This Sticker Kills Thwarts Fascists

55 Responses

  1. Mark - Lord of the Albino Squirrels says:

    What, it's not like an evil government space octopus would use satellites to…
    http://forum.nasaspaceflight.com/index.php?action=dlattach;topic=32686.0;attach=540381;image

    nevermind.

  2. penguin_head says:

    Does they have the ability to do this for Linux based machines?

  3. Jim Tyre says:

    It is nothing but a vicious and unfounded rumor that I paid Clark for that plug!

    (Thanks, Clark, I got your wire transfer instructions.)

  4. Matthew Cline says:

    Does they have the ability to do this for Linux based machines?

    It sounds like the feds have to trick the target into visiting a link which installs malware on the computer. So if there's any install-malware-via-visiting-a-website exploits on Linux (either in a browser or in a plugin), those could be used. I'm not up on current Linux security exploits, but even if there aren't any that are known to the public, the government can always buy zero-day exploits from black-hat hackers.

  5. Jim Salter says:

    Back in the hoary old days of eyeball-shaped webcams, I used to rock a Logitech that came with a sliding physical shield that you could cover the lens with when not actively in use. "Hack this, motherfucker."

    Of course, that wouldn't have helped with the mic… ah well.

  6. Xenocles says:

    "Does they have the ability to do this for Linux based machines?"

    I imagine the sticker works independently of your OS.

    But in all seriousness, does the adhesive gum up the lens for when you want to use the camera?

    Edit: Oh, I see that they do not. How delightful.

  7. Dan says:

    I've had a Post-It and tape over my laptop camera for years. Good to know my paranoia was well-placed. Bad that we live in a world where a story like this doesn't shock me in the least.

  8. John Dough says:

    Not true of Macs! The LED and camera are wired together.

  9. SimpleMachine says:

    It would be so much more convenient if we could just put the sticker over the FBI. Need very big sticker.

  10. Marconi Darwin says:

    Odd, I was expecting a rant on this story.

    Clark, you are slipping.

    Or am I, and did I miss it?

  11. cmbeid says:

    Simple fix for Linux (no tape required): Unload the kernel module for the webcam.

  12. Deathpony says:

    Bit late to the party here Clark.

    Hackers have been doing it for a long time; and I think its fair to always assume any capability held by a 14 year old kid is held by the FBI whether they admit it or not.

    Personally, I have stickered my computer, but not because of the FBI. I figure that, as much as I may hate the FBI's guts, it is less of a threat to me than bored teenagers…though the level of moral development may be similar.

    http://www.smh.com.au/digital-life/consumer-security/how-hackers-can-switch-on-your-webcam-and-control-your-computer-20130328-2gvwv.html

  13. penguin_head says:

    Thanks, I am always uncertain with such types of news items explaining webcam vulnerabilities. I figure that the webcam driver is the thing to blame allowing any application to attach to it without explicit permission. At the very least the driver should place a modal dialog on the screen before enabling.

    I'm never sure if there's something lower level (like microcode in the TPM or BIOS) that provides access (say through IPMI) regardless if you have any OS or driver loaded.

  14. Ryan says:

    I wonder if they can still switch on a webcam that has been disabled via the device manager (e.g. device driver disabled).

    Unless they've located a very big gaping hole in the modern Windows administrative user access controls, it seems unlikely. (Unless of course the user was stupid enough to get their machine compromised by clicking unsolicited links in the first place… *sigh*)

    Regardless, no built-in cameras on my machines anyway.

  15. Cat G. says:

    Huh. So, these exploits all still require someone to do something first.

    Interesting. Tell me more. Better yet, send it to me using a strangely named file with six file extensions and an email that makes no sense for me to be receiving. Or a link that tells me it's going to one place while the hover-URL shows someplace else.

    And then I'll laugh because my camera is already in exclusive use by my own spy eye program, because reasons.

    Or, y'know, I can abrogate any sense and click random links and file attachments without bothering to do a five second check. I don't care if you're my mother, I'm not going near it without at least a twice-over. (Actually, in the case of my parents, I won't go there or open anything without a phone call to said parents, a malware and virus scan, and probably isolation in a virtual machine running a virtual machine.)

  16. AP² says:

    @cmbeid

    Linux doors have privilege escalation exploits every once in a while. If they had access to one, it'd be a simple matter to reload the module (or even provide their own).

    @Deathpony

    One thing is accessing the webcam, another is doing so without activating the LED. That story seems to be a few years old, from when people used USB webcams, which didn't used to have LEDs.

    @penguin_head

    Modal dialogs from drivers? Ugh. no thanks. And that'd kill any possibility of automating the camera for non-nefarious uses such as personal vigilance.

    No, the fix is for manufacturers to put electrically connected LEDs to the webcam, such as they can't physically be deactivated by software.

  17. Deathpony says:

    @AP2

    quote from the story

    "A 14-year-old boy motivated by revenge is probably one of the last people you'd want to have unmitigated access to your computer. Especially if you're female, given that one of the most commonly exploited features of RAT software is the ability to spy on a user's webcam. Many modern laptops will display a green light when the webcam is in use; however, RAT developers have long since worked out how to disable that tell-tale sign on some computers."

    The story was from early this year. They are definitely talking about integrated laptop webcams with LED's

  18. Chris says:

    Isn't this an urban legend? I thought the LED was in the power supply circuit to the camera, in which case it would be physically impossible to activate the camera without also activating the light.

    Be nice if someone with electronic skills could verify this.

  19. Clark says:

    @Marconi Darwin

    Odd, I was expecting a rant on this story.

    Clark, you are slipping.

    The plebian details of, you know, earning a paycheck, dealing with family, and all manner of shit that you do not know have – regretfully – interfered.

  20. Clark says:

    @Chris

    Isn't this an urban legend?

    As per the news article which was based on court documents: no.

  21. Matthew Cline says:

    @Cat G.:

    Interesting. Tell me more. Better yet, send it to me using a strangely named file with six file extensions and an email that makes no sense for me to be receiving. Or a link that tells me it's going to one place while the hover-URL shows someplace else.

    A website you regularly visit could get hacked and have the infecting code surreptitiously added. Or, with the FBI/NSA/etc, they could get (or force) the cooperation of a website where you have a user account, with the infecting code targeted at just you.

  22. barry says:

    I've often wondered about the microphones in smartphones.

  23. John says:

    @barry: Cell phones can be remotely activated to be turned into transmitting microphones. Even when the power is turned off. This is why cell phones are not permitted into secure government offices. Outside those offices, you find pigeonholes into which people entering the office leave their phones.

    Leaving the phone outside the office is more convenient than removing the battery every time you need to talk to someone in person.

  24. piperTom says:

    Matthew Cline: "It sounds like the feds have to trick the target into visiting a link…"

    Unlike a bored teenager, the FBI will invade your home, install whatever they like on your machine.

    John Dough: : "Not true of Macs! The LED and camera are wired together."

    That's good. Of course, given their physical access to your machine, the hardware it came with might not be any guarantee. Still, it's good to raise the difficulty; that's all we ever do.

  25. wumpus says:

    @penguin_head

    Linux malware tends to be in the form of trojans (google android malware for many, many examples). If you are sufficiently careful when you install software from non-official repositories, you should be ok. I'm assuming that everything else is likely "the good stuff" that the "bad guys" want to keep for high value targets. Spreading them willy-nilly over low value targets is a good way to get them patched over and useless.

    - note that if you normally install software as root "sudo apt-get install …" or "configure/make/make install", it shouldn't be that hard to slip in a kernal with said module.

  26. The bummer part about the sticker is that it doesn't do anything to check the out-of-control agencies or stop the North Korea-esque "We now choose to release these documents to foster public discussion on our free will and totally not because a court ordered us" declarations.

    All seriousness aside, EFF promoting the stickers does raise public awareness and leads to pressure against that crap. So they are most definitely a Good Thing.

  27. Clark says:

    @Deathpony

    Bit late to the party here Clark.

    Thanks. I always enjoy feedback like that. It is both polite and useful.

  28. Shane says:

    @Jim Tyre

    It is nothing but a vicious and unfounded rumor that I paid Clark for that plug!

    Jim if you are with the EFF, I say right on! That is a great idea. I have you bookmarked and will be purchasing soon. Plus I will tell all of my friends and … wait there's more. I can finally get rid of the pink duck tape on all of my computers … Wooot!!!

  29. OrderoftheQuaff says:

    It's worth remembering that the road between sound and electricity runs both ways; when you look at the circuit diagram, a speaker is exactly the same thing as a microphone.

  30. Sinij says:

    I just logged into Clark's machine to peep through his camera, and to my surprise he looks EXACTLY like his profile pick. Only no glasses. Poser, I always knew he wore these to look smarter.

  31. AlphaCentauri says:

    If you're talking about tricking someone into installing the malware themselves, that's a constant threat and the FBI is an infinitessimal part of the threat. If you're talking about them breaking into your home and installing the malware, it's an expensive and dangerous proposition on their part and would necessarily be limited to a few high-interest targets.

    In both cases, we need judges that do more than rubberstamp the warrants for such actions.

    However, given some of the Supreme Court rulings permitting overreach in searches and seizures, we also need a constitutional amendment that makes "privacy" a more explicit right, hopefully without the whole effort collapsing under the weight of the abortion debate.

    How do we get that started?

  32. rmd says:

    …when you look at the circuit diagram, a speaker is exactly the same thing as a microphone.

    Does inserting the plugs for a headset and external mic physically disconnect the built-in speakers and mic? If so, then a set of dummy pins could be a useful thing.

  33. cskh says:

    I find these comments about the camera and microphones and speakers odd, and the concern seems misplaced. If they (for whichever "they") can manipulate the machine's devices, they control your computer. Those devices are just a part of the machine. They can also take screenshots, capture keypresses, rifle through files, and watch the network traffic. These comments, perhaps unintentionally, sound like, "the camera, yeah the camera, that's the real problem. Put a sticky over it, you're good." No: if someone can control the camera you have a malware problem, not a camera problem.

    On the other hand, does worrying about the camera and sound help instill a proper sense of paranoia? You should never really trust the machine. If the camera issue in particular provokes a more visceral response, that may help with the learning.

  34. Clark says:

    @cskh

    No: if someone can control the camera you have a malware problem, not a camera problem.

    Excellent point. Well said.

  35. For the camera: Cut out a small piece of paper. Center that on a strip of electrical tape. Tape the paper bit over the camera.

    For the mike: Same drill, except wad up a little bit of tissue. Center that over the microphone hole.

  36. Daniel Neely says:

    Cute; but the EFF needs to sell the sticker in silver to better match my laptop's chassic.

  37. cpast says:

    If someone compromises my camera, they pretty much get a picture of me, in my room, typing away. Sometimes I'd be in a classroom, but it doesn't give away much info my IP wouldn't already give away. The main other option is that they'd get an extreme close-up of my touchpad, because the laptop's closed.

    It's MUCH more serious if they can access the data in my laptop. That's a whole lot more personal than my face.

  38. Sami says:

    Forgive me if I'm inadequately paranoid, but… I don't think I actually care? I mean, this implies the FBI could be watching me use my computer, but the very nature of the situation ensures that they would be watching me at the precise times when I am guaranteed not to be doing anything interesting at all.

    Just imagine the poor operator's logs.

    "Subject is staring with a blank expression."
    "Subject is staring, briefly frowned."
    "Subject stopped staring to clean her glasses. Oh god I'm bored."
    "Subject's attention was drawn by something to her left. Something appeared to be happening, but then she left the field of view, and camera showed the back of a chair for fifteen minutes before power shut down."

    If they wanted to invade my privacy in an even faintly meaningful way, hacking the mic or installing a keylogger would be much more effective, and won't be prevented by a sticker.

  39. JTM says:

    I'm just waiting for the Youtube series "FBI reaction to watching you watching porn."

  40. Cat G says:

    @Matthew Cline

    No websites are trusted, for the reason you mention. The potential of a hack targetting a regularly visited website is exactly the reason why you should not trust any links or activity and ensure that your defensive countermeasures (aka, antivirus and anti-malware/spyware) are up to date and operational.

    Somewhat surprised to see this blog from Clark, really – for that very reason. The problem (from a personal responsibility focused view) isn't the camera hardware, it's the lack of personal action to mitigate and neutralize the threat presented by hackers. I know people that have run "insecure" for years with no problem, largely because they are informed and aware of how to avoid infection vectors. The best countermeasures available are useless in the face of user actions to subvert them, for whatever reason. (Usually usability and convenience.) And even security focused programming and hardware practices are ever subject to errors in design and execution.

    TL;dr – The best method of securing your computer is to keep it unplugged, in a safe that no one (including you) have the key or combination for. It just wouldn't be all that useful.

  41. Rhonda Lea Kirk Fries says:

    Forgive me if I'm inadequately paranoid, but… I don't think I actually care?

    Me neither. If the FBI wants to observe my cats' reign of terror on the household, they're welcome to it.

    But I don't see this so much as a way to protect the privacy of my kitties as an opportunity to support our most important online resource–the EFF. Everyone should buy a set of stickers, even if you don't plan to use them. Be sure to share the link, too.

  42. Bob Brown says:

    You can order a Lenovo Thinkpad with no camera; I've got one. However, as others have pointed out, the problem with state-sponsored malware goes much further than potentially seeing me with less than the usual amount of clothing. Something I have not done yet (but it's on my list) is remove my current antivirus program and replace it with one from a company outside the U.S. I have no reason to believe that I may be a target of the FBI/CIA/DHS, etc. but given dragnet surveillance, I have no reason to believe I'm not, either.

    (And, it's a damn shame that I am more worried about my own government than about "hackers" or the Axis of Evil governments.)

  43. Orv says:

    There is something visceral about the idea of being secretly watched, even if in my case all they would learn is that I sometimes pick my nose. I think it taps into Americans' deep-seated shame over the idea that someone, somewhere, might see them naked.

  44. Al says:

    The obvious solution is to just start randomly shouting Walking Dead spoilers into your laptop. Downton Abbey spoilers would probably work too.

  45. Sami says:

    Rhonda Lea Kirk: But I don't see this so much as a way to protect the privacy of my kitties as an opportunity to support our most important online resource–the EFF.

    What, they don't have a "donate" button?

    If I want to support an online resource, I'd rather do it in a way that doesn't come with the wasted resources involved in producing items and shipping them around the world in order to provide me with clutter I don't want.

  46. Rhonda Lea Kirk Fries says:

    @Sami,

    Then don't buy the stickers, but please do consider a donation.

  47. AlphaCentauri says:

    I suppose it's an issue if you don't own the computer, such as at work or school. They may have antitheft software that allows the system administrator to turn on the webcam in case of theft, but they may just decide to be nosy. There was a major to-do when a high school in PA got into a situation with a kid who kept losing/damaging the school computers and his family refused to pay for insurance or replace the computers. He wasn't allowed to remove his replacement computer from campus but did it anyway. The IT admins were pissed off about it and reported it stolen even though they were pretty sure it was at his house, and once the camera was on, they didn't turn it off for weeks.

  48. azazel1024 says:

    Actually compared to most of the NSA stuff, the FBI bit sounds tame. Granted, it might be all on the sly with nary a bit of judicial oversight involved, but the artciles I read about it mention the FBI going warrant hunting to do the taps/malware ploy.

    In a couple of cases Judges told them flat out no. In a few cases they had to correct warrants because of errors contained within. In a few cases Judges narrowed the warrants. In a few cases the Judges told them, go right ahead.

    So long as that is actually the case and the FBI isn't just doing this at a whim, which they could be, it doesn't bother me a wit. Only to the extent that there is REAL judicial oversight to the thing and not simply a rubber stamp.

    The NSA stuff, it is barely even rubber stamped.

  49. A Walrus says:

    I'm used to Clark's posts making me angry, but it's usually not because I agree with him. Developing this capability was a terrible plan. I'm skeptical about the capacity of the FBI/NSA etc. to use it responsibly, but more importantly, it's inevitability going to escape into the wild.

  50. AlphaCentauri says:

    This isn't something they discovered themselves. It was already in the wild.

  51. ntnt says:

    Given the advent of malware designed to blackmail money out of you by encrypting your files until you cough up some dough, how long until we see "click here to view a video of you masturbating, which is on our website, and which will be removed for the low, low fee of $50" ?

  52. Cat G says:

    Mr. Walrus, this capability has been in the wild long before the FBI figured out (or more likely, "seized" it, got it from a cooperating perp, or bought it on the black market).

    For some information, go to Ars here.

  53. Anon-UV-Squirrel says:

    A reminder: you can cover your digital device's built-in cameras with opaque stickers that not only do the job, not only look sporty, but also help support the EFF and the good work they do.

    That's not enough. They can also activate the computer/tablet/cell phone's mic and listen in. Furthermore they can use high frequency audio to transmit data. Google badBIOS for more on that. Researchers have already done proofs of concept that show all parts of what is needed for what Ruiu saw happening can all be done.

  54. Anon-UV-Squirrel says:

    I wonder if they can still switch on a webcam that has been disabled via the device manager (e.g. device driver disabled).

    Unless they've located a very big gaping hole in the modern Windows administrative user access controls, it seems unlikely.

    Think about this. The device manager is just a piece of software. The switch if flipped is an electronic one. Yeah, it's not problem to turn it back on. If you want it off, disconnect it, cut the traces on the circuit board, or even remove or the camera from the circuit board, or disconnect it where it connects into the circuit board. Some cameras are on separate circuit boards. Removing the wires between will work.

  1. December 8, 2013

    […] a comment to a post at Popehat, there was a link to a story in the Sydney Morning Herald that took my breath […]