I know this thread will probably get politicized, but I see nothing wrong (or necessarily hypocritical; he's law enforcement, not IC) with his advice here.
It's not a bad thing to do, it's just hypocritical of him to value his own privacy but tell everyone else they need to give up theirs and let the FBI and NSA have access to everything they want to keep private.
Why would you be concerned about the FBI or the NSA knowing about the content of your digital communiques if you have nothing to hide? Even the most ardent supporter of personal freedoms will admit that the government observing you over a network is the same as taking pictures of you with a telephoto lens on a busy street. The truth is the same: there are too many people and you aren't special enough to deserve personal surveillance.
What the NSA is doing right now, and what the FBI would like access to, is in no way similar to taking pictures of you on a busy street.
What the NSA has is every intersection wired up with cameras, recording 24 hours a day, and all of it indexed with facial recognition and license plate readers.
No organization should have that much information or reach at their fingertips, no matter how virtuous the mission or the people working there.
> Even the most ardent supporter of personal freedoms will admit that the government observing you over a network is the same as taking pictures of you with a telephoto lens on a busy street.
Is it? If i'm having a 1 to 1 conversation with someone online then that is a private conversation. There monitoring my traffic is more like opening the letters I would be sending that person.
More fundamentally though, the meat space public/private divide does not map at all to the cyber space one, all analogies and laws to apply one to the other are flawed.
Are we really still building a brick wall between "nothing to hide" and "prefer to keep personal"? I'm asking this as far away from the legal and moral realms as possible; do people just not even deserve the basic benefit of having aspects of their day-to-day kept to themselves, even if it might not be inherently and/or objectively wrong?
Because that's the question I hear being begged when the "you have nothing to hide" counterpoint is brought up. You've got nothing to hide, so let me just look anyway. Sure it's none of my business, and I have no actionable legal right to it, but it's not illegal so why don't you want me to see it?
Oh please. They can probably harvest the lot. It'll be some algorithm that deems you worthy or otherwise or gets you on an "of interest" list. Let's keep "personal surveillance" for '50s spy movies and Banksy murals.
More generally, what about the chilling effect on legal and legitimate conversation?
It'll be some algorithm that deems you worthy or otherwise or gets you on an "of interest" list.
...or your association with "Occupy" or some other political protest movement that someone in power disagrees with, or that your wife bullied some politician's wife for two weeks in school, or that your interfering neighbour with a petty dislike of how you landscape your garden works as a government clerk and can access your data.
There are many reasons why some individual might want to know private things about some other individual. When individuals with some tiny (or vast) power want to wield it over anyone else, especially when they can do it with little oversight, it's very tempting.
That "the government" has access to my private information does not mean it's blind and faceless. It's made up of people with complex motivations.
The reason why we don't give broad general search powers to the government (or at least, in theory don't give the government broad general search powers) is because the government can prosecute people, and given enough information they can find a reason to prosecute anyone. Which then fully opens the floodgates to selective prosecution: anyone who's disliked by someone in power will simply be prosecuted and likely convicted and jailed, because everyone will have done something that an all-seeing government can prosecute for.
Cardinal Richelieu is alleged to have said that, given seven lines written by the most honest of men, he could find something in them to create a capital offense and have the man hanged. I'd rather not live in a society where anyone has that kind of power.
Perhaps he's not concerned about the FBI and NSA viewing him in the buff (seems to be a recurring theme here - am I the only person who uses his computer fully clothed?) but rather the Russians/Chinese/enemy.
He might be wrong (about wanting to able to snoop), but it isn't hypocritical. He is saying protect yourself from illegal hacking by bad actors, but submit to legal snooping by the government. Again, he might be wrong about wanting various legal means to snoop on people, but not hypocritical.
Typical mind fallacy here, I think. I don't imagine the directory of the FBI gives one whit about "privacy." Instead, picture them spending all day thinking about "national security." Citizens have to tell the government everything—because doing so enhances national security. The government must not reveal anything to its citizens—because doing so would compromise national security. Pretty straightforward.
From a user perspective it is hard to know whether the webcam LED is software controlled. If it is software controlled, e.g. by the webcam driver, it is prone to manipulation and could remain off while the webcam is recording.
Of course, there are many cameras that do not even have an activity indiator (LED), e.g. stand-alone cameras, or simply your phone front and back camera. I find it a good habit to cover all cameras, regardless of wether they have an indicator.
In addition to the attacks that others have mentioned here, I've also heard folks comment previously on the possibility of turning on the camera very briefly, just long enough for a single still shot. If it was done fast enough, the brief flicker of the LED might not be noticeable.
(Like you, I had always assumed that the power for the webcam was literally in series with the LED, so that disabling the LED would render the camera inoperable. That seemed like the obvious way to do it if you wanted to provide a truly reliable signal. But evidently that's not the case.)
Perhaps you mean in parallel. An LED is driven by 20 mA, whereas a camera requires more like 200 mA, so it's not feasible to wire them in series - either the LED will burn out or the camera won't power up.
Yeah, I was pretty sure I was being a little sloppy by using the term "series" (for shame, physics prof, for shame!), but I was hoping to evoke the general sense of "if current doesn't flow through the LED for any reason, the camera can't turn on." Honestly, I'm not 100% certain offhand of a way to wire that (which is why I didn't want to be specific earlier, despite using a specific term: shoulda added some weasel words :) ). Do the LED and the camera run off of the same voltage? (If not, then parallel wiring won't work, either.)
Maybe you could add a capacitor to keep the LED going for a bit longer after the power cuts. The power off dimming might be aesthetically pleasing too.
>I had always assumed that the power for the webcam was literally in series with the LED
If I were tasked with making a webcam circuit, I'd make sure the light and the sensor were always powered together. So I (naively) assumed that's how everyone would do it.
This is what I find ridiculous. Is there any real value in NOT hardwiring the camera power to the LED? Consumers should demand that the camera light not be under software control and that it always reflect the true power state of the camera. Something similar should be done with the microphone. There is no excuse for a situation where I have to put tape on my camera.
> There is no excuse for a situation where I have to put tape on my camera.
And yet, we happen to live in a world where practically no customer has the needed expertise to verify for themselves if the LED reflects the true state of the camera or not, and if they had it they'd not care any less. A world where corporations misuse technology to betray customer's confidence and break the law, and when those get caught, get away with no more than a slap in the hand (as in the VW emission control hack case).
So, what are you going to do about it? Throw a tantrum because you exist in Earth instead of Heaven, or work out a solution that you can implement yourself without need of consensus from the ignorant masses or permission from their corrupt leadership?
Yes, LEDs are just connected by gpio. It is cheaper than doing something like parallel or serial led connections (i.e. on the power wire) since the chips come with a few extra gpio balls.
From all they ways I can be spied, the webcam is the one that concerns me the least.
At the end, all they will see is a bearded man staring to the front. May they be able to see me naked? Well, probably, but I honestly don't think that they will make a lot of money by selling my naked pictures... My wife tells me that I still look good, but I suspect that she is being nice to me.
What would scare more is that they manage to capture what is on my screen, or install a keylogger, or activate the microphones to hear my conversations, or that they access my hard disks and steal data, including my private keys.
Hey, but putting a sticker on your webcam is a way to show how 1337 your are!
I prefer not to have to bother removing stickers every time I want to do a Skype call.
In fairness, you can still capture conversations from a webcam if your mark is speaking right in front of it, regardless of whether microphones are on.
This was an interesting thing to see when it came out and keep people aware what is possible. Maybe there is even more possible using this technique.
But Nevertheless activating one of the many microphones around (mobile phones, phones, laptops, "echo" like devices, speech controlled televison) would concern me much more then.
The saying is "attacks only get better". Its likely that more can be done with less pixels but more software.
But hardware can also get better. Surely the next-gen of laptops have depth-sensing cameras too? Its becoming an integral part of game console motion detection, and normal smartphones will have them too e.g. hype I found by googling: https://3dprint.com/117809/depth-sensing-phone-cameras/
Pretty cool. But I'll eat my hat if a regular webcam can pick up enough detail in regular lighting to do this. Plus 90% of the time the webcam will capture a users chest and the wall behind them, hardly useful for visual microphones.
The range of the human voice goes from 85hz to 255 Hz, and that means a webcam should record at about 500hz to be able to capture enough information to reconstruct voice with good quality.
Because webcams record at 60hz (max), they can only capture enough data to reconstruct sound at 30hz, way below the human voice range.
Webcams record faster than 60 Hz. Sound perturbs the recorded image every scanline, not just every frame. The techniques that reconstruct audio from video do it by looking not frame by frame, but line by line. 60 Hz times 720 vertical resolution is 43200 Hz and way more than enough data.
This, unless you are going to open up every device around you and physically isolate all audio recording equipment, I fail to see how covering your webcam is much more than security theatre?
It's not strictly about security. Some people like to close their curtains at night not because they think it makes them safer, but because that level of exhibitionism seems weird to them. It's the same principle.
I know that what the webcam captures is probably the least important thing a hacker can get but I do it because it is visible.
Protecting your privacy should NOT be weird and a sticker over your webcam is a very visible way of showing that to the public. When people ask why I do it, its a good opportunity to educate them on the capabilities of the US government, other nation-state actors, and hackers in general. If they don't believe me and haven't heard of Snowden its simple to show them images of Zuckerberg, the FBI director, and other in tech with taped over webcams to convince them.
John Oliver also did a special last year that showed that a lot of people don't really care about the government getting most of their personal information on their computer. But when they think that the government is getting naked pictures of them and their family they're a lot more interested and upset. Bringing up the fact that the government can see them nude in conversation scares a lot more people and they are more inclined to become more privacy conscious.
If you use one of the bookmark post-it notes, it makes it easy to remove the sticker and put it back when you're done with your video conversation.
"Security theater" is an established term, but usually refers to useless security measures implemented by organizations (companies or governments) to soothe the public (their employees/citizens/guests), rather than to actions of individuals onto themselves.
That webcam might have a microphone. Your laptop has one too. Neither have a little LED to tell if they're on (the one on most cameras isn't hard wired to the sensor. You can sometimes turn it off in the drivers). There's a microphone in your phone, in your tablet, your PS4 controller, your land line (why do you still have one of those?!), that USB gaming headset you left plugged in, your fitbit, your overpriced voice activated IoT refrigerator (Your out of milk; here are some Amazon ads for milk), and your watch.
The potential to listen to audio on unpatched, compromised devices, is a huge attack vector! And yet we tape up cameras.
I suspect most people who currently tape over their camera would do the same for their microphone if it was as easy. But there's no easy, quick way to do it that allows to re-enable it when needed.
Of interesting note: ThinkPads have (had?) independent mute, volume and microphone buttons with LEDs to indicate volume or microphone muting. It's clearly at least partially software or driver driven, because with Windows 10 microphone muting is no longer functional.
The warm and fuzzy feeling that discovery gave me is why my daily driver is still on Win7 since I almost always have both audio directions muted.
There's a difference between "I can turn this off as long as the driver is properly installed and has not been hacked" and "I can't turn this off." While the second statement is abstractly true for both, the bar for some software silently and invisibly turning on the microphone is quite a bit higher if it also requires replacing or hacking the audio hardware drivers.
The warm and fuzzy feeling should have gone away immediately upon discovering that it was not a hardware mute, but instead a software-defined feature... no?
I mean, if you can turn the LED off through software, it's really no better than the little menu bar icon that every other laptop has. If it were done all in hardware, that would be cool.
MSI laptops too. They have an Fn+Fkey, but when you use it, it disconnects the camera from the USB bus. It disappears from your device listings in lsusb/linux, or device manager on windows.
Please spell it out for me. Seems being 0001 1001 years old hasn't opened up my mind to such basic concepts.
Also, what about the front camera on my phone?
I don't use a laptop if I can avoid it. My personal workstation is right across from my bed, and it's powered 24/7 since it's acting as a file-server and game-server.
Given how everything is angled, I suppose a webcam infiltrator would have a perfect view of me sleeping.
I sympathize with your goals of raising awareness, but I think it is in general a bad idea to teach security measures which are only for show. If education is your goal, don't you risk teaching people the wrong threat model?
It's not. I do the same thing. And it works better then I expected. People do this in my office too now and thy come back with questions regarding security that go further then this. This happens also because they are being asked why they do this. It makes them think. They ask themselves why they put tape on their cam but "hide" their crappy passwords under the keyboard and so on.
Am I the only one to receive disarming responses when trying to educate anybody over this matter? The vast majority of people (and when I say "vast majority" I mean everybody but two or three people tops, so far) I tried to explain things to don't care. All they have to say are things like "Where is your tinfoil hat?", "This is conspiracy theory", "If they want to spy us there's nothing we can do" and the never old "I have nothing to fear because I have nothing to hide."
Even when you provide material from authoritative sources you still risk being told "Bullshit, go figure who wrote this".
My laptop is black and I keep a piece of black electrical tape over it so it's mostly unnoticeable if you aren't close enough. I do this to avoid giving explanations because from my experience it is pointless.
"I have nothing to fear because I have nothing to hide."
The best comeback to this is usually asking if they have drapes/shades for their windows at home. I think I read that in a CCC guide to talking about privacy/security somewhere.
At least that has lead to somewhat interesting discussions and the occasional moment of "you might have a point".
> If you use one of the bookmark post-it notes, it makes it easy to remove the sticker and put it back when you're done with your video conversation.
My mother learned to do this from the IT Security team at her company. And I learned to do that from her. It simply never occurred to me that the Facetime camera, hidden on the MBP, can be turned on at anytime without the status light being activated. I keep a small box of those post-its in my go bag and share them liberally.
Ditto this. I use the EFF webcam stickers. Probably nobody cares about watching my bearded face staring at a computer, true. To me though, it's a visible and constant reminder to keep privacy/security in the front of my mind.
GitLab is a remote only company with 100+ team members. Most of my calls are with video, the nonverbal language adds to the conversation for me. It's not 90% but I prefer video to audio if possible.
I worked for a remote company and I recall only having my camera enabled for the first week or so. After that it was off pretty much permanently. I didn't notice a difference with it on or off. It didn't seem to matter and everyone else did more or less the same thing.
You're displaying a common trope I see sometimes with security:
> "because this particular thing does affect me personally, it doesn't matter. And because it doesn't matter to me it doesn't matter at all"
Blackmailing people with pictures taken from webcams is not theoretical. It happens[0] and it's good advice to tape up your cam. It may not affect you personally, but it may affect your wife, daughter, or sister in a much more sinister way. Believe it or not this kind of thing can ruin someone's life.
You don't know SO rage until you get a case of a small, inconsequential problem which is of vital importance to you. After heaps of searching someone else has posted the same issue on SO. Then reposted a while later with "Don't worry, fixed".
That's just a bot someone made. It scrapes SO, constructs a model of question text and generates new questions from the model. Then, after a random number of days it posts that "Don't worry, fixed" you've seen.
Oops. Thanks. I had a fear I was just missing a joke, but I have seen bots used on forums for no immediately obvious/spammy reason and I've also seen people genuinely imagine strange motives for relatively explicable things.
This is probably one of the reasons jokes are very much discouraged on HN. They pollute the conversation and add confusion. I too didn't notice that it was meant to be a joke.
It's a joke. I thought it was obvious, I'd have laughed if someone else had made it and I didn't think it's polluting anything, not tucked away in this side-thread-ish.
I've been using React for my last few projects (not by choice) and have found this a lot. Maybe because its newer, maybe because it doesn't play nice with other front-end things. SO rage indeed.
What is the point of this comment? Even if you had some way to know (EDIT: which you (https://news.ycombinator.com/item?id=12506075) point out is the case), why should it matter, especially since no-one else in this thread seems to have brought up gender?
If society wasn't so prudish about naked bodies, it'd be less of a problem. It's one of those shoot the hostage situations. We could defuse a lot of our concerns if we'd relax our self imposed constraints and it would give us more time to worry about the things which matter more.
It's not only pics of people staring into a screen.
There was a case about 5-6 years ago when a guy recorded and streamed his secretly gay roomate having sex in the dorm. The gay roomate committed suicide later.
Work computers can be taken home or to business trips where things can happen in the hotel after the deal is struck.
I'm not naked when I'm using the computer. When I am naked my laptop is closed and most likely in my bag. I guess a lot of people keep their laptop open on their nightstand or something?
As someone who was profiled and eventually experienced an attempted-blackmailed by a company in India (employer details gained among other things) - everything seems inconsequential ("I've done nothing wrong"), until it is used, abused (and lies added to) to threaten you.
It doesn't matter whether things are true or not. What matters is, when someone gains details about you, the story and lies they can spin. The cost, distress, and difficulty in trying to resolve and take control of the story can be incredible.
> experienced an attempted-blackmailed by a company in India
Is this a well-known thing? I haven't heard of it before. Is there some sort of common pattern that such attacks follow? (E.g. most phishing attacks seem to be categorizable, following a number of set patterns, because the people who do them basically try to run the same attack against a lot of people at once to get one or two victims. Is this similar, or is it a matter of individual targeting?)
I know someone whose camera and microphone were taken over. A window showed on her computer where the person watching her chatted with her and told her things that he only knew because he was watching her. It scared her to death and made her cry.
Beyond blackmail, it is probably close to the psychological equivalent of a stranger just suddenly appearing in your home watching you.
I think that every electronic camera and mic device should have a hard switch/button that physically disables both the camera and mic. Having to use tape or a cover does not keep you from being spied on; it only eliminates the visual spying. The attacker can still listen.
Hardly. You put your phone on the desk and it's going to show the ceiling. In contrast to this, people do all kinds of weird things in front of laptops. I've even heard once of someone who allegedly masturbated (!) in front of a laptop. Of course, that must have been an extreme outlier ...
This should definitely be a concern, but I feel like most people don't even realize that anything like that could happen. There is lots a news about webcams, baby monitors, etc. being hacked, but barely any warnings about making sure you keep your phone protected and secure, too.
Remote code execution on a cell phone is thousands of times harder than a PC. If you have a RCE for the newest iOS software then there's people who are ready to pay you millions.
An up-to-date Nexus or iPhone is about the most secure thing you own.
Not trying to be flippant, but just pull the USB cable out. Just takes a second, even if it's plugged into the back of your computer (I do it all the time with my keyboard if I'm working on my laptop that day).
A hypothetical, ruthless hacker manages to install malware on a person's computer. Hell they could target certain zip codes. All the information is on the Internet. Hell, they could get a picture of your home. (By the way, Google will blure out you home, if you ask. It tends to reappear, although they claim its permanent. If your house has been sold recently, a thief/criminal has easy access to interior layout through Zillow, and the like.)
They watch you through your cams. A lot can be deduced with that information--valuable information that could be sold.
Maybe I've watched too many movies, or crime shows, but I just picture certain questions being asked, "Does the home look like its worth robbing?" "Are there hostages we could take?" "What times do they leave, we need to install our cams because they might find our malware?" "Do they have a safe, or do they seem like they have money/valuables in the house, bedroom?" "Are they doing anything illegial themselfs?" They could develop psychological profiles for people?
I hate to think like this, but certain people think nothing of doing some horrid crimes. A hacker overseas gains some valuable information, and makes a phone call to the Triads, or Russian mob? Your life becomes a statistic.
It sounds far fetched, but just what if? (And am I going to cover my cams? No, because I don't have a life, and I'm poor.)
But that at least requires some human investment of time and movement. Someone has to case your house and sit there for however long it takes, risking discovery, boredom, opportunity cost, etc.
Wholesale information theft is another level. Someone in a different state or country has access not only to me, but potentially hundreds of people's details, without ever leaving their home. And then they can leverage a whole community that is doing the same. This is how "The Fappening" occurred. This sort of crowdsourced stalking would be impossible pre-internet.
Surely it's at least as much human effort to compromise a specific webcam, identify the house it's tied to, monitor it extensively, and then rob/assault the owners?
Obviously there are other reasons to worry about webcam access, but "they could spy on me to set up a robbery" is exceedingly low on my list since it just recreates a pattern that doesn't involve a computer.
I think it's more about the mass dissemination of that information. We've seen how easy it is to "Dox" someone without much information. One person might not be able to glean much, but what happens if 4Chan gets a hold of that data and has decided they don't like me?
Knowing your neighbors doesn't hurt, either. I like to think that if my neighbors noticed something untoward happening at my house, they would sound the alert.
This is all true, but wouldn't somebody who has the technical skills to pull this all of, be able to pull in a legal income far in excess of what burglary is likely to yield?
A lot of trojans are like off-the-shelf kits that anyone can grab. The technical skills amount to convincing someone to run an executable (email, malicious USB keys, poorly managed advertising networks, etc) and then clicking a few buttons in a GUI to connect to them and do what you will.
For the slightly more technical, you've got frameworks like metasploit which can perform network attacks, but even that is getting much more like a kit these days. Port scan for services, fingerprint them, check database for known vulnerabilities, automatically attempt to exploit known vulnerabilities, deploy payload (the trojan).
> A typical drug dealer would make more money working at McDonald's, so why don't they?
I think a substantial share of those drug dealers who aren't working formal-economy jobs as well are also drug addicts that would not be able to keep such jobs particularly well even if they weren't drug dealers, and/or convicts that wouldn't be likely to be offered such jobs if they chose to pursue them.
Plus I don't buy the "Doesn't affect me"-angle. In general, people abusing vectors like this are dang smart (or know someone who knows someone who's smart. doesn't matter). There's a reason why my webcam isn't plugged in unless I explicitly use it.
What about recognizing keys, credit card details or important information in letters on the desk? Some simple image recognition for these, and a large dragnet-style attack with this seems quite lucrative from a minute or two of thought.
I don't think he was saying that it's not important at all. His point was that there are plenty more security risks that deserve more attention.
In particular, he was calling attention to all the people that cover up their camera and proudly exclaim "Done! Safe at last", while oblivious to all the other hacks and malware that could already be infecting their computer.
Maybe it's just me, but I didn't take away that the commenter felt it is unimportant and he humourously explained why. He also explained that the other things were of greater concern.
More importantly, there's the fact that the level of access required to take over a webcam implies the ability to do all sorts of other things.
What I took away was that if his system was compromised, an open webcam wouldn't likely be the chosen vector for ruining his life.
When the FBI interrogate, they have people whose expertise is to use your entire body language including facial expressions, etc... to gather information.
Giving an attacker the ability to monitor your body language while they have full control of your computer is extremely dangerous as they have established a closed loop to interact with you without your consent or knowledge.
As the FBI also excell in this kind of subversive intelligence gathering, it figures they would be wary of being on the other end of it. An example is if a chinese, Russian, corporate spy had them on the other end without their knowledge.
Edit: Another topic is the issue of criminals who use extortion. This is far more common than you likely realize or aware of. Where we are the criminals and intelligence saboteurs/spies are alot more sophisticated, and use computer hacks as part of their planning to extort and blackmail their targets.
>May they be able to see me naked? Well, probably, but I honestly don't think that they will make a lot of money by selling my naked pictures...
We all do weird things or at least act slightly differently when we feel alone (being naked is one of those). Your records can be easily used to put a little pressure on you to do something little, not big. Why do you think you're so important to FBI CIA KGB? Regular fraudster will send you your photos and say that your boss/wife/friend will see it, and though there is 'nothing really wrong' on these, you'll pay or feel unprotected, or your party will.
That said, far too many people do have personally secret behavior like cheating, gambling, smoking, jerking off (oops, said it), having sex, private speech, strange comments that can be abused out of context (e.g. n-word while playing role in gta:sa). So many ways to get f-ed up.
That's what typically happens for people who have no grasp of data. They understand what a camera is, that it takes pictures and that they don't want something to be able to take pictures of them at any given time. They do not understand the whole clusterfuck of data that's drawn about them from every other service and how it can be put together to reconstruct details about them that they do not want others to know about.
The other issue with the webcam taping is that it is becoming less and less of a viable way to even keep yourself from being video recorded. For example, what about the cameras on your smart phone?
If we aren't there already, the direction of technology seems to me to be: "cameras all around, everywhere, 360 degrees all the time." Ubiquitus video/audio recording and real time processing.
So what are we left with in terms of privacy? I believe we can only hope to control how data is used in this aggregate sense to some extent or other. If even that.
> Ubiquitus video/audio recording and real time processing. ... So what are we left with in terms of privacy?
A new sense of what privacy is. It is increasingly rare that someone should have a sense of privacy or anonymity while in a public place.
It's reasonable to worry about government abuse of power from monopoly access to the full aggregation of surveillance data (even if that data was not originally intended as surveillance). Many people advocate for damming the flood of data, but this is futile. A more effective solution is to end the monopoly of access -- public aggregation of surveillance data. Twitch for everything.
Don't worry quite yet. Wait until we all have wearable cameras.
I think you've created a strawman here. It's about risk assessment and ease of implementation. Taping the webcam is easy to do, effective and easy to undo. It protects against a real, not theoretical attack. It has meaningful value. Not using Windows 10 might also have meaningful value and protect against real, not theoretical attacks, but would be difficult to do or undo.
I could also point out that you are more likely to slip in your shower and injure yourself than get struck by lightning, but I expect there are more people who know how to stay safe in a lightning storm than who have non-slip mats in their shower. You're also far more likely to get injured or killed driving your own car, but I expect many people avoid public transit out of fear, lack of convenience , etc.
No question our assessment of risk is poor, but that doesn't mean we shouldn't take what steps will fit into our lives.
I mean, I think it's a worthwhile comment even granting this. When people are worrying about the computer scare of the moment, they tend not to realize that the threat surface is so massive that they're certainly, inevitably vulnerable somewhere.
No security habit short of Ludditism was going to keep people safe from Heartbleed. And it does feel a little on the nose for Comey to be pushing a security 'story' that's conveniently removed from crucial steps like "update your software regularly". I was irritated to see him describe that as "caring about people's personal security" when his stance on all other tech topics is to make people give up security for access.
None of which makes taping up a webcam wrong, of course. It's easy, it's nontechnical, and it eliminates a whole (very real) class of threat at a single stroke. That's actually pretty good, and webcam spying/blackmail certainly does happen.
In fairness, however, he wasn't "pushing the story". Indeed the irony is pointed out during the story.
I work at a public library and occasionally teach computer classes. In one we cover security, but it's infuriatingly difficult. When you're working with people who have trouble with the mouse, or even with basic literacy (I mean reading literacy, not computer), it's hard to explain "attack surfaces" or "the cloud". It usually comes down to:
1. Understand the difference between identity and security.
2. Update your software regularly.
3. Use different passwords for different services and write them down (the number of people who don't know their password because they have email on their phone is... too high).
4. Be aware of who you are giving information to and why. Do they need that information? Is what they are offering worth providing it.
It's gotten to the point where I only feel totally comfortable using machines I've hardened myself.
My hardened laptop is an older Thinkpad laptop with LibreBoot to replace the BIOS, microphone and speakers and camera disconnected internally, removed the wireless cards, encrypted the partitions, and use Whonix as the OS. I've password protected the BIOS and it's set to boot only from the hard drive and I've also epoxied the screw heads in place as well as put globs of epoxy over all the ports other than USB in order to protect against hardware devices that can access memory through DMA vulnerabilities.
It was mostly an exercise in "how secure can I get". I'm not sure what else is possible.
If someone manufactured and sold a more modern hardened laptop, I would be interested in buying it.
I'd rather use my closed source safe operating system like Windows instead of having open source stuff with hearthbleed like stuff open for every hacker, thanks.
You might be interested in something like ORWL[1], which is arguably the most secure consumer PC I've ever heard of. It has tamper-resistant features, full disk encryption, and a secure co-processor which does things like disable the USB data paths when the system locks.
Admittedly, though, it's not a laptop.
As far as laptops go, the librem 13[2], with Qubes OS and coreboot would be a pretty good bet.
If you haven't already, definitely take a look at Qubes OS[3]. It offers security by compartmentalizing different workspaces in different vm's managed by Xen so, in theory, even a kernel exploit isn't getting very far into the system.
"People who say they don't care about privacy because they have nothing to hide are like people who say they don't care about free speech because they have nothing to say."
If you're so concerned about having your webcam subverted, it seems like the first step would be to insist on a hardware LED that can't be subverted in firmware. If nothing else, it would serve as a canary, indicating that your machine has been thoroughly compromised.
In terms of electronics it is fairly trivial and it can be inspected by eye (or microscope) if the manufacturer decides to not encapsulate everything on a chip (which presumably would be the point of such a feature).
Just have the only positive voltage rail going to the camera be the same one that is directly powering the LED. The firmware will be turning this rail on and off, hence turning the camera and the LED on and off simultaneously.
Even if it was, most of the time when people are taking surveillance webcam photos (a hacker or a person trying to recover their stolen laptop) you can take the picture so quickly that they probably won't see the light.
Have you a source for that? My experience of laptop webcams is that they need at least a second or two after power on to initialize the camera. That'd be pretty noticeable if you're using the machine, at least.
Specifically around the 18:00 mark. Also he does provide source examples that you can ruin your computer with if you want.
He gets into a lot of it, but shows quite a few examples including what I'm talking about. The people that he catches aren't necessarily savvy, but he does talk about taking pictures fast enough for the light not to be visible.
If it was on my radar I would much rather have an LED for microphone active (laptop and phone) than webcam - precisely because I can put a sticker on webcam.
If the LED were simply wired in series somehow with the mic power supply I imagine it would be easier to tell. The problem with the Mac LED indicator was that it was controlled by a microcontroller that was ultimately accessible via user land. It's harder to surreptitiously bypass a simple electrical circuit.
This is like the coal burning power plant telling you to make sure to sort your recyclables into appropriate containers, to make the environment cleaner.
Also people enjoy and feel good about accomplishing small things. Putting a sticker on your laptop is a small easy task. Do it and they feel more "secure" in an instant.
I guess this is just as good place as any to bring this up. In current OS X, you cannot disable your mic. You can turn down the input volume, but never disable. All malware needs to do is raise the input volume and it can listen to you to its hearts content.
Just look around on the internet, you'll find the same thing. I researched this a few weeks ago and was amazed.
You basically have to disable the audio driver in OSX to disable it, and doing that, means you can't play audio at all. And even that isn't enough, it technically can be hijacked at an even lower level.
The webcam cover up is interesting to me because it's the only "weird privacy thing" I've seen regular, non-technical people do. A good amount of people at my university, most of which use social media liberally and don't care about encryption, cover their camera up.
It actually seems less weird to me in a university setting. Most university students live in small quarters, so they're more likely to have a computer in front of them while they're nude, using drugs, having private conversations or doing other private things.
They're also around lots of new people of varying levels of maturity who could have a decent chance of getting physical or network access to their computer, much more than neighbors in the rest of the world.
A creepy stalker or blackmailer spying on a university student through a webcam sadly doesn't seem that farfetched, especially for women.
It's not weird at all. Women should definitely always do that, because they use their laptop everywhere, e.g. in bed, and there are plenty of viruses and trojans that activate the webcam for sextortion and stalking purposes.
A web cam resembles an eye staring at you all the time. This makes people feel weird, like something is staring at them. The threat to privacy is right in their face and on a gut level.
That's the reason so many people cover them even when they won't take other basic online privacy precautions.
Also just in general, people understand what a camera does. It's much harder to understand the implications of abstract "data" going off onto the internet.
I keep mine covered because I work remotely a lot and I don't want to accidentally shirtless video chat someone from bed when I meant to make a different type of call.
Just saw the prescreening of snowden movie with online live event with movie cast and snowden post movie, and this was exactly what was depicted in the movie and in the event talk.
That tape cannot be thwarted by any remote attacker, legally warranted or not. It's perfect, unbreakable security from webcam visuals being exfiltrated, exactly the security features that Comey says we shouldn't be allowed to have for our data.
"What if everyone believed that law-abiding citizens should use postcards for their mail? If a nonconformist tried to assert his privacy by using an envelope for his mail, it would draw suspicion. Perhaps the authorities would open his mail to see what he's hiding. Fortunately, we don't live in that kind of world, because everyone protects most of their mail with envelopes. So no one draws suspicion by asserting their privacy with an envelope. There's safety in numbers. Analogously, it would be nice if everyone routinely used encryption for all their email, innocent or not, so that no one drew suspicion by asserting their email privacy with encryption. Think of it as a form of solidarity."
I use a MacBook Pro as my daily driver, but I recently purchased a Lenovo ThinkPad to play around with. Sometimes I forget how awesome it is to have a repairable and modular computer.
I didn't want the webcam or microphone in the ThinkPad… so I took 30 minutes and removed it. Easy as that.
Well,to be fair you could just open the MacBook Pro and unplug the ribbon for the webcam. iFixit will have instructions. Removing it entirely granted is another matter, involving opening the screen, but you'd have to do the same on any modern laptop with an integrated camera wouldn't you?
It's pretty sad that he used the word "authority" in this sentence: You do that so that people who don’t have authority don’t look at you. I think that’s a good thing.”
I think you're being a bit quick to judge people here…
Having an integrated camera is obviously a lot easier to deal with, logistically, than lugging along an external USB camera.
I think a lot of the people here would love to have hardware-level kill switches for their video camera. And mic. And WiFi. (I would; I used to own a Thinkpad with a hardware kill switch for WiFi. It was useful, even aside from the privacy benefits.)
I think you're neglecting a key detail: alternatives are hardly even on the shelves, and NO ONE QUESTIONS IT.
> Oh, well, that's just
supply and demand, of
course!
> Everyone just WANTS an
always on internet connection!
> Why would anyone ever remove
the battery from their
cell phone???
> It's more cost effective
to build the device
like that. Common sense!
> Everyone wants a unique
identifier, GPS and 911
service. It's safer!
Yup, no one would ever want things any other way. It's silly to question why the invisible hand of the market works as it does.
The really amazing part about the downvotes here, is that HN is unable to reconcile the realities of mass surveillance that tend to conflict with profit motives, and yet the collective overtone of HN professes itself to be a bastion of progressive futurist space exploring tranhumanism. Few seem to notice the cognitive dissonance.
Sort of a cruel prank. Those in the best position to release the yoke, are only motivated to tighten it.
I would trust a physical sliding camera cover a lot more than some internal "trust us, the hardware kill switch works" kind of production.
Although, I suppose if they were lying about such a thing it would become obvious quite quickly when someone takes it apart, and the PR shitstorm would be popcorn-tastic.
I experimented a bit with an Apple laptop microphone, and it took 2 layers of electrical tape to block the mic. There doesn't appear to be any way to block an iPhone mic without blocking the speaker, too, and I'm not confident that it could be blocked at all.
This is the day and age of removing headphone jacks to make a phone slimmer, taking away your disk drive, etc. Most companies care more about aesthetics than functionality at this point.
Some older laptops did have physical on/off switches for the wifi card (this was prior to the advent of a camera in every laptop). The old Dell D820 was one such laptop. That was likely not the only one.
Gradually they were dropped from newer models because the manufacturers saw no sales changes due to the presence/absence of the switches (i.e., not enough purchasers refused to buy the "new" laptop because it dropped the physical on/off switch, which is the only feedback the makers truly understand and pay attention towards).
And dropping the physical switch saved the manufacturer a small amount on each laptop, which when multiplied across the numbers built was either a nice profit increase or a small price reduction (or likely a little of both).
306 comments
[ 3.0 ms ] story [ 256 ms ] threadWhat the NSA is doing right now, and what the FBI would like access to, is in no way similar to taking pictures of you on a busy street.
What the NSA has is every intersection wired up with cameras, recording 24 hours a day, and all of it indexed with facial recognition and license plate readers.
No organization should have that much information or reach at their fingertips, no matter how virtuous the mission or the people working there.
Is it? If i'm having a 1 to 1 conversation with someone online then that is a private conversation. There monitoring my traffic is more like opening the letters I would be sending that person.
More fundamentally though, the meat space public/private divide does not map at all to the cyber space one, all analogies and laws to apply one to the other are flawed.
Because that's the question I hear being begged when the "you have nothing to hide" counterpoint is brought up. You've got nothing to hide, so let me just look anyway. Sure it's none of my business, and I have no actionable legal right to it, but it's not illegal so why don't you want me to see it?
Oh please. They can probably harvest the lot. It'll be some algorithm that deems you worthy or otherwise or gets you on an "of interest" list. Let's keep "personal surveillance" for '50s spy movies and Banksy murals.
More generally, what about the chilling effect on legal and legitimate conversation?
...or your association with "Occupy" or some other political protest movement that someone in power disagrees with, or that your wife bullied some politician's wife for two weeks in school, or that your interfering neighbour with a petty dislike of how you landscape your garden works as a government clerk and can access your data.
There are many reasons why some individual might want to know private things about some other individual. When individuals with some tiny (or vast) power want to wield it over anyone else, especially when they can do it with little oversight, it's very tempting.
That "the government" has access to my private information does not mean it's blind and faceless. It's made up of people with complex motivations.
The reason why we don't give broad general search powers to the government (or at least, in theory don't give the government broad general search powers) is because the government can prosecute people, and given enough information they can find a reason to prosecute anyone. Which then fully opens the floodgates to selective prosecution: anyone who's disliked by someone in power will simply be prosecuted and likely convicted and jailed, because everyone will have done something that an all-seeing government can prosecute for.
Cardinal Richelieu is alleged to have said that, given seven lines written by the most honest of men, he could find something in them to create a capital offense and have the man hanged. I'd rather not live in a society where anyone has that kind of power.
Our government is full of hypocrites.
Does she? Her tech platform seemed pretty supportive of Apple's stance on encryption: http://appleinsider.com/articles/16/06/29/hillary-clintons-t...
[1] https://www.cia.gov/about-cia/eo12333.html#1.7
Of course, there are many cameras that do not even have an activity indiator (LED), e.g. stand-alone cameras, or simply your phone front and back camera. I find it a good habit to cover all cameras, regardless of wether they have an indicator.
(Like you, I had always assumed that the power for the webcam was literally in series with the LED, so that disabling the LED would render the camera inoperable. That seemed like the obvious way to do it if you wanted to provide a truly reliable signal. But evidently that's not the case.)
If I were tasked with making a webcam circuit, I'd make sure the light and the sensor were always powered together. So I (naively) assumed that's how everyone would do it.
And yet, we happen to live in a world where practically no customer has the needed expertise to verify for themselves if the LED reflects the true state of the camera or not, and if they had it they'd not care any less. A world where corporations misuse technology to betray customer's confidence and break the law, and when those get caught, get away with no more than a slap in the hand (as in the VW emission control hack case).
So, what are you going to do about it? Throw a tantrum because you exist in Earth instead of Heaven, or work out a solution that you can implement yourself without need of consensus from the ignorant masses or permission from their corrupt leadership?
At the end, all they will see is a bearded man staring to the front. May they be able to see me naked? Well, probably, but I honestly don't think that they will make a lot of money by selling my naked pictures... My wife tells me that I still look good, but I suspect that she is being nice to me.
What would scare more is that they manage to capture what is on my screen, or install a keylogger, or activate the microphones to hear my conversations, or that they access my hard disks and steal data, including my private keys.
Hey, but putting a sticker on your webcam is a way to show how 1337 your are!
I prefer not to have to bother removing stickers every time I want to do a Skype call.
But Nevertheless activating one of the many microphones around (mobile phones, phones, laptops, "echo" like devices, speech controlled televison) would concern me much more then.
But hardware can also get better. Surely the next-gen of laptops have depth-sensing cameras too? Its becoming an integral part of game console motion detection, and normal smartphones will have them too e.g. hype I found by googling: https://3dprint.com/117809/depth-sensing-phone-cameras/
Because webcams record at 60hz (max), they can only capture enough data to reconstruct sound at 30hz, way below the human voice range.
Bash isn't pretty but it does work.
Protecting your privacy should NOT be weird and a sticker over your webcam is a very visible way of showing that to the public. When people ask why I do it, its a good opportunity to educate them on the capabilities of the US government, other nation-state actors, and hackers in general. If they don't believe me and haven't heard of Snowden its simple to show them images of Zuckerberg, the FBI director, and other in tech with taped over webcams to convince them.
John Oliver also did a special last year that showed that a lot of people don't really care about the government getting most of their personal information on their computer. But when they think that the government is getting naked pictures of them and their family they're a lot more interested and upset. Bringing up the fact that the government can see them nude in conversation scares a lot more people and they are more inclined to become more privacy conscious.
If you use one of the bookmark post-it notes, it makes it easy to remove the sticker and put it back when you're done with your video conversation.
Maybe something like 'security theatre'.
The potential to listen to audio on unpatched, compromised devices, is a huge attack vector! And yet we tape up cameras.
Worked like a charm.
The warm and fuzzy feeling that discovery gave me is why my daily driver is still on Win7 since I almost always have both audio directions muted.
The fact that Windows10 breaks it surely suggests it's a software feature?
There's a difference between "I can turn this off as long as the driver is properly installed and has not been hacked" and "I can't turn this off." While the second statement is abstractly true for both, the bar for some software silently and invisibly turning on the microphone is quite a bit higher if it also requires replacing or hacking the audio hardware drivers.
I mean, if you can turn the LED off through software, it's really no better than the little menu bar icon that every other laptop has. If it were done all in hardware, that would be cool.
When I'm done using my laptop I close it.
Personally, I only use my laptop when I am away from my office. And my office happens to be my bedroom.
Given how everything is angled, I suppose a webcam infiltrator would have a perfect view of me sleeping.
It is creating general awareness.
Am I the only one to receive disarming responses when trying to educate anybody over this matter? The vast majority of people (and when I say "vast majority" I mean everybody but two or three people tops, so far) I tried to explain things to don't care. All they have to say are things like "Where is your tinfoil hat?", "This is conspiracy theory", "If they want to spy us there's nothing we can do" and the never old "I have nothing to fear because I have nothing to hide."
Even when you provide material from authoritative sources you still risk being told "Bullshit, go figure who wrote this".
My laptop is black and I keep a piece of black electrical tape over it so it's mostly unnoticeable if you aren't close enough. I do this to avoid giving explanations because from my experience it is pointless.
The best comeback to this is usually asking if they have drapes/shades for their windows at home. I think I read that in a CCC guide to talking about privacy/security somewhere. At least that has lead to somewhat interesting discussions and the occasional moment of "you might have a point".
Cool. Now, can I have your wallet/purse? Also, get naked. I want to see what you're hiding under your clothes.
And you can forward your medical record, along with your business emails to me as well.
Because you have nothing to hide....
My mother learned to do this from the IT Security team at her company. And I learned to do that from her. It simply never occurred to me that the Facetime camera, hidden on the MBP, can be turned on at anytime without the status light being activated. I keep a small box of those post-its in my go bag and share them liberally.
I do lots of calls, but I've never seen a good reason to use video except perhaps with one's SO.
> "because this particular thing does affect me personally, it doesn't matter. And because it doesn't matter to me it doesn't matter at all"
Blackmailing people with pictures taken from webcams is not theoretical. It happens[0] and it's good advice to tape up your cam. It may not affect you personally, but it may affect your wife, daughter, or sister in a much more sinister way. Believe it or not this kind of thing can ruin someone's life.
[0] http://www.computerweekly.com/news/2240209018/US-teen-hacker...
This is all that I hate about stackoverflow.
What he's describing is something that also happened (with far greater, more rage-inducing frequency) on tech forums before SO existed.
What is the point of this comment? Even if you had some way to know (EDIT: which you (https://news.ycombinator.com/item?id=12506075) point out is the case), why should it matter, especially since no-one else in this thread seems to have brought up gender?
This was a little bit more.
How can one blackmail a person with webcam pictures where the person just stares into a screen?
If you mean NSFW pics I don't think they're done with a computer's webcam cam. Nowadays, people use phones for that use case.
There was a case about 5-6 years ago when a guy recorded and streamed his secretly gay roomate having sex in the dorm. The gay roomate committed suicide later.
Work computers can be taken home or to business trips where things can happen in the hotel after the deal is struck.
Serious question: what happens when a deal is struck? They go out to drink? They go back to their hotels? They have sex with their coworkers?
As someone who was profiled and eventually experienced an attempted-blackmailed by a company in India (employer details gained among other things) - everything seems inconsequential ("I've done nothing wrong"), until it is used, abused (and lies added to) to threaten you.
It doesn't matter whether things are true or not. What matters is, when someone gains details about you, the story and lies they can spin. The cost, distress, and difficulty in trying to resolve and take control of the story can be incredible.
Your personal details should remain just that.
Don't be complacent.
Is this a well-known thing? I haven't heard of it before. Is there some sort of common pattern that such attacks follow? (E.g. most phishing attacks seem to be categorizable, following a number of set patterns, because the people who do them basically try to run the same attack against a lot of people at once to get one or two victims. Is this similar, or is it a matter of individual targeting?)
Beyond blackmail, it is probably close to the psychological equivalent of a stranger just suddenly appearing in your home watching you.
I think that every electronic camera and mic device should have a hard switch/button that physically disables both the camera and mic. Having to use tape or a cover does not keep you from being spied on; it only eliminates the visual spying. The attacker can still listen.
An up-to-date Nexus or iPhone is about the most secure thing you own.
A hypothetical, ruthless hacker manages to install malware on a person's computer. Hell they could target certain zip codes. All the information is on the Internet. Hell, they could get a picture of your home. (By the way, Google will blure out you home, if you ask. It tends to reappear, although they claim its permanent. If your house has been sold recently, a thief/criminal has easy access to interior layout through Zillow, and the like.)
They watch you through your cams. A lot can be deduced with that information--valuable information that could be sold.
Maybe I've watched too many movies, or crime shows, but I just picture certain questions being asked, "Does the home look like its worth robbing?" "Are there hostages we could take?" "What times do they leave, we need to install our cams because they might find our malware?" "Do they have a safe, or do they seem like they have money/valuables in the house, bedroom?" "Are they doing anything illegial themselfs?" They could develop psychological profiles for people?
I hate to think like this, but certain people think nothing of doing some horrid crimes. A hacker overseas gains some valuable information, and makes a phone call to the Triads, or Russian mob? Your life becomes a statistic.
It sounds far fetched, but just what if? (And am I going to cover my cams? No, because I don't have a life, and I'm poor.)
the only real solution to this is good insurance and good luck.
Wholesale information theft is another level. Someone in a different state or country has access not only to me, but potentially hundreds of people's details, without ever leaving their home. And then they can leverage a whole community that is doing the same. This is how "The Fappening" occurred. This sort of crowdsourced stalking would be impossible pre-internet.
Obviously there are other reasons to worry about webcam access, but "they could spy on me to set up a robbery" is exceedingly low on my list since it just recreates a pattern that doesn't involve a computer.
For the slightly more technical, you've got frameworks like metasploit which can perform network attacks, but even that is getting much more like a kit these days. Port scan for services, fingerprint them, check database for known vulnerabilities, automatically attempt to exploit known vulnerabilities, deploy payload (the trojan).
Once you've been convicted of something, or even arrested really, you have few legal options to support yourself.
I think a substantial share of those drug dealers who aren't working formal-economy jobs as well are also drug addicts that would not be able to keep such jobs particularly well even if they weren't drug dealers, and/or convicts that wouldn't be likely to be offered such jobs if they chose to pursue them.
What about recognizing keys, credit card details or important information in letters on the desk? Some simple image recognition for these, and a large dragnet-style attack with this seems quite lucrative from a minute or two of thought.
In particular, he was calling attention to all the people that cover up their camera and proudly exclaim "Done! Safe at last", while oblivious to all the other hacks and malware that could already be infecting their computer.
More importantly, there's the fact that the level of access required to take over a webcam implies the ability to do all sorts of other things.
What I took away was that if his system was compromised, an open webcam wouldn't likely be the chosen vector for ruining his life.
Giving an attacker the ability to monitor your body language while they have full control of your computer is extremely dangerous as they have established a closed loop to interact with you without your consent or knowledge.
As the FBI also excell in this kind of subversive intelligence gathering, it figures they would be wary of being on the other end of it. An example is if a chinese, Russian, corporate spy had them on the other end without their knowledge.
Edit: Another topic is the issue of criminals who use extortion. This is far more common than you likely realize or aware of. Where we are the criminals and intelligence saboteurs/spies are alot more sophisticated, and use computer hacks as part of their planning to extort and blackmail their targets.
We all do weird things or at least act slightly differently when we feel alone (being naked is one of those). Your records can be easily used to put a little pressure on you to do something little, not big. Why do you think you're so important to FBI CIA KGB? Regular fraudster will send you your photos and say that your boss/wife/friend will see it, and though there is 'nothing really wrong' on these, you'll pay or feel unprotected, or your party will.
That said, far too many people do have personally secret behavior like cheating, gambling, smoking, jerking off (oops, said it), having sex, private speech, strange comments that can be abused out of context (e.g. n-word while playing role in gta:sa). So many ways to get f-ed up.
2. Use DropBox
3. Use Skype
4. Use Google services, always logged in
5. Use Windows 10
6. Use Google Chrome
7. Tape webcam ¯\_(ツ)_/¯
If we aren't there already, the direction of technology seems to me to be: "cameras all around, everywhere, 360 degrees all the time." Ubiquitus video/audio recording and real time processing.
So what are we left with in terms of privacy? I believe we can only hope to control how data is used in this aggregate sense to some extent or other. If even that.
A new sense of what privacy is. It is increasingly rare that someone should have a sense of privacy or anonymity while in a public place.
It's reasonable to worry about government abuse of power from monopoly access to the full aggregation of surveillance data (even if that data was not originally intended as surveillance). Many people advocate for damming the flood of data, but this is futile. A more effective solution is to end the monopoly of access -- public aggregation of surveillance data. Twitch for everything.
Don't worry quite yet. Wait until we all have wearable cameras.
I could also point out that you are more likely to slip in your shower and injure yourself than get struck by lightning, but I expect there are more people who know how to stay safe in a lightning storm than who have non-slip mats in their shower. You're also far more likely to get injured or killed driving your own car, but I expect many people avoid public transit out of fear, lack of convenience , etc.
No question our assessment of risk is poor, but that doesn't mean we shouldn't take what steps will fit into our lives.
No security habit short of Ludditism was going to keep people safe from Heartbleed. And it does feel a little on the nose for Comey to be pushing a security 'story' that's conveniently removed from crucial steps like "update your software regularly". I was irritated to see him describe that as "caring about people's personal security" when his stance on all other tech topics is to make people give up security for access.
None of which makes taping up a webcam wrong, of course. It's easy, it's nontechnical, and it eliminates a whole (very real) class of threat at a single stroke. That's actually pretty good, and webcam spying/blackmail certainly does happen.
I work at a public library and occasionally teach computer classes. In one we cover security, but it's infuriatingly difficult. When you're working with people who have trouble with the mouse, or even with basic literacy (I mean reading literacy, not computer), it's hard to explain "attack surfaces" or "the cloud". It usually comes down to:
1. Understand the difference between identity and security. 2. Update your software regularly. 3. Use different passwords for different services and write them down (the number of people who don't know their password because they have email on their phone is... too high). 4. Be aware of who you are giving information to and why. Do they need that information? Is what they are offering worth providing it.
It's hard to cover much more than that.
My hardened laptop is an older Thinkpad laptop with LibreBoot to replace the BIOS, microphone and speakers and camera disconnected internally, removed the wireless cards, encrypted the partitions, and use Whonix as the OS. I've password protected the BIOS and it's set to boot only from the hard drive and I've also epoxied the screw heads in place as well as put globs of epoxy over all the ports other than USB in order to protect against hardware devices that can access memory through DMA vulnerabilities.
It was mostly an exercise in "how secure can I get". I'm not sure what else is possible.
If someone manufactured and sold a more modern hardened laptop, I would be interested in buying it.
Admittedly, though, it's not a laptop.
As far as laptops go, the librem 13[2], with Qubes OS and coreboot would be a pretty good bet.
If you haven't already, definitely take a look at Qubes OS[3]. It offers security by compartmentalizing different workspaces in different vm's managed by Xen so, in theory, even a kernel exploit isn't getting very far into the system.
[1] https://www.crowdsupply.com/design-shift/orwl [2] https://puri.sm/librem-13/ [3] https://www.qubes-os.org
I solve that by never talking to anyone ;)
I'm thinking you might shell out a few bucks to keep someone from posting pics of you doing something embarrassing while naked.
Spoiler alert: It is.
- Edward Snowden
Just have the only positive voltage rail going to the camera be the same one that is directly powering the LED. The firmware will be turning this rail on and off, hence turning the camera and the LED on and off simultaneously.
Convince the firmware to use a lower voltage, one that doesn't hit the breakover voltage on the LED but still powers the camera.
Strobe the line, get snapshots without the LED doing more than very faintly glowing.
Your second idea is even more scary and realistic.
https://www.youtube.com/watch?v=Tyel1gfSjl4
Specifically around the 18:00 mark. Also he does provide source examples that you can ruin your computer with if you want.
He gets into a lot of it, but shows quite a few examples including what I'm talking about. The people that he catches aren't necessarily savvy, but he does talk about taking pictures fast enough for the light not to be visible.
Better still a hardware switch.
https://puri.sm/librem-13
https://jscholarship.library.jhu.edu/bitstream/handle/1774.2...
Also people enjoy and feel good about accomplishing small things. Putting a sticker on your laptop is a small easy task. Do it and they feel more "secure" in an instant.
And its worse with your iPhone.
You basically have to disable the audio driver in OSX to disable it, and doing that, means you can't play audio at all. And even that isn't enough, it technically can be hijacked at an even lower level.
They're also around lots of new people of varying levels of maturity who could have a decent chance of getting physical or network access to their computer, much more than neighbors in the rest of the world.
A creepy stalker or blackmailer spying on a university student through a webcam sadly doesn't seem that farfetched, especially for women.
A web cam resembles an eye staring at you all the time. This makes people feel weird, like something is staring at them. The threat to privacy is right in their face and on a gut level.
That's the reason so many people cover them even when they won't take other basic online privacy precautions.
- Encryption is our webcam tape.
That tape cannot be thwarted by any remote attacker, legally warranted or not. It's perfect, unbreakable security from webcam visuals being exfiltrated, exactly the security features that Comey says we shouldn't be allowed to have for our data.
~ Philip Zimmermann, "Why I wrote PGP"
https://www.philzimmermann.com/EN/essays/WhyIWrotePGP.html
I didn't want the webcam or microphone in the ThinkPad… so I took 30 minutes and removed it. Easy as that.
What about the part where we stop buying devices that we have seeemingly no hope of control over?
What about that?
Is boycott a word too strong?
Gee, you're right.
We should all just give up, and accept that what we're sold, is that which we must buy.
Having an integrated camera is obviously a lot easier to deal with, logistically, than lugging along an external USB camera.
I think a lot of the people here would love to have hardware-level kill switches for their video camera. And mic. And WiFi. (I would; I used to own a Thinkpad with a hardware kill switch for WiFi. It was useful, even aside from the privacy benefits.)
Sort of a cruel prank. Those in the best position to release the yoke, are only motivated to tighten it.
Although, I suppose if they were lying about such a thing it would become obvious quite quickly when someone takes it apart, and the PR shitstorm would be popcorn-tastic.
[0] https://preyproject.com
https://puri.sm/librem-13
Gradually they were dropped from newer models because the manufacturers saw no sales changes due to the presence/absence of the switches (i.e., not enough purchasers refused to buy the "new" laptop because it dropped the physical on/off switch, which is the only feedback the makers truly understand and pay attention towards).
And dropping the physical switch saved the manufacturer a small amount on each laptop, which when multiplied across the numbers built was either a nice profit increase or a small price reduction (or likely a little of both).