At the end, all they will see is a bearded man staring to the front. May they be able to see me naked? Well, probably, but I honestly don't think that they will make a lot of money by selling my naked pictures... My wife tells me that I still look good, but I suspect that she is being nice to me.
What would scare more is that they manage to capture what is on my screen, or install a keylogger, or activate the microphones to hear my conversations, or that they access my hard disks and steal data, including my private keys.
Hey, but putting a sticker on your webcam is a way to show how 1337 your are!
I prefer not to have to bother removing stickers every time I want to do a Skype call.
> "because this particular thing does affect me personally, it doesn't matter. And because it doesn't matter to me it doesn't matter at all"
Blackmailing people with pictures taken from webcams is not theoretical. It happens and it's good advice to tape up your cam. It may not affect you personally, but it may affect your wife, daughter, or sister in a much more sinister way. Believe it or not this kind of thing can ruin someone's life.
Beyond blackmail, it is probably close to the psychological equivalent of a stranger just suddenly appearing in your home watching you.
I think that every electronic camera and mic device should have a hard switch/button that physically disables both the camera and mic. Having to use tape or a cover does not keep you from being spied on; it only eliminates the visual spying. The attacker can still listen.
An up-to-date Nexus or iPhone is about the most secure thing you own.
This is all that I hate about stackoverflow.
What he's describing is something that also happened (with far greater, more rage-inducing frequency) on tech forums before SO existed.
What about recognizing keys, credit card details or important information in letters on the desk? Some simple image recognition for these, and a large dragnet-style attack with this seems quite lucrative from a minute or two of thought.
This was a little bit more.
What is the point of this comment? Even if you had some way to know (EDIT: which you (https://news.ycombinator.com/item?id=12506075) point out is the case), why should it matter, especially since no-one else in this thread seems to have brought up gender?
In particular, he was calling attention to all the people that cover up their camera and proudly exclaim "Done! Safe at last", while oblivious to all the other hacks and malware that could already be infecting their computer.
More importantly, there's the fact that the level of access required to take over a webcam implies the ability to do all sorts of other things.
What I took away was that if his system was compromised, an open webcam wouldn't likely be the chosen vector for ruining his life.
As someone who was profiled and eventually experienced an attempted-blackmailed by a company in India (employer details gained among other things) - everything seems inconsequential ("I've done nothing wrong"), until it is used, abused (and lies added to) to threaten you.
It doesn't matter whether things are true or not. What matters is, when someone gains details about you, the story and lies they can spin. The cost, distress, and difficulty in trying to resolve and take control of the story can be incredible.
Your personal details should remain just that.
Don't be complacent.
Is this a well-known thing? I haven't heard of it before. Is there some sort of common pattern that such attacks follow? (E.g. most phishing attacks seem to be categorizable, following a number of set patterns, because the people who do them basically try to run the same attack against a lot of people at once to get one or two victims. Is this similar, or is it a matter of individual targeting?)
A hypothetical, ruthless hacker manages to install malware on a person's computer. Hell they could target certain zip codes. All the information is on the Internet. Hell, they could get a picture of your home. (By the way, Google will blure out you home, if you ask. It tends to reappear, although they claim its permanent. If your house has been sold recently, a thief/criminal has easy access to interior layout through Zillow, and the like.)
They watch you through your cams. A lot can be deduced with that information--valuable information that could be sold.
Maybe I've watched too many movies, or crime shows, but I just picture certain questions being asked, "Does the home look like its worth robbing?" "Are there hostages we could take?" "What times do they leave, we need to install our cams because they might find our malware?" "Do they have a safe, or do they seem like they have money/valuables in the house, bedroom?" "Are they doing anything illegial themselfs?" They could develop psychological profiles for people?
I hate to think like this, but certain people think nothing of doing some horrid crimes. A hacker overseas gains some valuable information, and makes a phone call to the Triads, or Russian mob? Your life becomes a statistic.
It sounds far fetched, but just what if? (And am I going to cover my cams? No, because I don't have a life, and I'm poor.)
the only real solution to this is good insurance and good luck.
Wholesale information theft is another level. Someone in a different state or country has access not only to me, but potentially hundreds of people's details, without ever leaving their home. And then they can leverage a whole community that is doing the same. This is how "The Fappening" occurred. This sort of crowdsourced stalking would be impossible pre-internet.
Obviously there are other reasons to worry about webcam access, but "they could spy on me to set up a robbery" is exceedingly low on my list since it just recreates a pattern that doesn't involve a computer.
For the slightly more technical, you've got frameworks like metasploit which can perform network attacks, but even that is getting much more like a kit these days. Port scan for services, fingerprint them, check database for known vulnerabilities, automatically attempt to exploit known vulnerabilities, deploy payload (the trojan).
Once you've been convicted of something, or even arrested really, you have few legal options to support yourself.
I think a substantial share of those drug dealers who aren't working formal-economy jobs as well are also drug addicts that would not be able to keep such jobs particularly well even if they weren't drug dealers, and/or convicts that wouldn't be likely to be offered such jobs if they chose to pursue them.
How can one blackmail a person with webcam pictures where the person just stares into a screen?
If you mean NSFW pics I don't think they're done with a computer's webcam cam. Nowadays, people use phones for that use case.
There was a case about 5-6 years ago when a guy recorded and streamed his secretly gay roomate having sex in the dorm. The gay roomate committed suicide later.
Work computers can be taken home or to business trips where things can happen in the hotel after the deal is struck.
Serious question: what happens when a deal is struck? They go out to drink? They go back to their hotels? They have sex with their coworkers?
Protecting your privacy should NOT be weird and a sticker over your webcam is a very visible way of showing that to the public. When people ask why I do it, its a good opportunity to educate them on the capabilities of the US government, other nation-state actors, and hackers in general. If they don't believe me and haven't heard of Snowden its simple to show them images of Zuckerberg, the FBI director, and other in tech with taped over webcams to convince them.
John Oliver also did a special last year that showed that a lot of people don't really care about the government getting most of their personal information on their computer. But when they think that the government is getting naked pictures of them and their family they're a lot more interested and upset. Bringing up the fact that the government can see them nude in conversation scares a lot more people and they are more inclined to become more privacy conscious.
If you use one of the bookmark post-it notes, it makes it easy to remove the sticker and put it back when you're done with your video conversation.
Am I the only one to receive disarming responses when trying to educate anybody over this matter? The vast majority of people (and when I say "vast majority" I mean everybody but two or three people tops, so far) I tried to explain things to don't care. All they have to say are things like "Where is your tinfoil hat?", "This is conspiracy theory", "If they want to spy us there's nothing we can do" and the never old "I have nothing to fear because I have nothing to hide."
Even when you provide material from authoritative sources you still risk being told "Bullshit, go figure who wrote this".
My laptop is black and I keep a piece of black electrical tape over it so it's mostly unnoticeable if you aren't close enough. I do this to avoid giving explanations because from my experience it is pointless.
The best comeback to this is usually asking if they have drapes/shades for their windows at home. I think I read that in a CCC guide to talking about privacy/security somewhere.
At least that has lead to somewhat interesting discussions and the occasional moment of "you might have a point".
Cool. Now, can I have your wallet/purse? Also, get naked. I want to see what you're hiding under your clothes.
And you can forward your medical record, along with your business emails to me as well.
Because you have nothing to hide....
Maybe something like 'security theatre'.
The potential to listen to audio on unpatched, compromised devices, is a huge attack vector! And yet we tape up cameras.
Worked like a charm.
The warm and fuzzy feeling that discovery gave me is why my daily driver is still on Win7 since I almost always have both audio directions muted.
I mean, if you can turn the LED off through software, it's really no better than the little menu bar icon that every other laptop has. If it were done all in hardware, that would be cool.
The fact that Windows10 breaks it surely suggests it's a software feature?
There's a difference between "I can turn this off as long as the driver is properly installed and has not been hacked" and "I can't turn this off." While the second statement is abstractly true for both, the bar for some software silently and invisibly turning on the microphone is quite a bit higher if it also requires replacing or hacking the audio hardware drivers.
When I'm done using my laptop I close it.
Given how everything is angled, I suppose a webcam infiltrator would have a perfect view of me sleeping.
Personally, I only use my laptop when I am away from my office. And my office happens to be my bedroom.
My mother learned to do this from the IT Security team at her company. And I learned to do that from her. It simply never occurred to me that the Facetime camera, hidden on the MBP, can be turned on at anytime without the status light being activated. I keep a small box of those post-its in my go bag and share them liberally.
It is creating general awareness.
Bash isn't pretty but it does work.
My hardened laptop is an older Thinkpad laptop with LibreBoot to replace the BIOS, microphone and speakers and camera disconnected internally, removed the wireless cards, encrypted the partitions, and use Whonix as the OS. I've password protected the BIOS and it's set to boot only from the hard drive and I've also epoxied the screw heads in place as well as put globs of epoxy over all the ports other than USB in order to protect against hardware devices that can access memory through DMA vulnerabilities.
It was mostly an exercise in "how secure can I get". I'm not sure what else is possible.
If someone manufactured and sold a more modern hardened laptop, I would be interested in buying it.
Admittedly, though, it's not a laptop.
As far as laptops go, the librem 13, with Qubes OS and coreboot would be a pretty good bet.
If you haven't already, definitely take a look at Qubes OS. It offers security by compartmentalizing different workspaces in different vm's managed by Xen so, in theory, even a kernel exploit isn't getting very far into the system.
2. Use DropBox
3. Use Skype
4. Use Google services, always logged in
5. Use Windows 10
6. Use Google Chrome
7. Tape webcam ¯\_(ツ)_/¯
I could also point out that you are more likely to slip in your shower and injure yourself than get struck by lightning, but I expect there are more people who know how to stay safe in a lightning storm than who have non-slip mats in their shower. You're also far more likely to get injured or killed driving your own car, but I expect many people avoid public transit out of fear, lack of convenience , etc.
No question our assessment of risk is poor, but that doesn't mean we shouldn't take what steps will fit into our lives.
No security habit short of Ludditism was going to keep people safe from Heartbleed. And it does feel a little on the nose for Comey to be pushing a security 'story' that's conveniently removed from crucial steps like "update your software regularly". I was irritated to see him describe that as "caring about people's personal security" when his stance on all other tech topics is to make people give up security for access.
None of which makes taping up a webcam wrong, of course. It's easy, it's nontechnical, and it eliminates a whole (very real) class of threat at a single stroke. That's actually pretty good, and webcam spying/blackmail certainly does happen.
I work at a public library and occasionally teach computer classes. In one we cover security, but it's infuriatingly difficult. When you're working with people who have trouble with the mouse, or even with basic literacy (I mean reading literacy, not computer), it's hard to explain "attack surfaces" or "the cloud". It usually comes down to:
1. Understand the difference between identity and security.
2. Update your software regularly.
3. Use different passwords for different services and write them down (the number of people who don't know their password because they have email on their phone is... too high).
4. Be aware of who you are giving information to and why. Do they need that information? Is what they are offering worth providing it.
It's hard to cover much more than that.
If we aren't there already, the direction of technology seems to me to be: "cameras all around, everywhere, 360 degrees all the time." Ubiquitus video/audio recording and real time processing.
So what are we left with in terms of privacy? I believe we can only hope to control how data is used in this aggregate sense to some extent or other. If even that.
A new sense of what privacy is. It is increasingly rare that someone should have a sense of privacy or anonymity while in a public place.
It's reasonable to worry about government abuse of power from monopoly access to the full aggregation of surveillance data (even if that data was not originally intended as surveillance). Many people advocate for damming the flood of data, but this is futile. A more effective solution is to end the monopoly of access -- public aggregation of surveillance data. Twitch for everything.
Don't worry quite yet. Wait until we all have wearable cameras.
We all do weird things or at least act slightly differently when we feel alone (being naked is one of those). Your records can be easily used to put a little pressure on you to do something little, not big. Why do you think you're so important to FBI CIA KGB? Regular fraudster will send you your photos and say that your boss/wife/friend will see it, and though there is 'nothing really wrong' on these, you'll pay or feel unprotected, or your party will.
That said, far too many people do have personally secret behavior like cheating, gambling, smoking, jerking off (oops, said it), having sex, private speech, strange comments that can be abused out of context (e.g. n-word while playing role in gta:sa). So many ways to get f-ed up.
But hardware can also get better. Surely the next-gen of laptops have depth-sensing cameras too? Its becoming an integral part of game console motion detection, and normal smartphones will have them too e.g. hype I found by googling: https://3dprint.com/117809/depth-sensing-phone-cameras/
But Nevertheless activating one of the many microphones around (mobile phones, phones, laptops, "echo" like devices, speech controlled televison) would concern me much more then.
Because webcams record at 60hz (max), they can only capture enough data to reconstruct sound at 30hz, way below the human voice range.
I do lots of calls, but I've never seen a good reason to use video except perhaps with one's SO.
Giving an attacker the ability to monitor your body language while they have full control of your computer is extremely dangerous as they have established a closed loop to interact with you without your consent or knowledge.
As the FBI also excell in this kind of subversive intelligence gathering, it figures they would be wary of being on the other end of it. An example is if a chinese, Russian, corporate spy had them on the other end without their knowledge.
Edit: Another topic is the issue of criminals who use extortion. This is far more common than you likely realize or aware of. Where we are the criminals and intelligence saboteurs/spies are alot more sophisticated, and use computer hacks as part of their planning to extort and blackmail their targets.
I solve that by never talking to anyone ;)
I'm thinking you might shell out a few bucks to keep someone from posting pics of you doing something embarrassing while naked.
- Edward Snowden
Spoiler alert: It is.
In my opinion hardware should be designed so that the camera LED lamp should always be lit if the camera is used. If there is a malfunction with the LED, then the camera should also not work.
Also there should be a hardware LED for when the microphone is being used which should work in the same fashion for laptops with built-in microphones.
In the webcam drivers I have looked at the LED is controlled independently of capturing, although drivers do enable the LED when the camera is used. This essentially means that hackers can record and disable the lamp.
I've been considering hacking together some piece of software that will continuously use the camera (/dev/video) in order to block it for other applications, and have it fail with visible alerts if unable to block the camera.
Not sure if the same thing can be achieved for the audio recording devices due to multiplexing.
Many would argue that this is the more flawed design.
It is probably worse to have an unreliable indicator light than it is to not have any indicator light at all.
That would only inform the user that the camera is on, and that isn't good enough. If the user is paying active attention to the computer then they can take action, but if they're not then they can't - noticing an LED has switched on when you're busy doing something else in the same room is quite unlikely. Even if you're actively using the computer you could miss it if you're focused on a task.
A hardware switch that disables the camera or a lens cover that blocks it entirely (eg tape) are the only safe options.
All a light does is inform you that the camera is active. That is not a defence. It doesn't tell you that you've been hacked because an attacker might not access the camera (a mic and data are still accessible), and the camera light might activate if you haven't been hacked (eg any piece of software that you're using might result in the camera activating regardless of whether you want it to or not) which would lead to many false positives and as a consequence people would ignore the light.
A light is only information, and any amount of information won't stop an attack. Information is only available after you've been attacked, so you haven't stopped or mitigated the problem. A hardware solution that stops people accessing the camera mitigates the result of an attack before it happens. That's why it's much better. You just have to remember that blocking the camera only stops attacks that use the camera. You still need to be diligent about other attack surfaces.
If you just block the camera you won't know that your computer is being hacked. The piece of tape isn't going to stop the hacker from doing much. Knowing my computer is hacked is far more important than stopping the attackers from seeing me.
If you have a false positive that is also very concerning and should be dealt with. At the very least I can put a piece of tape over the camera after the light turns on, if I believe it's a false positive.
At which point it's already too late - the hacker has had access to your camera for some period of time, until you notice the light. If you're interested in stopping people seeing you then you've failed. Putting a hardware block on the camera (eg tape) before you're hacked means that the hacker won't ever get access to your camera to see you.
The hardware block is about stopping people accessing your camera. It has no effect on anything else.
Regardless of what you do with your camera you still have to defend against other ways you can be hacked.
Yeah for like 10 seconds. Who cares? The problem with webcams is they can spy on you for days and weeks on end, and record your sensitive conversations.
"Hey Siri" works on desktop devices: https://9to5mac.com/2016/07/15/how-to-enable-hands-free-hey-...
"Okay Google" was removed from desktop: http://www.theverge.com/2015/10/16/9553051/ok-google-removed...
I think that having the mic light always on when you enable voice activation, would go a long way to showing consumers the risks of it. It makes it visually obvious that you are being recorded.
That's the whole point.
When you go to Skype you have to flip it before audio/video works - and then once the webcam is no longer "in use" it flips the hardware switch so that it can't be triggered (as the user is not going to want to re-trigger it, nor is likely to remember to do so)
Your average computer has a lot of LEDs active anytime it's plugged into the wall (let alone running) - what protection will yet another LED offer to your average consumer?
One needs to ask why is the head of the FBI telling you this? Cui bono?
This is a red herring.
The FBI has no interest in filming you through your webcam.
They want to listen to your microphone, watch your screen, get the keys you've typed, see the websites you've visited, read the emails you've sent.
Watch you on video? Nah. This is a red herring.
That is the reason the head of the FBI tells you to cover your webcam.
I wish the The Last Psychiatrist would come back.
You took a pretty huge jump from that to the FBI listening to your mic.
Better still a hardware switch.
Just have the only positive voltage rail going to the camera be the same one that is directly powering the LED. The firmware will be turning this rail on and off, hence turning the camera and the LED on and off simultaneously.
Convince the firmware to use a lower voltage, one that doesn't hit the breakover voltage on the LED but still powers the camera.
Strobe the line, get snapshots without the LED doing more than very faintly glowing.
Your second idea is even more scary and realistic.
Specifically around the 18:00 mark. Also he does provide source examples that you can ruin your computer with if you want.
He gets into a lot of it, but shows quite a few examples including what I'm talking about. The people that he catches aren't necessarily savvy, but he does talk about taking pictures fast enough for the light not to be visible.
- Encryption is our webcam tape.
That tape cannot be thwarted by any remote attacker, legally warranted or not. It's perfect, unbreakable security from webcam visuals being exfiltrated, exactly the security features that Comey says we shouldn't be allowed to have for our data.
~ Philip Zimmermann, "Why I wrote PGP"
Our government is full of hypocrites.
Does she? Her tech platform seemed pretty supportive of Apple's stance on encryption: http://appleinsider.com/articles/16/06/29/hillary-clintons-t...
Because that's the question I hear being begged when the "you have nothing to hide" counterpoint is brought up. You've got nothing to hide, so let me just look anyway. Sure it's none of my business, and I have no actionable legal right to it, but it's not illegal so why don't you want me to see it?
The reason why we don't give broad general search powers to the government (or at least, in theory don't give the government broad general search powers) is because the government can prosecute people, and given enough information they can find a reason to prosecute anyone. Which then fully opens the floodgates to selective prosecution: anyone who's disliked by someone in power will simply be prosecuted and likely convicted and jailed, because everyone will have done something that an all-seeing government can prosecute for.
Cardinal Richelieu is alleged to have said that, given seven lines written by the most honest of men, he could find something in them to create a capital offense and have the man hanged. I'd rather not live in a society where anyone has that kind of power.
What the NSA is doing right now, and what the FBI would like access to, is in no way similar to taking pictures of you on a busy street.
What the NSA has is every intersection wired up with cameras, recording 24 hours a day, and all of it indexed with facial recognition and license plate readers.
No organization should have that much information or reach at their fingertips, no matter how virtuous the mission or the people working there.
Is it? If i'm having a 1 to 1 conversation with someone online then that is a private conversation. There monitoring my traffic is more like opening the letters I would be sending that person.
More fundamentally though, the meat space public/private divide does not map at all to the cyber space one, all analogies and laws to apply one to the other are flawed.
Oh please. They can probably harvest the lot. It'll be some algorithm that deems you worthy or otherwise or gets you on an "of interest" list. Let's keep "personal surveillance" for '50s spy movies and Banksy murals.
More generally, what about the chilling effect on legal and legitimate conversation?
...or your association with "Occupy" or some other political protest movement that someone in power disagrees with, or that your wife bullied some politician's wife for two weeks in school, or that your interfering neighbour with a petty dislike of how you landscape your garden works as a government clerk and can access your data.
There are many reasons why some individual might want to know private things about some other individual. When individuals with some tiny (or vast) power want to wield it over anyone else, especially when they can do it with little oversight, it's very tempting.
That "the government" has access to my private information does not mean it's blind and faceless. It's made up of people with complex motivations.
They're also around lots of new people of varying levels of maturity who could have a decent chance of getting physical or network access to their computer, much more than neighbors in the rest of the world.
A creepy stalker or blackmailer spying on a university student through a webcam sadly doesn't seem that farfetched, especially for women.
A web cam resembles an eye staring at you all the time. This makes people feel weird, like something is staring at them. The threat to privacy is right in their face and on a gut level.
That's the reason so many people cover them even when they won't take other basic online privacy precautions.
Also people enjoy and feel good about accomplishing small things. Putting a sticker on your laptop is a small easy task. Do it and they feel more "secure" in an instant.
Why manufacturers still haven't introduced this is beyond me.
Expense and lack of demand.
Some older laptops used to feature hardware kill switches for the wifi (this was prior to the advent of a camera in every laptop). The old Dell D820 model was one such laptop. Eventually they were dropped all around because from the makers point of view, the presence of the switch had no effect on the sales of the laptops.
Anything you add to the BOM (Bill of Materials) for the device raises the final net cost, and there is still enough competition in the laptop/phone space that keeping the costs down is necessary to compete. Additionally, twenty-five cents per unit does not sound like much, until of course you multiply that by 10+ million units built (where a twenty-five cents difference per unit amounts to $2.5+ million difference in the end). So if having the switch or not having the switch made no difference in sales, the maker could either raise their profit, or lower their price (or more likely split the difference) by dropping the switches.
The lack of demand is that not enough purchasers are telling manufacturers they want hardware on/off switches (the purchasers do this by buying only laptops with them, and by not buying laptops without them [which may be difficult to bootstrap now, given that almost no laptop has a hardware on/off switch anymore]).
I want a switch that physically cuts power to a device, but no... :(
And its worse with your iPhone.
You basically have to disable the audio driver in OSX to disable it, and doing that, means you can't play audio at all. And even that isn't enough, it technically can be hijacked at an even lower level.
I didn't want the webcam or microphone in the ThinkPad… so I took 30 minutes and removed it. Easy as that.
The software included relies on the users protect the web interface. Obviously, this is the vulnerability. Especially with things like default passwords.
Here's an article about it:
A lot of these cameras are controllable and have speakers.
People now do live video streams of pranking people through this means.
So privacy as a social good may not be the primary perspective and it often devolves into how this affects readers personally rather than the society they live in or side tracks into technology nuances.
Technology is enabling new negative possibilities but it does not follow that technologists can make a difference. There is no ethical code of conduct. Like everyone else they are another cog in the wheel and software engineers may not have an interest or priority on privacy, social and political issues.
There are a large number of folks working in the nsa, gchq, google, facebook, palantir, hardware vendors and elsewhere actively enabling this.
Like technology itself politics, liberty, privacy and the evolution of modern system from the time of feudalism requires interest and priority. From this perspective the need to tape up your webcam may have completely different ramnifications.
Let's say that your computer has been completely 'pwned', and that you are currently reading an article with an ad for Cow Porn, or whatever, on the right hand hand side of the site. The hacker can write some code to check what your eyes, and eyebrows, did when you looked at the ad. If it peaked your interest, the hacker can maliciously add more 'Cow Porn' ads to sites you visit - via swapping out the regular ones.
Now one day you get curious and click on it, and boom they take a screen shot and try to blackmail you.
This is obviously quite outlandish but think about purposefully planting posts, lets say on reddit, by switching out posts. They then look at your head movements, and, or, eye movements then boom, you're added to some list that you wouldn't have be added to if it weren't for your eye movements.
And yet, we happen to live in a world where practically no customer has the needed expertise to verify for themselves if the LED reflects the true state of the camera or not, and if they had it they'd not care any less. A world where corporations misuse technology to betray customer's confidence and break the law, and when those get caught, get away with no more than a slap in the hand (as in the VW emission control hack case).
So, what are you going to do about it? Throw a tantrum because you exist in Earth instead of Heaven, or work out a solution that you can implement yourself without need of consensus from the ignorant masses or permission from their corrupt leadership?
(Like you, I had always assumed that the power for the webcam was literally in series with the LED, so that disabling the LED would render the camera inoperable. That seemed like the obvious way to do it if you wanted to provide a truly reliable signal. But evidently that's not the case.)
If I were tasked with making a webcam circuit, I'd make sure the light and the sensor were always powered together. So I (naively) assumed that's how everyone would do it.
Of course, there are many cameras that do not even have an activity indiator (LED), e.g. stand-alone cameras, or simply your phone front and back camera. I find it a good habit to cover all cameras, regardless of wether they have an indicator.