[ale] webcam privacy concerns / flash settings
Ron Frazier
atllinuxenthinfo at c3energy.com
Wed Oct 5 15:32:30 EDT 2011
Hi Mike,
comments in line below
On 10/5/2011 12:34 PM, Michael B. Trausch wrote:
> On Wed, Oct 05, 2011 at 01:29:53AM -0400, Ron Frazier wrote:
>
>> Hi Guys,
>>
>> I'm going to post some experiences I've been having with Windows
>> regarding webcam privacy. I'm posting it here for two reasons. 1)
>> Some of you dual boot like I do or have exposure to Windows either
>> by necessity or choice for whatever reason, and 2) some of it could
>> apply to Linux. I'm posting it just in case someone reading it may
>> avoid some of the hell I've been going through. If anyone wants to,
>> they can address how to deal with similar issues in Linux.
>>
> I don't know about everyone else, but I have one simple rule that
> keeps me safe: I don't go anywhere on the Internet that I am not
> familiar with on my production system. For that matter, if I have
> some reason to distrust a site, or even if the site just doesn't
> "feel" right, I don't go there again.
>
>
I agree with that type of conservative philosophy. I use Noscript in
Firefox, and don't trust any site for scripting unless I have reason to
believe it's credible. Avoiding known shady sites is a good idea on any
OS. One neat thing with Noscript is that you can temporarily trust a
site that you may only visit once. When you restart, that permission
goes away. That way your white list doesn't keep growing and growing.
One problem is that sometimes, you can't know where the danger is.
Let's say you like to go to the New York times website. Normally,
that's trustworthy and safe, and perhaps you run scripting and flash.
The problem comes into play if the site is hacked, and becomes malicious
without your knowledge, or without the owners' knowledge. Another way
this can happen is that third party data streams, like ads, become
contaminated. This actually happened to the New York Times not too long
ago, and some people got trojans on their systems by visiting the site.
Now, I might even be subject to that with scripting and flash enabled.
Hopefully, other security measures I take will contain the potential
damage. At least they won't be watching me on the camera. On occasion,
I clear out my Noscript white list, then just retrust the sites that I
need that are broken, like my bank, for example.
> But, if you feel that flirting with danger is up your alley, and you
> don't want Flash to access your Web cam, either compile your kernel
> without V4L(2) drivers, or compile your Web cam driver as a module,
> blacklist it, and ensure that it is rmmod'ed when not in otherwise
> legitimate use.
>
>
I'm sure that's a valid procedure. I don't know how to do that, but I
could learn. However, my Dad never will. If I had to, I could talk him
through the security procedures I mentioned before on the phone. Better
yet, I just set his system to be secure before he uses it. Then, if he
ever needs a camera, or needs something that reduces security, we can
address that.
> Ron, you give me many reasons to go right on loving my OS of choice.
> Total control and simplicity. I don't have to do any right-clicking,
> hokey-pokey song and dance, grueling incantations or any other such
> voodoo. I don't even have to touch my mouse! :-)
>
>
I understand. Everybody has different preferences. I'm not trying to
convert anyone, just acknowledging the fact that I and many people use
both systems. Windows is a tool. Linux is a tool. I'm not married to
either, and I use both. There are some times when Windows can do things
for me that Linux cannot, and there are times when Linux can do things
for me that Windows cannot. I try to keep both sides of my dual boot
fence functionally equivalent, so I can do any task from either system.
I'm able to do that about 90% - 95% of the time. Having two systems on
each PC has the nice side effect that, if one is infected or crashes, I
can boot into the other as a backup and keep doing most of what I'm used
to doing. Also, the Linux side can read the data from the Windows side,
although not the other way around. Personally, I prefer to use the
mouse even when I'm in Linux. I can certainly work my way around a
command line. I'm a good typist, and I've had years of precursor
experience in DOS years ago. (I know the Linux terminal window is more
powerful than DOS.) In many cases, I can poke through the menus of the
GUI and figure out how to do something faster the first time than it
would be to figure out how to do it from the command line. Now,
granted, I might be able to do it faster from the command line the
second time.
>> Later I'm going to share 2 days worth of application install hell
>> experiences caused by DEP (Data Execution Protection). Too tired of
>> typing now. This other topic applies to Windows, Linux, and Mac.
>>
> NX has been used on many operating systems for quite some time.
>
> If you are having issues with it, then that would indicate a problem
> with the quality of your operating system or the software itself. If
> it's free software, see if it can't be improved; otherwise, report the
> problems and be done with it.
>
> NX is the name of the bit that is used in the page table, called "No
> eXecute". DEP is the Microsoft name for the technology.
>
>
>> From Wikipedia:
>>
>> http://en.wikipedia.org/wiki/Data_Execution_Prevention
>>
>> Data Execution Prevention (DEP) is a security feature included in
>> modern operating systems. It is known to be available in Linux, Mac
>> OS X, and Microsoft Windows operating systems and is intended to
>> prevent an application or service from executing code from a
>> non-executable memory region. This helps prevent certain exploits
>> that store code via a buffer overflow, for example.[1] DEP runs in
>> two modes: hardware-enforced DEP for CPUs that can mark memory pages
>> as nonexecutable, and software-enforced DEP with a limited
>> prevention for CPUs that do not have hardware
>> support. Software-enforced DEP does not protect from execution of
>> code in data pages, but instead from another type of attack (SEH
>> overwrite).
>>
>> DEP was introduced on Linux in 2000, on Windows in 2004 with Windows
>> XP Service Pack 2,[2] while Apple introduced DEP in 2006.[1]
>>
>
That Wikipedia article mentions the term NX, I just didn't think about
typing it.
> It is definitely old enough---even on OS X---to be something that
> everyone should've adapted to by now.
>
> I wonder if there is a public wall of shame type thing on the Internet
> where applications and libraries that don't play nicely with things
> like NX are listed...
>
That would be cool.
> Interestingly enough, before support for NX was built into hardware on
> x86-64 systems, OpenBSD (or maybe it was NetBSD, I don't recall at the
> moment) introduced a software implementation of a similar security
> feature, called W^X; pages could be writable but not executable, or
> the inverse could be true.
>
> Even Android supports it on the ARM hardware that it runs on. :)
>
> As far as I'm aware these days, there are no more programs that rely
> on dynamic recompilation in order to get their jobs done, because
> dynamic recompilation and NX are mutually incompatible with each
> other. Those are the only types of programs that I can think of that
> actually need such protection to be disabled, and there is no longer a
> reason to use such programs, so all programs should, in theory, work
> today with such protection enabled.
>
> --- Mike
>
I'm going to save most of my comments on DEP / NX for another post. I
just haven't had time to type it up yet. I agree, by this point, you
should never have to disable DEP / NX. Things should just work. For
now, I'll just say that the Java Installer was one application that was
giving me hell. I had DEP set to all on all the time in Windows 7. The
installer would just immediately crash. It was driving me insane.
Assuming the OS functions are working right, you'd think the Sun /
Oracle programmers would have a handle on this. Having said that, the
Windows default is DEP / NX for only Windows programs, so there probably
aren't many users which have the thing set like I do. I have not had a
problem in Linux as of yet, but I also haven't tinkered with the NX
settings in Linux. I'll provide more details as soon as I get a chance
to type it up.
Sincerely,
Ron
--
(PS - If you email me and don't get a quick response, you might want to
call on the phone. I get about 300 emails per day from alternate energy
mailing lists and such. I don't always see new messages very quickly.)
Ron Frazier
770-205-9422 (O) Leave a message.
linuxdude AT c3energy.com
More information about the Ale
mailing list