Vista voice control
-
I thought this[^] was interesting. It essentially says that if you have enabled voice control, then sound coming out of the speakers and being picked up by the mic could control the pc (uac permitting). Imagine a "virus" being distributed as a podcast! "Hello, welcome to my podcast. Format C:, Yes I'm sure" :)
ChrisB ChrisDoesDev[^]
Have to say I prefer your repost. I would never have read Brad's link as security generally doesn't interest me and his post had no info that would make me follow the link.
regards, Paul Watson Ireland & South Africa
Shog9 wrote:
I don't see it happening, at least not until it becomes pointless.
-
David Wulff wrote:
Surely if you have a keyboard attached to your PC then you have exactly the same level of risk?
Surely only if you're onsite. The example given in the link is having someone at the other end of a webcam. You wander off to find something, and come back to find that they've been using their voice to control your pc. (Launch remote support or similar maybe? - perhaps I'm getting carried away) I'm beginning to imagine "youths" (yoofs) running into internet cafe's and shouting "Shutdown" as a modern day prank.:-D
ChrisB ChrisDoesDev[^]
In order to present a problem, you will need to: a) disable all of Windows' inbuilt security features, i.e. UAC, and b) configure the system for voice recognition and train it for your attackers voice. I don't see that as any different from having someone physically at your PC from a risk position -- people have to take responsibility for their own actions, you can't blame everything on someone else.
Ðavid Wulff What kind of music should programmers listen to?
Join the Code Project Last.fm group | dwulff
I'm so gangsta I eat cereal without the milk -
In order to present a problem, you will need to: a) disable all of Windows' inbuilt security features, i.e. UAC, and b) configure the system for voice recognition and train it for your attackers voice. I don't see that as any different from having someone physically at your PC from a risk position -- people have to take responsibility for their own actions, you can't blame everything on someone else.
Ðavid Wulff What kind of music should programmers listen to?
Join the Code Project Last.fm group | dwulff
I'm so gangsta I eat cereal without the milkDavid Wulff wrote:
people have to take responsibility for their own actions, you can't blame everything on someone else.
I quite agree, but I can imagine my dad (for example, or any other non techie) turning on voice control (because he's used to telling his secretary what to do, and the computer is just a version of that:) ), and being left vulnerable to this flaw without realising. You can only take responsibility for your actions if you are aware of the consequences. If there was a suitable warning when turning it on, then fair enough.
David Wulff wrote:
b) configure the system for voice recognition and train it for your attackers voice.
How long is it going to be before someone figures out the right generic vocal tones (rather than actual voice commands) to perform actions on a pc. Now that you can have sound auto playing when you visit a web page, there's all sorts of dodgy stuff you could do. As an aside, I'm now imagining the fun you could have with a colleages computer. 5 mins access to their computer and you could train it to shutdown everytime you ask them if they want a coffee. :)
ChrisB ChrisDoesDev[^]
-
Have to say I prefer your repost. I would never have read Brad's link as security generally doesn't interest me and his post had no info that would make me follow the link.
regards, Paul Watson Ireland & South Africa
Shog9 wrote:
I don't see it happening, at least not until it becomes pointless.
-
Well fine then, have you opinion.
Brad Australian - Christian Graus on "Best books for VBscript" A big thick one, so you can whack yourself on the head with it.
I'm just picking on you. ;)
regards, Paul Watson Ireland & South Africa
Shog9 wrote:
I don't see it happening, at least not until it becomes pointless.
-
I'm just picking on you. ;)
regards, Paul Watson Ireland & South Africa
Shog9 wrote:
I don't see it happening, at least not until it becomes pointless.
-
Somehow I may just recover
Brad Australian - Christian Graus on "Best books for VBscript" A big thick one, so you can whack yourself on the head with it.
Sure you will, you're an Aussie, I could throw anything at you and you'd recover. Part of being an Aussie I reckon.
regards, Paul Watson Ireland & South Africa
Shog9 wrote:
I don't see it happening, at least not until it becomes pointless.
-
Sure you will, you're an Aussie, I could throw anything at you and you'd recover. Part of being an Aussie I reckon.
regards, Paul Watson Ireland & South Africa
Shog9 wrote:
I don't see it happening, at least not until it becomes pointless.
-
David Wulff wrote:
people have to take responsibility for their own actions, you can't blame everything on someone else.
I quite agree, but I can imagine my dad (for example, or any other non techie) turning on voice control (because he's used to telling his secretary what to do, and the computer is just a version of that:) ), and being left vulnerable to this flaw without realising. You can only take responsibility for your actions if you are aware of the consequences. If there was a suitable warning when turning it on, then fair enough.
David Wulff wrote:
b) configure the system for voice recognition and train it for your attackers voice.
How long is it going to be before someone figures out the right generic vocal tones (rather than actual voice commands) to perform actions on a pc. Now that you can have sound auto playing when you visit a web page, there's all sorts of dodgy stuff you could do. As an aside, I'm now imagining the fun you could have with a colleages computer. 5 mins access to their computer and you could train it to shutdown everytime you ask them if they want a coffee. :)
ChrisB ChrisDoesDev[^]
Just nitpicking here, but there is no 'Shutdown' command. I just tried it on my machine to see what the fuss is about and I can't get it to shutdown from the menu either. The closest I've got is 'start, click run, delete that, shutdown space forward-slash s, enter'. You can do it with the mousegrid too, but only if the start button is in the lower left corner. This is fun.
Ðavid Wulff What kind of music should programmers listen to?
Join the Code Project Last.fm group | dwulff
I'm so gangsta I eat cereal without the milk -
Just nitpicking here, but there is no 'Shutdown' command. I just tried it on my machine to see what the fuss is about and I can't get it to shutdown from the menu either. The closest I've got is 'start, click run, delete that, shutdown space forward-slash s, enter'. You can do it with the mousegrid too, but only if the start button is in the lower left corner. This is fun.
Ðavid Wulff What kind of music should programmers listen to?
Join the Code Project Last.fm group | dwulff
I'm so gangsta I eat cereal without the milkDavid Wulff wrote:
there is no 'Shutdown' command.
Can't you stick that in a batch file and associate it with a voice command? (part of the 5 mins with the colleagues computer). I've just pulled the hard drives out of my vista box, so I can't experiment at the moment. I was more hypothesising than basing my ideas on fact.
David Wulff wrote:
This is fun.
:-D
ChrisB ChrisDoesDev[^]
-
David Wulff wrote:
there is no 'Shutdown' command.
Can't you stick that in a batch file and associate it with a voice command? (part of the 5 mins with the colleagues computer). I've just pulled the hard drives out of my vista box, so I can't experiment at the moment. I was more hypothesising than basing my ideas on fact.
David Wulff wrote:
This is fun.
:-D
ChrisB ChrisDoesDev[^]
You can use a number grid too. -- modified at 8:55 Thursday 1st February, 2007 Only the number for the shutdown popup is not fixed, it varies depending on how many items are on your start menu list.
Ðavid Wulff What kind of music should programmers listen to?
Join the Code Project Last.fm group | dwulff
I'm so gangsta I eat cereal without the milk -
I thought this[^] was interesting. It essentially says that if you have enabled voice control, then sound coming out of the speakers and being picked up by the mic could control the pc (uac permitting). Imagine a "virus" being distributed as a podcast! "Hello, welcome to my podcast. Format C:, Yes I'm sure" :)
ChrisB ChrisDoesDev[^]
Hi Chris, Its easy to see your interest in the idea and I had fun thinking about it too. :) I do have a problem with that article; it was sensationalist garbage. It's good to see everyone here (and many who posted in response) know how to take it. Why not take it a step further? I'm going to write up an article suggesting to remove the phones next to peoples' desks. Someone might call and give them bad instructions. We can call it the "command recognition audio proxy speech vulnerability" or just the CRAPS vulnerability. :-D Ed
-
In order to present a problem, you will need to: a) disable all of Windows' inbuilt security features, i.e. UAC, and b) configure the system for voice recognition and train it for your attackers voice. I don't see that as any different from having someone physically at your PC from a risk position -- people have to take responsibility for their own actions, you can't blame everything on someone else.
Ðavid Wulff What kind of music should programmers listen to?
Join the Code Project Last.fm group | dwulff
I'm so gangsta I eat cereal without the milkDavid Wulff wrote:
b) configure the system for voice recognition and train it for your attackers voice.
Do you really still have to do this on Vista? My telephone has voice dialling/commands with no training - you just set your chosen language and speak any name in the address book! And it works very well - as well as the old version where you had to store a sample of you speaking any name you wanted voice reognition for. Rich
-
I thought this[^] was interesting. It essentially says that if you have enabled voice control, then sound coming out of the speakers and being picked up by the mic could control the pc (uac permitting). Imagine a "virus" being distributed as a podcast! "Hello, welcome to my podcast. Format C:, Yes I'm sure" :)
ChrisB ChrisDoesDev[^]
:laugh:
Chris Buckett wrote:
Hello, welcome to my podcast. Format C:,
Did you forget that drives that are in use can not be formatted?
Life is nothing but an individuals perception of an immortals dream. - ME
-
:laugh:
Chris Buckett wrote:
Hello, welcome to my podcast. Format C:,
Did you forget that drives that are in use can not be formatted?
Life is nothing but an individuals perception of an immortals dream. - ME
Antony Clements wrote:
Did you forget that drives that are in use can not be formatted?
Yes, I did forget, (but i was being a little facetious just to make the point :)).
ChrisB ChrisDoesDev[^]
-
In order to present a problem, you will need to: a) disable all of Windows' inbuilt security features, i.e. UAC, and b) configure the system for voice recognition and train it for your attackers voice. I don't see that as any different from having someone physically at your PC from a risk position -- people have to take responsibility for their own actions, you can't blame everything on someone else.
Ðavid Wulff What kind of music should programmers listen to?
Join the Code Project Last.fm group | dwulff
I'm so gangsta I eat cereal without the milkDavid Wulff wrote:
I don't see that as any different from having someone physically at your PC from a risk position -- people have to take responsibility for their own actions, you can't blame everything on someone else.
This is the difference between word recognition and voice recognition. I think that Microsoft would opt for the word recognition because it makes things easier to use for every user of that system.
Life is nothing but an individuals perception of an immortals dream. - ME
-
Hi Chris, Its easy to see your interest in the idea and I had fun thinking about it too. :) I do have a problem with that article; it was sensationalist garbage. It's good to see everyone here (and many who posted in response) know how to take it. Why not take it a step further? I'm going to write up an article suggesting to remove the phones next to peoples' desks. Someone might call and give them bad instructions. We can call it the "command recognition audio proxy speech vulnerability" or just the CRAPS vulnerability. :-D Ed
Ed Preston wrote:
sensationalist garbage
Oh yes, but behind most sensationalism there's usually a grain of truth.
Ed Preston wrote:
the CRAPS vulnerability
Something that goes along with the job description :-D? At my last job I was fortunate enough not to have a phone :) (still had msn and email though :()
ChrisB ChrisDoesDev[^]
-
Just nitpicking here, but there is no 'Shutdown' command. I just tried it on my machine to see what the fuss is about and I can't get it to shutdown from the menu either. The closest I've got is 'start, click run, delete that, shutdown space forward-slash s, enter'. You can do it with the mousegrid too, but only if the start button is in the lower left corner. This is fun.
Ðavid Wulff What kind of music should programmers listen to?
Join the Code Project Last.fm group | dwulff
I'm so gangsta I eat cereal without the milkDavid Wulff wrote:
Just nitpicking here, but there is no 'Shutdown' command.
There is actually a shutdown command line in every windows version to date. In XP it was called oddly enough, Shutdown. I'm not going to touch Vista for at lerast 6 months, probably closer to a year. But it still has a shutdown command line, it's just a matter of knowing what it is called. Shutdown from the start menu makes a remote call to this .EXE so it is entirely possible to write a snippet of code for example that runs in the background that will shut the system down when it hears a certain word. I have, just for the fun of it, a small .EXE that shells out the shutdown .EXE with an immediate forced shutdown without any warning of any kind.
Life is nothing but an individuals perception of an immortals dream. - ME
-
Antony Clements wrote:
Did you forget that drives that are in use can not be formatted?
Yes, I did forget, (but i was being a little facetious just to make the point :)).
ChrisB ChrisDoesDev[^]
Chris Buckett wrote:
Yes, I did forget, (but i was being a little facetious just to make the point ).
Never the less... it will still be a fun prank. :laugh:
Life is nothing but an individuals perception of an immortals dream. - ME
-
David Wulff wrote:
there is no 'Shutdown' command.
Can't you stick that in a batch file and associate it with a voice command? (part of the 5 mins with the colleagues computer). I've just pulled the hard drives out of my vista box, so I can't experiment at the moment. I was more hypothesising than basing my ideas on fact.
David Wulff wrote:
This is fun.
:-D
ChrisB ChrisDoesDev[^]
Removing your hard drives is one way to increase security, but isn't that going to the extreme? How do you get any work done?:laugh: