Slashdot Mirror


User: 99BottlesOfBeerInMyF

99BottlesOfBeerInMyF's activity in the archive.

Stories
0
Comments
10,115
First seen
Last seen
Profile
(view on slashdot.org)

Comments · 10,115

  1. Re:The Report on Scientists Offered Cash to Dispute Climate Study · · Score: 4, Insightful

    Whether the money is tied to the result implicitly o explicitly doesn't really matter.

    It matters if the result is tied to money at all. Any research that starts with a conclusion which it tries to find proof for is not following the scientific method and is not science. If some government grant was worded such that is is contingent upon proving some conclusion, that is not science either. To my knowledge this is the only case where funding was offered for research starting with a result. I've seen other cases where companies paid for research, but reserved the right to publish the results or not, and then buried science that disagreed with their predetermined opinion, but I don't know of any other attempt to so openly buy an unscientific study and pass it off as science.

  2. Re:The Report on Scientists Offered Cash to Dispute Climate Study · · Score: 5, Insightful

    And the climate scientists who created this report aren't idealogically motivated? I'm sure some are. Some probably aren't. And scientists who respond to the $10,000 bounty may or may not be motivated. Frankly, I don't care about motivations. If you put out a bounty for an open source project, no one gets upset. Why should this be any different?

    The scientific method relies upon hypothesis and testing, then publishing and interpreting the results of that testing and it is reviewed by peers. If you are only paid when the results of your testing indicate a particular item, which may or may not be true, you have direct motivation to break the scientific process. Your analogy involving open source bounties is different. Say someone offers a bounty to find security holes in product X. That is paying people to do research and find some hole, and there are always going to be holes. It is not paying them to prove a specific hole exists (result), which would be undermining the scientific method. In the case of global warming, you're starting with an answer "global warming is not man made" (result) and trying to find a reason. Sure there are lots of potential reasons why this might be the case, but none of them are science because you did not follow the scientific method. They are also a lot likely to be correct answers for the same reason. With a bounty on security holes in some project you're looking to find something, but not provide evidence for whether holes exist or not, simply to find any that you can. Whether or not a given hole exists and is exploitable can still be a scientific process.

    Let the scientists try to do the research.

    Part of the failing of the US education system is that people refer to researchers or engineers or technologists as scientists, when in truth a scientist is someone who uses the scientific method. The reason for this misapplication is because science comes up with lots of useful solutions and thus has a lot of credibility. The fact is, tis lobbying group is not offering to pay scientists, because the offer precludes people acting in that role form participating.

  3. Re:Quite nice on Mac Developer Mulls Zero-day Security Response · · Score: 3, Insightful

    Given that Apple's not exactly famous for being Johnny-on-the-spot with security fixes, I don't quite get where you get "a few days" from.

    Do tell, how slow is Apple to fix known security issues? My coworkers have submitted two security bugs to Apple that I know about. Both were local rather than remote, thus posed little risk to the average user. Both were fixed within a few weeks and credited the person who found them. In at least one instance of a more serious security issue Apple turned a fix around in 9 days from disclosure, which is bloody fast or a full dev/qa cycle at any real software company. So you do have some reason for believing Apple is slow to respond to real security concerns, don't you? I'm a bit less inclined to just assume you're right and a little more interested in some citations.

  4. Re:Microsoftie on Microsoft Tops Corporate-Reputation Survey · · Score: 1

    Look, I'm not going to waste my time going through all this again. The concept of monopolies is not that hard and all your questions are easily answered by about 5 minutes worth of research. Bundling and tying is illegal when one item is from a monopolized market and another is from a separate, pre-exiting market. The market for helmets is separate from the market for motorcycles. The market for speedometers is a subset of the market for motorcycles, unless it is a replacement part. No one sold motorcycle speedometers before there was a market for motorcycles. I'm sure you'll find some way to argue against that point, but it is not because you're an idiot that can't understand the concept. It is because you're a stubborn fool who does not want to understand the concept so they are intentionally being obtuse. If you sat down with an open mind and ten minutes and a economics book, you could understand monopolies and our laws and the reason for them. You, however, already have an opinion and you are not interested in learning or understanding. You're interested in trying to justify that opinion no matter what.

    Have fun with that. I'm not wasting any more of my time explaining the entire concept in detail when I've already done so in previous threads for different articles. I'm not even reading the rest of your post. Have fun with your irrational beliefs you try to support with logic, instead of opinions formed from a logical consideration of the facts. It is sad that our educational system has so failed to teach logic, to the point that it is a way to justify belief, instead of make decisions or form opinions.

  5. Re:A Whole Decade of Nothing on Remote Exploit of Vista Speech Control · · Score: 1

    Even if you fixed this problem and were able to effectively remove the outgoing audio from the incoming this would still be an exploit for any computer near the computer making the sounds.

    I don't think using voice recognition in a location where your computer can hear other people's computers would work anyway. I mean, if you have 20 people all within hearing range of each other all using voice commands, the resulting clamor would likely make performance uncertain and drive everyone insane with the constant babbling. I just don't see this as a problem. I have an office and maybe four people can hear me if I talk in it. If I take a phone call on my cell, I go to a conference room so as not to disturb anyone. Using voice recognition and and talking all day where other people can hear would be annoying as all hell and very rude. Finally, if I'm in a cube, I'm not likely to be very far from my computer in the first place. The keyboard is a faster, more accurate input mechanism for commands. Voice recognized commands are great for when I'm doing something else with my hands, or don't want to get up from the couch. That is not a cubicle type situation.

  6. Re:Unnecessary. on Mac Developer Mulls Zero-day Security Response · · Score: 1

    These are reasonable concerns and it shows that Apple is worrying about the bottom line more than the customer.

    One of the reasons OS X will have better security than any Windows release for the foreseeable future is that Apple's bottom line is directly tied to the satisfaction of their customers. If the average OS X user starts to have problems because of worms, they switch to something else and Apple loses money. There is very little locking people in. You can even just install a new OS on the Mac. Most applications on OS X run on Linux or Windows as well. Most file formats are open and portable. They rely almost entirely on open standards, so the only real incentive to not switch when you buy your next computer, is being happy with the mac you have.

    This being the case, if current levels of security become a problem for users, Apple has direct, financial motivation to fix it. Moreover, since Apple can anticipate that could be an issue in the future and since they are not idiots, they already have several security improvements in the works, including MAC and application signing frameworks. Now look at Windows. If security is a problem for users (which it has been for years) what happens? Very little. MS has little motivation as they know most of their customers have no other choice. They are locked in by file formats, applications, closed protocols, and simply by the fact that most users can't get anything else from the local Walmart. As a result, they do very little to actually solve the security problem and instead capitalize upon the market for malware detection. This benefits Apple, in that it provides a big, shiny target to attract malware writers.

    You have to realize that MOAB isn't an unwarranted attack against Apple. It's backlash for years of flaky technical support, deceitful practices and arrogance on the part of the Mac community in general.

    Bullshit. The MoAB is quite simply an attempt to profit by making a name, from a couple of disreputable and unethical "researchers." It has nothing to do with Apple's "deceitful practices" whatever you think those are. It is a couple of guys trying to cash in on publicity at the expense of both Apple and the the users. In my experience Apple has always been professional and responsive to security issues and bugs, and progressive in mitigating potential malware. They aren't on the cutting edge of security, but they are ahead of the curve.

  7. Re:This is not a "move on Apple's part" on Mac Developer Mulls Zero-day Security Response · · Score: 2, Insightful

    What Apple should be doing is developing a much more comprehensive and responsive security response group, which is lacking now.

    I've heard claims that Apple is not responsive enough before, but never any real support for those claims. They've certainly been fast enough in responding to security bugs we sent them. It would always be nice if they were faster. If they had 1000 people waiting by the phone to instantly work on any security issues that came up, and rolled them out in hours on an unstable branch, well that would be cool. I don't think it is practical though. I'd rather 980 of those people were working full time on new features instead. So how fast is fast enough? I think the measure is, does Apple solve security problems fast enough that the risk to the average user remains negligible. That is to say, do they fix bugs before worms exploiting those vulnerabilities, or widespread viruses are put in the wild? So far, they certainly seem to have done so.

    There is another piece to this puzzle as well. In normal practice a researcher finds a bug, reports it to Apple, waits a few weeks, and if they don't hear back or feel Apple is not responding, they publish it to pressure Apple. If Apple is unresponsive regularly, they might shorten that time or disclose immediately. On Apple's part, when they find out about a bug they reproduce it, find the cause, fix it, test the fix, and then publish the fix.

    What is the best way to break this process and slow it down, increasing the possibility of a worm without doing anything illegal outright? Well, you can publish bugs immediately, without giving Apple a chance to fix them, then they will be vulnerable for the whole dev/qa cycle. What if, instead of publishing them immediately you intentionally spaced them out and published one every few days? Then a normal dev/QA cycle would have to commit to skipping some of them or wait an entire month before starting the QA cycle. That would be about as good a way to maximize the window for exploitation as possible. Now take a look at the month of Apple bugs, with their lack of prior notification and their intentionally spaced publication. Gee, what a coincidence.

    I'm all for Apple improving security and doing more internal audits. I'd be happy if they openly placed a bounty on security related bugs reported to them. I'd be even more happy if they implemented widespread mandatory access controls built into the OS, and open signing framework for trust determination, and a free software repository/registration/update service managed by Apple.

    That said, I find their security responses to date, to be perfectly acceptable and I think the MoAB is sensationalist crap, run by very unethical people out to make a name for themselves without regard to the well-being of end users. They are wholly irresponsible and given that they have twice now been caught illegally using vulnerabilities they discovered, prior to publication, I hope they spend 6 months wearing little, electronic, ankle bracelets.

  8. Re:Weird definition of Neutrality on Net Neutrality and BitTorrent - No More Throttling? · · Score: 1

    Hmmmm. so, using your logic it would be OK under net-neutrality for Verizon to degrade SIP packets in favor of IAX2 packets. Oh, and by the way, Verizon uses IAX2 for their VoIP service so therefore if you're using someone else's SIP based service you're SOL. They're not discriminating against any 'person' as you so eloquently put in your message, just a protocol.

    I already addressed that, but I think you missed it. Lets go back to our analogy. I have a caucasian employee and a african american employee. It is illegal to discriminate based upon race. Suppose I, instead decide to fire all employees with brown eyes. That in itself is not illegal, since it is not an illegal form of discrimination, but if a lawyer can convince a court my purpose in so doing was to get rid of african american employees, I'm still losing the case. Likewise, if you set up a policy to remove a given profile of traffic that matches a competitor's service, if a jury can be convinced that this is an attempt to stop a competitor, instead of there being a valid reason for prioritizing one type of voice traffic over another, then I still lose the case.

    With regard to the above, it is also a technologically solvable problem. Encrypt all traffic and the network operator doesn't know what type of traffic it is... and we should all be moving that way in any case. So basically, using protocols to discriminate against people is still forbidden, provided intent can be shown, or reasonably believed by a jury. Discriminating against protocols for valid, technical reasons (VoIP suffers more from lag than bittorrent) should not be illegal, or we just stepped back 10 years with regard to traffic engineering. Net neutrality laws need to stop discrimination against specific people, by any means, but not against specific traffic types when those do not correlate to specific people or groups of people in a meaningful way. Net neutrality is to stop Verizon from discriminating against competitors and from gouging service providers via extortion. It is not supposed to make it impossible to use quality assurance to make sure phone calls over the internet are fast enough, even if it means Web pages load more slowly.

  9. Re:They don't even bother. on Net Neutrality and BitTorrent - No More Throttling? · · Score: 1

    I'm not really sure that the ISPs care that much about what protocol is generating the traffic, they just care that you're using more than your "unadvertised allotment," which is ironic given that they advertise it as unlimited service.

    Large, customer edge ISPs like Comcast can view excessive traffic users by application, but the tools they generally use for traffic shaping are directed more to find overall usage. For the most part, they pay more attention to network subsets than individual hosts anyway. I suspect you could use excessive bandwidth without being shut down provided your neighbors sent less than normal traffic.

  10. Re:Weird definition of Neutrality on Net Neutrality and BitTorrent - No More Throttling? · · Score: 1

    Read the bill!! An ISP may not block, impair, degrade, discriminate against or interfere with the ability of any person to utilize their broadband service to access, use, send, receive, or offer lawful content, applications, or services over broadband networks, including the Internet. Therefore, if my traffic, which is 100% bittorrent is in any way degraded from your traffic, which is 100% VOIP, our ISP is performing an illegal action.

    I disagree with your interpretation. If you're sending 100% bittorrent and I'm sending 100% HTTP and the ISP is giving bittorrent lower priority, that is not discriminating against a person, since they are applying the measure to everyone who happens to use a protocol. Now if you can prove their intention is to discriminate against a specific person, you might have a case, but I think you're misinterpreting. According to the law, if I have two employees, one caucasian and one african american, it is illegal to discriminate based upon race. If the african american refuses to do any work and fire them for that, I've not broken the law. the fact that they are african american just can't be the reason for the dismissal. Likewise, as I read what you have written above, the reason for the downgraded service is the type of traffic, but any given person can use any type of traffic, so if that just happens to correlate, they are still in the clear.

    I'm no legal expert, but I'm highly doubtful of your interpretation.

  11. Survey on Survey Indicates ID Theft May Be Diminishing · · Score: 3, Insightful

    We sent a survey out by e-mail asking people for their name, phone number, credit card number, SSN, mother's maiden name, and asking if they had their identity stolen in the last year. 99% of those who responded with all the info, said they hadn't, while 80% of all responses said, "I'm not falling for that again." From this we conclude only 1% of people on average have been victims of identity theft.

    ...or that could be their methodology. It is hard to say since they do not seem to have published it, effectively making this study useless marketing. That makes sense given who paid for it.

  12. Re:This may be a dumb question, but... on Net Neutrality and BitTorrent - No More Throttling? · · Score: 3, Interesting

    Using QoS on bittorrent is akin to my phone company telling me what I can discuss on the phone. In the end it should only matter how much bandwidth you use.

    This isn't so, in general. QoS restricts traffic by type. So throttling bittorrent and prioritizing Web traffic is more like making sure regular voice on phones has priority over text messages, where that speed is less critical. The basic idea of QoS as it was initially conceived was to insure VoIP and video conferences did not lag, at the expense of a Web page loading a little more slowly or a bittorrent downloading a bit more slowly yet. This can be misused, say by degrading service on the ports used for one type of VoIP, and not on another, when your competitor offers their service on the one you're degrading. In general, however, encrypting packets makes this less important.

    What is a real concern and needs to be addressed by net neutrality legislation is assigning quality of service that is different for the same traffic type, but for a different origin. Assume everyone moves to strongly encrypted packets and network operators have no idea what is in a given packet. That still doesn't stop them from assigning higher priority to packets that originate from their own VoIP servers and low priority to packets transiting their network from an origin that hosts their competitor's VoIP service. Worse yet, it does not stop some network operator who has no relationship with anyone but peering networks from going to Google and telling them all packets originating from Google's IPs are going to be set to a a lower priority than packets coming from MSN and Yahoo, unless Google is willing to pay an extra fee, and then going and doing the same thing to MSN, then Yahoo. Net neutrality with regard to who, rather than what, is a lot more important, in my opinion, than this focus on traffic types. I fear it is being overlooked in the discussion of this topic in the news and what that bodes for the resultant litigation.

  13. Re:This may be a dumb question, but... on Net Neutrality and BitTorrent - No More Throttling? · · Score: 2, Interesting

    My two cents says that it's none of my ISPs business what my packets contain. It may be their business how much bandwidth I use -- but it shouldn't matter if that bandwidth is VoIP, bittorrent, HTTP or a VPN. 100GB is 100GB regardless of what protocol generated the traffic.

    Agreed, but net neutrality is about something more important than the type of traffic, it is the source of traffic. Large network operators have an interest in throttling traffic types, especially if they offer a VoIP service using one protocol and you're using another. They don't, however, need to know what is in your packets if they know the originating AS happens to be their competitor. They can just degrade all the packets to and from that AS that match the profile to insure their own offering is more reliable. They can threaten to slow traffic to any given web service and not their competitor unless that service provider pays up. In my opinion, stopping that is the important part of net neutrality, more so than packet contents, since we can and should all be moving to ubiquitous encryption anyway.

  14. Re:Here's an idea on Net Neutrality and BitTorrent - No More Throttling? · · Score: 4, Interesting

    How about before the ISPs even think of throttling down BitTorrent or any other type of traffic - they make even a casual effort to throttle back the 95% of email that is spam?

    Why? Spam doesn't take up a significantly large portion of internet traffic and is a lot harder to separate out of the mix, than bittorrent. Even zombies performing DDoS attacks don't generally make up much of the overall internet traffic, although the spikes they create are problematic.

    In reality, a number of large network operators don't want network neutrality. They want the opportunity to offer services and make sure competitors are unable to compete. They want to shake down companies individually by threatening to degrade their service and not their competitor's. They care about money; no hypocrisy there.

  15. Re:This may be a dumb question, but... on Net Neutrality and BitTorrent - No More Throttling? · · Score: 1

    Classifying network traffic based only on the port went out the window well over 5 years ago when modern packet shapers came to the market which were able to analyze the very contents of packets and classify them based on the type of service they contained rather than the port they used.

    This is true to some degree, but only for smaller links. Even random sampling of packets within larger links in order to analyze the traffic is really, really expensive. For the most part traffic engineering and shaping within large networks, like tier 1 ISPs, still relies primarily upon protocol and port, with some matching for ephemeral(negotiation) ports and data channel ports. Very little large scale shaping relies upon deeper packet inspection.

  16. Weird definition of Neutrality on Net Neutrality and BitTorrent - No More Throttling? · · Score: 1

    All the net neutrality stuff I saw was aimed at keeping companies from discriminating based upon the source of traffic, not the type. What does it matter if you throttle or shape or prioritize bittorrent traffic (or traffic on any given port) so long as you apply it equally to all traffic in your network. The idea is to keep network operators from extorting some customers or degrading some service offered by a competitor. So long as they treat all bittorrent traffic the same how are they not being neutral?

  17. Re:The Real Agenda of this Article? on Remote Exploit of Vista Speech Control · · Score: 1

    I'd name mine HAL, but that might cause even worse trouble.

    Amusingly enough my old computer had the audio command, "computer shutdown" aliased to play a sound byte, "I'm afraid that's something I cannot allow to happen, dave" from the movie. Inevitably someone would be smart ass and try it while we were hanging out. The only real problem I had was that the speech recognition would mistake a lot of different commands for "start mozilla" for some reason, and on a 66Mhz machine with 16 meg of ram, that took a minute and a half.

  18. Re:The Real Agenda of this Article? on Remote Exploit of Vista Speech Control · · Score: 1

    Except that it will never match.

    Then the exploit won't work either, so you have no problem.

    Think of it this way:

    1. Process audio to speakers and try to recognize commands.
    2. Make a list of commands as they appear.
    3. Process audio coming in microphone and try to recognize commands.
    4. Compare commands in the two lists, if they match, drop them, otherwise execute.

    For instance, the mic may not pick up any of the low frequencies due to location of a subwoofer, quality of speakers, sound absorbers (carpet, etc.). So in order to match the output to the input, you need to allow for these factors and by the time that you give yourself enough of a margin, you've in effect taken out all functionality.

    I takes much, much, much less than a second for any effective reflection of sound to occur in a normal setting where the sound is still going to recognizable to the mic.

    Sure, it's fun to bash MS here on slashdot. Just don't let reality get it the way.

    Reality? MS's solution doesn't even have the basic security feature my Mac OS 7 box did over a decade ago. They deserve a good thrashing for this, even if it is not a serious security issue for most people.

  19. Re:It is the general Linux Comunity fault. on 10 Years of Pushing For Linux — and Giving Up · · Score: 2, Insightful

    This is the customer not caring about fault, and only caring about getting things working.

    True. If you want things to work you can use Linux and other vendors except Microsoft, or you can use Microsoft and no other vendors. If you use both MS, will break things. The problem is when someone complains that Linux is unworkable because they can't work with a particular MS proprietary thing. That is what the statement above mentioned. Just because it is a customer doesn't make their assertion any more correct.

  20. Re:It is the general Linux Comunity fault. on 10 Years of Pushing For Linux — and Giving Up · · Score: 1

    But let's face the truth. Beyond running as a server of some sort where it does one thing and does it will, Linux just stinks and most of the community doesn't want to admit there is a problem and let alone fix it.

    The problems described are almost all problems with Microsoft products, not Linux. You can't get Exchange working with Linux? Really? Considering MS intentionally tries to make sure that is the case and has lost two criminal cases to that effect, this is not surprising. What is surprising is that anyone would assume you can use Linux and Exchange. Now try setting up an environment with no MS components and using Linux for all the tasks and see how it works. Gee when you don't have someone sabotaging compatibility, you don't have the same problems. What a surprise.

    Now I'll be the first to admit Linux has some real problems on the desktop. I'm very vocal about taking people who deny Linux's deficiencies to task, especially when they blame users or simply don't know enough about other OS's to know what they're talking about. The thing you have to understand is Linux is not Windows and is not a drop in replacement. The development, deployment, and support is drastically different and optimized for different markets. If you want to use Linux in the enterprise, it can certainly be done, you just have to do it all the way and deploy is pervasively with real deployment and support from a reputable company. You also have to be willing to pay for these services. Linux saves money in the long term, but trying to be a cheapskate and getting a Windows guy to try to roll out a deployment is moronic.

    This attitude has limited Linux's growth. Let's face it, Companies actually want to migrate to Linux and get off all the problems with Microsoft but they are not going to go 10 years back in technology and loose[sic] features they come to enjoy.

    What features do you lose by moving to an all Linux environment instead of an all Windows one? No seriously, I'm curious.

    So if they can't run all their old apps there is a loss in information...

    Information is data. Applications are a means to access data. You don't need the same applications to access the same data, you just need a loss less transition path. Build this into a migration strategy. Keeping old application available during a migration is a great idea, but designing an architecture to run Windows apps on Linux is absurd in the long term.

    We need more developers for Linux and Linux applications who openly say Linux Sucks, that way we can get better tools especially for business use.

    No, we need more customers for Linux that say Linux sucks and are willing to pay to change that. No one else really know the customer's needs. The whole concept of Linux is all the players contribute what they need and the end result is cheaper for everyone.

    But right now the majority of the OSS developers are like Linux is Coolest and most noble system on earth.

    Right now most Linux developers are developing Linux for a server environment. They know it isn't perfect for that, but they are also constantly making it better and is is already better than most of what else is available. The people you refer to are the zealots. They are a small, vocal minority sold on the ideals of Linux, but who don't know a lot about the practical aspects. Linux makes a poor desktop system for many users, but most developers don't care because that is not their use for it.

  21. Re:This puts a grin on my face. on Teen Accuses Record Companies of Collusion · · Score: 1

    I'll consider donating to the ACLU when they stop paying to defend terrorists. I'm not having my money spent on that shit.

    You link to Fox News as a source? I'm pretty sure Fox "News" stopped being a credible source in February of 2003 when they went to court in Florida and argued that they have no legal responsibility to not intentionally lie to their viewers and should be allowed to fire employees (Jane Akre) that won't go on air and say things that everyone in the room knows are factually incorrect. Fox is right, they don't have a legal obligation to tell the truth, but why anyone would ever believe anything they ever said again baffles me. They aren't news, and they don't even pretend to be telling the truth. Anyone who references them as a source demolishes their credibility. In future please link to reputable sources.

  22. Re:A Whole Decade of Nothing on Remote Exploit of Vista Speech Control · · Score: 1

    I can offer you this meta-rule, though: If it were so easy, it would already have been done. Many things that I see people posting on Slashdot about "Why don't they just do this thing?" are covered by this rule.

    It's entirely possible this has been done. I haven't used voice recognition software in many, many years. Theoretically it is possible, and it was needed a decade ago. I don't think your rule applies to Microsoft, by the way. They frequently ignore the state of the art in an industry, especially where security and usability are concerned, and just go ahead an made a 1.0 version that is useless crap. This could easily be one of these cases. It is also possible that since voice recognition is useful for three areas (control method, authentication, and dictation) and noise cancellation is mostly important for the first one, that no research has really gone into this, like many other areas of OS research. If there is only one company that can bring their OS to market, and they don't research an area, it probably doesn't get done.

  23. Re:The Real Agenda of this Article? on Remote Exploit of Vista Speech Control · · Score: 1

    I would assume that most people would call their computer "Computer" and you could still exploit.

    Make naming the computer part of the install process and provide no default. This is useful for other things as well.

    ...basically you are talking about echo cancellation. That seems plausible to me, and on modern computers the hit on peformance would be fairly low. Do you know of any packages which incoporate this?

    My experience with voice recognition was ages ago. I wrote an article in the 90s saying this was a must have feature to make voice recognition workable, and I'm sure someone else must have realized the same thing by now. Maybe the commercial dictation software uses this by now? I don't know.

  24. Re:A Whole Decade of Nothing on Remote Exploit of Vista Speech Control · · Score: 1

    The sound that is output by the computer sounds similar to us when re-received through the mic and played back, but to the computer it's a totally alien waveform. A lot of distortion happens between when the computer sends a digital signal to the sound card and when it receives an analog signal from your microphone - so basically, the computer may know what it's playing, but it has very little idea how it'll sound when it reaches the mic.

    If the computer can predict how various phonetics will sound coming from me, it should be able to filter phonetics from someone else issuing commands with reasonable tolerance. It should either fail to recognize the voice from the exploit, or be able to filter the voice from the exploit, one way or another. More generically, I've used noise cancellation technologies and they certainly can filter 75% of a musical performance or some-such, which is enough to greatly improve the accuracy of identifying the remaining input and probably make this exploit fail.

    Of course, the obvious low-tech solution to this issue is to wear headphones, as people in recording studios have for decades.

    If I'm wearing headphones (which I hate doing) I'm in front of my computer. If I'm in front of my computer, I'll type it as that is faster and more accurate.

    A simpler solution to mitigate the problem is to require the user to address the computer specifically. On Star Trek they say, "computer, what time is it." On my ancient Mac OS 7 box I issued the exact same command until I changed the string "computer" to be the hostname, which was more specific. If you say, "Bob, what time is it." Your computer can answer and it doesn't accidentally open a bunch of Web pages when you answer the phone (unless someone called "Bob" called you). When an exploit writer is embedding a malicious command, he doesn't know my computer's name and the chances it will execute right after I say the computer's name, but while I'm not making it unrecognizable by saying some other command, is pretty small.

  25. Re:The Real Agenda of this Article? on Remote Exploit of Vista Speech Control · · Score: 4, Informative

    All voice recognition software, no matter what platform, would suffer from this supposed "exploit". So why this article on Vista specifically?

    This is untrue. Speech recognition software can be made to filter out anything coming in the mic that matches something going out the speaker channel. More simply, you can simply require all commands be preceded with an arbitrary word (like the computer's name). Call you computer "George" and then issue the command "George, kill dash nine star dot star." As opposed to "kill dash nine star dot star." Since the exploit writer won't know to include "George" their exploit fails almost all the time. This was a feature of MacOS 7, more than a decade ago, as I mentioned elsewhere.

    Also, if the voice recognition software is trained for a specific user's voice, the chances of an exploit are reduced.

    Depending upon the tolerance, this is entirely possible, but I don't see it as being as important or versatile as the other two methods I listed above. MS should have learned from the example of others.