[ale] webcam privacy concerns / flash settings

Michael B. Trausch mike at trausch.us
Wed Oct 5 12:34:12 EDT 2011


On Wed, Oct 05, 2011 at 01:29:53AM -0400, Ron Frazier wrote:
> Hi Guys,
>
> I'm going to post some experiences I've been having with Windows
> regarding webcam privacy.  I'm posting it here for two reasons.  1)
> Some of you dual boot like I do or have exposure to Windows either
> by necessity or choice for whatever reason, and 2) some of it could
> apply to Linux.  I'm posting it just in case someone reading it may
> avoid some of the hell I've been going through.  If anyone wants to,
> they can address how to deal with similar issues in Linux.

I don't know about everyone else, but I have one simple rule that
keeps me safe: I don't go anywhere on the Internet that I am not
familiar with on my production system.  For that matter, if I have
some reason to distrust a site, or even if the site just doesn't
"feel" right, I don't go there again.

But, if you feel that flirting with danger is up your alley, and you
don't want Flash to access your Web cam, either compile your kernel
without V4L(2) drivers, or compile your Web cam driver as a module,
blacklist it, and ensure that it is rmmod'ed when not in otherwise
legitimate use.

Ron, you give me many reasons to go right on loving my OS of choice.
Total control and simplicity.  I don't have to do any right-clicking,
hokey-pokey song and dance, grueling incantations or any other such
voodoo.  I don't even have to touch my mouse!  :-)

> Later I'm going to share 2 days worth of application install hell
> experiences caused by DEP (Data Execution Protection).  Too tired of
> typing now.  This other topic applies to Windows, Linux, and Mac.

NX has been used on many operating systems for quite some time.

If you are having issues with it, then that would indicate a problem
with the quality of your operating system or the software itself.  If
it's free software, see if it can't be improved; otherwise, report the
problems and be done with it.

NX is the name of the bit that is used in the page table, called "No
eXecute".  DEP is the Microsoft name for the technology.

> From Wikipedia:
>
> http://en.wikipedia.org/wiki/Data_Execution_Prevention
>
> Data Execution Prevention (DEP) is a security feature included in
> modern operating systems. It is known to be available in Linux, Mac
> OS X, and Microsoft Windows operating systems and is intended to
> prevent an application or service from executing code from a
> non-executable memory region. This helps prevent certain exploits
> that store code via a buffer overflow, for example.[1] DEP runs in
> two modes: hardware-enforced DEP for CPUs that can mark memory pages
> as nonexecutable, and software-enforced DEP with a limited
> prevention for CPUs that do not have hardware
> support. Software-enforced DEP does not protect from execution of
> code in data pages, but instead from another type of attack (SEH
> overwrite).
>
> DEP was introduced on Linux in 2000, on Windows in 2004 with Windows
> XP Service Pack 2,[2] while Apple introduced DEP in 2006.[1]

It is definitely old enough---even on OS X---to be something that
everyone should've adapted to by now.

I wonder if there is a public wall of shame type thing on the Internet
where applications and libraries that don't play nicely with things
like NX are listed...

Interestingly enough, before support for NX was built into hardware on
x86-64 systems, OpenBSD (or maybe it was NetBSD, I don't recall at the
moment) introduced a software implementation of a similar security
feature, called W^X; pages could be writable but not executable, or
the inverse could be true.

Even Android supports it on the ARM hardware that it runs on.  :)

As far as I'm aware these days, there are no more programs that rely
on dynamic recompilation in order to get their jobs done, because
dynamic recompilation and NX are mutually incompatible with each
other.  Those are the only types of programs that I can think of that
actually need such protection to be disabled, and there is no longer a
reason to use such programs, so all programs should, in theory, work
today with such protection enabled.

     --- Mike
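The module-blacklist approach Mike describes above, scripted as an added example (this is not from the original mail or from the ALE list). It assumes a modern Linux where the webcam driver is built as a module, that the module is the common USB Video Class driver `uvcvideo` (override `WEBCAM_MODULE` for another driver), and that the blacklist file path under `/etc/modprobe.d/` is acceptable; the install/on/off functions need root, while the helpers that inspect `lsmod`-style text run unprivileged on a constructed sample.

```shell
#!/bin/sh
# Added example, not part of the original post. Keep the webcam driver
# blacklisted so it never autoloads, and load/unload it only around
# legitimate use. Module name and file path below are assumptions.

WEBCAM_MODULE="${WEBCAM_MODULE:-uvcvideo}"
BLACKLIST_FILE="/etc/modprobe.d/webcam-blacklist.conf"

# Contents of the blacklist file. "blacklist" stops udev/hotplug autoloading
# of the module but still allows an explicit "modprobe <name>" later.
webcam_blacklist_conf() {
    printf 'blacklist %s\n' "$1"
}

# Return 0 if the named module appears in lsmod-style output on stdin
# (first column is the module name; line 1 is the header).
module_loaded_in() {
    awk -v m="$1" 'NR > 1 && $1 == m { found = 1 } END { exit !found }'
}

# Is the module loaded on this machine right now?
webcam_loaded() {
    lsmod | module_loaded_in "$WEBCAM_MODULE"
}

# Write the blacklist file (needs root). Idempotent.
webcam_install_blacklist() {
    webcam_blacklist_conf "$WEBCAM_MODULE" > "$BLACKLIST_FILE"
}

# Load the driver only when the camera is actually needed (needs root).
webcam_on() {
    modprobe "$WEBCAM_MODULE"
}

# Unload it afterwards (needs root). modprobe -r fails if some process still
# holds the device open, which is itself worth knowing about.
webcam_off() {
    modprobe -r "$WEBCAM_MODULE"
}

# Constructed sample of lsmod output, used to exercise module_loaded_in
# without touching the running kernel.
SAMPLE_LSMOD='Module                  Size  Used by
uvcvideo               98304  0
videobuf2_core         49152  1 uvcvideo'

# Demo on the constructed sample: prints "loaded" or "not loaded".
webcam_demo_status() {
    if printf '%s\n' "$SAMPLE_LSMOD" | module_loaded_in "$1"; then
        echo loaded
    else
        echo "not loaded"
    fi
}

# Usage:  ./webcam.sh on | off | status
case "${1:-}" in
    on)     webcam_on ;;
    off)    webcam_off ;;
    status) if webcam_loaded; then echo "$WEBCAM_MODULE loaded"
            else echo "$WEBCAM_MODULE not loaded"; fi ;;
esac
```

Blacklisting alone only stops automatic loading; the `webcam_off` step is what actually removes the driver between uses, and a failing `modprobe -r` tells you something still has the device open.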

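Mike's point about NX and W^X is that a page should be writable or executable but not both. The following audit script is an added example, not from the original mail or the ALE list: it reads `/proc/<pid>/maps` on Linux (permission flags are the second column, e.g. `rwxp`) and reports any mapping that is both writable and executable, which is exactly where the NX bit cannot protect you. The `/proc` path format is assumed to be the standard Linux one; the sample maps text embedded below is constructed so the helpers can be exercised offline.

```shell
#!/bin/sh
# Added example, not part of the original post: find writable+executable
# (W+X) mappings, the regions where NX offers no protection.

# Read /proc/<pid>/maps-format lines on stdin and print every mapping whose
# permissions contain both 'w' and 'x'. Output: "<range> <perms> <path>".
wx_mappings() {
    awk '$2 ~ /w/ && $2 ~ /x/ {
            path = (NF >= 6) ? $6 : "[anon]"
            print $1, $2, path
        }'
}

# Count W+X mappings on stdin (prints the number).
wx_count() {
    wx_mappings | wc -l | tr -d ' '
}

# Audit a live PID (default: this shell). Returns 1 if any W+X mapping
# exists so the function can gate a check script.
wx_audit_pid() {
    pid="${1:-$$}"
    n=$(wx_count < "/proc/$pid/maps")
    if [ "$n" -eq 0 ]; then
        echo "pid $pid: no writable+executable mappings"
        return 0
    fi
    echo "pid $pid: $n writable+executable mapping(s):"
    wx_mappings < "/proc/$pid/maps"
    return 1
}

# Constructed sample in /proc/<pid>/maps format: a normal r-x text segment,
# two rw- data regions, and one anonymous rwx region (the kind a JIT or a
# dynamic recompiler creates).
SAMPLE_MAPS='55d0c0a00000-55d0c0a01000 r-xp 00000000 08:01 1234 /usr/bin/cat
7f3a2c000000-7f3a2c021000 rw-p 00000000 00:00 0
7f3a2d000000-7f3a2d010000 rwxp 00000000 00:00 0
7f3a2e000000-7f3a2e001000 rw-p 00000000 00:00 0 [stack]'

# Demo helpers over the constructed sample.
wx_demo_count() {
    printf '%s\n' "$SAMPLE_MAPS" | wx_count
}
wx_demo_list() {
    printf '%s\n' "$SAMPLE_MAPS" | wx_mappings
}

# Uncomment to audit every process you can read:
# for p in /proc/[0-9]*; do wx_audit_pid "${p#/proc/}"; done
```

A process that shows up here is either a JIT-style program of the kind Mike mentions or something that has deliberately remapped memory as RWX; either way it is the process worth looking at first when deciding whether NX is actually doing anything for you.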
