. Verify through other means that mics and voice commands are on. Run in, and yell as loud as you can the commands that will shut down the machines. Don't run out yet!
Watch people panic at their keyboards. Listen to their gasps as the hard disk spins down and their monitors cut off, at which point they all stare at you. Wave. And then run.
If Windows came with a canister of gasoline and a lighter, then yes, there should.
It's a bit like with ActiveX: letting any website to execute arbitrary code in your machine is a bad idea, no matter what the underlaying OS. But only Windows does it by default.
Forget magic. Any technology distinguishable from divine power is insufficiently advanced.
All a website needs to do is set autorefresh and load the exploit page x minutes after the innocent page and only once.
Many users open a web page and walk away.
MS Staffer: Yeah, uh, just hold your phone up to the microphone.
Customer: OK. Hold on.
MS Staffer: <whispers>erase all files.
Customer: Oh my god! I think it's getting worse...did you do something?
MS Staffer: Uh, no. By the way, you have a bad hard drive...you're going to need to call Dell tech support to resolve this issue. Thanks for calling and have a nice day.
*click*
MS Staffer: Hey Jack! How many calls do I have to handle a day to get that juicy bonus?
Having played around with the speech recognition in Vista, it is very easy to turn the speech recognition off when you are not using it. I don't remember the precise phrase, but you just say something like "stop listening". A kid in one of my classes had a Mac and used speech recognition on it. When he was using speech recognition we would shout different phrases in an attempt to shut his machine down, among other things. I think we only got it to shutdown once, most of the time it didn't work b/c we were too far away, or he turned that feature off. I've had the same experience with Vista. This sounds like FUD to me.....
Wouldn't you get feedback through your speakers before being able to do anything possibly damaging?
When all is said and done, nothing changes...
"Windows Speech Recognition was built using the latest Microsoft speech ... you are always in control;"
what a superb meme this is I just knew vi$ta would have an exploit, I just didn't realise there wouldn't be any programming involved "the meme is mightier than the code" hype it up & shout it out!
Sigh. Microsoft's bug is just mimicing OSX, which recently had the same problem.
The Month of Apple Bugs: showing all the ways Apple continues to innovate!
1. Expect keyword before commands
2. If voice pattern is unknown await confirmation via ui dialog
3. Don't execute voice commands while outputting sound
I had this all set up to test when the local walmart ad started playing on the TV.
As soon as the TV announced kid's pants were half off, Windows Media player came on playing the Michael Jackson MP3 Pretty Young Thing
An exploit is, by definition, a successful manipulation of a bug/omission/hole/whatever in a computer system to make it perform something that it was not designed to do. Usually this term is only applied when said action is harmful or potentially harmful.
What is being described here is the possibility of controlling the voice recognition system in Vista remotely to make it perform potentially harmful tasks. Furthermore, this functionality is not something that said system was designed to do; it was only designed to accept commands via microphone.
Therefore, what is being described here is an exploit.
Q.E.D.
I hear there's rumors on the Slashdots
Speech control is on by default? That shouldn't be. Quite aside from any internet-related remote exploit issue, it's going to create problems if there's more than one person in the room with the computer. Granted, most computers don't have a mic, so for them it won't be an issue, but still.
There's also the question of why we would want our web browsers to play sounds, but I think we've lost that batte.
Cut that out, or I will ship you to Norilsk in a box.
The Vista replies, "And I'm a PC."
I expect someone to come up with a site that says:
"Start Internet Explorer"
"Go aytch tee tee pee colon slash slash gee oh ay tee ess ee dot see ex"
Brrr...
-"...bad old ideas look confusingly fresh when they are packaged as technology" - Jaron Lanier (Digital Maoism on Edge.o
This reminds me of a story I heard years ago about one of those smug, irritating Mac users who thought he was just so cool 'cause his computer did stupid little tricks like voice recognition. He had some sort of voice-command software installed on his Mac and he bragged about it (and other Mac things) to his fellow cube-dwellers constantly. At some point, though, someone figured out that one of the commands was "shut down," at which point his co-workers would regularly walk by his cubicle and yell "shut down!" at the computer, which would immediately and happily comply. Mac Boy uninstalled his voice-recognition software shortly thereafter.
Adrian responded to this on the Microsoft Security Response Blog.
Issue regarding Windows Vista Speech Recognition
Hey everyone this is Adrian and I am writing to try and clear up some concerns regarding a recently reported vulnerability in the Speech Recognition feature of Windows Vista. An issue has been identified publicly where an attacker could use the speech recognition capability of Windows Vista to cause the system to take undesired actions. While it is technically possible, there are some things that should be considered when trying to determine what the threat of exposure is to your Windows Vista system.
He goes on to list reasons why this is not a major issue. The first being that voice commands have to be turned on and configured for this to work.
He ends with
While we are taking the reports seriously and investigating them accordingly I am confident in saying that there is little if any need to worry about the effects of this issue on your new Windows Vista installation.
I think he's right. If this was a serious problem, the MacOS and OS/2 "exploits" mentioned above would've received a lot more press. Still, I expect in a future version, the voice software will be smart enough to ignore the computer's own output.
Personally, I don't like voice commands. They are necessary for users with certain impairments and useful for certain applications such as kiosks, but they are counterproductive in a shared-office environment and just plain weird on my desktop. Even on Star Trek - The Next Generation much of the computer input was via control consoles not voice.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
All they need to do is disable audio commands (other than "stop" or "pause") whenever any sound is being played. That way - skype etc would continue to work normally (full duplex) and the speech recognition system wouldn't even be listening if a web page or MP3 or any other application was making noises.
Well. I'm sure that effects all nine of you who actually use speech control.
lol, this made my day :)
It's not necessary to restart the PC to turn off speech recognition - just say "stop listening" or click on the always visible recognition toolbar to turn the microphone off. It's also not on by default either, and only those interested in it will find it anyway. Not really an "exploit" that's actually exploitable.
How is this a Vista vulnerability? Any speech recognition program is vulnerable to this. Also, its vulnerable if somebody walks by and talks into your microphone. Or if you have the phone on speaker. Glad the release of Vista brought this kind of voice recognition vulnerability to the forefront.
...in a special press conference they held today. The whole conference video can be seen online here [microsoft.com]. (Note to Windows Vista users: turn off your microphone and speakers at the time 2:35 into the video where the spokesperson says "...this vulnerability can be used to execute dangerous commands, such as: "DELETE C:\*.* /S /Q /F" by playing special wave file...").
The security advice is "A user can turn off their computer speakers..." before playing an audio file. We can also solve the problem of porn getting into our school network by unplugging the monitors. I didn't realize this security stuff was so easy.
Some mornings it's hardly worth chewing through the restraints to get out of bed.
I'm pretty ignorant of the science behind all this but I'm certain that DRM concerns are a big factor in why this exploit is even possible. I expected this DRM business to bite them in the ass, but I didn't expect it to bite them on day one. ouch.
In Vista no one can hear you scream, except for your computer which shuts down promptly.
All voice recognition software, no matter what platform, would suffer from this supposed "exploit".
Some time ago already, MacOS 9 used a voice recognition authentication to login (voiceprint passwords). Your mac recognized you. Such a exploit would not have worked.
This feature was dropped from OSX. But the principle remains. I'm not sure about identifying the user for all voice commands, but why not?
Animoog.org
Echo cancellation on a PC is very difficult. Many systems have slightly different sampling rates for output compared to input. A difference of hundredth of Hz is enough to screw them up. The computation is also nothing to ignore at high sampling rates, but that problem is secondary. The solution for most companies wanting to do echo cancelling on a PC is to use their own hardware for the sampling so that they can be in sync with the same clock. BTW, MS used to have an R&D project on PC based echo cancelling. They had no further description and no publications and I can't find the site anymore, so I don't know if it went anywhere. Now, a solution that ran the speech synthesis on the speaker output and the mic input could be used to correlate the two and prevent the 'exploit', but that is not echo cancellation. Code Master
The Code Master
Of rm -rf /
:P
I have a web site to make
Now I see why Microsoft doesn't want you to change the Vista startup sound.
"My name is Leenus Torvalts and I pronounce Leenux 'echo wy pipe format c colon slash you'"
Welcome to the Panopticon. Used to be a prison, now it's your home.
Time to quote a usenet classic:
Last year, out in California, at a PC users group, there was a demo of
smart speech recognition software.
Before the demonstrator could begin his demo, a voice called out from the
audience:
"Format c, return."
"Yes, return."
Damned short demo, it was.
OS Reviews: Free and Open Source Software
When your machine room starts doing a gregorian chant...
Am I the only one who thought "Nam-shub of Enki" when I read this?
My turnips listen for the soft cry of your love
No, actually it isn't really agendized.
Ever used a program such as skype or other voice-chat software? Notice when you have speakers and microphone on, you generally don't hear your voice constantly repeating into echoes (if echo-cancel is on, of course). Notice that you don't with the speakerphone on your cell either? That's because the software/hardware is smart enough to take the audio output and subtract/prevent it from entering the audio input (avoiding feedback loops etc). If used properly with voice-recognition software, it would defeat programs on a webpage from sending output to be re-picked up from your input system. Since MS assumedly has control over the audio subsystem of the operating system, it should be able to snag the master combined output and filter it in this way.
Now that doesn't preclude some annoying twit from walking by and telling your computer to do things it shouldn't. However, that issue could be prevented by engraining an element of "speaker recognition" (the person speaking, not the ones on your computer) to the machine. Further, it could require a user-defined prefix or suffix to the command, such as "Computer, earl grey tea, hot!" or "Open the doors, Hal!"
Eh. NeXTstep circa 93, had a product name "Simon Says" that did voice commands. Each commands started by "Simon":
"Simon Says
Lavin: I happen to be an amateur expert on the phenomenon of computer-to-human voice communication: I have an '84 Le Baron convertible. It was a luxury auto during that brief shining moment when cars talked to humans. It tells me, due to a faulty sensor, that my washer fluid is low every time I turn on the car. It also tells me, due to a faulty operator, that my seat belt is unfastened and that I have failed to turn my lights off.
On the surface, machines talking to operators have little to do with Simon Says, in which the user talks to the computer. Still, first-time visitors to both my computer and my car are always amused with this spoken communication. A steady diet of either, however, does not even remotely measure up to initial expectations.
Within ten minutes of using Simon Says to voice-control my NeXT, I thought it was the coolest thing ever invented. Within an hour, I had discovered that it was also the first decent macro generator for the platform, and I was even happier. Within three hours, I had an axe through my face from aggravated office neighbors not clued into the joys of loud, mono-tonous voice commands.
But where the talking car concept was totally discredited as a human-interface solution, dying a quick and merciful death, Simon Says is in fact genuinely useful over the long haul.
You start by training Simon with the words you want it to recognize. This involves many repetitions of these words. Since inflection matters in Simon's voice recognition and remembering exactly how you said, "Show Ruler," is next to impossible, you need to develop a consistent style to make the thing work.
Then you can choose which apps you want to have under some voice control. If you are like the rest of us, you'll go hog wild, training everything from PrintManager to BlastApp and all commands from "Insert Soft Hyphen" to "Make Spline."
If you do this, though, you'll quickly find out why applications have menus. A better strategy is to limit the number of trained words to a manageable list covering only key commands in key apps. Once you get the right mix, you'll find that using your voice is truly like having a third hand.
Amazingly enough, Simon also has a powerful macro generator built in. You can construct voice-command macros that will perform keystrokes or primitive mouse events, paste text, run UNIX commands, play a sound, send mail, or do a combination of the above. The resulting macros are so powerful that I wanted them available with keyboard equivalents in addition to voice control.
Like any 1.0 product I like, there are a large number of features I would add or fix. Since voice is a whole new means of interfacing with my computer, deficiencies are magnified. But none of this takes away from the fact that the voice-recognition engine is a thing of marvel. There's no doubt that I'll keep using Simon, though that should come as no surprise. I still drive the Le Baron."
Holy sh!t, am I that old ?
Yet another batch of truly astounding BS about Vista topped by a misleading headline. This is not a Vista-specific defect, this is a characteristic of voice commands (but granted, a very valid reason why it's an unreliable way to try to run a computer under many circumstances).
And more to the point, if I have a Mac with voice recognition software installed, is it somehow NOT prone to this?
There are several things wrong with Vista, but this isn't one of them. Are we all so hungry for security-related dirt about Vista that THIS is what constitutes "news for nerds" or "stuff that matters"? Good gravy.
It is pitch black. You are likely to be eaten by a grue.
I wonder if you could setup a sound to create a loop? Such as "play sound file 'play_sound_file.wav".
There have been a multitude of posts suggesting 'easy solutions' to this problem (most of which involve doing some sort of automagical signal processing on the signal received based on the audio being played out). Most of these suggestions just plain won't work. Why? Because every set of speakers is different, every room is different. Therefore, the signal will be mangled in some unknown (to the computer) way, before being received again.
The EASY solution? A voice password required before every voice command. The user sets a short phrase that they prefix voice commands with. Any commands lacking that prefix are ignored. Yes, it makes using voice slightly more inconvenient. On the up side, you can tell users they are giving their computer a name. Instead of 'open internet explorer', it is 'arglebargle, open internet explorer'.
====
Crudely Drawn Games
Considering the amount of swearing and other drivel that will be spoken in the vicinity of a Vista-infected computer, I'd think that turning off the mike is generally a very good idea. Not only because of voice commands, but also 'cause someone might just contact you through your IM and the first thing he hears is you cursing at him.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
I have worked on both at Apple on PlainTalk and at MS Research on speech. When I was at Apple (around 1996) I poked my head into a co-worker's office who was testing PlainTalk and said loudly "Computer Shut Down". His computer then started shutting down. This "exploit" has been on the Mac since 1996 and nobody seems to have complained about it. I don't think it's a big deal.
Holy fuck... if you tell a computer to obey voice commands, IT DOES!!!
News at 11.
Seriously, what's next, breaking news about how you can record commands to tape and play them on the stereo as a "hackers remote exploit"?
Yes, I'll agree, it would be nice if voice rec software would filter out itself. But that doesn't seem to be mainstream yet. So just do what everyone does... and turn off voice rec.
If I knew the wedgies I gave you back in 6th grade would have resulted in this . . . I might have taken a moments pause.
I can't wait to walk into computer labs at school and yell out "rm -rf /" and then walk away whistling.
I may agree with what you say, but I will defend to the death your right to face the consequences of saying it.
"computer open http://goodbye-microsoft.com/"
Bob: "Bob go jump off a bridge"
Bob: "Who said that ?"
Bob: "I said that. Now jump!"
Bob: "Ok.. Aaaaaaaagh!"
I think we've found the reason why Silent Bob is silent!
Your posed denial of service: a button or foot pedal that mutes audio playback when depressed and unmutes audio playback when released. I seem to remember that amateur radio, CB radio, and mobile phones with the "nationwide walkie-talkie" feature have something similar.
If the computer thinks you're saying a command, it should disable output to the speakers. If I am talking to my computer then it should stop making its own noises. Otherwise, that's just rude.
It breaks my pluginses, my precious!
Detection of whether a given sound is what was just emitted from the speaker may be very difficult, but it is relatively easy in terms of timing. So long as the system knows how much lag time is present in the system, it should be possible to disable detection of all sound that is being played at the same time (i.e. basically turn off the mic then). Nobody expects voice recognition to work when music or other sounds are playing, and the system, whether Vista or OS X, ought to be able to disable voice recognition instantaneously when sound output is generated.
The problem of course is that the computer next to you might suffer from the exploit since it doesn't know what sound your computer is generating, though this might be diminished by subtracting other sound to some extent via sidepointing mics or even better by just refusing to do dangerous commands like format or delete via voice recognition in the first place. There are gray areas that probably make total safety impossible but some common sense things including disabling all recognition during sound generation from explorer and wmp sound like a good place to start.
I knew I kept the Cop-killer album around for a reason.
<sarcasm>Funny.</sarcasm> "Format" is pronounced FAW-maet,[1] accented on the first syllable, while "for Matt" is fuh-MAET, accented on the second. Any speech recognizer that can handle Mandarin or Cantonese can handle accent in English.
Reice TartI pronounced reice like "rice", which doesn't produce the "restart" you were going for. You get RAH-ees-t'haht, not rih-STAHT. If you're going to make an Anguish Languish joke, don't make it sofa king Wii Todd did.
[1] Ad-hoc respelling is used instead of International Phonetic Alphabet because Slashdot is configured to delete characters not on its whitelist for English orthography.
PC: Hi I'm a PC
Mac: and I'm a Mac
PC: I have a cool new feature called voice control.
Mac: That is stupid. I have the Time-Machine which let's you recover old documents. Let's say you accidently delete the documents folder
PC: Okay
Mac: To get you documents back, all you have to do is slide the time machine back one minute.
PC: Sounds cool, but cant you just get the documents out of the trash?
Mac: Yes, but it works even if you accidentally empty the recycle bin
70% of statistics are made up.
Actually, OS X is set up so you have a prerequisite phrase that you have to say before it will initiate any voice driven commands, and you can change it to whatever, so you can actually get your computer to respond to "Simon Says"!
I did it at one point just because I could, then turned it off because it was just something to play around with.
"There are 10 types of people in this world--Those that understand binary, and those that do not..."
That is why OS X has a "keyword" setting in the voice recognition system, using the "keyword" unlocks the voice commands and processes the following words as commands. By picking an unusual "keyword" you can insure the system does not run random commands based on surrounding noise, or a web page audio, like Vista deos.
BTW, the default option in OS X speech control only listens when a selected key is pressed, default is esc key.
The second option is "listen continously with keyword". The default word is "computer" but it is user selectable.
Apple actually thought about the usage of this before implementing the voice commands feature.
It just so happens that the Microphone is picking up commands played by the computer's own speakers.
IME with os9 and osx the speech could be disabled easily in 9 and fairly easily in X,
and was usually one of the first things I'd disable.
I don't want my computer talking to me, nor do I want to talk to it (at it, maybe, but not to).
Same functionality is built into XP, and I was only aware of it because of Xplite.
Just curious as to ways to kill this off w/o special tools you have to pay for.
In a former job, killing off speech, outlook, and some of the flotsam and jetsam of a fresh install
helped 2k/Xp run for months w/o reboots in a production environment.
I guesss that's why the big "meh" over Vista...more "stuff" we don't need/want/might not use
piled even higher than before and no way to remove/disable it (that I'm aware of).
Have you read the moderator guidelines? Well, have you, PUNK? (and I want a Karma: Gnarly option)
Voice stuff, just a gimmick. Like someone with working hands would need voice recognition. Learn to type people. Voice recognition will never replace the keyboard. I think the voice recognition in Windows XP is better. Sure, you have to train it, but then it only understands YOU which is just good security in my opinion. I can just imagine someone's kid saying 'format drive c' and then - POOF! Problem solved!
It was a funny joke. Your comment was completely, utterly, totally pointless.
Yes, accent matters. However, in a british accent for example:
1 - his joke works pretty well.
2 - "Wii Todd did" sounds *nothing* like retarded, assuming that's what you meant.
If you experience problems when using our flagship software, turn off computer and don't use it.
Problem solved.
This message brought to you by your ever richer Microsoft overlords.
PC: Hi I'm a PC ...
Mac: I hope he has his XP install CD handy....
Mac: and I'm a Mac
PC: I have a cool new feature called voice control.
Mac: That is stupid. I've had secure voice control for years
PC: Yes, but with your primitive voice control, the statements had to be in the right format, see?
Mac: OK, but that's why we call it secure. The user has to select a keyword that will trigger the commands.
PC:
PC: Hi! I'm a PC!
Mac: And I'm a Mac!
PC: I have a cool new feature called Voice Control!
Mac: FORMAT C!
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
This is like one of the most obvious exploits imaginable! How could they possibly have missed that?
My understanding is that after 9/11, the new Bud commercials changed "Real American Heroes" to "Real Men of Genius" to be a little more sensitive and not dilute the meaning of "hero". But this was a rumor I heard. Can anyone verify?
I only post comments when someone on the internet is wrong.
Program HIS machine to tell him what a fucking asshole he is and how stupid and incompetent his entire company is.
Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
From TFA:
"suggested as workarounds that... they should close the Windows Media Player, turn off speech recognition, and restart their computer"
Was meant to read:
"...and shutdown their computer, maybe even unplug it just to be sure"
And come on fellas, this is not an bug. It's a warming gift to our beloved exploit writers, now they don't even have to lift a finger to run exploits!
May also work on AmigaOS 1.2
;-)
Preventing this is really easy. Make the user record a word only they will know and only listen for commands after hearing the word or after a key is pressed. This would protect both against malicious web sites and against complete strangers yelling commands.
This Is The Voice Of The Mysterons...
Well, not much would have happend as Vista just says:
Access Denied as you do not have sufficient privileges.
You have to invoke this utility running in elevated mode.
I must say UAC is one of the best features of Vista...
One of the reasons speech recognition hasn't taken off is simply that it's incredibly embarrassing to be caught speaking to a machine. It also distracts others and talking with a clear voice is actually quite tiring in the long run.
With webcams becoming more and more ubiquitous, why not start work on lip-reading algorithms? Talk to the computer, but don't make a sound. You don't disturb anyone and you don't have to stress your vocal cords. Sure, it might be more difficult and more processor intensive to make it work, but since it's doable by (some, trained) people, it should eventually be doable by computers.
vista, with all of it's bugs, is porno for the QA tester in me...
So, what's next? Are they going to warn us that people on the other side of the room can also control your pc if they talk loud enough? (Would that even count as a remote exploit anyway?)
There was an episode where it was just Picard and the ship. Picard issued more than a few voice commands.
http://en.wikipedia.org/wiki/Real_Men_of_Genius
Here's a sample: The Wikipedia entry also lists websites where you can hear them at the bottom of the page's entry.
So lets say guy leaves his Vista machine on 24/7 for 'Instant On' internet access.
Evil dude calls guy when not home. Answering machine picks up, also playing sound outload in guy's house.
Evil Dude: "FORMAT SEE COLON (pause) YES"
two chances to initate exploit. Once during the call, and one when guy checks messages.
-- 3 events that reshaped the world in the 20th century: WW1, WW2, and WWW
Defective by Design when it has nothing to do with DRM?
3 words "push to talk" the end.
this lesson back in the '90s? Remember when Apple Macs shipped with Voice Recognition, and everyone figured out that it was a lame-ass fad the novelty of which wore off after ten minutes. (A bit like the Wiimote, I guess).
Congratulations MS, you're truly the innovators.
"Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife
Its pretty obvious this could happen...its voice recognition software. This isn't news so much as an invitation to make fun of Microsoft for the hundreth time. No, this isn't innovative, and no its not really a bug, so much as common sense. If you have a sound file loudly speaking commands over your speakers then naturally that may be picked up by your mic. If you can't figure that out then you probably shouldn't be using the software in the first place.
I would assume Microsoft has this turned off by default if they aren't completely retarded, because people are stupid, but I honestly wonder about that. By all means though, continue making jokes...but there are probably far worse things we could pick out than this. I still don't see why its being called a bug.
"Those who would sacrifice essential liberties for a little temporary safety deserve neither liberty nor safety." - BenF
When you want to talk to another person you tend to turn towards them and speak, I expect people would behave the same way with a computer. Why don't hardware developers design computers with stereo mics that's a little apart like human ears, and use a little signal processing circuitry so the computer can work out if it's being spoken to or not? I don't know how feasible that is, but it sounds like a simple thing to do compared to getting software to learn a person's voice characteristics.
Also why do these app developers think that voice command *necessarily* need to consist of commands in plain English (or any other human language)? I really want some sort of plugin for my media player that'll allow simple commands to be entered by whistling, for example say I want it to play, instead of saying in a flat monotone voice 'computer, play' or something silly, I clap twice (to get the computer's attention), and whistle two notes a major third apart, another command can then be a fourth, a fifth etc (so the user doesn't need to have perfect pitch). That would be far more reliable as command input, the user won't sound like a wally, and easier(?) to implement in software.
Pls pls any talented developers here take this idea up!I'm not bitter that my request for a color printer got denied.
This way I won't work all day and accidently
DELETE...a...FILE!
Welcome to Wally-World.
Isn't it kind of obvious to look for sound matching the output signal of the computer and subtract it from the incoming speech recognition signal?
Like noise canceling headphones.
OK so you have to smoke a joint before entering the room and yelling the commands. Big deal.
Go hug some trees.
Have the playback system add a 'watermark' to outgoing audio.
Such as a 'chirp' above human hearing range several times a second, or a low frequency note, below human hearing range (Mythbusters already covered the 'brown' note.)
MP3 and other audio codecs remove a lot of frequencies from playback; the human ear dosn't notice the differance, but the waveform changes a lot. (for example, if a loud 2000 Hz tone is played at the same time as a quiet 1980 Hz tone you wouldn't notice the quieter tone, because your brain only handles so many signals at once.)
Combining the two principles, an audio playback system could detect the loudest frequency in a time interval, and pulse neighboring frequencys at a lower amplitude and high speed to transmit extra data, such as a DRM flag, or a 'disreguard voice input' flag.
Fairly obvious, and should be easy to implement with any understanding on modern audio codecs. with the advantage that one computer wouldn't trigger a second computers voice system, unless this filter was specifically disabled.
Vista is junk. Get a mac and forget about it.
Apple seems to have already had a solution to this problem:
If one were to turn on speech recognition in OS X, the default behavior is to listen only when a key (default is escape) is pressed. The other option is to listen continuously with a keyword (default is Computer, but can be changed to anything) that is either required before every command (default), optional, or 15 or 30 seconds after the last command. One would have to change two different settings to expose OS X to such an exploit as easily as Vista is.
The blackface/whiteface episode with Frank Gorshin in which the destruct sequence was used was on TVLand just last night, so I knew right off that "1A, 2B, 3C" wasn't quite right. The correct self-destruct sequence for the original Enterprise, according to Wikipedia, is Kirk: "1-1A," Spock: "1-1A-2B," Scott: "1B-2B-3," Kirk: "0-0-0-Destruct-0." The destruct-abort code was "1-2-3-Continuity."
One English grammar thought, regarding the phrase "Me and my friends" - when you think through the sentence, dropping the phrase "and my friends", you will note the awkward pronoun reference "Me have been waiting". To speak correctly you need to make the pronoun fit the voice - 1st person - which means you want to use "I have been waiting". To include your friends, while keeping the voice as 1st person, you would say "My friends and I have been waiting" or "I, along with my friends, have been waiting". If you wish to broaden the voice to the plural, you might say "We have been waiting for this, my friends and I, and"...
How important is all this? It isn't - as I said, you certainly communicate well. Thanks for the humor!
Couldn't the system simply have a filter that removes the wave signature of what it is outputting before processing input as a command?
Yes, it could. That's real similar to what a $20 pair of noise-cancelling headphones does.
That that is is that that that that is not is not.
and scream "COMPUTER! RUN FORMAT C: /Y" and shut down the whole place? :)