lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Fri, 2 Feb 2007 12:15:20 -0500
From: "James Matthews" <nytrokiss@...il.com>
To: "Thierry Zoller" <Thierry@...ler.lu>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Vista Speech recognition

This is great!

On 2/2/07, Thierry Zoller <Thierry@...ler.lu> wrote:
>
> ---------------------------------------------------------------
> Posting of your message titled "Re[2]: [Dailydave] Vista speach
> recognition"  has been rejected by the list moderator.
> The moderator gave the following reason for rejecting
> your request: "No reason given"
> ---------------------------------------------------------------
>
> Dear George,
>
> With all due respect, I think you are crying wolf a tad bit too much.
> Speech recognition is inherently unreliable, (btw remember the
> presentation
> they gave?). Since you deem the problem as remotely exploitable,let's
> ignore
> for one that I have to actively browse to a website and as such be
> physically
> in front of the PC and assume we use XSS to zombie the browser and play
> the
> audio 5 minutes later.  Then we assume there is not too much background
> noise, assume the audio level is ok, assume the microphone is on,
> assume Speech recognition is used, assume audio is on, and so forth.
>
> Too many assumption to make it a real risk for me remotely, sorry. That's
> my personal opinion. Is is a vulnerability ? Yes. Is it likely to work
> 100% like a good crafted exploit? No
>
> GO> So
> GO> I'm asking Microsoft to reconsider their stance that "there is little
> if any
> GO> need to worry" and implement some sort of safety mechanism rather than
> GO> relying on the user to be self vigilant.  It doesn't matter that there
> GO> aren't that many people using this feature; Microsoft should fix it if
> GO> they're going to offer it and market it as a key Vista advantage.
> I have not read they don't plan to, it's just that .. well they don't
> consider it an emergency, and I can understand. The thing is they have
> a different scale than you, the next wormable exploit is something
> they worry about, an exploit that immediately might compromise a system
> is something I think they rate as Important, this thing is exploitable
> only if X+n conditions are met, if x+n assumptions are made. I don't
> say it's not a problem, I say the probability of it being a problem
> for a defined person is low to very low.
>
> GO> Since
> GO> Microsoft is promoting Voice recognition for healthcare, we should
> consider
> GO> the safety of patient health records.
> [X] Hysteria
>
> GO> At present time, Vista Speech Recognition wakes up to the command
> "start
> GO> listening".  How hard would it be for Microsoft to make that a
> GO> user-definable phrase or word?  For example: A user would pick "Zelda"
> as
> GO> the word to wake speech mode while someone else picks "439" as their
> wake
> GO> word.  How hard would it be for Microsoft to implement a wake timeout
> so
> GO> that Speech Recognition would sleep after 5 minutes idle?
> I haven't seen any mention that they don't plan to do so, maybe I have
> not read everything. My opinion: they will implement this, BUT hopefully
> make it an option.
>
> GO> I'm also running a poll at the end asking if Microsoft should patch
> this
> GO> with a pass phrase and echo cancellation.
> Why would that make sense? People will vote  for a fix.
>
>
> --
> http://secdev.zoller.lu
> Thierry Zoller
> Fingerprint : 5D84 BFDC CD36 A951 2C45  2E57 28B3 75DD 0AC6 F1C7
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>



-- 
http://www.goldwatches.com
http://www.wazoozle.com

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ