[ale] webcam privacy concerns / flash settings

[Ron Frazier]

Hi Guys,

I'm going to post some experiences I've been having with Windows 
regarding webcam privacy.  I'm posting it here for two reasons.  1) Some 
of you dual boot like I do or have exposure to Windows either by 
necessity or choice for whatever reason, and 2) some of it could apply 
to Linux.  I'm posting it just in case someone reading it may avoid some 
of the hell I've been going through.  If anyone wants to, they can 
address how to deal with similar issues in Linux.

Webcam privacy

As many of you know, many new notebook computers come with a built in 
webcam and a microphone.  This is handy if you're doing video 
conferencing, but can also be a dangerous way to invade your privacy.  
There have been occurrences of viruses which secretly turn on the web 
cam and mic and send a record of whatever you're doing to the cracker.  
I believe there have also been occurrences of websites which do the same 
thing with java and / or flash.  Most people, including myself, don't 
want total strangers spying on them while they use their computers.  
There was also a lawsuit where technicians of a school system had 
installed spy software on the schools pc's prior to giving them to the 
students.  It was an official action, presumably to help find the 
laptops if they were stolen.  However, the staff was using it to spy on 
the students without authorization while the students were in their own 
homes.

So I decided to A) find out if the camera and mic were active, and B) 
disable them.  Note that these components cannot be physically removed 
or disconnected easily.  I first had to see if my notebook even has a 
mic.  After 20 minutes studying the manual, and trying to figure out 
which parts of it applied, I determined that my machine has both a 
webcam (which was obvious) and a mic (which was not obvious).  Finally, 
I found a tiny pinhole in the front bezel, which is the mic.  They may 
not always be visible though.  To see if the mic was working, I loaded 
up Windows sound recorder.  Even before starting a capture, I could see 
the volume graph fluctuating as I made some noise around the machine.  
So, I've got a hot mic.  Then, to check the camera, I loaded up the 
camera utility that came with the machine.  Sure enough, my mugshot pops 
up on the screen.  The colors were all wrong, but that's another matter.

At that point, I decided I wanted to permanently (unless I reinstall 
something) disable these things.  If I want a mic, I'll plug in a 
headset; and if I want a camera, I'll plug one in.  I went to the 
Windows device manager and looked for the mic.  Couldn't find it.  I 
then opened the sound control panel and went to the recording tab.  
There I found the mic device and told the system to delete it.  I don't 
remember the exact command.  I then rebooted and restarted the sound 
recorder.  It immediately gives an error message that there is no 
recording device found, which is just what I wanted.  So far, so good.

I went back to the device manager and found a USB Webcam.  I selected 
the device and told Windows to disable the driver.  I then rebooted and 
started the camera app again.  BOOM.  There I am on the screen again.  
Darn it.  I went back to device manager and told the system to DELETE 
the driver.  Rebooted.  Started the camera app.  BOOM.  There I am 
again!  My image is now upside down, and the colors are wrong still, but 
it's there!  The point being, you can't turn off the stinking camera.  
Nothing I could do from a software point of view would stop the camera 
from working.  Being the clever engineer that I am, I headed to the 
pantry and pulled out a roll of Gorilla Tape.  It's thick, strong, and 
black.  I sliced off a 1/2" x 1" piece of tape and affixed it right over 
the top of the camera lens.  I made sure that I positioned it in such a 
way that I could still see the LED light which is supposed to come on if 
the camera is active.  Now, I can activate the camera app and see 
nothing at all, even though the camera is on, which is just what I 
want.  Even if I shine a flashlight on it, all I see is a dim blob of 
light, so the tape is working nicely.  And that is how you can control a 
very high tech device with a very low tech device.  Note that covering 
up the mic with tape won't really stop it's function though.

Now you may or may not want to tape your camera.  So, assuming you don't 
have a virus or secret spyware on your system, here's how to stop flash 
from accessing your camera and mic without your permission.  I use both 
the tape as well as these settings.  I don't know for sure if Java can 
access the camera and mic.  But, if it can, the only way I know to stop 
it is to uninstall Java.  I'll probably uninstall Java on my sister's 
machine and Dad's machine to reduce the other security concerns 
associated with it.  I don't think they need it anyway.

Some of you might say, don't use flash, but for my purposes, I don't 
find that practical.  I have flash on both Windows and Linux.  If you're 
running flash on Linux, this applies to you.

Flash settings are controlled through an online app on the Adobe / 
Macromedia website.  Assuming you have flash installed, go to the site 
below to access the Flash settings manager.  If using something like 
Noscript in Firefox, you'll have to trust adobe.com and macromedia.com.  
Here's are the addresses:

You can check the version of flash on your system here: 
http://www.adobe.com/software/flash/about/
They've been ramping the versions quite often lately.  As of this 
moment, the current one is 11.0.1.152.

Here is the settings manager.

http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager.html

Note, you can right click a flash object in Windows IE and click 
settings and a settings widget will pop up, however, you don't get all 
the settings.  I would use the website.  I'm only going to mention the 
mic and camera settings here, but I would recommend checking all the 
flash settings here to make sure your're not allowing flash cookies, old 
security, flash storage, and flash peer to peer networking, if you wish 
to really keep your shields high, as I do.  I can elaborate on those 
procedures if desired.  Note that if you delete flash, these settings 
may be erased.  If you update flash, they SHOULD stay there, but I check 
them whenever I do an update.

Once you load the settings page, you will see some links at the left.

Click Global Privacy Settings Panel.

There are two buttons.  One says Always Deny - which automatically 
rejects any request from a flash app to access your camera and mic.  
This is the one I choose.  The other says Always Ask - which, 
presumably, will ask you every time a flash app wants access to your 
camera and mic.

There is a bug in the settings manager, whereby it sometimes doesn't 
accept the settings.  This screen has no status indicator to show how 
it's set, so I do the following to make sure it's set.

Click Always Deny and then confirm the action.  Do this 3 times.  Click 
Global Privacy Settings Panel again.
Click Always Deny and then confirm the action.  Do this 3 times.  Click 
Global Privacy Settings Panel again.  (Yes I meant to write that twice.)

Now click Website Privacy Settings Panel.

This is where you can override the default settings.  You should see a 
list of sites you've visited which activated flash.  The list may be 
quite long.  If you want all sites to follow your new policy, click 
Delete All Sites to remove everything from the list.  All future sites 
you visit will, by default, use the settings you set in the prior step.  
Let's say that now I go to skype.com, and I DO want to allow access to 
the camera and mic.  After loading skype.com in the web browser, open a 
new tab and go back to the settings manager and click on the Website 
Privacy Settings Panel.  You should now see skype.com in the list.  It 
will have a symbol by it which indicates the settings for that site.  If 
you clicked Always Deny in the prior step, as I did, there should be a 
red circle with a white horizontal line through it.  This means that 
skype.com will always be denied access to the camera and mic and it 
won't ask you.  Every new site that activates flash will get an entry in 
this box with the same symbol.

To allow skype.com to access the camera, click on its name in this box.  
Once you click the site name, some radio buttons above will light up.  
There, you can select Always Deny, Always Allow, or Always Ask 
permissions for THIS site only to access your camera and mic.  In this 
case, you could click Always Ask or Always Allow.  Note that you cannot 
set Always Allow from the Global settings screen.  This setting should 
take effect immediately.  But, you can click on the Website Privacy 
Settings Panel link again to refresh the page and see if it saved the 
settings.

Using these settings, you can tightly control access to the camera and 
mic for non malicious websites.  A malicious site may be able to bypass 
these features.  A virus or spyware won't be using flash probably but 
will be talking to your hardware directly - hence the Gorilla Tape and 
deleted mic driver in my case.

Later I'm going to share 2 days worth of application install hell 
experiences caused by DEP (Data Execution Protection).  Too tired of 
typing now.  This other topic applies to Windows, Linux, and Mac.

 From Wikipedia:

http://en.wikipedia.org/wiki/Data_Execution_Prevention

Data Execution Prevention (DEP) is a security feature included in modern 
operating systems. It is known to be available in Linux, Mac OS X, and 
Microsoft Windows operating systems and is intended to prevent an 
application or service from executing code from a non-executable memory 
region. This helps prevent certain exploits that store code via a buffer 
overflow, for example.[1] DEP runs in two modes: hardware-enforced DEP 
for CPUs that can mark memory pages as nonexecutable, and 
software-enforced DEP with a limited prevention for CPUs that do not 
have hardware support. Software-enforced DEP does not protect from 
execution of code in data pages, but instead from another type of attack 
(SEH overwrite).

DEP was introduced on Linux in 2000, on Windows in 2004 with Windows XP 
Service Pack 2,[2] while Apple introduced DEP in 2006.[1]

More later.

Sincerely,

Ron

-- 

(PS - If you email me and don't get a quick response, you might want to
call on the phone.  I get about 300 emails per day from alternate energy
mailing lists and such.  I don't always see new messages very quickly.)

Ron Frazier

770-205-9422 (O)   Leave a message.
linuxdude AT c3energy.com