
Website with 1000s of live baby monitors, web cams and CCTV feeds has shut down - BillFranklin
http://m.bbc.com/news/technology-30176359
======
shittyanalogy
_"An analogy best describing this would be just because someone leaves their
window open it does not give permission for an unauthorized individual to set
up a camera outside their window and broadcast the feed worldwide,"_

That's a terrible analogy. These webcams are accessible publicly on the web
with no security. A better analogy would be, it's like leaving your window
open, and your window location can be indexed by google, and your window can
simultaneously be viewed by anyone around the world in their underwear. And in
some cases they can pan, rotate, and zoom your window.

_"If we can take one lesson away from this experience, it is that default
passwords do not provide protection from the threats that exist in the modern
world."_

No, if we take away one lesson from this experience it's that the person
exposing the serious issue can sometimes receive the most criticism. Nothing
is better, just back to being hidden.

~~~
grecy
> _"An analogy best describing this would be just because someone leaves
> their window open it does not give permission for an unauthorized individual
> to set up a camera outside their window and broadcast the feed worldwide,"_

Actually, I'm pretty sure it does.

I'm a photographer, so I'm constantly following discussions and lawsuits about
it. Anything that can be photographed (or videoed) while the operator is
standing on public space is fair game. I can absolutely take photos and video
of the front of your house while standing on the road. If you happen to have
your window down, that's your problem not mine.

~~~
grecy
Downvotes because I'm wrong (legally speaking) or because you don't like the
implications if I'm right?

[https://www.aclu.org/kyr-photo](https://www.aclu.org/kyr-photo)

opening paragraph:

"Taking photographs of things that are plainly visible from public spaces is a
constitutional right "

------
kcorbitt
> Last week it was showing video feeds from more than 250 countries

I may be very confused, but Wikipedia only lists 206 sovereign states (193
full UN member states)[0]. Even with border disputes 250 seems like a very
inflated number. Is there some other common definition of "country" I'm not
aware of, or did this article just fail to perform basic fact-checking on the
claims?

[0]
[http://en.wikipedia.org/wiki/List_of_sovereign_states](http://en.wikipedia.org/wiki/List_of_sovereign_states)

~~~
philwelch
"Country" is an ambiguous term that's not always synonymous with "sovereign
state". For instance, British people tend to think Wales, England, and
Scotland are three countries.

------
tshadwell
I was amazed when I was watching BBC News and this came on. I remember Google
dorking webcams when I was 12 and the BBC were playing it up like some
prodigal hacker had tapped into the matrix to produce these webcams or
something.

~~~
_sword
Oh man when I was in the range of 12 - 14 I loved watching these webcams to
get small glimpses into other peoples' lives around the world. I still have
vivid memories of watching street vendors in Japan, fishing boats docking and
leaving somewhere in Asia, and the sun rising over beautiful mountains
somewhere in Europe during an early spring. It was mesmerizing to peer through
these virtual windows into locations half a world away.

~~~
MrJagil
How do you do this? The article is very sparse on technicalities...

~~~
TazeTSchnitzel
Google the right phrases, mostly.

------
xaitv
> An analogy best describing this would be just because someone leaves their
> window open it does not give permission for an unauthorized individual to
> set up a camera outside their window and broadcast the feed worldwide

I think a better analogy would be someone putting up a tv screen on the side
of their house showing a camera feed of the inside of the house, with a sign
that asks people "Don't look at this TV"

~~~
corobo
Better than that is the exact same but without the "Don't look at this TV"
sign. There's just a TV there and the curious are going to be curious

------
insomniasexx
I used to be part of a forum that had a massive list of the default login and
unprotected cams. There were maybe 10k-20k per document, maybe 5 or 6
documents. As far as I could tell, all were working cams but 99% of the time
there was nothing happening. Either they were too dark to see much, pointed at
a front door, or showing rooms with no one in them. I personally never saw any
movement on any of the cams except for a sleeping puppy.

On the rare occasion someone found a not-empty cam, there would be screencaps
immediately. It was like crowdsourced voyeurism before crowdsourcing was a
thing. The best one was a guy who was using the camera to monitor his weed
grow op. Apparently, according to more knowledgeable users on this forum, he
was using the lights inefficiently. It sparked a massive debate on the
intricacies of grow lights and that's when the thread died.

It was creepy but far less creepy or exciting than I imagined when I first
stumbled upon the thread. Still, change your passwords people.

------
tsemple
A while ago I bought a webcam, plugged it in and entered my wifi password. A
little bit later I realized that it had reconfigured my router and was
broadcasting to the internet. Wow, I'm all for easy to install, but that's
crazy. I couldn't believe that my router was configurable automatically
without entering the password. I fixed my router, but you have to be pretty
tech savvy to understand that your cheap baby cam is broadcasting pictures
from inside your house to the entire world by default.

~~~
ssharp
I wanted to get a video baby monitor for my twins, but gave absolutely no
thought into getting an internet-connected one. I just didn't see the benefit
and it seemed super creepy having the camera accessible over the internet.

Now, after about two months, I realize that I hardly ever use the video
feature and the audio is almost always enough. I guess we'll see if I change
my mind as the babies get a little older, but I'd rather have my $250 back and
just have gotten a simple audio monitor.

------
joshstrange
> If we can take one lesson away from this experience, it is that default
> passwords do not provide protection from the threats that exist in the
> modern world.

No shit.... Also this article covers what not to make your password which I
think is misleading... This isn't about a hacker guessing easy passwords it's
about people setting up these devices and not changing the DEFAULT
user/password which is easy to find (or guess: user/user, admin/admin,
root/root, user/root, etc).

------
jostmey
Funny that everyone is upset by this. When it comes to government
surveillance, a lot of people don't seem to care.

~~~
singold
Maybe this is a good example of why it is not a good idea for our governments to
have unrestricted access to everything, because this kind of people would have
access too.

------
zimbatm
If you need to video feed for experiments just search for "inurl:axis-
cgi/jpg/image.cgi" on google.

------
Nux
The site may be gone, but not the problem.

------
digitalgravy
What, and there's no other website that does this? No one thought to look at
[https://www.shodan.io/](https://www.shodan.io/) ?

~~~
werid
In this case, the website showed webcams which were protected by passwords,
but they were using default ones.

I don't think shodan does that.

------
Someone1234
The "expert" is still suggesting special characters instead of full sentences?
Sigh.

~~~
freehunter
I blame Active Directory and the "use strong password" which focuses on
special characters and not entropy.

~~~
drzaiusapelord
Meh, that's a GPO setting. Don't turn it on if you don't like it. Bill Gates
isn't holding a gun to your head here. Hell, it's not even turned on by
default!

AD can handle long passphrases. Granted, its cryptography only considers the
first 14 characters, but I've read case studies where shops have moved away
from complexity to minimum 14 characters and suddenly things like password
resets become a thing of the past. Turns out it's easier for humans to process
"mydogsnameismrmittens" vs "M1tt3ns"

I've tried long passphrases in embedded devices like cameras and routers. Most
of the time they can't handle it. Don't knock AD as being the bad guy here. Go
after the nightmarish cockup that defines the security of consumer embedded
world.

~~~
freehunter
I understand it's not actually the fault of that particular setting, it's the
fault of the admins using it as a set-it-and-forget-it action. Specially my
experience lies in PCI audits, where PCI DSS requirement 8.5.11 says to use
passwords containing both numeric and alphabetic characters. 8.5.10 requires a
password length of 7 characters. When you need to meet PCI standard, are you
going to set your password policy by hand or just turn on AD's default secure
password policy? The password policy which is terrible, but meets PCI
requirements and makes the boss happy?

And even if you make a policy that meets PCI requirements, I've been in many-a
PCI audit where the auditor doesn't want to move past the password policy
section if you don't use AD's 'strong password' feature. Because it takes a
bit of time and effort to explain your password policy without that little
checkbox.

It's not Microsoft's fault that everyone uses their strong password checkbox.
But Microsoft could move into the 21st century and make sure that what they
label as 'strong passwords' actually meet the criteria of being strong
passwords.
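
The policy comparison argued over in the comments above, as an added example that is not part of the thread: it checks the two passwords quoted there against the PCI DSS rule as the commenter states it, a 14-character length-only rule, and a hypothetical three-class "complexity" rule (`class_rule` and its thresholds are assumptions for illustration, not Active Directory's actual check).

```python
import math
import string

# Character classes that class-counting "complexity" rules look at.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation,
}

def classes_used(pw):
    """Names of the ASCII character classes present in pw."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in pw)}

def pci_rule(pw):
    """PCI DSS 8.5.10/8.5.11 as quoted in the thread: 7+ chars, letters and digits."""
    return len(pw) >= 7 and any(c.isalpha() for c in pw) and any(c.isdigit() for c in pw)

def class_rule(pw, min_len=7, min_classes=3):
    """Hypothetical checkbox-style rule: minimum length plus N character classes."""
    return len(pw) >= min_len and len(classes_used(pw)) >= min_classes

def length_rule(pw, min_len=14):
    """Length-only policy, the 14-character minimum mentioned in the thread."""
    return len(pw) >= min_len

def brute_force_bits(pw):
    """Upper bound on guessing cost: length * log2(size of the alphabet in use).
    Dictionary and pattern attacks need far fewer guesses than this."""
    alphabet = sum(len(CLASSES[name]) for name in classes_used(pw))
    return len(pw) * math.log2(alphabet) if alphabet else 0.0

def evaluate(pw):
    return {
        "pci": pci_rule(pw),
        "classes": class_rule(pw),
        "length14": length_rule(pw),
        "bits": round(brute_force_bits(pw), 1),
    }

if __name__ == "__main__":
    # The two passwords quoted in the thread.
    for pw in ("M1tt3ns", "mydogsnameismrmittens"):
        print(pw, evaluate(pw))
```

The short password passes both class-based rules while the long passphrase fails them, even though the passphrase has more than twice the brute-force bound.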

------
el_duderino
This all stemmed from Gizmodo's original posting of it:
[http://gizmodo.com/a-creepy-website-is-streaming-from-73-000...](http://gizmodo.com/a-creepy-website-is-streaming-from-73-000-private-secur-1655653510)

I'm glad it's been shut down.

~~~
13
The website linking to it going away hasn't made the content go away. The
public just won't be aware of it now.

------
missing_cipher
If anyone is interested, there was good Defcon talk about camera "security" a
while back:
[https://www.youtube.com/watch?v=B8DjTcANBx0](https://www.youtube.com/watch?v=B8DjTcANBx0)

------
digital-rubber
Attention for this particular issue is nice. But all these reports are not
going to reach the actual user.

I don't see anybody making such a big fuss when people don't close the
curtains in their home at night (or even during the day). Sure you can see who
is peeking into your house, but technically is it much different than an
insecure/unconfigured webcam?

~~~
k-mcgrady
>> "But all these reports are not going to reach the actual user."

I think it might. It was one of the top headlines on the evening news in the
UK and the main message was to users - change your password. How many acted on
that I don't know but the reports certainly got out to regular people.

~~~
digital-rubber
It's been on the news here too, I didn't see any drop in the number of cams
online from my country.

