Am I the only one
Who thinks this exploit would be more fun if used to subtly compromise the AR view through the glasses and turn fugly people pretty, milk into beer etc etc.
A security flaw discovered in Google Glass ultimately allowed miscreants to eavesdrop on the wearer's wireless internet connection - using just a QR code. Mobile security firm Lookout discovered that the techno goggles automatically processed QR codes present anywhere in photographs captured by the built-in camera. The …
All together now, one more time: Glasses do not make an "AR view". They do not fully superimpose over your entire vision. You get a screen in the upper-right portion of your visual field, where the display device sits. It is not physically capable of changing the things you see around you; it could only display a modified version in one small portion of your vision.
All together now, one more time: Glasses do not make an "AR view". They do not fully superimpose over your entire vision. You get a screen in the upper-right portion of your visual field, where the display device sits. It is not physically capable of changing the things you see around you; it could only display a modified version in one small portion of your vision.
This is true now, but it may not always be so.
In several SciFi stories, a robot or android gets "pwn3d" simply by looking at some picture, or listening to some sound. I always said to myself "who in their right mind would design a system that would treat untrusted input from the environment as executable instructions?"
I remember thinking that people who thought that looking at a picture on their PC could lead to being infected by a virus... [what?] .. but Microsoft managed to make that possible.
Plenty of image-rendering libraries have had vulnerabilities that could be triggered by malicious input.1 Obviously that's exacerbated when said library is executing with excessive privilege (unavoidable on platforms with no separation of privilege, and the norm on Windows systems until UAC came along), but troublesome even without it. Microsoft is hardly the only culprit.
The simple fact of the matter is that untrustworthy input shouldn't be trusted.
1Integer overflow bugs in C code were particularly common.
who in their right mind would design a system that would treat untrusted input from the environment as executable instructions?
By this criterion a large number of programmers are not in their right minds. Of course that seems entirely plausible.
But the real problem is not so much explicitly treating untrusted input as executable - it's not handling untrusted input safely in the first place. There are far too many avenues by which malicious input can lead to arbitrary code execution, elevation of privilege, etc, even if the system doesn't treat it as executable. At least since the publication of "Smashing the Stack for Fun and Profit" (1996), if not since the Morris Worm (1988), there's been no excuse for any software developer to be ignorant of the dangers of malicious input. No excuse whatsoever.
This post has been deleted by its author
anyone else ever read Snow Crash
Strangely, no. According to Stephenson, you're the only person who's ever read it.
(Of course the mimesis in Snow Crash went the other way initially - Stephenson named the novel after his term for a failure mode on the original Mac, where garbage would be written to video memory. In other words, the novel was inspired by system failure due to mishandling incorrect input, rather than the other way around. It's a problem that goes back to the earliest days of automatic computing.)
As others have already pointed out, the real problem is that a simple QR code can reconfigure Glass in the first place.
So now you have to acknowledge that you want to access a QR code before it is scanned. How will you be able to know when you can or cannot trust a given code?
Ok, so they probably will have something like the "permissions" on App Store: "This QR Code wants access to your firmware, friends list, bank details, and sexual history. Proceed?" Once (if) Glass goes mainstream, it's going to end up in the hands (or on the temples) of the same class of user who just clicks on "Ok" whenever any dialogue box pops up.
This is going to be fun...
"grok"
Bleh.
Bad enough when this piece of sixties hipsterspeek crops up in human conversation, but to credit equipment with "groking" when the word one would normally use is "recognize" is going too far.
Next up: Why you and your friends should eat your Googlespex when these wonders of technology inevitably die.
"The word "grok" has specific blahdribbledrool etc"
And you think I am unaware of this because...?
I also know where "cyberspace" comes from, though *everyone* knows you shouldn't use that one now.
A shame we don't still have AOL to make "grok" geek-unfriendly due to over-use by the hoi-poloi.
Bleh!
@DAM - I'm with Stevie on this (in intent if not in form). I've never heard anyone use 'grok' in an actual conversation (I decline to add the suitably impressive number of years in the biz because I don't want to trigger a Jake-quake - use your imagination).
I couldn't imagine using it outside of a Heinlein riff, it would sound like a forced attempt to be cool.
That's 'hoi-poloi' not 'the hoi-poloi', the 'the' is implied.
It's "hoi polloi", no hyphen, two l's (rough-breathing, omicron, iota, space, pi, omicron, lambda, lambda, omicron, iota). And the "the" isn't implied; it's explicit. "hoi" is the Greek definite article, masculine plural nominative.
But thanks for playing.
I quite like it, but not for the reasons those who use it think. Let's just look at what Heinlein has to say about it:
....and it means as little to us (because of our Earthling assumptions) as color means to a blind man.
Or, in other words, a human using it is the exact equivalent of a five year old saying "fuck". They think it sounds big and clever, but actually have no comprehension of the real meaning.
Fairly recently we had a story about miscreants sticking their own QR codes over the real ones on advertising hoardings, to send mug punters to their bent site.
I opined at the time that, as you have no idea where a QR code goes or what it does until your device interprets it, if you have your device configured to action such without first showing what it's about to do and asking for confirmation you are low-hanging fruit and bloody asking for it.
I thought that was bleedin' obvious, but it appears that either it isn't or Google are too stupid to spot it.