[ale] webcam privacy concerns / flash settings
John Pilman
jcpilman at gmail.com
Wed Oct 5 06:48:37 EDT 2011
I always liked the approach taken by Balok in Star Trek. But then, he
was defeated by the Corbomite Maneuver.
Actually, thanks for the post. My laptop has a camera that I don't
use, but I don't know if anyone else is using it.
...John
On Wed, Oct 5, 2011 at 1:29 AM, Ron Frazier
<atllinuxenthinfo at c3energy.com> wrote:
> Hi Guys,
>
> I'm going to post some experiences I've been having with Windows
> regarding webcam privacy. I'm posting it here for two reasons. 1) Some
> of you dual boot like I do or have exposure to Windows either by
> necessity or choice for whatever reason, and 2) some of it could apply
> to Linux. I'm posting it just in case someone reading it may avoid some
> of the hell I've been going through. If anyone wants to, they can
> address how to deal with similar issues in Linux.
>
> Webcam privacy
>
> As many of you know, many new notebook computers come with a built in
> webcam and a microphone. This is handy if you're doing video
> conferencing, but can also be a dangerous way to invade your privacy.
> There have been occurrences of viruses which secretly turn on the web
> cam and mic and send a record of whatever you're doing to the cracker.
> I believe there have also been occurrences of websites which do the same
> thing with java and / or flash. Most people, including myself, don't
> want total strangers spying on them while they use their computers.
> There was also a lawsuit where technicians of a school system had
> installed spy software on the school's PCs prior to giving them to the
> students. It was an official action, presumably to help find the
> laptops if they were stolen. However, the staff was using it to spy on
> the students without authorization while the students were in their own
> homes.
>
> So I decided to A) find out if the camera and mic were active, and B)
> disable them. Note that these components cannot be physically removed
> or disconnected easily. I first had to see if my notebook even has a
> mic. After 20 minutes studying the manual, and trying to figure out
> which parts of it applied, I determined that my machine has both a
> webcam (which was obvious) and a mic (which was not obvious). Finally,
> I found a tiny pinhole in the front bezel, which is the mic. They may
> not always be visible though. To see if the mic was working, I loaded
> up Windows sound recorder. Even before starting a capture, I could see
> the volume graph fluctuating as I made some noise around the machine.
> So, I've got a hot mic. Then, to check the camera, I loaded up the
> camera utility that came with the machine. Sure enough, my mugshot pops
> up on the screen. The colors were all wrong, but that's another matter.
>
> At that point, I decided I wanted to permanently (unless I reinstall
> something) disable these things. If I want a mic, I'll plug in a
> headset; and if I want a camera, I'll plug one in. I went to the
> Windows device manager and looked for the mic. Couldn't find it. I
> then opened the sound control panel and went to the recording tab.
> There I found the mic device and told the system to delete it. I don't
> remember the exact command. I then rebooted and restarted the sound
> recorder. It immediately gives an error message that there is no
> recording device found, which is just what I wanted. So far, so good.
>
> I went back to the device manager and found a USB Webcam. I selected
> the device and told Windows to disable the driver. I then rebooted and
> started the camera app again. BOOM. There I am on the screen again.
> Darn it. I went back to device manager and told the system to DELETE
> the driver. Rebooted. Started the camera app. BOOM. There I am
> again! My image is now upside down, and the colors are wrong still, but
> it's there! The point being, you can't turn off the stinking camera.
> Nothing I could do from a software point of view would stop the camera
> from working. Being the clever engineer that I am, I headed to the
> pantry and pulled out a roll of Gorilla Tape. It's thick, strong, and
> black. I sliced off a 1/2" x 1" piece of tape and affixed it right over
> the top of the camera lens. I made sure that I positioned it in such a
> way that I could still see the LED light which is supposed to come on if
> the camera is active. Now, I can activate the camera app and see
> nothing at all, even though the camera is on, which is just what I
> want. Even if I shine a flashlight on it, all I see is a dim blob of
> light, so the tape is working nicely. And that is how you can control a
> very high tech device with a very low tech device. Note that covering
> up the mic with tape won't really stop its function though.
>
> Now you may or may not want to tape your camera. So, assuming you don't
> have a virus or secret spyware on your system, here's how to stop flash
> from accessing your camera and mic without your permission. I use both
> the tape as well as these settings. I don't know for sure if Java can
> access the camera and mic. But, if it can, the only way I know to stop
> it is to uninstall Java. I'll probably uninstall Java on my sister's
> machine and Dad's machine to reduce the other security concerns
> associated with it. I don't think they need it anyway.
>
> Some of you might say, don't use flash, but for my purposes, I don't
> find that practical. I have flash on both Windows and Linux. If you're
> running flash on Linux, this applies to you.
>
> Flash settings are controlled through an online app on the Adobe /
> Macromedia website. Assuming you have flash installed, go to the site
> below to access the Flash settings manager. If using something like
> Noscript in Firefox, you'll have to trust adobe.com and macromedia.com.
> Here are the addresses:
>
> You can check the version of flash on your system here:
> http://www.adobe.com/software/flash/about/
> They've been ramping the versions quite often lately. As of this
> moment, the current one is 11.0.1.152.
>
> Here is the settings manager.
>
> http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager.html
>
> Note, you can right click a flash object in Windows IE and click
> settings and a settings widget will pop up, however, you don't get all
> the settings. I would use the website. I'm only going to mention the
> mic and camera settings here, but I would recommend checking all the
> flash settings here to make sure you're not allowing flash cookies, old
> security, flash storage, and flash peer to peer networking, if you wish
> to really keep your shields high, as I do. I can elaborate on those
> procedures if desired. Note that if you delete flash, these settings
> may be erased. If you update flash, they SHOULD stay there, but I check
> them whenever I do an update.
>
> Once you load the settings page, you will see some links at the left.
>
> Click Global Privacy Settings Panel.
>
> There are two buttons. One says Always Deny - which automatically
> rejects any request from a flash app to access your camera and mic.
> This is the one I choose. The other says Always Ask - which,
> presumably, will ask you every time a flash app wants access to your
> camera and mic.
>
> There is a bug in the settings manager, whereby it sometimes doesn't
> accept the settings. This screen has no status indicator to show how
> it's set, so I do the following to make sure it's set.
>
> Click Always Deny and then confirm the action. Do this 3 times. Click
> Global Privacy Settings Panel again.
> Click Always Deny and then confirm the action. Do this 3 times. Click
> Global Privacy Settings Panel again. (Yes I meant to write that twice.)
>
> Now click Website Privacy Settings Panel.
>
> This is where you can override the default settings. You should see a
> list of sites you've visited which activated flash. The list may be
> quite long. If you want all sites to follow your new policy, click
> Delete All Sites to remove everything from the list. All future sites
> you visit will, by default, use the settings you set in the prior step.
> Let's say that now I go to skype.com, and I DO want to allow access to
> the camera and mic. After loading skype.com in the web browser, open a
> new tab and go back to the settings manager and click on the Website
> Privacy Settings Panel. You should now see skype.com in the list. It
> will have a symbol by it which indicates the settings for that site. If
> you clicked Always Deny in the prior step, as I did, there should be a
> red circle with a white horizontal line through it. This means that
> skype.com will always be denied access to the camera and mic and it
> won't ask you. Every new site that activates flash will get an entry in
> this box with the same symbol.
>
> To allow skype.com to access the camera, click on its name in this box.
> Once you click the site name, some radio buttons above will light up.
> There, you can select Always Deny, Always Allow, or Always Ask
> permissions for THIS site only to access your camera and mic. In this
> case, you could click Always Ask or Always Allow. Note that you cannot
> set Always Allow from the Global settings screen. This setting should
> take effect immediately. But, you can click on the Website Privacy
> Settings Panel link again to refresh the page and see if it saved the
> settings.
>
> Using these settings, you can tightly control access to the camera and
> mic for non-malicious websites. A malicious site may be able to bypass
> these features. A virus or spyware won't be using flash probably but
> will be talking to your hardware directly - hence the Gorilla Tape and
> deleted mic driver in my case.
>
> Later I'm going to share 2 days' worth of application install hell
> experiences caused by DEP (Data Execution Protection). Too tired of
> typing now. This other topic applies to Windows, Linux, and Mac.
>
> From Wikipedia:
>
> http://en.wikipedia.org/wiki/Data_Execution_Prevention
>
> Data Execution Prevention (DEP) is a security feature included in modern
> operating systems. It is known to be available in Linux, Mac OS X, and
> Microsoft Windows operating systems and is intended to prevent an
> application or service from executing code from a non-executable memory
> region. This helps prevent certain exploits that store code via a buffer
> overflow, for example.[1] DEP runs in two modes: hardware-enforced DEP
> for CPUs that can mark memory pages as nonexecutable, and
> software-enforced DEP with a limited prevention for CPUs that do not
> have hardware support. Software-enforced DEP does not protect from
> execution of code in data pages, but instead from another type of attack
> (SEH overwrite).
>
> DEP was introduced on Linux in 2000, on Windows in 2004 with Windows XP
> Service Pack 2,[2] while Apple introduced DEP in 2006.[1]
>
> More later.
>
> Sincerely,
>
> Ron
>
> --
>
> (PS - If you email me and don't get a quick response, you might want to
> call on the phone. I get about 300 emails per day from alternate energy
> mailing lists and such. I don't always see new messages very quickly.)
>
> Ron Frazier
>
> 770-205-9422 (O) Leave a message.
> linuxdude AT c3energy.com
>
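For the Linux side that the quoted post leaves open, and for the question of whether anything is using a laptop camera or mic, here is an added example that is not part of either message in this thread. It lists the processes that currently hold a capture device open, assuming V4L2 cameras appear as /dev/video* and ALSA capture nodes as /dev/snd/pcmC*D*c; the function name `capture_holders` and its optional proc-root argument are chosen here for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): show which processes have a camera
# or microphone capture device open on Linux.
# Assumptions: V4L2 cameras are /dev/video<N>; ALSA capture nodes are
# /dev/snd/pcmC<card>D<device>c (the trailing "c" means capture).

# capture_holders [PROC_ROOT]
# Prints one "pid<TAB>command<TAB>device" line per open capture device.
# PROC_ROOT defaults to /proc; the override lets the scan run against a
# copied or constructed tree. The body is a subshell so no variables leak.
capture_holders() (
    proc_root="${1:-/proc}"
    for fd in "$proc_root"/[0-9]*/fd/*; do
        # Entries we cannot read (other users' processes, a process that
        # just exited, an unmatched glob) make readlink fail: skip them.
        target=$(readlink "$fd" 2>/dev/null) || continue
        case "$target" in
            /dev/video[0-9]*|/dev/snd/pcmC*D*c) ;;
            *) continue ;;
        esac
        pid=${fd#"$proc_root"/}   # strip the proc root prefix
        pid=${pid%%/*}            # keep only the pid directory name
        comm=$(cat "$proc_root/$pid/comm" 2>/dev/null) || comm="?"
        printf '%s\t%s\t%s\n' "$pid" "$comm" "$target"
    done | sort -u
)

# Run as root to see every process; an unprivileged run only sees your own.
holders=$(capture_holders)
if [ -n "$holders" ]; then
    printf 'Capture devices in use:\n%s\n' "$holders"
else
    echo "No visible process has a camera or mic capture device open."
fi
```

A sound server that owns the mic will normally show up here; the entries to look at are the ones you do not recognise.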