45 comments

[ 4.9 ms ] story [ 104 ms ] thread
What, and there's no other website that does this? No one thought to look at https://www.shodan.io/ ?
In this case, the website showed webcams which were protected by passwords, but they were using default ones.

I don't think shodan does that.

This all stemmed from Gizomodo's original posting of it: http://gizmodo.com/a-creepy-website-is-streaming-from-73-000...

I'm glad it's been shut down.

Why are you glad it was shut down? Were you hoping to make a competing site?
The website linking to it going away hasn't made the content go away. The public just won't be aware of it now.
Makes no difference. All it takes is Shodan and a bit of scripting knowledge and your competitor is a weekend away.
The site may be gone, but not the problem.
The "expert" is still suggesting special characters instead of full sentences? Sigh.
I blame Active Directory and the "use strong password" which focuses on special characters and not entropy.
Agreed.

AD's password rule enforcement is almost completely inflexible[0] and originates from 1980s US Government requirements they incorporated to get some certification.

It is completely inappropriate in 2014 and don't even get me started on how convoluted Microsoft make adding 2 factor to NT login (i.e. use our expensive convoluted solution or nothing, no RFC 6238 you can just slot in).

[0] http://technet.microsoft.com/en-us/library/cc875814.aspx

Meh, that's a GPO setting. Don't turn it on if you don't like it. Bill Gates isn't holding a gun to your head here. Hell, its not even turned on by default!

AD can handle long passphrases. Granted, its cryptography only considers the first 14 characters, but I've read case studies where shops have moved away from complexity to minimum 14 characters and suddenly things like password resets become a thing of the past. Turns out its easier for humans to process "mydogsnameismrmittens" vs "M1tt3ns"

I've tried long passphrases in embedded devices like cameras and routers. Most of the time they can't handle it. Don't knock AD as being the bad guy here. Go after the nightmarish cockup that defines the security of consumer embedded world.

I understand it's not actually the fault of that particular setting, it's the fault of the admins using it as a set-it-and-forget-it action. Specially my experience lies in PCI audits, where PCI DSS requirement 8.5.11 says to use passwords containing both numeric and alphabetic characters. 8.5.10 requires a password length of 7 characters. When you need to meet PCI standard, are you going to set your password policy by hand or just turn on AD's default secure password policy? The password policy which is terrible, but meets PCI requirements and makes the boss happy?

And even if you make a policy that meets PCI requirements, I've been in many-a PCI audit where the auditor doesn't want to move past the password policy section if you don't use AD's 'strong password' feature. Because it takes a bit of time and effort to explain your password policy without that little checkbox.

It's not Microsoft's fault that everyone uses their strong password checkbox. But Microsoft could move into the 21st century and make sure that what they label as 'strong passwords' actually meet the criteria of being strong passwords.

What's worse IMO is that he says:

> use some form of secure password vault on your phone [instead of writing them down]

Writing passwords on a piece of paper and keeping that paper in your wallet makes it impossible for a remote hacker to obtain your passwords from you. It is only against very powerful adversaries like the government or a targeted attack where this becomes a weakness.

Compare this with storing your passwords in "some form of secure password vault".

1. A remote hack targeting thousands of people at once from the comfort of ones own home is now possible, any weakness in the vault can now be exploited en mass.

2. Instead of trusting that you can keep you wallet secure, you now need to:

  a. Trust the manufacturer of the phone

  b. Trust the supplier of nearly every IC to the manufacturer of the phone.

  c. Trust the author of the baseband processor blob (Broadcom).

  d. Trust the Android operating system

  e. Trust the modifications to the Android operating system on your device.

  f. Trust Google play services (which has root access to android).

  g. Trust that Google will not use it's privileged position in your phone to grab your passwords on behalf of any three letter agency.

  h. Trust the author of the password vault
3. To make the password vault any more effective than paper in your wallet, you need to encrypt the vault with a strong pass-phrase, and you are back to square one again.

4. The chances are that the average Joe that reads that and chooses to use "some form of secure password vault" will choose a bad one.

The only reason to use a "password vault" if for convenience once you have too many passwords to write on a small piece of paper in your wallet or if you face a adversary where you expect them to be able to steal your wallet. In which case just memorize some 100 bit diceware passwords which is surprisingly easy.

> The only reason to use a "password vault" if for convenience once you have too many passwords to write on a small piece of paper in your wallet

Isn't this true for most people? Paying my bills and utilities alone requires nearly a dozen passwords: bank, rent, electricity, gas, water, internet access, phone bill, health insurance, renters' insurance, car insurance.

To be fair, yes. I personally use Lastpass although I am not totally satisfied with it because it has not been audited and is not open source. What the "expert" was effectively telling people was to search "secure password vault" and choose the first result.
I was amazed when I was watching BBC News and this came on. I remember Google dorking webcams when I was 12 and the BBC were playing it up like some prodigal hacker had tapped into the matrix to produce these webcams or something.
Oh man when I was in the range of 12 - 14 I loved watching these webcams to get small glimpses into other peoples' lives around the world. I still have vivid memories of watching street vendors in Japan, fishing boats docking and leaving somewhere in Asia, and the sun rising over beautiful mountains somewhere in Europe during an early spring. It was mesmerizing to peer through these virtual windows into locations half a world away.
How do you do this? The article is very sparse on technicalities...
> Last week it was showing video feeds from more than 250 countries

I may be very confused, but Wikipedia only lists 206 sovereign states (193 full UN member states)[0]. Even with border disputes 250 seems like a very inflated number. Is there some other common definition of "country" I'm not aware of, or did this article just fail to perform basic fact-checking on the claims?

[0] http://en.wikipedia.org/wiki/List_of_sovereign_states

"Country" is an ambiguous term that's not always synonymous with "sovereign state". For instance, British people tend to think Wales, England, and Scotland are three countries.
> An analogy best describing this would be just because someone leaves their window open it does not give permission for an unauthorized individual to set up a camera outside their window and broadcast the feed worldwide

I think a better analogy would be someone putting up a tv screen on the side of their house showing a camera feed of the inside of the house, with a sign that asks people "Don't look at this TV"

Better than that is the exact same but without the "Don't look at this TV" sign. There's just a TV there and the curious are going to be curious
If you need to video feed for experiments just search for "inurl:axis-cgi/jpg/image.cgi" on google.
I while ago I bought a webcam, plugged it in and entered my wifi password. I little bit later I realized that it had reconfigured my router and was broadcasting to the internet. Wow, I'm all for easy to install, but that's crazy. I couldn't believe that my router was configurable automatically without entering the password. I fixed my router, but you have to be pretty tech savvy to understand that your cheap baby cam is broadcasting pictures from inside your house to the entire world by default.
I wanted to get a video baby monitor for my twins, but gave absolutely no thought into getting an internet-connected one. I just didn't see the benefit and it seemed super creepy having the camera accessible over the internet.

Now, after about two months, I realize that I hardly ever use the video feature and the audio is almost always enough. I guess we'll see if I change my mind as the babies get a little older, but I'd rather have my $250 back and just have gotten a simple audio monitor.

This is the purpose of unpnp port forwarding. Devices can request an open port from the firewall. I have yet to see a consumer router where this was off by default. Its dangerous stuff for those with no idea what's going on. At the very least it should be off by default.
Attention for this particular issue is nice. But all these reports are not going to reach the actual user.

I don't see anybody making such a big fuss when people don't close the curtains in their home at night (or even during the day). Sure you can see who is peeking into your house, but technically is it much different then a insecure/unconfigured webcam?

>> "But all these reports are not going to reach the actual user."

I think it might. It was one of the top headlines on the evening news in the UK and the main message was to users - change your password. How many acted on that I don't know but the reports certainly got out to regular people.

It's been on the news here to, i didn't see any drop in the number of cams online from my country.
In the case of the general public it is different. A curtain is a highly intuitive instrument for privacy protection, you pull it and it covers the window. Understanding how to secure a technical device such as a webcam is not as easy or intuitive, especially if as another poster mentioned, the device is configured to broadcast automatically. People will almost always stay with the defaulted configuration unless they fully understand the technology, hence the reason wifi routers now come with long cryptic random passwords.
> If we can take one lesson away from this experience, it is that default passwords do not provide protection from the threats that exist in the modern world.

No shit.... Also this article covers what not to make your password which I think is misleading... This isn't about a hacker guessing easy passwords it's about people setting up these devices and not changed the DEFAULT user/password which is easy to find (or guess: user/user, admin/admin, root/root, user/root, etc).

"An analogy best describing this would be just because someone leaves their window open it does not give permission for an unauthorized individual to set up a camera outside their window and broadcast the feed worldwide,"

That's a terrible analogy. These webcams are accessible publicly on the web with no security. A better analogy would be, it's like leaving your window open, and your window location can be indexed by google, and your window can simultaneously be viewed by anyone around the world in their underwear. And in some cases they can pan, rotate, and zoom your window.

"If we can take one lesson away from this experience, it is that default passwords do not provide protection from the threats that exist in the modern world."

No, if we take away one lesson from this experience it's that the person exposing the serious issue can sometimes recieve the most criticism. Nothing is better, just back to being hidden.

Yeah I also thought the camera company's statement was BS.

Setting a password should be part of the installation process for these kinds of products, and you should not be able to get it up and running without that step.

But none of these companies want to absorb the support costs of dealing with customers who will struggle with that step (and there will be plenty, Insecam was proof of that), so they pass the risk onto their customers and then try to vilify the people who point it out.

> "An analogy best describing this would be just because someone leaves their window open it does not give permission for an unauthorized individual to set up a camera outside their window and broadcast the feed worldwide,"

Actually, I'm pretty sure it does.

I'm a photographer, so I'm constantly following discussions and lawsuits about it. Anything that can be photographed (or videoed) while the operator is standing on public space is fair game. I can absolutely take photos and video of the front of your house while standing on the road. If you happen to have your window down, that's your problem not mine.

Downvotes because I'm wrong (legally speaking) or because you don't like the implications if I'm right?

https://www.aclu.org/kyr-photo

opening paragraph:

"Taking photographs of things that are plainly visible from public spaces is a constitutional right "

>with no security.

My understanding is that the site would try various manufacturer default passwords (perhaps even common passwords as well) to gain access. I think if there's access control, albiet poor, it still does not quality as "no security" or "public." Look, the blinds in my house are open like 5mm or so. If you press your face against my window you can see in. That's not public, just because its easy for you to do.

>exposing the serious issue can sometimes recieve the most criticism.

This wasn't some selfless security researcher. This was a monetized site.

Personally, I'd like to see legislation that forces password changes on devices before they are allowed network access. The wild west of consumer electronics has given us the "internet of (compromised) things." This is not a good trend.

I used to be part of a forum that had a massive list of the default login and unprotected cams. There were maybe 10k-20k per document, maybe 5 or 6 documents. As far as I could tell, all were working cams but 99% of the time there was nothing happening. Either they were too dark to see much, pointed at a front door, or showing rooms with no one in them. I personally never saw any movement on any of the cams except for a sleeping puppy.

On the rare occasion someone found a not-empty cam, there would be screencaps immediately. It was like crowdsourced voyeurism before crowdsourcing was a thing. The best one was a guy who was using the camera to monitor his weed grow op. Apparently, according to more knowledgable users on this forum, he was using the lights inefficiently. It sparked a massive debate on the intricacies of grow lights and that's when the thread died.

It was creepy but far less creepy or exciting than I imagined when I first stumbled upon the thread. Still, change your passwords people.

Funny that everyone is upset by this. When it comes to government surveillance, a lot of people don't seem to care.
The government is only out to get bad guys of course.
Maybe this is a good example of why is not a good idea for our goverments to have irrestricted access to everything, because this kind of people would have access too.