Mimsy Were the Borogoves

Hacks: Articles about programming in Python, Perl, PHP, and whatever else I happen to feel like hacking at.

Vista shout hack highlights Mac differences?

Jerry Stratton, March 1, 2007

Here’s one for the hack files that’s really a hack. I started following the Vista Not-a-Shout Hack news a couple of weeks ago because I wanted to see if Mac OS X was vulnerable to the same thing, since the Mac has had speech recognition for special commands for just about forever.

But the weird thing about this hack is how “unlikely” it is on Windows. Why, the computer would have to have speakers and a microphone installed! And the user would have to manually play the audio! This meme kept popping up as I was reading about the hack:

On Microsoft’s Security Response Center Blog, Adrian writes:

Additionally the system would need to have speakers and a microphone installed and turned on.

Paul F. Roberts on InfoWorld writes that the impact will be small, because:

Vista users would need to have the speech recognition feature enabled and have a microphone and speakers connected to their system.

Paul also doesn’t think that Windows web browsers can play audio:

Successful attackers would need to be physically present at the machine, or figure out a way to trick the computer’s owner to download and play an audio recording of the malicious commands.

Angela Gunn at ComputerWorld tries to write hers in coolspeak and ends up sounding like your grandfather trying to hit on a 12-year-old in MySpace, but offers the same lines inside the calmdown:

But the "shout hacking" vuln sounds less like something that ought to concern a reasonable manager (or user) and more like a one-person game of Twister. Let’s see: If speech recognition is enabled, and if the user has a mike and speakers hooked up, and if you can either get access to the machine or convince the user to play your audio file, and if you can do all this without anyone noticing a sufficiently loud “shout hack” in progress…

We can be certain that Angela does not try to hit on 12-year-olds on MySpace, because if she ever visited MySpace she’d know that modern web browsers actually do play audio without requiring the user to download it first.

Just thinking about the last time I visited MySpace, I’m beginning to think that browsers lacking support for audio is a great feature.

CyberNetNews writes:

A few things would have to be in line for an attacker to be able to do anything harmful. First, you’d have to have a microphone and speakers connected to your system. Remember, this is a verbal attack. And secondly, you’d also need speech recognition to be configured. The odds of this actually happening are probably very slim…

Scott M. Fulton at BetaNews writes that Microsoft recommends that users disconnect their microphone and speakers:

Yesterday, Microsoft responded to Ou with a confirmation of the security hole’s existence, but noted that any exploit would be limited to users who “have a microphone and speakers connected to their system.” The company suggested that users could protect themselves from the exploit by disconnecting their microphone and speakers, or by simply not using speech recognition.

Right, I mean, who needs a microphone or speakers?

Yes, it’s technically true that, for this hack to work, the computer needs a microphone and speakers. It’s just as true that it would need a CPU and a power source. I’m assuming here that Windows computers don’t really come without basic functionality. Are these writers completely out of touch with what comes as a basic part of computer systems nowadays? Or are they just regurgitating Microsoft’s press release?

Another meme is that it’s unlikely because the user would hear it happening as long as they are at their computer. And if they’re not at their computer, why would it be on?

Because it’s not like people will use Vista for listening to iTunes over AppleTV, or use their computer to wake them up in the morning, or set Photoshop or a 3D application to work on a file while they take a shower.

I’d say that during my computer’s active time, I’m only at the computer, at most, 50% of the time. The rest of the time I’m letting POV-Ray render an image, listening to iTunes in another room, or lying in bed listening to iTunes wake me up in the morning. I don’t want to have to rush to my computer to… do what, exactly? Once the command is spoken, how do I stop it?

I understand that journalism today is a lot of copy and paste, but still, I’d expect better of people writing about computers on the very system they’re writing about.

Or are they all using Macs?
