[ale] webcam privacy concerns / flash settings
Ron Frazier
atllinuxenthinfo at c3energy.com
Wed Oct 5 11:36:32 EDT 2011
Hi John,
You're welcome. I always hope the info I post will help someone.
That WAS a good episode of Star Trek.
Under NORMAL conditions, ie no malicious websites in action and no
spyware and no viruses and properly set flash settings, nobody should be
using your camera and mic without your permission and knowledge. As I
said before, I'm not too sure what Java can do with this type of
hardware. However, much of what I'm trying to prevent is problems in
potential abnormal conditions. My computer has a small LED light next
to the camera. That's supposed to light up when the camera is on.
There is no indicator for the mic. I don't know if the LED would
necessarily light under abnormal conditions. Fortunately, tape is a
cross platform device.
If you disable your camera and mic by means other than tape, which is
obvious after the fact, make yourself a note in some conspicuous place.
That way, when you try to do a legitimate video conference or recording,
you'll remember - YES I disabled that, before you go through days of
troubleshooting.
Sincerely,
Ron
On 10/5/2011 6:48 AM, John Pilman wrote:
> I always liked the approach taken by Balok in Star Trek. But then, he
> was defeated by the Corbomite Maneuver.
>
> Actually, thanks for the post, My laptop has a camera that I don't
> use, but I don't know if anyone else is using it.
> ...John
>
> On Wed, Oct 5, 2011 at 1:29 AM, Ron Frazier
> <atllinuxenthinfo at c3energy.com> wrote:
>
>> Hi Guys,
>>
>> I'm going to post some experiences I've been having with Windows
>> regarding webcam privacy. I'm posting it here for two reasons. 1) Some
>> of you dual boot like I do or have exposure to Windows either by
>> necessity or choice for whatever reason, and 2) some of it could apply
>> to Linux. I'm posting it just in case someone reading it may avoid some
>> of the hell I've been going through. If anyone wants to, they can
>> address how to deal with similar issues in Linux.
>>
>> Webcam privacy
>>
>> As many of you know, many new notebook computers come with a built in
>> webcam and a microphone. This is handy if you're doing video
>> conferencing, but can also be a dangerous way to invade your privacy.
>> There have been occurrences of viruses which secretly turn on the web
>> cam and mic and send a record of whatever you're doing to the cracker.
>> I believe there have also been occurrences of websites which do the same
>> thing with java and / or flash. Most people, including myself, don't
>> want total strangers spying on them while they use their computers.
>> There was also a lawsuit where technicians of a school system had
>> installed spy software on the schools pc's prior to giving them to the
>> students. It was an official action, presumably to help find the
>> laptops if they were stolen. However, the staff was using it to spy on
>> the students without authorization while the students were in their own
>> homes.
>>
>> So I decided to A) find out if the camera and mic were active, and B)
>> disable them. Note that these components cannot be physically removed
>> or disconnected easily. I first had to see if my notebook even has a
>> mic. After 20 minutes studying the manual, and trying to figure out
>> which parts of it applied, I determined that my machine has both a
>> webcam (which was obvious) and a mic (which was not obvious). Finally,
>> I found a tiny pinhole in the front bezel, which is the mic. They may
>> not always be visible though. To see if the mic was working, I loaded
>> up Windows sound recorder. Even before starting a capture, I could see
>> the volume graph fluctuating as I made some noise around the machine.
>> So, I've got a hot mic. Then, to check the camera, I loaded up the
>> camera utility that came with the machine. Sure enough, my mugshot pops
>> up on the screen. The colors were all wrong, but that's another matter.
>>
>> At that point, I decided I wanted to permanently (unless I reinstall
>> something) disable these things. If I want a mic, I'll plug in a
>> headset; and if I want a camera, I'll plug one in. I went to the
>> Windows device manager and looked for the mic. Couldn't find it. I
>> then opened the sound control panel and went to the recording tab.
>> There I found the mic device and told the system to delete it. I don't
>> remember the exact command. I then rebooted and restarted the sound
>> recorder. It immediately gives an error message that there is no
>> recording device found, which is just what I wanted. So far, so good.
>>
>> I went back to the device manager and found a USB Webcam. I selected
>> the device and told Windows to disable the driver. I then rebooted and
>> started the camera app again. BOOM. There I am on the screen again.
>> Darn it. I went back to device manager and told the system to DELETE
>> the driver. Rebooted. Started the camera app. BOOM. There I am
>> again! My image is now upside down, and the colors are wrong still, but
>> it's there! The point being, you can't turn off the stinking camera.
>> Nothing I could do from a software point of view would stop the camera
>> from working. Being the clever engineer that I am, I headed to the
>> pantry and pulled out a roll of Gorilla Tape. It's thick, strong, and
>> black. I sliced off a 1/2" x 1" piece of tape and affixed it right over
>> the top of the camera lens. I made sure that I positioned it in such a
>> way that I could still see the LED light which is supposed to come on if
>> the camera is active. Now, I can activate the camera app and see
>> nothing at all, even though the camera is on, which is just what I
>> want. Even if I shine a flashlight on it, all I see is a dim blob of
>> light, so the tape is working nicely. And that is how you can control a
>> very high tech device with a very low tech device. Note that covering
>> up the mic with tape won't really stop it's function though.
>>
>> Now you may or may not want to tape your camera. So, assuming you don't
>> have a virus or secret spyware on your system, here's how to stop flash
>> from accessing your camera and mic without your permission. I use both
>> the tape as well as these settings. I don't know for sure if Java can
>> access the camera and mic. But, if it can, the only way I know to stop
>> it is to uninstall Java. I'll probably uninstall Java on my sister's
>> machine and Dad's machine to reduce the other security concerns
>> associated with it. I don't think they need it anyway.
>>
>> Some of you might say, don't use flash, but for my purposes, I don't
>> find that practical. I have flash on both Windows and Linux. If you're
>> running flash on Linux, this applies to you.
>>
>> Flash settings are controlled through an online app on the Adobe /
>> Macromedia website. Assuming you have flash installed, go to the site
>> below to access the Flash settings manager. If using something like
>> Noscript in Firefox, you'll have to trust adobe.com and macromedia.com.
>> Here's are the addresses:
>>
>> You can check the version of flash on your system here:
>> http://www.adobe.com/software/flash/about/
>> They've been ramping the versions quite often lately. As of this
>> moment, the current one is 11.0.1.152.
>>
>> Here is the settings manager.
>>
>> http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager.html
>>
>> Note, you can right click a flash object in Windows IE and click
>> settings and a settings widget will pop up, however, you don't get all
>> the settings. I would use the website. I'm only going to mention the
>> mic and camera settings here, but I would recommend checking all the
>> flash settings here to make sure your're not allowing flash cookies, old
>> security, flash storage, and flash peer to peer networking, if you wish
>> to really keep your shields high, as I do. I can elaborate on those
>> procedures if desired. Note that if you delete flash, these settings
>> may be erased. If you update flash, they SHOULD stay there, but I check
>> them whenever I do an update.
>>
>> Once you load the settings page, you will see some links at the left.
>>
>> Click Global Privacy Settings Panel.
>>
>> There are two buttons. One says Always Deny - which automatically
>> rejects any request from a flash app to access your camera and mic.
>> This is the one I choose. The other says Always Ask - which,
>> presumably, will ask you every time a flash app wants access to your
>> camera and mic.
>>
>> There is a bug in the settings manager, whereby it sometimes doesn't
>> accept the settings. This screen has no status indicator to show how
>> it's set, so I do the following to make sure it's set.
>>
>> Click Always Deny and then confirm the action. Do this 3 times. Click
>> Global Privacy Settings Panel again.
>> Click Always Deny and then confirm the action. Do this 3 times. Click
>> Global Privacy Settings Panel again. (Yes I meant to write that twice.)
>>
>> Now click Website Privacy Settings Panel.
>>
>> This is where you can override the default settings. You should see a
>> list of sites you've visited which activated flash. The list may be
>> quite long. If you want all sites to follow your new policy, click
>> Delete All Sites to remove everything from the list. All future sites
>> you visit will, by default, use the settings you set in the prior step.
>> Let's say that now I go to skype.com, and I DO want to allow access to
>> the camera and mic. After loading skype.com in the web browser, open a
>> new tab and go back to the settings manager and click on the Website
>> Privacy Settings Panel. You should now see skype.com in the list. It
>> will have a symbol by it which indicates the settings for that site. If
>> you clicked Always Deny in the prior step, as I did, there should be a
>> red circle with a white horizontal line through it. This means that
>> skype.com will always be denied access to the camera and mic and it
>> won't ask you. Every new site that activates flash will get an entry in
>> this box with the same symbol.
>>
>> To allow skype.com to access the camera, click on its name in this box.
>> Once you click the site name, some radio buttons above will light up.
>> There, you can select Always Deny, Always Allow, or Always Ask
>> permissions for THIS site only to access your camera and mic. In this
>> case, you could click Always Ask or Always Allow. Note that you cannot
>> set Always Allow from the Global settings screen. This setting should
>> take effect immediately. But, you can click on the Website Privacy
>> Settings Panel link again to refresh the page and see if it saved the
>> settings.
>>
>> Using these settings, you can tightly control access to the camera and
>> mic for non malicious websites. A malicious site may be able to bypass
>> these features. A virus or spyware won't be using flash probably but
>> will be talking to your hardware directly - hence the Gorilla Tape and
>> deleted mic driver in my case.
>>
>> Later I'm going to share 2 days worth of application install hell
>> experiences caused by DEP (Data Execution Protection). Too tired of
>> typing now. This other topic applies to Windows, Linux, and Mac.
>>
>> From Wikipedia:
>>
>> http://en.wikipedia.org/wiki/Data_Execution_Prevention
>>
>> Data Execution Prevention (DEP) is a security feature included in modern
>> operating systems. It is known to be available in Linux, Mac OS X, and
>> Microsoft Windows operating systems and is intended to prevent an
>> application or service from executing code from a non-executable memory
>> region. This helps prevent certain exploits that store code via a buffer
>> overflow, for example.[1] DEP runs in two modes: hardware-enforced DEP
>> for CPUs that can mark memory pages as nonexecutable, and
>> software-enforced DEP with a limited prevention for CPUs that do not
>> have hardware support. Software-enforced DEP does not protect from
>> execution of code in data pages, but instead from another type of attack
>> (SEH overwrite).
>>
>> DEP was introduced on Linux in 2000, on Windows in 2004 with Windows XP
>> Service Pack 2,[2] while Apple introduced DEP in 2006.[1]
>>
>> More later.
>>
>> Sincerely,
>>
>> Ron
>>
--
(PS - If you email me and don't get a quick response, you might want to
call on the phone. I get about 300 emails per day from alternate energy
mailing lists and such. I don't always see new messages very quickly.)
Ron Frazier
770-205-9422 (O) Leave a message.
linuxdude AT c3energy.com
More information about the Ale
mailing list