Vista Speech Recognition Exploit

I saw that George Ou is reporting a remote exploit in Vista based on its Speech Control functionality, wherein a malicious sound file (for example, on a web page) can trigger arbitrary commands.

For a second, I couldn’t believe no one had thought of this exploit before – and then I remembered this old chestnut dating back to at least 1997:

At a recent Sacramento PC User’s Group meeting, a company was demonstrating its latest speech-recognition software. A representative from the company was just about ready to start the demonstration and asked everyone in the room to quiet down.

Just then someone in the back of the room yelled, “Format C: Return.”

Someone else chimed in: “Yes, Return!”

Unfortunately, the software worked.

Barcode Recognition in Flash

As part of my new year, I’ve decided to start putting more code out there earlier. I have a tendency to build projects in private, trying to get things perfect before I reveal them publicly. The end result is that I have a lot of code gathering dust in the corners of my hard drive. No more. That’s why I’m going to post one of the mini-projects I’ve been working on for the last little while: a Flash-based barcode recognition library.

I know what you’re thinking: Why the heck would anyone want to build a Flash-based barcode recognition library? Why not try the demo yourself and see! 😉

The idea is simple: allow use of a commodity webcam as a barcode reader, thus allowing users to efficiently input physical items into web-based applications. Using digital cameras as a cheap alternative to traditional barcode scanners isn’t an original idea – Delicious Library uses iSight to allow its users to input their CDs, DVDs, and other media into a personal media library. Unfortunately, that particular application is heavyweight and only available on the Mac – what I want to do is build a simple way to provide that same kind of functionality in platform-independent web-based applications.

Think of the web applications that could benefit from quick and efficient input from physical items that carry a barcode – cataloging items you own or consume to drive recommendations on sites like AllConsuming or Shelfari (or any number of other similar sites), tracking your personal property for insurance purposes, or easily selling or trading large numbers of goods on eBay, Lala, or Swaptree. And of course, I’m sure there are some other applications that I haven’t even considered.

I built the original library in Java as a proof of concept, mostly to figure out how best to reliably extract a barcode from an image. I knew it had to be fairly straightforward, as there are a number of SDKs available on the web to perform image-based barcode recognition, but I was uncertain whether a commodity webcam was up to the job. I used the cheapest webcam I could find ($20 at Best Buy) to make sure I had something that would work with even the worst hardware.

Once I had the basic algorithm for scanning an image and extracting an EAN-13 barcode, I ported the code to Flash 9 in an evening (ActionScript approximates Java). Flash was an obvious choice for a couple reasons:

  1. Cross-platform browser support: Flash has strong support across all platforms, operates in all web browsers, and is readily integrated with web-based applications. While the same is also generally true of Java, Flash is more widely deployed and is lighter weight.
  2. Native camera access: Flash provides a native API for accessing video cameras, as well as native support for manipulating bitmap and video data.
  3. Mobile support: While not strictly required, the ability to deploy this technology on mobile devices in the future would be a nice bonus. Again, not an especially original idea – Japanese cell phones have native QR barcode recognition capabilities – but a nice bonus nonetheless.

The core library is in a functioning state, with a couple of caveats:

  • EAN-13 only: The current code only decodes EAN-13 barcodes, a superset of UPC typically used to represent barcodes on books, CDs, DVDs, and other boxed goods sold by retailers. While the framework is in place to support other symbologies, I haven’t yet implemented any code to decode them, as EAN-13 covers the majority of barcodes that I believe to be of interest for consumer-oriented web applications. I also have a funny feeling that there are still some nuances of EAN-13 that I haven’t implemented correctly, so those issues will need to be addressed.
  • No fixed focus cameras currently work: Decoding a barcode with the current code requires a fairly high quality image that clearly resolves the separation between the bars and spaces in a barcode. A webcam shooting in 640×480 resolution is sufficient, provided the barcode is put close to the camera. The challenge here is that in order to get the clarity required, you need a webcam whose focal length is adjustable. Currently, webcams with a fixed focal length, such as the Logitech QuickCam Communicate STX or those built into the latest MacBook Pro and Sony VAIO laptops, can’t be adjusted to render a crisp image when the object is placed close to the camera. This is somewhat ironic given that webcams with manual focus, such as the Logitech QuickCam Chat, are generally very cheap.
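The decoding step the post describes, from a thresholded scanline to EAN-13 digits, as an added JavaScript example that is not the post's Flash library (ActionScript is close enough that it ports directly). It quantizes run lengths into modules, recovers the implicit first digit from the L/G parity pattern of the left six digits, and verifies the check digit, which are the EAN-13 nuances the post alludes to. Function names are my own; the scanline is assumed to start at the first bar of the left guard.

```javascript
// Added example (not the post's Flash library): EAN-13 decoding from a thresholded scanline.
const L = ["0001101", "0011001", "0010011", "0111101", "0100011",
           "0110001", "0101111", "0111011", "0110111", "0001011"];
const R = L.map(c => c.replace(/[01]/g, b => (b === "1" ? "0" : "1")));  // right half: L inverted
const G = R.map(c => [...c].reverse().join(""));                          // G set: R reversed
const PARITY = ["LLLLLL", "LLGLGG", "LLGGLG", "LLGGGL", "LGLLGG",         // L/G pattern of the six
                "LGGLLG", "LGGGLL", "LGLGLG", "LGLGGL", "LGGLGL"];        // left digits = 1st digit
// Quantize alternating bar/space run lengths (pixels, first run = left guard bar) into 95 modules.
function runsToModules(runs) {
  const unit = runs.reduce((a, b) => a + b, 0) / 95;            // one module width in pixels
  return runs.map((len, i) =>
    (i % 2 === 0 ? "1" : "0").repeat(Math.max(1, Math.round(len / unit)))).join("");
}
function ean13CheckDigit(d12) {                                 // weights 1,3,1,3,... over 12 digits
  const sum = [...d12].reduce((s, c, i) => s + Number(c) * (i % 2 === 0 ? 1 : 3), 0);
  return (10 - (sum % 10)) % 10;
}

function ean13Decode(modules) {
  if (!/^[01]{95}$/.test(modules)) throw new Error("expected 95 modules");
  if (modules.slice(0, 3) !== "101" || modules.slice(45, 50) !== "01010" || modules.slice(92) !== "101")
    throw new Error("guard pattern mismatch");
  let parity = "", digits = "";
  for (let i = 0; i < 6; i++) {                                 // left half: each digit is L or G coded
    const code = modules.slice(3 + 7 * i, 10 + 7 * i);
    let d = L.indexOf(code);
    parity += d >= 0 ? "L" : "G";
    if (d < 0 && (d = G.indexOf(code)) < 0) throw new Error("unreadable left digit " + i);
    digits += d;
  }
  const first = PARITY.indexOf(parity);                         // the implicit 13th digit
  if (first < 0) throw new Error("invalid parity pattern " + parity);
  for (let i = 0; i < 6; i++) {                                 // right half: always R coded
    const d = R.indexOf(modules.slice(50 + 7 * i, 57 + 7 * i));
    if (d < 0) throw new Error("unreadable right digit " + i);
    digits += d;
  }
  const ean = first + digits;
  if (ean13CheckDigit(ean.slice(0, 12)) !== Number(ean[12])) throw new Error("check digit mismatch");
  return ean;
}
function ean13Encode(d13) {                                     // builds symbols for testing the decoder
  const p = PARITY[Number(d13[0])];
  let s = "101";
  for (let i = 1; i <= 6; i++) s += (p[i - 1] === "L" ? L : G)[Number(d13[i])];
  s += "01010";
  for (let i = 7; i <= 12; i++) s += R[Number(d13[i])];
  return s + "101";
}
```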

The second shortcoming is the most problematic – we can only expect embedded webcams to become the norm. I’m not clear if recognizing a barcode from these types of cameras is possible – Delicious Library claims that it can work with the built-in cameras on MacBooks, but I’ve not had an opportunity to confirm it myself.

This brings me to my questions for the technologists out there:

  • Does Delicious Library work with MacBooks? If so, I’d love to see some video of it in action. It would also be great if someone can point me in the direction of possible approaches to solve the fixed focus problem. This will also be useful if I’m going to be able to get this working on mobile devices in the future, as they also use fixed focus lenses (although at the rate their resolution is increasing, that problem may go away pretty soon).
  • Does this work for you? I’ve put together a simple proof of concept Flash application that you can use to try the library out for yourself. Grab a book and hold its barcode close to your webcam with a steady hand; the application will pop up an alert showing the decoded barcode. Give it a try and comment here to let me know if you’re able to get it to work for you, and what webcam you’re using.
  • Wanna build something with this? Come on, you know you do. I’m looking to see if people are interested in building an application to use this – are you interested? Drop me a line here.

Ah, The Nanny State

Ashley came down with a horrible head cold today, so I headed out early to try and grab her some Sudafed. No, not Sudafed PE (which doesn’t work), Sudafed. Not only were all the pharmacies closed at 8am, no one at either Longs or Safeway apparently has the authority to allow you to purchase Sudafed, despite the fact that it’s a non-prescription drug. The reason? Federal legislation that requires you to show ID to purchase drugs containing pseudoephedrine, all in the name of reducing the illicit production of crystal meth.

Sigh, I am getting sick of the Nanny State.

Product Management Top Ten

I’ve been asked on a number of occasions by various friends to provide them with some guidance on how to be a good product manager. While I can’t claim to have complete knowledge after only three years in the role, I thought now would be a good time to summarize some of what I’ve learned:

  1. Write things down. If you don’t, you’ll forget the facts or mis-remember them. I recommend that you use a note-taking tool to keep all your customer interactions, meetings, and thoughts organized in one place.
  2. Quantify your decisions, or at least back them up with data. The fastest way to drive to a decision/resolution is to eliminate or minimize the conjecture. Identify what you don’t know, take steps to get the data you need, and for everything you can’t get data on, call out your assumptions.
  3. Clear a path for others. Share your data and findings – this reduces the organizational duplication of effort and allows the company to build a comprehensive picture of its environment, customers, etc. It also helps build your credibility.
  4. Ignore the technology. Rather than focusing on the feature a customer needs, define the problem the customer needs solved. Focus on the pain that will cause the customer to part with their money.
  5. Learn to write in short, succinct statements. Your value to the organization is primarily derived from your ability to distill large amounts of data into discrete, easily understood units.
  6. Practice presenting. While knowing or understanding the market is important, it’s irrelevant if you can’t explain your thoughts, position, and knowledge to others in the organization in a clear and confident manner.
  7. Define and automate processes. The primary purpose of a company is to build order from chaos – without well-defined processes in place, it will be very difficult to build a well-oiled machine.
  8. Circulate. You should know people in every corner of the company or of material importance to the company, not just Products and Engineering. Go talk to customers, sales, support. They know more than you about the problems of the product and the problems that need to be solved.
  9. Be credible. Know what you’re talking about – but also know when you’re out of your depth and need to consult with others for information. Be forthright when you need to gather additional information to respond to a query rather than trying to “wing it”.
  10. Be responsive. Nothing builds credibility like being responsive to queries and requests for assistance from other departments. It also establishes you as the authority for what’s happening in the market, the product, etc. If you’re responsive, people will naturally come to you to not only ask for help, but also make themselves available when you need assistance.

If you need more advice on honing your Product Management skills, I also highly recommend taking one of Pragmatic Marketing’s excellent courses.

Exporting iTunes Playlists to Tivo

This is a little thing that’s been bugging me since we got our TiVo a while back, but I never got around to solving it – exporting my music playlists from iTunes to TiVo. TiVo’s jukebox interface is simply horrendous, so playlists are an absolute must, unless you like scrolling through pages of your music collection. iTunes makes matters worse in that it doesn’t allow you to export M3U-formatted playlists, the format TiVo requires.

Sigh. A little shell scripting and awk is all that’s required to resolve this problem in short order. Here’s an awk script called m3u-ify.awk to convert an iTunes playlist (exported as plaintext) to an M3U playlist:

BEGIN {
    FS = "\t"            # iTunes exports tab-separated columns
    print "#EXTM3U"
}
{
    # $27 is the Location column and $8 the Time column in the iTunes text export
    if (match($27, /\.mp3/))
    {
        time = $8
        name = $27
        location = $27

        # Figure out the location from the absolute location
        # that iTunes exports. Note that we remove the '- ' from
        # the location, which iTunes seems to add erroneously.
        # Using 'sub' is not ideal, but gensub seems flakey in
        # my version of gawk, otherwise I'd use the following
        # (note that gawk groups with plain parentheses, not \( \)):
        # location = gensub(/D:\\Music\\(.*\\.*\\[0-9]*) -(.*)\.mp3/, "\\1\\2", "g", location)
        sub(/D:\\Music\\/, "", location)
        sub(/ - /, " ", location)

        # Find the name of the song - this regex is giving
        # me problems in Cygwin with gawk, so I coded an
        # alternate way to get to the normalized song name
        # name = gensub(/D:\\Music\\.*\\.*\\[0-9]* - (.*)\.mp3/, "\\1", "g", name)
        sub(/D:\\Music\\.*\\.*\\/, "", name)
        sub(/\.mp3/, "", name)
        sub(/[0-9]* - /, "", name)

        print "#EXTINF:" time "," name
        print location
    }
}

Note that my music collection is located in D:\Music (which needs to be stripped out of the file location to create the M3U file) – you will have to alter this script to match the location of your iTunes music folder.

To use the script, you’ll need awk installed on your machine (for those of you using Windows, you might try grabbing a copy of Cygwin). To convert a playlist to M3U:

  1. Select a playlist in iTunes, export it as a text-formatted playlist (input.txt) to a folder containing the above script
  2. Open a shell prompt, go to the folder where you saved the text-formatted playlist
  3. Run awk -f m3u-ify.awk input.txt > output.m3u

You’ll now have an M3U-formatted version of your playlist. If you really want to be fancy, export all your playlists at once, and then generate a batch shell script to process them all by running ls -1 *.txt |sed -e 's/\(.*\)\.txt/awk -f m3u-ify.awk \"\1.txt\" > \"\1.m3u\" /g'>batch.sh. This generates a shell script called batch.sh that processes all the text playlists in one go.
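A header-driven variant of the same conversion, added here as an example and not the author's m3u-ify.awk: it finds the Time and Location columns by name rather than by position, so a change in iTunes' export columns cannot silently pick the wrong field, and it strips the music root as a literal prefix instead of a regex. The function name m3uify and the root-as-argument convention are my own.

```shell
#!/bin/sh
# Added example, not the author's m3u-ify.awk: convert an iTunes text-export
# playlist to M3U, locating the Time and Location columns by header name
# instead of hard-coded field numbers ($8, $27); CRLF line endings are tolerated.
# Usage: m3uify 'D:\Music\' input.txt > output.m3u
m3uify() {
    # The music root goes through the environment: awk -v would treat the
    # backslashes in a path like D:\Music\ as escape sequences.
    MUSIC_ROOT="$1" awk -F '\t' '
        BEGIN { root = ENVIRON["MUSIC_ROOT"] }
        { sub(/\r$/, "") }                       # strip CR from Windows line endings
        NR == 1 {                                # header row: locate the columns we need
            for (i = 1; i <= NF; i++) {
                if ($i == "Time")     tcol = i
                if ($i == "Location") lcol = i
            }
            if (!tcol || !lcol) { print "no Time/Location column" > "/dev/stderr"; exit 1 }
            print "#EXTM3U"
            next
        }
        $lcol ~ /\.mp3$/ {                       # only .mp3 tracks, as in the original script
            loc = $lcol
            if (index(loc, root) == 1)           # strip the root as a literal prefix
                loc = substr(loc, length(root) + 1)
            n = split($lcol, parts, "\\\\")      # last backslash-separated piece = file name
            name = parts[n]
            sub(/\.mp3$/, "", name)
            sub(/^[0-9]+ - /, "", name)          # drop a leading "NN - " track number
            print "#EXTINF:" $tcol "," name
            print loc
        }
    ' "$2"
}

# Run directly as: sh this.sh 'D:\Music\' input.txt > output.m3u
if [ $# -eq 2 ]; then m3uify "$1" "$2"; fi
```

If iTunes wrote the export as UTF-16 (iTunes on Windows does), run it through iconv -f UTF-16 -t UTF-8 first, or the header lookup will fail.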

Note: I point TiVo Desktop to my iTunes folder directly – I’m not sure if this affects file location specified in the M3U or not. Your mileage may vary.

Ironic Pipe Bomber

Someone has apparently been leaving pipe bombs in random parks around Livermore. I can’t help but be amazed when the local news interviews people in Livermore and they say things like “I can’t believe this would happen here, it’s such a quiet peaceful community!”

Uh, Livermore? As in the home of Lawrence Livermore National Labs? The cornerstone of the US nuclear weapons program since 1952? Does anyone else see this as slightly ironic?