| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 2 Feb 2007 16:23:24 +0100 From: Thierry Zoller <Thierry@...ler.lu> To: full-disclosure@...ts.grok.org.uk Subject: Re: Vista Speech recognition --------------------------------------------------------------- Posting of your message titled "Re[2]: [Dailydave] Vista speach recognition" has been rejected by the list moderator. The moderator gave the following reason for rejecting your request: "No reason given" --------------------------------------------------------------- Dear George, With all due respect, I think you are crying wolf a tad bit too much. Speech recognition is inherently unreliable, (btw remember the presentation they gave?). Since you deem the problem as remotely exploitable,let's ignore for one that I have to actively browse to a website and as such be physically in front of the PC and assume we use XSS to zombie the browser and play the audio 5 minutes later. Then we assume there is not too much background noise, assume the audio level is ok, assume the microphone is on, assume Speech recognition is used, assume audio is on, and so forth. Too many assumption to make it a real risk for me remotely, sorry. That's my personal opinion. Is is a vulnerability ? Yes. Is it likely to work 100% like a good crafted exploit? No GO> So GO> I'm asking Microsoft to reconsider their stance that "there is little if any GO> need to worry" and implement some sort of safety mechanism rather than GO> relying on the user to be self vigilant. It doesn't matter that there GO> aren't that many people using this feature; Microsoft should fix it if GO> they're going to offer it and market it as a key Vista advantage. I have not read they don't plan to, it's just that .. well they don't consider it an emergency, and I can understand. The thing is they have a different scale than you, the next wormable exploit is something they worry about, an exploit that immediately might compromise a system is something I think they rate as Important, this thing is exploitable only if X+n conditions are met, if x+n assumptions are made. I don't say it's not a problem, I say the probability of it being a problem for a defined person is low to very low. GO> Since GO> Microsoft is promoting Voice recognition for healthcare, we should consider GO> the safety of patient health records. [X] Hysteria GO> At present time, Vista Speech Recognition wakes up to the command "start GO> listening". How hard would it be for Microsoft to make that a GO> user-definable phrase or word? For example: A user would pick "Zelda" as GO> the word to wake speech mode while someone else picks "439" as their wake GO> word. How hard would it be for Microsoft to implement a wake timeout so GO> that Speech Recognition would sleep after 5 minutes idle? I haven't seen any mention that they don't plan to do so, maybe I have not read everything. My opinion: they will implement this, BUT hopefully make it an option. GO> I'm also running a poll at the end asking if Microsoft should patch this GO> with a pass phrase and echo cancellation. Why would that make sense? People will vote for a fix. -- http://secdev.zoller.lu Thierry Zoller Fingerprint : 5D84 BFDC CD36 A951 2C45 2E57 28B3 75DD 0AC6 F1C7 _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists