Slashdot Mirror


Website Peeps Into 73,000 Unsecured Security Cameras Via Default Passwords

colinneagle writes: After coming across a Russian website that streams video from unsecured video cameras that employ default usernames and passwords (the site claims it's doing it to raise awareness of privacy risks), a blogger used the information available to try to contact the people who were unwittingly streamed on the site. It didn't go well. The owner of a pizza restaurant, for example, cursed her out over the phone and accused her of "hacking" the cameras herself. And whoever (finally) answered the phone at a military building whose cameras were streaming on the site told her to "call the Pentagon."

The most common location of the cameras was the U.S., but many others were accessed from South Korea, China, Mexico, the UK, Italy, and France, among others. Some are from businesses, and some are from personal residences. Particularly alarming was the number of camera feeds of sleeping babies, which people often set up to protect them, but, being unaware of the risks, don't change the username or password from the default options that came with the cameras.

It's not the first time this kind of issue has come to light. In September 2013, the FTC cracked down on TRENDnet after its unsecured cameras were found to be accessible online. But the Russian site accesses cameras from several manufacturers, raising some new questions — why are strong passwords not required for these cameras? And, once this becomes mandatory, what can be done about the millions of unsecured cameras that remain live in people's homes?

321 comments

  1. Ethics by iluvcapra · · Score: 4, Insightful

    Just because a door is unlocked does not mean you may walk inside, even if it is to tell the owner their door is unlocked.

    --
    Don't blame me, I voted for Baltar.
    1. Re:Ethics by Anonymous Coward · · Score: 2, Interesting

      I'm sure the 3 letter agencies of your country share and honor your view on the ethical methods of spying

    2. Re:Ethics by Ichijo · · Score: 5, Interesting

      How would a good person inform the owner that their door is unlocked if the only way to contact them is to walk inside? Or is the correct response to just walk away?

      --
      Any sufficiently unpopular but cohesive argument is indistinguishable from trolling.
    3. Re:Ethics by Anonymous Coward · · Score: 5, Interesting

      That analogy certainly applies to the Russian website that is streaming the videos, but I think the blogger who has discovered this website that is streaming videos from people's homes and then tried to contact the owners is more like someone seeing their neighbor's door open, some people that shouldn't be there walking out the door and then peeking in the door and calling out to see if everything is okay or letting them know when they get home that someone was in their house.

    4. Re:Ethics by Anonymous Coward · · Score: 2, Insightful

      Samaritan says "hi subject #82644266222".

      WHAT?! You don't seriously want the world's AIs to learn about the world solely from 4Chan and wikipedia, do you? Yootoob user comments are probably what finally convinced skynet to off Mankind.


      Like the issue with automated license plate readers, this is another case where something is of little concern when it has to be done manually, one item at a time. But when you automate the process and can grab data on everyone with a click of a button, then you should start getting nervous.

    5. Re:Ethics by arth1 · · Score: 4, Insightful

      Just because a door is unlocked does not mean you may walk inside, even if it is to tell the owner their door is unlocked.

      No, but it also doesn't mean you're not an idiot for not locking your door.

      Blame is not a limited commodity - you can add blame to the idiots who don't take precautions without removing any blame from those who break in. Point fingers in both directions. The breaches are a cooperation of the idiots and the outers.

      When and why did being an idiot become a right?

    6. Re:Ethics by Anonymous Coward · · Score: 1

      >When and why did being an idiot become a right?
       
      The same time your rights began to end where my feelings began.

    7. Re:Ethics by fahrbot-bot · · Score: 3, Informative

      When and why did being an idiot become a right?

      It's right there in the Declaration of Independence (for people in the US anyway) -- "Life, Liberty and the pursuit of Happiness" -- and ignorance is bliss (or so I've heard...)

      --
      It must have been something you assimilated. . . .
    8. Re:Ethics by Anonymous Coward · · Score: 0

      A better analogy is a door with a lever handle lock facing the outside world but set in the locked position. That the door is trivial to unlock doesn't change the fact it's actually locked especially when it's clearly visibly locked. Meanwhile, the internet otherwise does operate as if it's a public space and an unlocked door is in fact equivalent to an open door. Without that distinction, it'd be fundamentally impossible to operate on the internet.

      It's why the DMCA's "effectively controls access to a work" provision works with encryption (where you have to hand the user the key) still has legal standing. Because there's a clear intent, even if you use ROT13, that the DMCA was invoked.

    9. Re:Ethics by s.petry · · Score: 1

      Your analogy does not work unless you want to claim that everyone with a Diebold lock is issued the same key. It is not breaking in, it's looking in a window lacking shutters. If you, as an adult, see a crowd of kids watching someone undress in an open window you have 3 options.

      1. Ignore it. Kids are still going to peek, so IMHO you are a douche for ignoring it.

      2. Tell the person "Hey, you may want to close that blind when you're changing because kids are peeking". This seems to be the most rational and logical thing to do, but as with TFA people are going to accuse you of peeking yourself. Mostly to cover their embarrassment.

      3. Go peek with them! Which is what the site hosting all the cameras really is.

      It would be a different story if this site was brute forcing passwords, but they are not.

      Some people just don't care to close the windows, or get a thrill by keeping them open. They know that people are looking, and you telling them won't help. If that is their prerogative the expectation is that people will look.

      --

      -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

    10. Re:Ethics by QuietLagoon · · Score: 2

      ...Blame is not a limited commodity - you can add blame to the idiots who don't take precautions without removing any blame from those who break in....

      Using your logic, if someone uses an armored vehicle to break down the door and go into someone's house, then the homeowner is to blame because he did not have a door lock strong enough to stop an armored vehicle.

    11. Re:Ethics by mythosaz · · Score: 3, Insightful

      To be fair, the Russian website isn't streaming the videos any more than TPB is hosting copyrighted material.

      The Russian website has a lot of IMBED tags and links, I imagine.

    12. Re:Ethics by mythosaz · · Score: 1

      also embed :(

    13. Re: Ethics by Anonymous Coward · · Score: 1

      Why the flying hell would anyone not put a strong password on something that's constantly streaming video of inside your house? It's like putting all of your expensive items in direct view of the front window and leaving the house with the door wide open under the assumption: "eh I live in a good neighborhood, it'll be fine."

    14. Re:Ethics by mysidia · · Score: 2

      How would a good person inform the owner that their door is unlocked if the only way to contact them is to walk inside? Or is the correct response to just walk away

      Better have a good reason for being there on their property in the first place. And how would you discover the door was unlocked, unless it was left open?

      Ring the doorbell wait five minutes.

      Go talk to one of their neighbors. Don't enter the building alone if you are not an associate or good acquaintance of the owner.

      The owner probably has relatives, or a cell phone.

    15. Re:Ethics by Anonymous Coward · · Score: 1

      Tell the person "Hey, you may want to close that blind when you're changing because kids are peeking".

      4. Take pictures and post them on Twitter, send an anonymous postcard with pics of the kids gathered up in front of their Window and a censored shot

    16. Re: Ethics by Alain+Williams · · Score: 1

      Why the flying hell would anyone not put a strong password on something that's constantly streaming video of inside your house?

      The product manual probably does tell the owner to set a password, but most people do not read the manual as most people do not read an EULA before clicking to say that they agree to it. The vendor might be able to make setting a password one of the set-up steps, but if they did they would greatly increase the number of support calls that they get when people forget them. Even if users set passwords: most of them would be trivial or the same one that they use for their on-line banking.

    17. Re:Ethics by nabsltd · · Score: 1

      Just because a door is unlocked does not mean you may walk inside, even if it is to tell the owner their door is unlocked.

      This is a good analogy, because it is impossible to tell if a door is unlocked (or if a camera has the default username/password) without trying to open the door.

      So, what your advice boils down to is that you never can accurately inform someone their door (system) is unlocked.

    18. Re:Ethics by Anonymous Coward · · Score: 1

      No, the site is not even streaming anything; it's sending out thumbnails that are hosted off their own host.

    19. Re:Ethics by JMJimmy · · Score: 1, Insightful

      A camera is not a private residence. Aside from legitimate cams intended to broadcast publicly, going inside a public or commercial building where a door is unlocked or the entry code is publicly known is completely legal and legitimate. In the case of cameras you don't know what it is until you enter, until then it's reasonable to assume it's a public/commercial camera. Once you learn what it is you should exit if it's reasonable for them to expect privacy and alert someone if it's intended to be secure/secret.

      One thing I question - 73,011 cams in 256 countries? There are only 190-200... even counting random pseudo countries I don't think there are 256...

    20. Re: Ethics by Anonymous Coward · · Score: 1

      When you live in a good neighborhood, it is fine. I don't lock my doors. Even at my daughter's high school, hardly any of the kids lock their bikes up. Theft exists, but it's rare. We don't react to it by refusing to trust everyone.

      Humans can have strong communal ethics and not devolve to Lord of the Flies the moment some asshole disrupts things.

    21. Re:Ethics by JeffAtl · · Score: 2, Interesting

      and local law enforcement

    22. Re:Ethics by suutar · · Score: 0

      And now we get into the differentiations between "normal care", "prudent care", "stupid behavior", and "paranoid preparedness". Unfortunately the boundaries are subjective.

    23. Re:Ethics by arth1 · · Score: 1

      Using your logic, if someone uses an armored vehicle to break down the door and go into someone's house, then the homeowner is to blame because he did not have a door lock strong enough to stop an armored vehicle.

      There's a "reasonable" part to "reasonable precautions". I know, "reasonable" requires an ability to reason.
      If armored vehicles become a problem, putting up Czech hedgehogs is a reasonable precaution. If contact spreading diseases become a problem, a reasonable precaution is to wash your hands, even if it won't stop everything. If bike theft is a problem, using a bike lock is a reasonable precaution, even if it won't stop a thief with a high speed diamond saw.

      And, by Babbage and Hollerith, attacks on Internet enabled devices have become a problem. And the one who puts a device up on the Internet needs to protect it, within reason.

    24. Re:Ethics by Anonymous Coward · · Score: 0

      No, but it also doesn't mean you're not an idiot for not locking your door.

      People might be idiots for not understanding that the world is full of terrible people and they need to go out of their way to protect their privacy from criminals, but victim blaming and shaming especially after the fact is not right.

    25. Re:Ethics by mtempsch · · Score: 1

      One thing I question - 73,011 cams in 256 countries? There are only 190-200... even counting random pseudo countries I don't think there are 256...

      There looks to be 255 'territorial' top level domains ("country code" TLDs) - not all of which are acknowledged as countries in say, the UN.

    26. Re:Ethics by ls671 · · Score: 1

      They aren't really doors you know. They are cameras hooked on the Internet I assume.

      Now, to be easily accessible with default credentials, wouldn't they have to have a public IP address with an open port?

      Otherwise, I wonder how those guys got behind so many routers. Plug and play that requires a specific port on the router public IP?

      I have a hard time imagining that all those cameras would have their own dedicated public IP.

      --
      Everything I write is lies, read between the lines.
    27. Re:Ethics by njnnja · · Score: 1

      I know you are joking, but the line was plagiarized/borrowed. The original line was "life, liberty, and the pursuit of property". But it wasn't simply about the right to accumulate a bunch of luxuries; in context, it was referring to the pursuit of things that are somehow relevant to a satisfying and productive life. So it would be the right to pursue home ownership for your family, maybe fields for farming, and for many ./ers, it would be the right to accumulate gadgets, for the musically inclined, the right to procure instruments, etc. It doesn't take much of a stretch to go from this sort of enlightened satisfaction, to calling it merely "happiness" for simplicity.

    28. Re:Ethics by arth1 · · Score: 1

      And now we get into the differentiations between "normal care", "prudent care", "stupid behavior", and "paranoid preparedness". Unfortunately the boundaries are subjective.

      As well they should be. Humanity and its wonderful inventions and fads change, and not being flexible and expect common sense is a big drawback of common law versus civil law, and the societies that think in absolutes.

    29. Re:Ethics by Anonymous Coward · · Score: 0

      It would be a different story if this site was brute forcing passwords, but they are not.

      They are indeed brute forcing the password using a very short list of known defaults. Your arguments are based on the presumption that the camera web server presents no login prompt at all. The login prompt is the equivalent of a locked door. If someone got a hold of a "master key" for a brand of popular door locks they are not free to go around letting themselves into any house they want. An ineffective lock is NOT the same thing as no lock at all.

    30. Re:Ethics by arth1 · · Score: 2

      People might be idiots for not understanding that the world is full of terrible people and they need to go out of their way to protect their privacy from criminals, but victim blaming and shaming especially after the fact is not right.

      Why not? It doesn't absolve the terrible people from their deeds.
      We need to shame those who have something to be ashamed of regardless of whether they're victims or not.
      That someone became a victim is sad, but does not in any way mean we cannot criticize them like we can criticize non-victims. If two people don't lock their bikes, and one of them gets stolen, we should not only be able to criticize the guy who did not get his bike stolen. Whether he's a victim or not doesn't change whether he's an idiot.

    31. Re:Ethics by Anonymous Coward · · Score: 0

      So do you write an email to google every time you visit their unprotected website? or do you assume, since there is no password, that you are allowed?

    32. Re:Ethics by CanHasDIY · · Score: 1

      An internet-connected camera left on publicly known default credentials is nothing like an unlocked door.

      Rather, it's like a wall-sized window on the first floor facing the busiest street of the busiest city on the planet, with the shutters wide open.

      --
      An enigma, wrapped in a riddle, shrouded in bacon and cheese
    33. Re:Ethics by CanHasDIY · · Score: 1

      The second one.

      The first is a good way to die of justifiable homicide everywhere I've lived.

      --
      An enigma, wrapped in a riddle, shrouded in bacon and cheese
    34. Re:Ethics by CanHasDIY · · Score: 1

      What about if the lock, upon installation, begins screaming "EVERYONE HAS A COPY OF THE DEFAULT KEY!!! MAKE A NEW ONE NOW!!!" But the person chooses to ignore it?

      --
      An enigma, wrapped in a riddle, shrouded in bacon and cheese
    35. Re:Ethics by Chris+Mattern · · Score: 1

      In the case of cameras you don't know what it is until you enter, until then it's reasonable to assume it's a public/commercial camera

      On the contrary, if you don't know what it is, it is *not* reasonable to assume it's a public/commercial camera. If you assume it is you could do something wrong. If you assume it is not, you can't do something wrong (as not accessing is never wrong).

    36. Re:Ethics by Anonymous Coward · · Score: 0

      beware, victim blaming!

    37. Re:Ethics by penguinoid · · Score: 1

      Just because a door is unlocked does not mean you may walk inside, even if it is to tell the owner their door is unlocked.

      If we're doing a door analogy, this is like if people's locks came with a default key where everybody who bought the same brand door could open your door. On the lock installation instructions, it tells you how to randomize your key but most users just use the default. Obviously, the purpose of the lock and key is exactly so that other people can't open your door. And then when you show them how anyone at all could open their door they accuse you of lockpicking.

      If a lock company did this, they'd be out of business in no time. There's no reason people who make network devices shouldn't use randomized passwords the same way locks come already randomized.

      --
      Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
    38. Re:Ethics by JMJimmy · · Score: 3, Informative

      There looks to be 255 'territorial' top level domains ("country code" TLDs) - not all of which are acknowledged as countries in say, the UN.

      That 255 includes:
      1 for European Union
      1 for Antarctica
      2 for Russia
      2 for East Timor
      2 for UK
      .yu, .zr, .an, .cs, .dd no longer exist as countries
      a crapload of administrative/dependent territories that are inconsistently applied. ie: Canada's "territories" do not get TLDs but similar entities in other countries do.

    39. Re:Ethics by fahrbot-bot · · Score: 4, Informative

      I know you are joking, but the line was plagiarized/borrowed. The original line was "life, liberty, and the pursuit of property". But it wasn't simply about the right to accumulate a bunch of luxuries; in context, it was referring to the pursuit of things that are somehow relevant to a satisfying and productive life. So it would be the right to pursue home ownership for your family, maybe fields for farming, and for many ./ers, it would be the right to accumulate gadgets, for the musically inclined, the right to procure instruments, etc. It doesn't take much of a stretch to go from this sort of enlightened satisfaction, to calling it merely "happiness" for simplicity.

      Take it from someone who, at 51, is debt-free, has a net-worth of almost $2M, but lost his wife in 2006 after 20 years together, "property" does not make "happiness". Though having "things" might make your pursuit of satisfaction and/or productivity (whatever that means to you) easier, property is a means to an end. Happiness is something you realize from within and, possibly, experience with someone else.

      Even after 20 years together, Sue and I held hands wherever we went - I miss that and nothing else I have can, or could ever, compensate for losing her. Remember Sue...

      The line is better written as, "the pursuit of happiness."

      --
      It must have been something you assimilated. . . .
    40. Re:Ethics by BronsCon · · Score: 1

      If something is displayed publicly, it's *very* reasonable to assume it's intended to be public.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    41. Re:Ethics by BronsCon · · Score: 1

      It's why the DMCA's "effectively controls access to a work" provision works with encryption

      Because there's a clear intent, even if you use ROT13, that the DMCA was invoked.

      Well, no, actually. In order for an encryption scheme to be considered "effective", it must not already be broken. ROT13 is most certainly broken. This is also the reason studios abandon known-broken DRM schemes; anything released before it was known broken is protected under the law, as the scheme was effective when implemented, but it wouldn't be considered "effectively control[ling] access", just the same as putting a known-bad lock on your door would be considered ineffective.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    42. Re:Ethics by Chris+Mattern · · Score: 1

      If something is displayed publicly, it's *very* reasonable to assume it's intended to be public

      Or that the owner wants to access a private device remotely. Since that's the safer assumption, and not at all unlikely, it is the more reasonable assumption.

    43. Re:Ethics by JMJimmy · · Score: 1

      In the case of cameras you don't know what it is until you enter, until then it's reasonable to assume it's a public/commercial camera

      On the contrary, if you don't know what it is, it is *not* reasonable to assume it's a public/commercial camera. If you assume it is you could do something wrong. If you assume it is not, you can't do something wrong (as not accessing is never wrong).

      You must live a very boring life. My best experiences have been poking around places I wasn't sure what they were; both in real life and digital. It's one of the joys of living in a free society.

    44. Re:Ethics by Anonymous Coward · · Score: 0

      Universal Plug and Play opens up ports on your router so you don't have to!

    45. Re:Ethics by Anonymous Coward · · Score: 0

      Bullshit.

      There is a world of difference between leaving the door to your home unlocked and CONNECTING A CAMERA TO THE FUCKING INTERNET WITHOUT A PASSWORD. It's more like publishing a personal story or picture on a web forum and then getting pissed because people in the Internet can view it.

    46. Re:Ethics by JMJimmy · · Score: 1

      If something is displayed publicly, it's *very* reasonable to assume it's intended to be public

      Or that the owner wants to access a private device remotely. Since that's the safer assumption, and not at all unlikely, it is the more reasonable assumption.

      You can go in circles with "intent" arguments. Regardless of intent of the owner, the difference between accessing a private home camera and public camera is an IP address. Can you tell the difference between an IP assigned to a public park web cam vs someone's living room? How about the difference between one at a private residence pointed at a bird nest outside vs their bedroom? What about dynamic IPs that might log you into your camera one day and a neighbour's the next?

      The problem here is really the entire way default passwords are set. In this day and age it would not be hard to make the default password for the device the serial number or something similar that's unique and is still recorded for support purposes.

    47. Re:Ethics by mrchaotica · · Score: 2

      It's broadcasting on the Internet. Assuming it's intended to be public is exactly as valid as assuming a website is intended to be public.

      --

      "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

    48. Re:Ethics by Chris+Mattern · · Score: 1

      Can you tell the difference between an IP assigned to a public park web cam vs someone's living room?

      If I have to guess a password (even if it's a default one), it's somewhere I probably shouldn't be.

    49. Re:Ethics by cayenne8 · · Score: 1

      Bottom lines:

      1. You can't fix stupid

      2. You can't legislate against stupid.

      --
      Light travels faster than sound. This is why some people appear bright until you hear them speak.........
    50. Re:Ethics by Anonymous Coward · · Score: 1

      Logging to a private wireless network without the owner's authorization, even if it's unlocked, is similar to trespassing.

    51. Re:Ethics by ls671 · · Score: 0

      That's exactly what I suggested in my post and that's why I always disable that. Doesn't it sound like a security risk? Duh..

      --
      Everything I write is lies, read between the lines.
    52. Re:Ethics by JMJimmy · · Score: 1

      How would a good person inform the owner that their door is unlocked if the only way to contact them is to walk inside? Or is the correct response to just walk away?

      We're not exactly talking about an unlocked door though. Think about it this way - you see someone's keys on the ground or left in the door. You knock but no one answers. You might poke your head in to put the keys inside or look in the window to see if anyone is home. Yes you could walk away but that's not very neighbourly of you, who knows the next person to come along might rob them.

    53. Re:Ethics by JMJimmy · · Score: 1

      Can you tell the difference between an IP assigned to a public park web cam vs someone's living room?

      If I have to guess a password (even if it's a default one), it's somewhere I probably shouldn't be.

      Guessing passwords I would agree in most situations, except where the intent of guessing is for the public good. Default passwords on the other hand are public knowledge and it's not uncommon to have a device that requires a password be set even if your intent is for public access. We had this issue at a public library I worked at - the router we used to handle the volume was commercial and required a password be set to a non-empty value. We posted the password on the front door of the library so people could continue to use the network when it was closed.

    54. Re:Ethics by Anonymous Coward · · Score: 1

      What you describe is not a free society. It is trespassing and unauthorized access. I'm not saying you can't find some cool stuff if you dig around, but don't fool yourself into thinking you are free to go anywhere you want as long as the door's unlocked.

    55. Re:Ethics by BronsCon · · Score: 1

      If the owner wishes to access that device remotely and doesn't wish for the device to be accessed by the general public, perhaps it would be wise to put a password on it? Not the default password that everybody and their mother knows, either; after all, it's not illegal to enter through a door for which you have a key.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    56. Re:Ethics by Anonymous Coward · · Score: 0

      >> Just because a door is unlocked does not mean you may walk inside [a designated-private place]
      A publicly-accessible stream is free game. Even if it's "unintentional", when I post my browser history on a Community Notices board* that's free game.

      That said, the article is different. Even if they're uselessly default creds, even if there's nothing but a splash page that says Go Away, that still designates it as nonpublic. HOWEVER, note that use of a third party (cloud, host, whatever) without restricting (conditional when you release) the third party means you allow them to release at their discretion.

      *people do the equivalent of this all the time, when they put Data into the wild

    57. Re:Ethics by JMJimmy · · Score: 1

      If the owner wishes to access that device remotely and doesn't wish for the device to be accessed by the general public, perhaps it would be wise to put a password on it? Not the default password that everybody and their mother knows, either; after all, it's not illegal to enter through a door for which you have a key.

      Technically speaking it is. Breaking and Entering is two parts of a crime - the first part is for breaking the seal formed by the door, the second for entering the premises (regardless of whether the door was open or by alternate means). The thing is that only applies to private residences or locked public/commercial buildings. An unlocked version of the latter is considered open to the public.

    58. Re:Ethics by TWX · · Score: 1

      Don't be surprised if a large number of people still disagree with you unfortunately. I made the same argument regarding someone taking naked pictures of themselves using Internet-connected devices, people still got mad that I was victim-blaming. Didn't matter that the victims put themselves into a position to be victimized through their own poor and easily-predicted choices. Some even got mad that I brought it up after the incidents. I pointed out that I'd brought it up last time there was a round of leaks, before this round, so I don't know exactly when they want it brought up.

      --
      Do not look into laser with remaining eye.
    59. Re:Ethics by BronsCon · · Score: 1

      Wait... it's illegal to enter through a door for which you have a key? Since the fuck when?

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    60. Re:Ethics by clonehappy · · Score: 2

      How is this modded +5 or insightful? It's neither. Why are we still comparing locks and doors in meatspace to virtual servers and ports and IP addresses on a globally-interconnected network of computing nodes and electronic resources? They are nowhere near the same thing. When you advertise and/or broadcast a service on a given port and on a given IP-address, you can rest assured that unless it is properly secured, anyone and everyone will access it and utilize the resources it provides.

      In most cases, there are perfectly ethical and legal reasons to access someone else's resources. For example, Google searches, YouTube, IRC, FTP. Is it unethical to download files from an open, unsecured FTP server? Of course it isn't. Is it unethical to watch someone's private camera in their home that they left with no or default credentials? Probably yes, but you'll never know for sure because the default behavior of the network is that if something's wide open, it's there for everyone to use.

      When I started college in the 90's, there was a directory on some network drive that was mapped by default for all students. It was called "Network Trash Folder", and had some obscene amount of storage available on it. You better believe it was used for almost a year as a warez-and-mp3 repository for people in the know. Was it unethical to use that resource, that was obviously not officially-sanctioned to be globally available to all users, as a personal storage space? What if some cool/disgruntled/outgoing admin actually made a publicly available storage space knowing people would find it and use it for whatever they wanted? How would anyone know what the intent really was for that resource to be there?

      Long story short, it's up to the administrator of a given resource to secure it, lest it be used in ways he or she did not intend. It's not as simple an analogy as "Well, B&E is illegal duh!" Because we aren't dealing with physical resources. If you don't want people watching your cameras, don't put them on publicly routable ports/addresses or at the very minimum, change the default credentials so people can't access your resources. If you leave everything wide open (or default), expect people to use it. I realize most people don't know this, and this is why they should either learn or pay the consequences. And before I get the "don't blame the victim" song and dance, it's not victim blaming when someone doesn't know enough about how something works to use it safely or securely. If you're stupid enough to run your car's engine without oil and it seizes, you're to blame, you're not a victim...if you leave your iPad and laptop and wallet full of cash laying on the seat of your unlocked car downtown and someone rips you off, you're not a victim (unless you count of your own stupidity).

    61. Re:Ethics by JMJimmy · · Score: 2

      What you describe is not a free society. It is trespassing and unauthorized access. I'm not saying you can't find some cool stuff if you dig around, but don't fool yourself into thinking you are free to go anywhere you want as long as the door's unlocked.

      Luckily I live in Canada where fraudulent intent must be proven and that I do not have any colour of right when it comes to "unauthorized access"

      Trespass is provincial and in my province the property "that is enclosed in a manner that indicates the occupier’s intention to keep persons off the premises or to keep animals on the premises." must be met - otherwise I am free to enter until I'm told to leave.

    62. Re:Ethics by Anonymous Coward · · Score: 0

      Wait... it's illegal to enter through a door for which you have a key? Since the fuck when?

      It can be. If you don't have permission to enter. Just having a key doesn't mean you have the rights to use it. Why would you assume otherwise?

    63. Re:Ethics by Stan92057 · · Score: 1

      You can't know the door is unlocked unless you try to open the door. The only way that should happen is you knock/ring doorbell HOMEOWNER opens the door. If you try to open the door you are breaking and entering. There is zero reason you should be seeing if the door is open unless you see smoke or fire or a dead person IN the already open door. Being curious is no valid reason to try to open a door or use a default password people for whatever reason don't change. Keep Out

      --
      Jack of all trades,master of none
    64. Re:Ethics by mysidia · · Score: 1

      Let's not forget about the Computer Fraud and Abuse Act. Just port scanning might be bordering on criminal in some cases. But gaining access without authorization by exploiting knowledge of a default secret code or factory backdoor is right out.

      Going inside a public or commercial building where a door is unlocked or the entry code is publicly known is completely legal and legitimate.

      Oh really? I believe someone got arrested for trespassing a few months ago for entering an unlocked door into my office building, which is definitely commercial, but not public access either; no on-premise services or point of sale.

      The door was unlocked, but the intruder just had no business being on the property, tripped a silent alarm when they entered, and someone called the cops.

    65. Re:Ethics by Anonymous Coward · · Score: 0

      I like living in a society where you don't need to lock your door, where we actually can trust each other. Why do we security geeks always think society will be better if everything is secure, and not the other way around?

    66. Re:Ethics by weilawei · · Score: 1

      We posted the password on the front door of the library

      Then you wouldn't be doing much guessing, would you now?

    67. Re: Ethics by unami · · Score: 1

      guess what - my door is never locked, but i'll give you a good-hiding if you come and try whether it is locked.

    68. Re:Ethics by JMJimmy · · Score: 1

      Yup. It's done that way so if you once had a key but were kicked out/fired you can't use that key to gain access after authorization has been withdrawn.

    69. Re: Ethics by unami · · Score: 1

      no, it's about default passwords. in your analogy, that would be like looking for the keys under the doormat or in other obvious hiding places.

    70. Re:Ethics by BronsCon · · Score: 1

      I'm sure you fully understand the point I'm trying to make and are just arguing semantics at this point, so I'll humor you for the sake of entertainment.

      Technically, at that point, the key is no longer legally yours. That is, you may still possess it, but you no longer "have" it, in a legal sense, as you were to have turned it over to its rightful owner. Similarly, were the owner of a building, private residence or not, to put a lock on their door, and that lock included a bowl containing dozens of keys in a bowl labeled "Key to my house. Take one, they're free.", which they then proceeded to leave on their front porch, they would be legally giving that key and, with it, legal authority to enter through that door, to anyone who took one. That they can later revoke that authority on an individual basis does not change the fact that this is *exactly* what people are doing when they put a device on the public internet *with default credentials*.

      If someone uses that key to come in and steal all their shit, that person is still a criminal; for stealing, though, not for entering, as they were given implicit permission by way of the key.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    71. Re:Ethics by JMJimmy · · Score: 1

      I believe someone got arrested for trespassing a few months ago for entering an unlocked door into my office building, which is definitely commercial, but not public access either; no on-premise services or point of sale.

      Are you in Ontario? Your reference to the "Computer Fraud and Abuse Act" suggests not. Canadian law is different. In Ontario companies must post notice, make it obvious entry is prohibited, or he would have had to have been told to leave and then refused to do so.

      The door was unlocked, but the intruder just had no business being on the property, tripped a silent alarm when they entered, and someone called the cops.

      This is kind of the situation that the Ontario law seeks to keep from being abused. If the lights are on and the door is unlocked and someone walks in thinking the business is open, even if they have no real reason to be there, it's not a crime here. The benefit of the doubt is given to the individual because it can't be proven what their intent was. In that identical situation where the sign on the door said "Closed" they are trespassing because notice was provided that entry was prohibited at that time.

    72. Re:Ethics by The+Ickle+Jones · · Score: 1

      We should drop all forms of security and precaution, because anything else is victim blaming. Obviously.

    73. Re:Ethics by mysidia · · Score: 1

      it can't be proven what their intent was. In that identical situation where the sign on the door said "Closed" they are trespassing because notice was provided that entry was prohibited at that time.

      Your comparison doesn't make sense; there was no Closed Sign or Open sign, because the commercial building is not a storefront. It is a place where there are employees who work, and there are authorized personnel who need the convenience of easy access to their work area, but it is not a place where business involving face to face contact is conducted with customers.

      Probably the lack of an "Open" sign was relevant, the fact they drove in through an open gate that completely surrounds the premises, and they parked in a manner that obstructed access to the loading dock after passing several signs that stated "Private Lot; (Company Name) Vehicles Only", then CCTV footage also showed them snooping around trying the doors on some vehicles then trying the locked door on a utility building, and the front door, before they found an unlocked warehouse entrance.

    74. Re:Ethics by Anonymous Coward · · Score: 0

      The analogy is incorrect. A good neighbor will indeed inform their neighbor that an unlocked door is unwise. Many neighbors even have verbal agreements to keep an eye on each other's property, and the police routinely encourage that. Under those conditions I would even feel comfortable going inside and trying to secure the door.

      As for testing the door in the first place, that is problematic unless the neighbor asked first.

      However I disagree that a mass test for open video feeds is necessarily analogous to "going into your neighbor's house" in the first place. It could be, but it need not be. If the tester didn't access the video for anything else but security testing, and performed a true mass test (no creeping on handsome/beautiful neighbors) and stuck to a strict ethical script, then it can be done properly. I think!

    75. Re:Ethics by JMJimmy · · Score: 1

      We posted the password on the front door of the library

      Then you wouldn't be doing much guessing, would you now?

      It was the default password, but that was my point - when the password is public knowledge (be it default or otherwise) entry is reasonable.

      In Canadian law you actually commit a crime if you fail to act to prevent certain things. The duty it imposes means you have to act to prevent "danger to life"; anything that "obstructs, interrupts, interferes, damages, or destroys" property or data; or "lawful use or enjoyment" of property (but not data). The only exemption to this duty is if you have another legal justification/excuse with colour of right. Still pretty grey regarding this subject but does have interesting implications for "hacktivism".

    76. Re:Ethics by 0100010001010011 · · Score: 1

      It's closer to a big window with blinds. If you don't close the blinds you can't complain about people being able to stand on the sidewalk and see.

      Just because the window is a fancy box you plug into the internet it isn't my fault you didn't read how to close the blinds. No one is physically entering my house. I can still call you from my cell phone while standing on our street.

      Close your damn blinds.

    77. Re:Ethics by mysidia · · Score: 1

      It's broadcasting on the Internet.

      No. It's accessible from the internet; it's not broadcasting, there is a big difference.

      It will respond to a request unicasted to its IP address and a certain port number, and the response will be unicast as well, not broadcast.

      The mere fact that it will respond on its IP address is not an authorization to use that IP address to gain access to it.

      If it were intended to be accessed, the owner would have provided information about how to access it, or at least listed the IP address in the DNS and major search engines.

    78. Re:Ethics by mysidia · · Score: 1

      Wait... it's illegal to enter through a door for which you have a key? Since the fuck when?

      If the key was not provided to you with the permission or authorization of the property owner or their duly authorized agent, then you are committing a trespass.

      If you don't know, or a reasonable person would not be confident under your circumstances, that the key you have is in your possession with consent of the right property owner or duly authorized agent to hold and use the key for entrance to that particular place, then you are committing breaking and entering.

      But the real issue is not whether you hold a working key, but whether you are consented to access the area.

      Just as a random example: If you are an employee at some place, and you have an unauthorized copy made of your key, and you give it to a friend for some reason, and you do not have permission to give it to them, and they use the key to sneak in one night, then they have committed breaking and entering, and you are probably an accessory to the crime (even if you did not intend that they use the key to break in at night).

      Oh yeah, if you learn all of brand X locks use the same kind of key, and you have a copy of that key; it's still breaking and entering if you use your key.

    79. Re:Ethics by mysidia · · Score: 1

      they would be legally giving that key and, with it, legal authority to enter through that door, to anyone who took one.

      Bad analogy, that's not what they're doing. A more apt analogy would be, they did a Do-it-Yourself install of a Brand X lock.

      They failed to realize, that all Brand X locks come to the manufacturer keyed with a standard very simple bitting and the package just includes a sample plastic key for purposes of testing the lock, and some blanks.

      Before putting the lock into permanent use, you're meant to use the sample key to begin the rekeying process, and since it's a user-rekeyable lock, you are meant to take the key blanks to a hardware store or get a locksmith and have them cut the keys to a template of your choice, and just use the plastic key to start the rekeying process.

      Unfortunately..... 60 to 70% of the users didn't bother to read the complete installation instructions, so they never proceeded to the rekeying process, and they have just been using the plastic keys to open their deadbolt, which the plastic keys that ship with ALL the Brand X locks are able to open.

      This interesting fact is NOT authorization to operate the lock. It's not like leaving a bowl of keys outside your door; it's a procedural error in understanding the lock will be less secure, but it certainly is not an invitation, and it is still trespassing to enter.

    80. Re:Ethics by Fjandr · · Score: 1

      Cue all of the "Oh noes! Can't blame the victim!" Yes, you can. Stupid behavior with perfectly predictable negative results should, indeed, be blamed squarely on the victim. Fuck people who say it shouldn't.

    81. Re:Ethics by Fjandr · · Score: 1

      In many cases, it is absolutely the best way to get stupid behavior stopped.

    82. Re:Ethics by BronsCon · · Score: 1

      I'll refer you to my response to the first reply to that post. I have a feeling you know exactly what I was getting at, but, in case you don't, that should clarify.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    83. Re:Ethics by Anonymous Coward · · Score: 0

      The owner probably has relatives, or a cell phone.

      Or a shotgun.

    84. Re:Ethics by Anonymous Coward · · Score: 0

      This is also the reason studios abandon known-broken DRM schemes; anything released before it was known broken is protected under the law, as the scheme was effective when implemented, ...

      No, the reason they abandon known-broken DRM schemes is because they don't rely upon the DMCA as a basis to protect their "work". The whole point of the DMCA was to both (1) legally go after commercial exploiters of various DRM breaking schemes, which obviously can't work if to go after them legally is to admit said scheme is no longer "effective"--ergo, that's not what the law could ever mean--and (2) to scare people with legal threats if they attempt to break the DRM schemes, period, including being able to take down websites, file lawsuits against people before they actually get as far as breaking DRM schemes, etc. For the former, the DMCA was a great success. For the latter, the DMCA as a legal mechanism is rather futile because the internet works around the "damage" of the censorship that the DMCA imposes and individuals/groups end up either (a) cracking schemes for a "work" and never revealing the exact how or (b) working in quiet until finally dumping the whole cracking scheme as a whole, often with source code on the means.

      ... but it wouldn't be considered "effectively control[ling] access", just the same as putting a known-bad lock on your door would be considered ineffective.

      DRM schemes of the nature where the user is given the whole "work" and the lock and the key are "a known-bad lock", so logically they would have to be considered ineffective. Yet consistently court rulings have treated such schemes as effective regardless because the intention is clear and the DMCA is effectively invoked. FYI, the main reason ROT13 is unlikely to be considered effective on, say, /. is because there's an implicit understanding that ROT13 is being used as a joke and the intent is for people to use it--equivalent to there being a building with a level lock that had a "public building; feel free to unlock, enter, and lock when you leave" sign. So, as long as a company wasn't explicitly advertising they were using ROT13 with the implicit, "wink wink", there's no reason ROT13 couldn't be considered an effective mechanism legally. After all, ROT13, XOR, or any other DRM scheme where the user implicitly must have the key are really just points of obfuscation with a backing of implied intent.

    85. Re: Ethics by Anonymous Coward · · Score: 0

      If you are going to be a piece of shit, please refrain from calling yourself Canadian. Thanks

    86. Re:Ethics by Anonymous Coward · · Score: 0

      This is exactly right. You don't blame someone for making these mistakes, you blame the perp. Not blaming someone does not imply endorsing their previous choices, it does not cost you anything. Advocate for precaution all you want, say "I told you so", but don't say that their actions /caused/ the crime. It only intensifies neuroticism in victims. This may seem pedantic but it is really important because it is not incompatible with sympathy and victims, people who have inherently gone through some kind of hard time, need some support. Even in non-serious cases for people who are frequently victimized (bully victims, anyone?).

      We need to step up our support programs for people in need. Not with money, but with emotional support. School shootings, terrorism, drug abuse, etc can be reduced with more universal access to mental health care. Consider the recent shooting in Canada. Costs for this can be dropped via prevention and that means a cultural shift to being more sensitive towards others.

      When and why did being an idiot become a right?

      On this, it didn't. But making mistakes is human and not necessarily a product of idiocy. You're making a mistake in thinking that putting in reasonable precaution for all things in life is at all reasonable as a whole. There's just too much going on. You have investments, relationships, work, your mental health, your property, and so much more.

    87. Re:Ethics by The+Ickle+Jones · · Score: 1

      This is exactly right.

      You think we should drop all forms of security and precaution? You think no one should ever lock their doors, lock their cars, or take reasonable precautions that could protect them from potential future harm?

      This is exactly right. You don't blame someone for making these mistakes, you blame the perp.

      Which is what people do. "Who committed the crime?" "The perp." "Who was the one that took unsafe actions when reasonable precautions could have been taken?" "The victim." Blame for different things can be assigned to different people, and none of this means the criminal should get away.

      Only in straw man fantasy land does anything else happen in a grand majority of cases.

    88. Re: Ethics by Anonymous Coward · · Score: 0

      Ethics is fine and dandy, until the next guy that walks into your insecure house comes in and kills every fucking person there because he correctly surmised that people that stand on unfounded and stupid principles are a continuously spewing source of co2, as such, are irrelevant. Take it over, secure their shit, move on down the road

    89. Re:Ethics by Anonymous Coward · · Score: 0

      If something is displayed publicly, it's *very* reasonable to assume it's intended to be public.

      Reasonable to you or reasonable to the court of law?

      Guess which one weighs more if you ever end up in a situation where the difference matters.

    90. Re:Ethics by JMJimmy · · Score: 1

      Not exactly. Speaking in terms of Canadian law the "key" and the "authority" are separate. It would actually be a crime to place such a bowl (mischief) because you induced mischief or acted in a reckless manner that would "probably result in an act" (even if one doesn't occur, that is a danger to life, damage to property, etc). It's called "Wilfully causing event to occur".

      Where it gets interesting is the "key" and "authority" being given out (ie: default password) belongs to the device manufacturer. It's the owner's responsibility to create a new "key" for which they control the "authority". Because the manufacturer has to give the public the authority to use the default password that means that it's no longer reasonable to expect the "communication" remain private. Voyeurism laws still apply so if you enter, discover it to be a household, you have to exit - but that's no different than glancing into a window - you're not a peeping tom unless you linger.

    91. Re: Ethics by JMJimmy · · Score: 1

      no, it's about default passwords. in your analogy, that would be like looking for the keys under the doormat or in other obvious hiding places.

      How so?

    92. Re:Ethics by JMJimmy · · Score: 1

      That was just a simple example of how it works in Ontario. There's a long list of ways to legally notify someone that they are not permitted to enter. Everything from "employees only" signs to fencing to yellow/red paint. The "Private Lot" sign would have done it. Approaching a doorway, regardless of how many you try, is legally protected - just not entering if notice is given. ie: feel free to go up and knock like a mail man or someone seeking assistance might do but stop before you get to a B&E

    93. Re:Ethics by JMJimmy · · Score: 1

      Effectively, except that voyeurism laws that apply to staring into someone's window for an extended period also apply to these video signals. ie: you can peek just don't linger/keep coming back.

    94. Re:Ethics by BronsCon · · Score: 1

      Your first paragraph refers to Canadian law, which may apply to you but does not apply to me, or to the majority of Slashdot readers. I can't argue with it as, from your position, you are perfectly correct. Your second paragraph is what's interesting to me, as that's exactly the point I was trying to make.

      Actually, the first paragraph is interesting to me, as well, as I did not know that bit of Canadian law. Knowing that this is legally (and likely socially) enforced in Canada, I'd be willing to wager that if we compared the ratio of netcams with default passwords to netcams with non-default passwords in Canada and compared it with the same in the US, Canada would fare considerably better.

      We need something like that here in the states, so people start taking a bit of fucking responsibility for themselves and their own actions. Though, if we had it, it would probably be applied to rape victims who wore short skirts and no panties, while being ignored in cases where someone leaves their door wide open and hangs a flashing neon "murder me" sign in the window. And people I know say Canada is backwards...

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    95. Re:Ethics by Anonymous Coward · · Score: 0

      Just because a door is unlocked does not mean you may walk inside, even if it is to tell the owner their door is unlocked.

      More apt analogy maybe? "Just because I've chosen to do something outside in my yard does not mean you are free to watch me do it"?

    96. Re:Ethics by Anonymous Coward · · Score: 0

      I was not taking your statement literally. So no. My point is, there is a difference between blame (implying an action caused another) and advocating precaution (implying an action can prevent another). The former has serious consequences to mental health when applied to victims and can even cause them to repeat their mistakes.

    97. Re:Ethics by Anonymous Coward · · Score: 0

      Hmm Illegal entry ? or Breaking and Entry. ? Or would you just be a peeper ? Course if you the be lawman all you need is reasonable suspicion, (whatever that is) to be OK with the judicial universe.

    98. Re: Ethics by Anonymous Coward · · Score: 0

      Not a bad analogy, but still not very accurate.

      It would be more like you walk by a house and see that they have Acme brand storm shutters over the windows, and that they are closed. You know that Acme brand storm shutters have a lock on them, but by default the lock uses all zeros for the code. This is changeable, however that is the default that they ship with.

      You go up to the shutters, enter the default code, and pull them open. You then sit and stare inside for a while. When the cops come to arrest you for peeping, you state that although the blinds were closed, they must have intended for you to be able to look in and creepily watch over their baby, since they didn't change the code.

      A WebCam that requires credentials to login is not the same as a webpage with a live video feed that requires no credentials. Another good physical analogy would be closed security shutters over a business's windows versus an unobstructed display window. It's pretty obvious they want you to look in large display window. To anyone that is not a complete idiot, it should be obvious the obstructed windows are meant not to be viewed through, even if you can unlock them through use of a default code that you looked up on the manufacturer's website.

    99. Re:Ethics by graphius · · Score: 1

      Wrong, it is not necessarily legal and legitimate to enter a public or commercial building unless you have permission of the owner. A couple of examples, is it legal to enter your white house? Tours are on specific areas only. If you hop the roped off areas you will get in trouble. A store owner can ask you to leave their premises for any reason (they usually won't because they want you to spend money, but the law is on the store owner's side). For this case of the cameras it is a bit more complicated because, in essence the owners are publicly broadcasting. I agree that the best thing to do is not to watch. Interesting that the site is hosted in Russia. I think it would be shut down in most western countries. However IANAL

    100. Re:Ethics by graphius · · Score: 1

      Not necessarily. If someone is hanging their laundry outside to dry, it doesn't mean it is public.

    101. Re:Ethics by graphius · · Score: 1

      Just because something is legal does not mean it is ethical.

    102. Re:Ethics by graphius · · Score: 1

      imbibed tags

    103. Re:Ethics by AK+Marc · · Score: 1

      And how would you discover the door was unlocked, unless it was left open?

      Someone less ethical before put a note on the door, "this door is unlocked".

    104. Re:Ethics by AK+Marc · · Score: 1

      No. It's accessible from the internet; it's not broadcasting, there is a big difference.

      You are giving the technical answer to a non technical question.

    105. Re:Ethics by JMJimmy · · Score: 1

      I'd direct your attention to your own words: "Roped off areas", "ask you to leave", and the fencing/signs/security/etc around "our white house". Those are deemed notices that it's prohibited to enter a specific area. In the absence of those things it would be legal until you are given notice.

    106. Re:Ethics by JMJimmy · · Score: 1

      Just because something is legal does not mean it is ethical.

      It was unethical to find and report a security issue at a military installation? It's unethical to scan publicly available security cameras in an area during an Amber Alert? It's unethical to locate cameras that do give access to private homes for the purpose of notifying them - often GPS data available to allow you to notify local police to follow up?

      There are many many ethical reasons for accessing such cameras.

    107. Re:Ethics by BronsCon · · Score: 1

      If they hang it in their front lawn... are you telling me it's illegal to look at it? Of course it's not legal to take; but, then, nobody claimed it was fine to take someone's security camera because they didn't change the default password, either. Legal to view it? Well, yes, until such time that you could reasonably realize that they, perhaps, hadn't intended to make it public.

      But, of course, you knew what I meant and were simply being obtuse for the sake of argument. Bravo.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    108. Re:Ethics by stoatwblr · · Score: 1

      "a crapload of administrative/dependent territories that are inconsistently applied"

      Historically, ccTLDs have only been allocated when someone applies for them(*). The more likely explanation for Canada's territories not having ccTLDs is simply that no one's asked for one.

      (*) Several of the allocations have been fairly dubious. Christmas Island (Australian territory) being one example, where the custodian wasn't resident on the island and no one on the island knew anything about the .cx allocation. Tuvalu (.tv) was another. The government there had to go to court to retrieve their ccTLD from a predatory registration made by a company resident in the UK.

      Officially the allocations are the property of the area's government, delegated to XYZ entity as a matter of trust. In most cases the relevant govt is utterly unaware of this and whoever controls the ccTLD acts as if they are not accountable.

    109. Re:Ethics by stoatwblr · · Score: 1

      "Or that the owner wants to access a private device remotely."

      In which case they would have changed the password.

    110. Re:Ethics by graphius · · Score: 1

      During an amber alert, the more important goal is to find the missing child. It is a weighing of ethics.
      Do you go around testing doors to see if any are unlocked? You may get into trouble.
      And the site in question is not being visited to notify owners their security is poor, it is much more voyeuristic than that...

    111. Re:Ethics by stoatwblr · · Score: 1

      "voyeurism laws that apply to staring into someone's window for an extended period"

      Such laws usually require that the observation position be either

      1: Not in a public space
      2: Concealed

      Or that the observer is using a visual aid (binoculars, telescope, telephoto camera)

      This depends on the jurisdiction of course but an "expectation of privacy" does not give anyone carte blanche to wander around naked inside their house when one wall is a picture window facing the street with the curtains open (I've seen prosecutions for exactly this behaviour and judges heavily slammed defences based on "if it's indoors, it's private")

    112. Re:Ethics by graphius · · Score: 1

      If you walk through someone's property it is not legal, but no one is really going to press charges. If it were to go to trial, you could feign ignorance, but you may still be charged with trespassing. There are lots of contributing factors.

    113. Re:Ethics by The+Ickle+Jones · · Score: 1

      You can blame someone for not taking reasonable precautions.

    114. Re:Ethics by Anonymous Coward · · Score: 0

      But why would you? You're adding insult to injury and decreasing the likelihood that precautions will be taken in the future. You're also making yourself look like an asshole and gaining nothing from it? Say "You can do _ to prevent _" not "You should have done _ if you didn't want _ to happen", that's all I'm asking.

    115. Re:Ethics by The+Ickle+Jones · · Score: 1

      But why would you?

      You're still assigning blame, no matter how much you sugar coat it. The point is ultimately just to offer reasonable ways for people to protect themselves.

    116. Re:Ethics by JMJimmy · · Score: 1

      1) That was my point, people from outside the area can scan outdoor cameras in the area to help find the missing child.
      2) Random doors would require a key I do not have - but as stated much earlier in this conversation, laws relating to doors and interception of communications are very different.
      3) I was referring to the law/ethics of it, not what that particular site is doing which is illegal in many cases.

    117. Re:Ethics by JMJimmy · · Score: 1

      ahh - Canadian law is different. You need only "surreptitiously observe/record" someone where they have a reasonable expectation of privacy or cause to be nude in that space or observe/record for a sexual purpose.

    118. Re:Ethics by JMJimmy · · Score: 1

      Again, it's specific to your local laws, in Ontario: "(2). There is a presumption that access for lawful purposes to the door of a building on premises by a means apparently provided and used for the purpose of access is not prohibited."

    119. Re:Ethics by Neil+Boekend · · Score: 1

      That neon sign is clearly a bad joke and should be treated as such.

      --
      Well, I might have a way, but it only works on a semi spherical planet in a vacuum.
    120. Re:Ethics by BronsCon · · Score: 1

      You got my point, though...

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
  2. try telling this to old people by alen · · Score: 4, Interesting

    My father in law went to the AT&T store with help on his wifi-only iPad. He's totally confused by the need for an iTunes store account password, wifi password on his home wifi and wifi passwords at other places.

    1. Re:try telling this to old people by Anonymous Coward · · Score: 5, Insightful

      Tell him they're like keys on a keyring. You need a different key to unlock your desk drawer even after you've unlocked your house. And when you go to someone else's house, your key doesn't work for them.

  3. People buy stuff without understanding is... by FlyHelicopters · · Score: 4, Informative

    Film at 11...

    The truth is, many people are using technology today without really understanding any of it. Even my own wife is pretty gumby with computers, if I wasn't there to do something about it, I have no doubt they would be full of malware and viruses.

    To quote my own Mother, "I don't want to learn all that technical stuff, I just want to use my computer".

    Yea, I have to say, I have to clean her machine off of crap every year. Every time I go over there, Internet Explorer has 5 or 6 toolbars installed because she clicks on everything.

    And no, she won't let me restrict and lock down the machine, I've tried that.

    1. Re:People buy stuff without understanding is... by arth1 · · Score: 5, Insightful

      To quote my own Mother, "I don't want to learn all that technical stuff, I just want to use my computer".

      That sounds like "I don't want to learn all that traffic stuff, I just want to drive on the highway."

      It might be better if there were two classes of devices, one run by others for them, and ones you drive yourself. All some people need is the equivalent of public transportation. We don't let people drive cars or fly planes without some basic skills, and while most don't get good at it, at least good enough to not be an instant hazard for everybody else.

       

    2. Re:People buy stuff without understanding is... by Jason+Levine · · Score: 5, Insightful

      Many people look at computers as if they are appliances. You don't need to know how to configure your toaster. You just plug it in and toast your bread. You don't need to edit some config file to make your refrigerator keep your food cold. Any "settings" come in the form of easy-to-read dials or buttons. Turn the dial on the stove and the heat goes on/up. Turn it the other way and it goes off. There's a group of people who expect computers to act like this. Unfortunately, computers are far more complex than any fridge or stove - especially once you go online and you are opened up to all of the security issues that this entails.

      --
      My sci-fi novel, Ghost Thief, is now available from Amazon.com.
    3. Re:People buy stuff without understanding is... by Anonymous Coward · · Score: 0

      Isn't that what the iDevices are?

    4. Re:People buy stuff without understanding is... by war4peace · · Score: 2

      They could be made simpler by designing and creating applications, UIs and features which "do one thing but do it well".
      There's little incentive to do so, though, although I have to say that smartphones got there already, more or less.

      --
      ...gis sdrawkcab (usually not responding to ACs; don't bother posting as AC)
    5. Re:People buy stuff without understanding is... by slinches · · Score: 1

      There's an easy solution to that problem. Don't fix it and tell her why.

      Seriously, if someone isn't willing to learn and use the most basic of computer hygiene practices, they will eventually fall prey to malware and will almost certainly lose data to hardware failure at some point. And if you're the administrator of the computer when that happens, it'll be your fault for not protecting them (at least in their eyes).

      You could also try explaining it as a car analogy: e.g. "You wouldn't just hop in your car and start driving without learning the rules of the road, would you?"

      --
      Knowledge Brings Fear
    6. Re:People buy stuff without understanding is... by PPH · · Score: 2

      It might be better if there were two classes of devices, one run by others for them, and ones you drive yourself.

      Apple vs Android.

      Windows vs Linux.

      Self driving cars vs stick shifts.

      etc, etc.

      --
      Have gnu, will travel.
    7. Re:People buy stuff without understanding is... by Anonymous Coward · · Score: 0

      That sounds like "I don't want to learn all that traffic stuff, I just want to drive on the highway."

      Because you can plow your computer into a sidewalk full of pedestrians. Totally great analogy, that.

    8. Re:People buy stuff without understanding is... by Anonymous Coward · · Score: 0

      You do need to know how to configure your toaster, otherwise you just end up with burnt toast all the time.

    9. Re:People buy stuff without understanding is... by arth1 · · Score: 4, Insightful

      Because you can plow your computer into a sidewalk full of pedestrians. Totally great analogy, that.

      Yes, you can. Your computer can be used as a base for attacking critical infrastructure, because you allowed it to be.
      Or you let someone get to your credit card information so you can't afford medication a week.
      Or your router gets disabled so you can't dial for help through your IP phone.
      Or someone finds classified information on your PC and uses it for nefarious purposes costing lives.
      The possibilities are there. Bits and bites can kill people these days.

    10. Re: People buy stuff without understanding is... by Anonymous Coward · · Score: 0

      Because if you don't secure your computer, someone can use it to hurt you or a bunch of other people. Duh.

    11. Re:People buy stuff without understanding is... by stephanruby · · Score: 1

      To quote my own Mother, "I don't want to learn all that technical stuff, I just want to use my computer".

      Computer hygiene should be taught like personal hygiene, at the school level for the kids and through other public programs to try to reach the adults and the elderly.

      Yea, I have to say, I have to clean her machine off of crap every year. Every time I go over there, Internet Explorer has 5 or 6 toolbars installed because she clicks on everything. And no, she won't let me restrict and lock down the machine, I've tried that.

      In case you're the one who usually buys her a computer, she's the perfect use case for a cheap Chromebook. That's what I did for my mom. I didn't really force it on her. I just bought it for her to keep next to her Windows XP laptop. Eventually, as her machine became much slower and slower, she just switched to using the Chromebook on her own.

    12. Re:People buy stuff without understanding is... by Anonymous Coward · · Score: 0

      Problem is that once you let someone else set the barriers whose hoops you must jump through, they can set them arbitrarily high. It might be that driver's licenses may only go to people who can afford a class given once a year in DC.

      This reminds me of Mexico's constitutionally given right to own firearms. The stipulation is that there is only one gun shop in Mexico City where one can legally purchase a firearm, and because the firearm has to be vetted by the military... well, there are none on the military's list deemed salable to civilians. Another comparison is the hoops needed to get a firearm in NYC. Only the wealthiest people can do that.

      So, don't assume that forcing people to take tests or pass qualifications will help things. It really will just be used to screw us all over in the end.

    13. Re:People buy stuff without understanding is... by grumbel5969 · · Score: 1

      Any "settings" come in the form of easy-to-read dials or buttons.

      I'd wish that would be the case. Most home appliances have absolutely horrible user interfaces, completely meaningless symbols instead of text are extremely common. If you get text, it's often squished in some tiny LCD display that requires all words to be abbreviated. Some functions are only accessible via magical key combinations. Manuals are just as bad, as they tend to explain half a dozen variations of a product at once, while you of course only own a single one of them and so on.
      Computer interfaces aren't exactly great either, but overall they are far cleaner and more logical than most of the stuff I have seen in home appliances. The only reason why home appliances don't cause more trouble is because their functionality is so limited that you can memorize the one or two button sequences that make them work and ignore most of the other features they offer.
      The big problem with open webcams and such is that they use default passwords in the first place. Those really should be outlawed and considered a violation of product safety. There is no reason for them to exist. The other big issue is that the devices aren't transparent for the user. If the webcam is broadcasting things to the Internet, there is no user visible indication that it is doing so. This one is harder to fix, but with all the fancy tech we have, it shouldn't be impossible to get a wireless status report from a device telling you what it's doing. Most devices of course allow that already in some form, but not with a standard interface or protocol.

    14. Re:People buy stuff without understanding is... by Anonymous Coward · · Score: 0

      Many people look at computers as if they are appliances... Unfortunately, computers are far more complex than any fridge or stove - especially once you go online and you are opened up to all of the security issues that this entails.

      Except now, the Internet of Things is turning items like fridges and stoves into computers. So people will only be reinforced in thinking of computers as appliances and vice versa. And it will be a lot more difficult, or perhaps impossible, to 'administer' an appliance and make it secure - so the privacy of techno-peasants is going to be even more thoroughly gang-raped.

      Even though I'm pretty liberal with a few mild Libertarian leanings, I'm kind of interested in the idea voiced by an earlier poster who suggested two classes of computer: one class for those with licences or the equivalent, (and the knowledge to use computers securely), and another 'locked down' class for people who can't get beyond the 'appliance' paradigm.

      --jenningsthecat, posting as AC because I've already moderated

    15. Re:People buy stuff without understanding is... by weiserfireman · · Score: 1

      People want their computers to be like their cars.

      They don't want to know what is happening under the hood. They just want to drive it.

      I find most computer guys are like car guys, they assume that everyone should know how the engine works, or should at least care.

      Nope, they want it to turn on every morning, take them where they want to go, and shut down at the end of the night without ever knowing what makes all of it work.

    16. Re:People buy stuff without understanding is... by Anonymous Coward · · Score: 0

      On one hand, letting them find out consequences can cause them to learn, but there is always the "let the kid play out in the street, if he gets hit by a car, he will learn" where the result is just too life-impacting.

      I've solved the ignorant person item with PCs and devices in a number of ways, depending on the person and their range of cluefulness:

      1: Get them on a tablet or Chromebook. It has limited functionality, but they tend to be more resistant to malware than general purpose PCs. This generally fixes the problem, as there is no need for an "administrator".

      2: Give them Faronics DeepFreeze and detailed instructions on dealing with Patch Tuesday and how to reboot the machine, turn DeepFreeze off, install patches (and do -nothing- else than install Windows patches), reboot again, and turn DeepFreeze back on. This assumes the person has some clue and won't just turn off DeepFreeze and leave it off.

      3: Move them to an alternative OS. Nothing is 100% secure, but a Mac with Adblock tends to be a bit harder to get infested than a Windows machine, and if someone installs software only from the App Store, some website tossing a dmg file and demanding it be installed would be an exception, not the rule... and hopefully the user would know better than to have to log on as admin to run stuff not App Store downloaded.

      Linux is similar. Grabbing a file, chmod-ing it +x, and running an executable is definitely out of the ordinary with most items.

    17. Re:People buy stuff without understanding is... by RavenLrD20k · · Score: 2

      Because you can plow your computer into a sidewalk full of pedestrians. Totally great analogy, that.

      Unwitting user clicks on a cute link that installs malware on the system to turn it into a zombie for a botnet. Unwitting user's system is now participating in an attack that drains hundreds of millions of $$$ from the bank accounts of tens of millions of people that now have lost all their life savings (somewhat similar in outcome to the damage caused by driving on a NYC sidewalk)... all because they followed the cute instead of paying attention to what they were doing and following the rules of the Internet superhighway. I'd say the analogy is fairly apt.

    18. Re:People buy stuff without understanding is... by Jason+Levine · · Score: 1

      The big problem with open webcams and such is that they use default passwords in the first place.

      Routers went through this at one point too. They used to come pre-configured with the username of "admin" and the password of "password" (or some variation depending on manufacturer). This meant that most people would plug in their router and just leave the defaults in place. The most recent routers I've put into place have a setup step for setting the username and password. No, it can't prevent someone from using "12345" as their password, but at least the user isn't caught because the device just started working with no password configuration required.

      --
      My sci-fi novel, Ghost Thief, is now available from Amazon.com.
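
The forced setup step described in the comment above, together with the device status report asked for in comment 13, sketched as an added example (not code from any post or vendor): a hypothetical `Camera` model that keeps remote streaming off until the owner completes first-run setup. It goes one step further than the routers described by also refusing factory defaults and a small, constructed deny-list of common passwords; every name and threshold here is an assumption.

```python
import hashlib
import hmac
import os

# Constructed sample data (assumptions, not any vendor's real list).
FACTORY_DEFAULTS = {("admin", "password"), ("admin", "admin"), ("admin", "")}
COMMON_PASSWORDS = {"12345", "123456", "password", "admin", "qwerty", "letmein"}
MIN_LENGTH = 10          # assumed policy threshold
PBKDF2_ROUNDS = 200_000  # assumed work factor


class SetupError(ValueError):
    """Raised when first-run setup is skipped or the credentials are refused."""


def check_credentials(username, password):
    """Return a list of reasons to refuse this pair; empty means acceptable."""
    problems = []
    if (username.lower(), password) in FACTORY_DEFAULTS:
        problems.append("factory default credentials")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("password is on the common-password deny-list")
    if username and password.lower() == username.lower():
        problems.append("password equals the username")
    if len(password) < MIN_LENGTH:
        problems.append(f"password shorter than {MIN_LENGTH} characters")
    return problems


def _derive(password, salt):
    # Store a salted, slow hash rather than the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class Camera:
    """Hypothetical device: ships with no usable account and no remote access."""

    def __init__(self):
        self._user = None
        self._salt = None
        self._hash = None
        self.remote_streaming = False

    @property
    def provisioned(self):
        return self._hash is not None

    def complete_setup(self, username, password):
        """First-run step: the owner must choose credentials that pass the checks."""
        problems = check_credentials(username, password)
        if problems:
            raise SetupError("; ".join(problems))
        self._salt = os.urandom(16)
        self._hash = _derive(password, self._salt)
        self._user = username

    def login(self, username, password):
        """Nobody can log in before setup, so there is no default account to guess."""
        if not self.provisioned:
            return False
        user_ok = hmac.compare_digest(username.encode(), self._user.encode())
        pw_ok = hmac.compare_digest(_derive(password, self._salt), self._hash)
        return user_ok and pw_ok

    def enable_remote_streaming(self, username, password):
        """Remote access is an explicit, authenticated opt-in after setup."""
        if not self.provisioned:
            raise SetupError("finish first-run setup before enabling remote access")
        if not self.login(username, password):
            raise PermissionError("invalid credentials")
        self.remote_streaming = True

    def status(self):
        """User-visible report of what the device is exposing right now."""
        return {
            "provisioned": self.provisioned,
            "remote_streaming": self.remote_streaming,
        }


if __name__ == "__main__":
    cam = Camera()
    print(cam.status())
    print(check_credentials("admin", "12345"))
    cam.complete_setup("owner", "correct horse battery")
    cam.enable_remote_streaming("owner", "correct horse battery")
    print(cam.status())
```
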
    19. Re:People buy stuff without understanding is... by Anonymous Coward · · Score: 0

      Stop fixing her computer then. I had a similar problem with a client that would let his kids use his office computer when those kids broke their own. After the third visit, I put a password on his computer and told him that if he lets his kids play on his office computer again, I wouldn't fix it. I've only had to fix the kids' computer since then.

    20. Re:People buy stuff without understanding is... by Anonymous Coward · · Score: 0

      To quote my own Mother, "I don't want to learn all that technical stuff, I just want to use my computer".

      That sounds like "I don't want to learn all that traffic stuff, I just want to drive on the highway."

      Change 'computer' to TV and you kind of see how people view computers. It's just a TV with a keyboard (or not in the case of Tablets).

      It's a much better analogy than traffic and highway and you don't need a license or pass a test to work a computer.

    21. Re:People buy stuff without understanding is... by bill_mcgonigle · · Score: 2

      And no, she won't let me restrict and lock down the machine, I've tried that.

      "Son, there's no way I'm wasting my time changing the oil in my car - you will fix the engine for me if you love me."

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    22. Re:People buy stuff without understanding is... by FlyHelicopters · · Score: 1

      Computer hygiene should be taught like personal hygiene, at the school level for the kids and through other public programs to try to reach the adults and the elderly.

      Are you kidding? :) My mother turned 70 years old this year, and comes from another time...

      In 11th grade, she spent her second half of the year as an exchange student in France. She sailed there on the RMS Queen Elizabeth. No, not the QE2, the original... Back then, you didn't fly across the Atlantic, you sailed...

      ---

      Get her a Mac? Get her a Chromebook? Yea, I've thought about that. She knows Windows, she has used it for 20 years, and frankly, she doesn't want to change.

      You can't help someone who doesn't want to change.

    23. Re:People buy stuff without understanding is... by FlyHelicopters · · Score: 1

      In case you're the one who usually buys her a computer, she's the perfect use case for a cheap Chromebook.

      Yes, she is actually... except that Microsoft Office isn't offered on the Chromebook, neither is Internet Explorer (I've installed Chrome, she won't use it)...

      She has a few small applications and games that she likes to play, while I could find similar stuff on Chrome (or Mac, or Linux), she doesn't want to change.

      ---

      So why do I keep cleaning her machine? Because she is my Mother, I love her, and that is what a good son does for his Mother.

    24. Re:People buy stuff without understanding is... by FlyHelicopters · · Score: 2

      People want their computers to be like their cars.

      They don't want to know what is happening under the hood. They just want to drive it.

      Yes, and frankly, I think that is why so many iPhones and iPads have been sold.

      Technical people look at those and say, "oh my god, a locked down inferior device that costs more, who wants that crap".

      You know what? A lot of people do... How many? About a billion... That's right, between all the models of iPhone and iPad, about 1 billion of them have been sold, give or take a bit...

      Clearly a lot of people DO want that...

      If Microsoft sold a locked down version of Windows, I think people would actually buy it. I know I'd buy a copy for my Mom.

    25. Re:People buy stuff without understanding is... by FlyHelicopters · · Score: 1

      There's an easy solution to that problem. Don't fix it and tell her why.

      I've thought about that... but the truth is, she's my Mom and I can't do that... She loves me, she brought me into this world, and if her one great fault is a refusal to be knowledgeable in computers, well... I'm not perfect either...

    26. Re:People buy stuff without understanding is... by Khyber · · Score: 1

      "but a Mac with Adblock tends to be a bit harder to get infested than a Windows machine"

      Except Macs routinely are first to fall at the Pwn to Own competitions, so no, that's bullshit.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    27. Re:People buy stuff without understanding is... by FlyHelicopters · · Score: 1

      That sounds like "I don't want to learn all that traffic stuff, I just want to drive on the highway."

      I'm sure a lot of people said that very thing when cars were new.

      She has been driving all her life, most stuff she does she has done all her life. The only really "new" stuff is the Internet.

      Frankly a computer would be just fine, if it weren't connected to the Internet all the time, that is really the issue.

    28. Re:People buy stuff without understanding is... by mean+pun · · Score: 1

      Except Macs routinely are first to fall at the Pwn to Own competitions, so no, that's bullshit.

      Sounds implausible. Not because Macs are perfectly secure, but because the competition is far from perfect. So a citation for that claim would be nice.

      More importantly, are there any significant botnets with Macs in them? (And what about Linux?)

    29. Re: People buy stuff without understanding is... by Anonymous Coward · · Score: 0

      Holy cow! That's the same combination I have on my luggage!

    30. Re:People buy stuff without understanding is... by kqs · · Score: 1

      So buy her a chromebook or something else (mostly) bulletproof.

      I shouldn't have to be a mechanic to own a car, or be a doctor to manage my blood pressure, so others shouldn't need to be an IT guru to read email, watch cat videos, and chat with friends on facebook. If computers need years of training, that means that we as IT folk have failed. (And so far, we have failed.)

    31. Re:People buy stuff without understanding is... by Anonymous Coward · · Score: 0

      Bites have always been able to kill people...

    32. Re:People buy stuff without understanding is... by slinches · · Score: 1

      That's a valid option as well as long as you're aware of the consequences and that you're choosing it. Life is full of trade-offs. The real mistake is not understanding the choices you're making.

      --
      Knowledge Brings Fear
    33. Re:People buy stuff without understanding is... by Anonymous Coward · · Score: 0

      she brought me into this world

      My mom did this to me too, but she's also done so many good things for me that I've forgiven her.

    34. Re:People buy stuff without understanding is... by FlyHelicopters · · Score: 1

      I shouldn't have to be a mechanic to own a car, or be a doctor to manage my blood pressure, so others shouldn't need to be an IT guru to read email, watch cat videos, and chat with friends on facebook.

      Yes, and that is why I think Apple has sold a billion iPhones and iPads...

      And if the prices were reasonable, I think they'd sell a ton of Macs as well...

      Since Office can be purchased for the Mac, honestly I'd buy my Mom a Mac if they were stupid priced.

    35. Re:People buy stuff without understanding is... by Anonymous Coward · · Score: 0

      Computers are very much like appliances if my appliances are anything to go by. My washing machine went wrong and put water all over the floor, and I had to get someone qualified to come in and fix it. The coffee pot kept flipping the breaker because the socket wire wasn't able to support that kind of power draw, and I had to get an electrician to come and run a new circuit. Sure, I could learn to do both of these things in theory, and I can do basic things like replace a fuse or change a ubend on the sink, but maintaining my everyday run of the mill appliances in my house requires domain experts. Is a computer meant to be different?

    36. Re:People buy stuff without understanding is... by Anonymous Coward · · Score: 0

      Or someone finds classified information on your PC and uses it for nefarious purposes costing lives.

      Why on earth would you have classified information on your PC? I thought that's what Manning got in trouble for, transferring classified information to an unsecured computer system.

    37. Re:People buy stuff without understanding is... by Fish+(David+Trout) · · Score: 2

      To quote my own Mother, "I don't want to learn all that technical stuff, I just want to use my computer".

      Yea, I have to say, I have to clean her machine off of crap every year. Every time I go over there, Internet Explorer has 5 or 6 toolbars installed because she clicks on everything.

      And no, she won't let me restrict and lock down the machine, I've tried that.

      Then she shouldn't be allowed anywhere near any computer that's connected to the Internet.

      Seriously.

      An Internet connected computer in the wrong hands can be a very dangerous threat to the rest of us who share the Information Super-Highway with her. Her incompetence and irresponsibility can seriously hurt a lot of people very quickly.

      She is behaving like a person who wants to drive a car but is not interested in obtaining a license that proves she knows how to operate said motor vehicle in a safe manner. She just wants to get on the road. To hell with learning how to drive!

      That's irresponsible.

      If she cannot take the time to learn how to safely operate a computer connected to the Internet or cannot demonstrate that she knows how to do so, then she should NOT be allowed anywhere near one.

      At least not without close supervision.

      --
      "Fish" (David B. Trout)
    38. Re:People buy stuff without understanding is... by FlyHelicopters · · Score: 1

      Then she shouldn't be allowed anywhere near any computer that's connected to the Internet.

      That is so easy to say... but it has far reaching implications...

      Who would enforce this?

      What is the penalty for non-compliance?

    39. Re: People buy stuff without understanding is... by Anonymous Coward · · Score: 0

      I've been thinking of that idea for about a decade now and it is definitely an interesting one.

      I wonder what the test should be though, to separate the smart computer users from the rest. What questions would need to be asked? They would most likely have to be OS agnostic... Lots to ponder.

    40. Re:People buy stuff without understanding is... by Anonymous Coward · · Score: 0

      Perfect Chromebook customer.

    41. Re:People buy stuff without understanding is... by Fjandr · · Score: 1

      There have been a number of leaks of classified documents because of stupid behavior by people who should know better.

    42. Re:People buy stuff without understanding is... by NoKaOi · · Score: 1

      Except Macs routinely are first to fall at the Pwn to Own competitions, so no, that's bullshit.

      Which isn't necessarily relevant to how big of a problem it is for real-life users.

    43. Re:People buy stuff without understanding is... by Khyber · · Score: 1

      " So a citation for that claim would be nice."

      Sure, and funny enough you're on the site that can provide you with them, since the exact thing I'm talking about has been ./ headline material several times for several years in a row.

      And with a UID as low as yours, you should've seen them.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    44. Re:People buy stuff without understanding is... by Andtalath · · Score: 1

      Give her a Chromebook.

      I gave my mother my old laptop with openbox and chrome on it, basically the same thing.

      And she is happy with it.

      Calls me far less than she did with her windows laptop, actually.

      The only time it happens is when she needs the admin password for a new wifi.

    45. Re:People buy stuff without understanding is... by mean+pun · · Score: 1

      So your claim that Mac OS X has significantly weaker security than other operating systems is entirely justified by a few news items on /.? You're completely ignoring any selection bias of /., you're completely ignoring the accuracy of these reports, you're ignoring the whole `the plural of anecdote is not proof' issue, and you're blindly assuming that security issues that these Pwn-to-Own events uncover are indicative of real-life security of the operating system.

      That justification is, err, somewhat flawed.

    46. Re:People buy stuff without understanding is... by Khyber · · Score: 1

      "but a Mac with Adblock tends to be a bit harder to get infested than a Windows machine"

      That's the original claim I'm responding to. Quit putting words in my mouth that I did not say.

      The words I said are pretty goddamned simple to understand - Macs are as vulnerable as Windows machines. And if you think the Pwn-to-Own contest isn't worthwhile enough, then bear in mind that roughly half of all Apple computers cannot receive security updates due to how their security practices are implemented, which means there are TONS of vulnerable OSX machines out there as patches are provided only to the newest OS X and the one immediately preceding it, and the older machines may not run the newest versions, which means they're stuck.

      Or how about direct talk from the guy that PWNED Apple computers in the 2008 and 2009 Pwn-to-Own - http://www.zdnet.com/blog/appl...

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    47. Re:People buy stuff without understanding is... by vandamme · · Score: 1

      Next Christmas, get her a Chromebook.

    48. Re:People buy stuff without understanding is... by vandamme · · Score: 1

      Some day you will get a new toaster and somebody will hack into it.

    49. Re:People buy stuff without understanding is... by stoatwblr · · Score: 1

      "People want their computers to be like their cars.
      They don't want to know what is happening under the hood. They just want to drive it."

      Even if you don't know what's happening under the hood, you still know you have to add fuel, not run red lights and keep right (or left), etc etc.

      Driving licenses are supposed to be there to ensure you know the basic road rules and won't be a menace. I've spent time in countries which don't require a test to get one and unsurprisingly they have death/injury rates 10-50 times higher than countries which do. In countries where cars have recently become affordable those rates are higher still.

      I'd argue that setting up a webcam is promoting yourself from "driver" to "technical/DIY/mechanic" status and as such you'd better understand what you're doing or there WILL be painful consequences.

    50. Re:People buy stuff without understanding is... by stoatwblr · · Score: 1

      "I'm sure a lot of people said that very thing when cars were new."

      My wife actually said it yesterday - she's from one of those countries where there's no driving license requirement.

      And this is despite her past comments about how bad drivers are in that country (imagine being a passenger in a taxi driven by someone with less than a week behind the wheel. Been there, done that, screamed in horror as he pulled a sharp turn in front of an oncoming 18 wheeler....)

    51. Re:People buy stuff without understanding is... by stoatwblr · · Score: 1

      "You don't need to know how to configure your toaster."

      Actually, you do, but you picked that up so long ago that you didn't think about it.

      Using your stove analogy, anyone using mine (gas) needs to know to push the button which fires the igniter and I've seen plenty of people without experience of gas appliances stand there wondering why it isn't working.

    52. Re:People buy stuff without understanding is... by Anonymous Coward · · Score: 0

      It might be better if there were two classes of devices, one run by others for them, and ones you drive yourself.

      There are; they're called "iOS devices" and "everything else".

      (Plus a few obscure devices that might fit into the iOS category without being iOS devices. And it isn't completely clear-cut. A lot of the "drive it yourself" devices are actually partially controlled by others.)

    53. Re: People buy stuff without understanding is... by Jason+Levine · · Score: 1

      Time from a "Password of 12345" mention to a Space Balls joke: 105 minutes. Your slowing down Slashdot

      (Begin recording time until someone corrects "Your" to "You're"...)

      --
      My sci-fi novel, Ghost Thief, is now available from Amazon.com.
  4. Place the blame where it belongs by arth1 · · Score: 2, Informative

    Strong passwords are not mandatory because it's the responsibility of the user to read the instructions and secure the device. If they don't, they have no reason to complain. It was their choice to disregard the instructions.
    A question is whether people who are that stupid should be allowed to own surveillance devices. The risk of stupid people reacting inappropriately to real situations and causing harm instead of preventing it seems rather high.

    1. Re:Place the blame where it belongs by Imazalil · · Score: 4, Insightful

      But if a large number of users are not able to use their devices properly (ie. secure them) is that not the fault of the device maker? This isn't even about strong passwords, but just default passwords.

      It's a known fact that the general public is not security conscious, and that they do not read through manuals. Shouldn't the makers of these systems work towards making some basic security the default?

      The best, but not very good example is Windows. Microsoft provides lots of guidance on how not to get viruses or malware on Windows. Does that mean they get to wash their hands of anything that infects their users' machines when they open PowerPoint slides from uncle Bob? Technically yes, but they do have some duty to make their product more secure because they know full well a large number (the majority) of people will click on any link that lands in their inbox.

    2. Re:Place the blame where it belongs by Anonymous Coward · · Score: 0

      How dare you blame the victim! Don't you know it is wrong to do that no matter how dumb they are.

    3. Re:Place the blame where it belongs by arth1 · · Score: 2

      But if a large number of users are not able to use their devices properly (ie. secure them) is that not the fault of the device maker? This isn't even about strong passwords, but just default passwords.

      No. A large number of users are not able to change oil, tires, brake pads or plugs on their cars either, and that's not the manufacturer's fault. In the case of cars, service stations appeared to fill that market, at a cost.

      The problem is that people feel entitled to not bother about doing things themselves, nor pay others to do it. Unless people start to get convicted and otherwise bear the costs of being idiots, this won't improve.

    4. Re:Place the blame where it belongs by Nethemas+the+Great · · Score: 1

      Initial set up of the device could certainly require setting a password to activate. However, there's nothing stopping, and many will, set an easily guessable password anyway. Fools will forever be fools.

      --
      Two of my imaginary friends reproduced once ... with negative results.
    5. Re:Place the blame where it belongs by Anonymous Coward · · Score: 0

      Instead of assuming that users will read the instructions, assume that users will fiddle with the camera they just bought until it works. If manufacturers made cameras that refuse to transmit the image without changing the default password, then users would have to change the password before it works. It's as simple as that.

    6. Re:Place the blame where it belongs by Higaran · · Score: 2

      Most users don't care about security. If you made setting up a user name and password the first thing the user sees before you can do anything else, people would still put a user name as "user" and password as "pass" or "1234".

    7. Re:Place the blame where it belongs by jd · · Score: 1

      Users aren't allowed to secure their own devices. Didn't you get the memo from GCHQ?

      http://www.ft.com/cms/s/2/c89b...

      Encryption and security of any kind are ipso facto creating a terrorist command-and-control centre, apparently.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    8. Re:Place the blame where it belongs by jd · · Score: 1

      I could build a device that is, by default, secure against remote intrusion. That's easy. I haven't, because the NSA wants to ban public encryption and GCHQ wants to declare all secure devices terrorist command-and-control centres. I'd rather not be a target for a hellfire missile, thank you very much.

      But if I can do it, anyone with half a wit and a credit card can. It's not hard. It's not cheap, but it's not hard.

      Such a device ought to be mandatory on eCommerce systems and a minimal version ought to be mandatory on all networked appliances (fridges, toasters, cameras, air conditioning, nuclear reactors....) - that it isn't IS gross incompetence. That the security agencies want to prohibit such technology is gross negligence.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    9. Re:Place the blame where it belongs by arth1 · · Score: 1

      Instead of assuming that users will read the instructions, assume that users will fiddle with the camera they just bought until it works. If manufacturers made cameras that refuse to transmit the image without changing the default password, then users would have to change the password before it works. It's as simple as that.

      Hah. You obviously don't live here in the US of wonderful A.
      Here, they would take the camera back to the store, missing some small parts, not packaged back the way it was, and demand a full refund. And then buy a device that "works" out of the box without having to do something as complicated as setting a password.

    10. Re:Place the blame where it belongs by Anonymous Coward · · Score: 0

      A large number of users are not able to change oil, tires, brake pads or plugs on their cars either, and that's not the manufacturer's fault.

      In some cases it is the manufacturer's fault. When you can't reach the oil filter without putting the car on a lift and removing other parts, and you need special tools that are hard to come by ($$$) unless you're a dealer for that model, then I can't blame the owner of the car for needing to bring it in to a professional in order to get routine maintenance done.

    11. Re:Place the blame where it belongs by Hamsterdan · · Score: 1

      As many people said, that's not a good security practice. People buying those are ordinary users, not tech-savvy like the /. crowd.
      So the manufacturer's job is to make sure the first time the device is hooked up it has some kind of minimal security (force the user to change the password for instance)

      --
      I've got better things to do tonight than die.
    12. Re:Place the blame where it belongs by Idbar · · Score: 1

      I don't agree with you, but with the GP. The issue is "default passwords". When you buy a new lock, you're not expected to set your keys to a new value. They come with certain security already which is not "default".

      Why would people buying these appliances think differently?

    13. Re:Place the blame where it belongs by arth1 · · Score: 1

      I don't agree with you, but with the GP. The issue is "default passwords". When you buy a new lock, you're not expected to set your keys to a new value. They come with certain security already which is not "default".

      Whenever I have bought a combination lock, I have had to change it.

      With a cylinder lock, you have a hardware key - that's a big difference from a password or combination that you're supposed to remember.
      A physical key can be implemented in internet devices too - no access unless you insert a USB fob, for example. But would people want that, and be willing to pay the premium for it?

    14. Re:Place the blame where it belongs by c6gunner · · Score: 1

      Initial set up of the device could certainly require setting a password to activate. However, there's nothing stopping, and many will, set an easily guessable password anyway.

      We can do better. I bought a DIR-505 router-thingy a while back and it had a default password assigned, but it was a randomly generated string of characters that was then stuck on a sticker on the side of the device. That's even easier than making the user set up their own password initially. This way those who are most vulnerable (ie. people who don't know how to change the password, or would use a weak one if you give them the option) will be protected, while more advanced users will retain the ability to do whatever the hell they want.

      Sure, maybe it costs a bit more to have randomly generated passwords and stickers on each device, but it's definitely money well spent.

    15. Re:Place the blame where it belongs by NoKaOi · · Score: 1

      Strong passwords are not mandatory because it's the responsibility of the user to read the instructions and secure the device. If they don't, they have no reason to complain. It was their choice to disregard the instructions.

      So everyone should be an expert on everything they use? That's bullshit. I don't know if I'd necessarily call it a design flaw, but it's definitely a part of the design that could be improved and still be useful by people with no computer expertise. For example, the particular router I have has no default password. It has a random password that is printed on a label on the side of the device. Users have the option of changing it, and can reset the password using the printed password, but no default password is necessary and the cost is only a minor inconvenience that you have to take an extra 30 seconds to read the label and type in the password when you're setting it up. Of course, the hole there is if somebody has physical access, but I think it can be assumed that if somebody has physical access you have bigger problems, and physical access is still a problem with routers with default passwords because then you can just reset them and use the default password.

    16. Re:Place the blame where it belongs by Andtalath · · Score: 1

      Secure defaults are sane.
      Insecure defaults are insane.

      It's as simple as that.

    17. Re:Place the blame where it belongs by arth1 · · Score: 1

      Strong passwords are not mandatory because it's the responsibility of the user to read the instructions and secure the device. If they don't, they have no reason to complain. It was their choice to disregard the instructions.

      So everyone should be an expert on everything they use? That's bullshit.

      Yes, it is. And bullshit you invented.
      Reading the basic instructions does not an expert make.

    18. Re:Place the blame where it belongs by AK+Marc · · Score: 1

      All my luggage came with the password 0000. Most people know to change it. How is this different?

  5. Good quote from TFA... by Anonymous Coward · · Score: 0

    "Sure, a geek could Google Dork or use Shodan to end up with the same results, but that doesn’t mean the unsecured surveillance footage would be aggregated into one place that’s bound to be popular among voyeurs."

    So by making it convenient, that's the real game changer?

  6. What is the actual risk? by GatorSnake · · Score: 2

    What is the actual risk here to those using cameras as baby monitors?

    Step 1: Someone sees a baby sleeping
    Step 2: ????
    Step 3: Profit?

    "Help! A stranger saw my baby turn over. Call the police!!!" ?

    1. Re:What is the actual risk? by YrWrstNtmr · · Score: 1

      Step 1: Kid is playing out in the living room
      Step 2: Mom and dad in the baby room for a little slap and tickle
      Step 3: Capture and post to redtube.com
      Step 4: Profit!

    2. Re:What is the actual risk? by jeffmeden · · Score: 2

      What is the actual risk here to those using cameras as baby monitors?

      Step 1: Someone sees a baby sleeping
      Step 2: ????
      Step 3: Profit?

      "Help! A stranger saw my baby turn over. Call the police!!!" ?

      You could make the rather egregious leap that it would assist in kidnapping the child (a crime) since you know exactly where/when they sleep. If someone decided to stand at the curb and look at your kid's window for an awkwardly long time, would you call the police? But yes, the baby monitor thing is just a headline-getter.

      Using the cams to identify high value merchandise (certainly some of these cams are protecting things of actual value?) and also identify when no one is around, and then take the final step of disabling the camera's record/alert functionality (if there even is any) would be a slam dunk hollywood-style heist, done without even hiring the nerdy sidekick hacker to sit in the van and jam on his keyboard for the duration of the job.

    3. Re:What is the actual risk? by Anonymous Coward · · Score: 0

      Someone sees a *naked* baby sleeping, sells it off as KP. Are the parents liable? How do you prove they didn't leave the cam open on purpose? It's your word against the prosecution.

    4. Re:What is the actual risk? by jd · · Score: 1

      If someone decided to stand on the curb for a long time, they'd probably be reported for suspicious activity. Casing a place is a very common precursor to a break-in. I see no reason for the monitoring of a private webcam to be treated any differently in that regard.

      A more likely scenario would be for a criminal to drive past at night, see the car gone, and then check the internal cameras of the house for any activity to determine if it's easy to rob. If there's no baby, there's likely no babysitter either. It's just wardriving with intent.

      A third scenario is that the criminals have got something equivalent to packet sniffing for speech. Back in the old pre-common-SSL days, it was common enough for a hostile packet sniffer to log packets that contained a field that was in credit card number format. You didn't have to break in to get all the personal data, you just grabbed it as it went by. You wouldn't then sit there waiting for interesting tidbits of information, you'd simply have your zombie botnet collect interesting-looking sound snippets. It doesn't have to recognize the words, just the patterns. We know for certain the security services had that in 2003 as part of Echelon and Moonpenny, and probably had that as far back as the late 1990s. It would be gross incompetence on the part of anyone dealing with IT security to blithely assume it's not reached the cybercriminal domain.

      Hell, just the fact that the intelligence services can sniff for interesting data is a serious risk these days. Both British and American authorities have done some ethically questionable undercover work that (at best) bordered the criminal. And they're some of the better ones. Blatantly criminal endangerment, blackmail and other corrupt practices are widespread.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    5. Re:What is the actual risk? by Anonymous Coward · · Score: 0

      Are you kidding me? At any given moment, tens of thousands of Russians are jacking off watching poor innocent American baybays remotely over the cybernet highway! There are pedophiles around every corner, especially in Russia! Be afraid, very afraid! Be especially afraid of Russians!

      There, I think that sums up the intent.

    6. Re:What is the actual risk? by Frigga's+Ring · · Score: 2

      Depending on where the camera is pointed, it could capture a mother breastfeeding. Plus, if we assume the camera also has a mic, there's a lot of information that could be picked up audibly.

    7. Re:What is the actual risk? by Chris+Mattern · · Score: 1

      A more likely scenario would be for a criminal to drive past at night, see the car gone, and then check the internal cameras of the house for any activity to determine if it's easy to rob.

      And the criminal knows the IP address of the unsecured camera for that particular house how...?

    8. Re:What is the actual risk? by jd · · Score: 1

      If they're wardriving, very easily. It's called nmap.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    9. Re:What is the actual risk? by Anonymous Coward · · Score: 0

      Depending on where the camera is pointed, it could capture a mother breastfeeding. Plus, if we assume the camera also has a mic, there's a lot of information that could be picked up audibly.

      Yes, and someone's brain will be irreversibly corrupted if he so much as takes a glimpse of a nipple, right.

      Take off your straitjacket, Americans! For a lot of places in the world, such as Europe, seeing a nipple isn't the end of the world, and mothers do breastfeed in public places.

    10. Re:What is the actual risk? by Anonymous Coward · · Score: 0

      A more likely scenario would be for a criminal to drive past at night, see the car gone, and then check the internal cameras of the house for any activity to determine if it's easy to rob.

      And the criminal knows the IP address of the unsecured camera for that particular house how...?

      The miscreant would probably first find the cam, know it's close to them based on IP geoloc, and then try to geoloc the SSID/mac of the access point, or use leaked info like the names of the PCs on the network to find out who owns the house and where it's at (hello public records).

    11. Re:What is the actual risk? by AK+Marc · · Score: 1

      almost none have mics, and the resolution is far worse than professional erotica of the same type.

  7. Goes to show by just_another_sean · · Score: 1

    It goes to show that, especially in the computer security world, no good deed goes unpunished. You hear about it over and over, try to tell someone something is wrong with their computer security and the instant reaction is to shoot the messenger.

    --
    Creationist Textbook Stickers Declared Unconstitutional by CowboyNeal
    1. Re:Goes to show by NoNonAlphaCharsHere · · Score: 2

      I don't know where you work, but around here, kill the messenger is company policy.

    2. Re:Goes to show by just_another_sean · · Score: 1

      Here too, guess I should have mentioned, I speak from experience!

      --
      Creationist Textbook Stickers Declared Unconstitutional by CowboyNeal
  8. Computer License by mrbcs · · Score: 1
    Enough of the Word Perfect Users already!

    "Take it back to the store, You're too dumb to own a computer" Are these threats now as dangerous or potentially dangerous as operating a motor vehicle?

    Training and License? Why not? It couldn't be any worse than it is now. I've literally had a client complaining that he couldn't get his email using Wordpad...

    How dumb and negligent do we need people to be before we do something serious about this?

    Spam, drive by downloads, malware. Isn't it about time we told the users to smarten up? How much productivity and electricity is wasted because of users' dumb mistakes?

    --
    I'm not anti-social, I'm anti-idiot.
    1. Re:Computer License by PRMan · · Score: 1

      Because as long as the harm isn't too egregious, it's better to let people learn from their own suffering rather than making additional laws.

      --
      Peter predicted that you would "deliberately forget" creation 2000 years ago...
    2. Re:Computer License by jd · · Score: 1

      I would agree, except that most users live in outright denial, rarely (if ever) learn correctly from mistakes and frequently prefer to ignore their suffering until the harm is truly excessive.

      Better critical thinking techniques need to be taught in school, along with practices that impede cognitive dissonance.

      Further, there need to be recognized groups that have the authority to mentor those who aren't clued up.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    3. Re:Computer License by Andtalath · · Score: 1

      The correct solution is to build secure computers from the ground up.

      First step?
      Disable anything but an app store/repo unless the user unlocks insecure mode.

    4. Re:Computer License by AK+Marc · · Score: 1

      They don't learn. They just attack others (as a member of a botnet).

      We don't need additional laws to prosecute members of botnets. That's what we should be doing. Throw a few in jail, and people will secure or turn off their computers, no new laws needed.

  9. Why isn't it mandatory? by Ostrich25 · · Score: 2

    Because not everything needs to be legislated, FFS. The last thing we need are more rules and laws.

    1. Re:Why isn't it mandatory? by David_W · · Score: 1

      This is true, but perhaps TFS is suggesting manufacturers should make it a standard practice to walk you through securing the camera by default, rather than try to make it "plug and play", which results in, well, websites with 73,000 unsecured cameras.

  10. Be careful by jhstuckey · · Score: 1

    I just found a video of myself typing this comment.

    1. Re:Be careful by easyTree · · Score: 1

      Did it take three hours to load? That site is slooooooooooooooooooooooooooooooooooooooooooooooooooow.

    2. Re: Be careful by Chexsum · · Score: 1

      you must be the new guy

      --
      Pixels keep you awake!
    3. Re:Be careful by AK+Marc · · Score: 1

      slow implies it works. I looked for a while and found only one working one, and it looked like an empty DMV deliberately open for people to see the crowd.

  11. The solution? Turn them off by Anonymous Coward · · Score: 1

    If you are so thoroughly convinced that these misconfigured/vulnerable cameras are a threat to their owners (not going to step into that argument) then just use the default credentials to go in and set a strong random password, or change the IP address to 127.0.0.1, or break the Wifi config (usually these cams are Wifi connected) and poof the threat is gone. Would that be illegal? Yes. Would it be less illegal than chronicling default passwords (which still constitute access protection, btw) and publicizing them? Probably not. These guys are all in and should just see it through. Meanwhile I am going to go check the firmware revs of all my internet facing cams.

  12. Oh Noes! by NoNonAlphaCharsHere · · Score: 2

    If these cameras get secured, how will law enforcement hack into them, get a partial reflection of a face in a hubcap, enhance and run it through facial recognition software and have the perp's driver's license picture onscreen within 40 seconds?

    1. Re:Oh Noes! by easyTree · · Score: 1

      Via the backdoors?

  13. How is this even a story? by Anonymous Coward · · Score: 0

    Is everyone on here too young to remember putting some basic search strings into Google to find open cams and printers?

    1. Re:How is this even a story? by war4peace · · Score: 2

      I have printed porn images on HP printers around the world using just Google :)

      --
      ...gis sdrawkcab (usually not responding to ACs; don't bother posting as AC)
  14. what's the fucking site? by Anonymous Coward · · Score: 0

    what is it and why was it not in the OP? that right because OP is a fagot like the rest of slashdot and dice.

    1. Re:what's the fucking site? by nukenerd · · Score: 4, Informative
    2. Re:what's the fucking site? by Anonymous Coward · · Score: 0

      That's not what the OP wanted. Specifically, which stream has teh boobies. ;-)

    3. Re:what's the fucking site? by CaseCrash · · Score: 1

      That's not what the OP wanted. Specifically, which stream has teh boobies. ;-)

      That would be a totally different site, myfreecams.com

      :)

      --
      No, that link you posted to a web comic we've all seen a hundred times is not "obligatory."
  15. It's a user issue by Anonymous Coward · · Score: 0

    This is a user problem.
    As long as we continue to provide technology to average consumers, this type of issue will exist. The message that needs to be sent is "If it has connectivity to a remote destination of any kind (wired/wifi etc.) you are at risk of exposing data". Even if you secure the storage locations, many people never consider the pipe between device and storage. I love all those wifi storage devices...

    Until the "user community" catches up with modern security concerns, there is very little the technology can do. Even the best secured devices have options to reduce their security.

  16. Most exciting unlocked webcam on the Internet by Anonymous Coward · · Score: 1
  17. Not just cameras by RobinH · · Score: 5, Interesting

    Cameras are a problem, but it's not just cameras anymore. Nest thermostats, for instance, have occupancy sensors and they connect to the internet to work. So your thermostat tells a server on the internet if anyone's home (potentially). Smart meters have similar problems. We recently bought a temperature sensor (AVTECH brand) for our small server closet, and it automatically connected to GoToMyDevices.com as soon as I got it on the network, and started uploading sensor data. There was nowhere in the device's built-in web interface to enable or even disable this "feature". Nothing in the documentation. I looked online and found a forum where it explained that you had to telnet to the device, and at the main menu you had to select a hidden menu item, and then type a command to turn off this feature. It's that kind of absurdity that makes the whole "internet of things" just a house of cards waiting to collapse.

    --
    "I have never let my schooling interfere with my education." - Mark Twain
    1. Re:Not just cameras by Kaenneth · · Score: 3, Insightful

      That's when you return it to the vendor as defective.

      They get away with it because people put up with it.

    2. Re:Not just cameras by jodido · · Score: 1

      But it's not defective. It works perfectly. That's exactly the problem.

    3. Re:Not just cameras by Anonymous Coward · · Score: 0

      I work perfectly.

      You have an undocumented feature

      He has a defect.

    4. Re:Not just cameras by Anonymous Coward · · Score: 0

      We recently bought a temperature sensor (AVTECH brand) for our small server closet, and it automatically connected to GoToMyDevices.com as soon as I got it on the network, and started uploading sensor data. There was nowhere in the device's built-in web interface to enable or even disable this "feature".

      So, your office firewalls allow any device to send data to any arbitrary external address?

      I would get fired if our firewalls allowed that. Here everything is denied by default, and selectively re-enabled as needed.

    5. Re:Not just cameras by chihowa · · Score: 1

      They get away with it because people put up with it.

      They get away with it because it's hidden from the customers.

      Most people who bought the sensor either went to GoToMyDevices.com and were delighted to see the sensor data there or didn't go to the website, didn't see the option in the configuration, and never even knew it was happening.

      If every single person who noticed and cared that this was happening returned the item, those returns would likely still count fewer than returns of units that should have failed QA. The whole thing wouldn't make a blip on the manufacturer's radar and they'd keep getting away with it. Informed and savvy users are not very common and almost never figure into these businesses' decisions.

      --
      If you want a vision of the future, imagine a youtube comments section scrolling - forever.
    6. Re:Not just cameras by Anonymous Coward · · Score: 0

      Tell FCC.

    7. Re:Not just cameras by Anonymous Coward · · Score: 0

      If it does not function exactly as described by the documentation, no more, no less, then yes, it's defective.

      AC

    8. Re:Not just cameras by AK+Marc · · Score: 1

      So no Internet for anyone, until explicitly authorized? I worked for a place like that in the '90s. But none since. Today, most offices let everything out, without a problem, it's only in that matters.

    9. Re:Not just cameras by Neil+Boekend · · Score: 1

      A major design flaw is still defective.
      If you bought a car and it came without a lock in the door you'd start complaining to the dealer.

      --
      Well, I might have a way, but it only works on a semi spherical planet in a vacuum.
  18. Why not strong passwords? by phantomfive · · Score: 2

    why are strong passwords not required for these cameras?

    Mainly because most programmers don't know/care about security. Security is hard even when you care (for example a default password isn't a security vulnerability if your userbase is sophisticated enough to change it, and even ssh has had a vulnerability), but if you don't care, it's impossible.

    Sad but true.

    --
    "First they came for the slanderers and i said nothing."
    1. Re:Why not strong passwords? by iggymanz · · Score: 1

      Default, simple or non-existent passwords on consumer appliances have nothing to do with programmers. You are silly. There is another vocation called "manufacturing engineering" that might have a problem

    2. Re:Why not strong passwords? by Geeky · · Score: 1

      Why not have a default password and have it force a change at first logon? Ideally before the device can connect to the wider net, so there isn't a window of vulnerability to someone locking out the device as soon as it's switched on. Have a physical factory reset button on the device itself to deal with lost passwords. That doesn't require a sophisticated userbase.

      Mind you, these cameras require the user to take steps within their home router config to allow external access anyway - they'll pick up an IP from the router's DHCP, but action is required on the router to allow external connections. If someone is savvy enough to configure that, they ought to be savvy enough to know to change the password.

      --
      Sigs are so 1990s. No way would I be seen dead with one.
    3. Re:Why not strong passwords? by phantomfive · · Score: 4, Informative

      Default, simple or non-existent passwords on consumer appliances have nothing to do with programmers.

      So, I had a wireless router once that would not turn on until I changed the password. It is very much a problem that can be solved by programmers.

      --
      "First they came for the slanderers and i said nothing."
    4. Re:Why not strong passwords? by phantomfive · · Score: 1

      Why not have a default password and have it force a change at first logon?

      It's a great idea, but it gets back to the problem of programmers not caring. Remember there are plenty of websites out there that still don't encrypt their password lists. It's really bad.

      --
      "First they came for the slanderers and i said nothing."
    5. Re:Why not strong passwords? by Geeky · · Score: 1

      True. I cringe if I forget a password and the password recovery actually emails me my password rather than sending me to a link to enter a new one. Not many do that now, but at least one large shared hosting provider does and if anyone should know better...

      --
      Sigs are so 1990s. No way would I be seen dead with one.
    6. Re:Why not strong passwords? by iggymanz · · Score: 1

      Nope, programmers already have made multitudes of solutions over the years for these issues, but they are not in the manufactured products image. That is another realm, and I speak from industry experience

    7. Re:Why not strong passwords? by tomhath · · Score: 1

      Mainly because most programmers...

      Programmers just implement the requirements.

    8. Re:Why not strong passwords? by phantomfive · · Score: 1

      Programmers just implement the requirements.

      Then you're not a conscientious programmer.

      --
      "First they came for the slanderers and i said nothing."
    9. Re:Why not strong passwords? by bigpat · · Score: 1

      The best solution is to have a complex unique default password for each device and just print it on the back of the device. Sure, that means the company could keep a centralized list of all the passwords which could then get hacked or an invited guest could flip it over and then be able to access your cameras. But that seems a reasonable risk and trade off between security and usability.

    10. Re:Why not strong passwords? by groovy_daemon · · Score: 0

      You had a wireless router that allowed you to configure it without being turned on? What kind of sorcery is it and can I get one!

    11. Re:Why not strong passwords? by phantomfive · · Score: 1

      You had a wireless router that allowed you to configure it without being turned on? What kind of sorcery is it and can I get one!

      Where 'turn on' is taken to mean, running and functional.

      Redefine words how you like, and anything can happen. :)

      --
      "First they came for the slanderers and i said nothing."
    12. Re:Why not strong passwords? by Anonymous Coward · · Score: 0

      This is exactly how the biggest Italian ISPs solved the issue many years ago. Every router provided by the ISP along with a DSL line (which means the majority of home routers and the near totality of those in the hands of inexperienced users) has a long, pseudo-random default password printed on a sticker on the back.

      I don't know about other countries, but it's working flawlessly here. Strong encryption by default even for clueless users.

    13. Re:Why not strong passwords? by zwarte+piet · · Score: 1

      Better solution is that every device has a different default password that's printed on the bottom of it.

    14. Re:Why not strong passwords? by Fjandr · · Score: 1

      Being allowed to put that default functionality into an appliance is not within the purview of the programmers. That would absolutely have to be okayed by people higher on the food chain. Most companies won't do things like that because it increases support calls by users who want to just plug something into the wall and have it work.

    15. Re:Why not strong passwords? by Fjandr · · Score: 1

      More like management not speccing it, or allowing it if it's brought up.

    16. Re:Why not strong passwords? by Anonymous Coward · · Score: 0

      Because everyone wants security but they don't want to do it, except for enforcement, and they do it because they do it to a person/persons. Your boss, CEO, and marketing..., they think you should have security but they don't want you to do it.

    17. Re:Why not strong passwords? by AK+Marc · · Score: 1

      Many wireless routers now come with the wireless turned off on delivery. You must configure it to "turn it on".

  19. Re:Ethics -- High Hypocrisy Highlighted by Anonymous Coward · · Score: 1

    Great use of the Straw Man argument!

    A normal person would knock on the door.

    Regrettably, there is no real link between a closed door and an IP Camera spitting out frames. By nature, a door separates and a camera shares.

  20. Suitable adverts by johnw · · Score: 1

    I love the way the pages come with adverts for people selling CCTV cameras for the home!

  21. Agreed, except by waspleg · · Score: 1

    the "unfortunately" part. A machine that effectively extends human intelligence and communication beyond its natural limits, among other things, can't be toaster-level stupid while maintaining its vast flexibility.

    I think dumbing it down would cost functionality (as well as jobs, like mine ;)).

    1. Re:Agreed, except by Jason+Levine · · Score: 1

      I meant unfortunately for the person who was operating a computer while expecting a toaster level of complexity.

      --
      My sci-fi novel, Ghost Thief, is now available from Amazon.com.
  22. Make default passwords hard by dkman · · Score: 1

    why are strong passwords not required for these cameras?

    Maybe that is what they need to do. Make the default password something gibberish like df73j5hdfg/5rtdf88GG so that users will change it when they set it up. Even if they change it to FluffyBunny22 at least it won't be the default.

    --
    I refuse to sign
    1. Re:Make default passwords hard by Lumpy · · Score: 2

      Set the default password to be the ethernet MAC address. Problem is most of these cheap china crap cameras all use the SAME mac address.

      Just bought 6 1080P IP cameras and discovered I had issues when I powered up more than 1. I looked and all of them have the exact same mac address. Easy enough to change if you know how in the web interface UI, but 99% of consumers would have no clue.

      --
      Do not look at laser with remaining good eye.
    2. Re:Make default passwords hard by Anonymous Coward · · Score: 0

      I do that with my users' email when I set it up.
      Most never change it, almost all complain about it though.

  23. or read by s.petry · · Score: 1

    I think this is the important one, most devices come with a 1 page guide in at least 5 languages that say "CHANGE THE PASSWORD BY DOING THIS ONE THING" and people don't even bother to read the 1 page guide. It's not just an issue of understanding, it's apathy and laziness.

    --

    -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

    1. Re:or read by nabsltd · · Score: 1

      It's not just an issue of understanding, it's apathy and laziness.

      Yes, laziness on the part of the programmers of the device.

      The default password should allow you to access exactly one function on the device: the "pick a username and password for a new admin" feature. Once that finishes, either the default password is set to cat < /dev/urandom > password_storage_file or else the default user is removed. In case you forget the username and password you set, the device can be reset to factory defaults using some sort of physical "reset" button.

    2. Re:or read by s.petry · · Score: 1

      I agree fully, it would not be hard to detect if the default password was in place and disable routing outside of RFC1918 addresses if it's the default.

      --

      -The wise argue that there are few absolutes, the fool argues that there are no probabilities.
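
The two suggestions in this sub-thread, sketched as a small policy model: the factory credential unlocks only the "create an admin" step, and nothing outside RFC 1918 space is served while that credential is still in place. This is an added example, not code from any commenter or camera vendor; the `admin`/`admin` factory credential, the class and the action names are hypothetical.

```python
import hashlib
import hmac
import ipaddress
import secrets

# Hypothetical factory credential and policy values, chosen for this example.
FACTORY_USER, FACTORY_PASSWORD = "admin", "admin"
MIN_PASSWORD_LEN = 10
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    """True only for IPv4 peers inside the RFC 1918 private ranges."""
    ip = ipaddress.ip_address(addr)
    return ip.version == 4 and any(ip in net for net in RFC1918)


def same(a, b):
    """Constant-time string comparison."""
    return hmac.compare_digest(a.encode(), b.encode())


def kdf(password, salt):
    """Salted, slow hash so the stored value is not the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Camera:
    def __init__(self):
        self.users = {}           # username -> (salt, derived key)
        self.provisioned = False  # False until an owner account exists

    def factory_reset(self):
        """Physical reset button: drop all accounts, return to first boot."""
        self.users.clear()
        self.provisioned = False

    def authenticate(self, user, password):
        if not self.provisioned:
            # The factory credential exists only in the first-boot state.
            return same(user, FACTORY_USER) and same(password, FACTORY_PASSWORD)
        record = self.users.get(user)
        if record is None:
            return False
        salt, key = record
        return hmac.compare_digest(kdf(password, salt), key)

    def create_admin(self, user, password):
        if not user:
            return "bad_username"
        if (len(password) < MIN_PASSWORD_LEN
                or same(password, FACTORY_PASSWORD)
                or same(password, user)):
            return "weak_password"
        salt = secrets.token_bytes(16)
        # Replacing the table removes the factory login for good.
        self.users = {user: (salt, kdf(password, salt))}
        self.provisioned = True
        return "ok"

    def handle(self, peer_ip, user, password, action, **args):
        # Gate 1: an unprovisioned device answers local peers only.
        if not self.provisioned and not is_rfc1918(peer_ip):
            return "refused"
        if not self.authenticate(user, password):
            return "denied"
        # Gate 2: the factory login reaches exactly one function.
        if not self.provisioned:
            if action != "create_admin":
                return "setup_required"
            return self.create_admin(args.get("new_user", ""),
                                     args.get("new_password", ""))
        if action == "stream":
            return "ok"
        return "unknown_action"
```

IPv6 peers are treated as outside in this model; a real device would also need a rule for link-local and unique-local IPv6 addresses.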

    3. Re:or read by Hamsterdan · · Score: 1

      So the device should not enable anything else than the ability to login to set it up. Routers had a similar problem couple years ago. They were wide-open (to cut down on customer support costs). It took a while for them to be relatively secure out-of-the-box (except for WPS). Those cameras are not secured by default so it's cheaper for the manufacturer.

      So I buy one to let's say monitor my kid, install it, it uses upnp to open a port on my upnp enabled router and Bingo it works. What incentive do I have to go into the config menus? (anyone will be able to access it using the default password as a side effect.)

      By default the default password should work only once, to allow you to change it to something secure. But that means more people would have to call tech support, therefore increasing manufacturer's costs...

      --
      I've got better things to do tonight than die.
    4. Re:or read by Hamsterdan · · Score: 1

      -Engineers: But it's not secure
      -Management: But money...

      Probably the way it goes

      --
      I've got better things to do tonight than die.
    5. Re:or read by s.petry · · Score: 1

      Yeah, it saves money but the amount of money this saves is laughable. A function to look for a default password before adding a default route is tiny, and once stored in prom you are done. As to (your post above) the Engineer claiming "it's not safe" that guy should be fired and replaced with someone willing to make "better" security, not "perfect" security, if in fact an Engineer refused to implement something like this. I have seen some like that in the business, but thankfully they are very rare.

      --

      -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

    6. Re:or read by Dutch+Gun · · Score: 1

      I'm not so sure I'd blame management for the myriad of hardware device security failures... at least, not entirely (they're management, so they take some blame for anything that happens in the company, after all). My feeling is it's also engineers who even today think about functionality first and security second. We've seen that pattern in both hardware and software over and over, after all. It wasn't management who designed a horribly broken wireless security protocol called WEP a few years back. It was engineers without security experience. I think things have gotten a bit better in some areas, but I'd bet that sort of thinking is still rampant. Just recently we saw smart light bulb developers storing keys directly in firmware that made it trivial to breach a network. Those are stupid, elemental mistakes that any security expert would have warned against.

      My guess is that a lot of those engineers thought, like many people here, "who the hell wouldn't change their default username and password", without thinking a step beyond to how they might actually design the system to encourage people to do that as part of the setup procedure. My experience has been that many engineers and programmers tend to be extremely poor at empathizing with normal people about how confusing modern technology can be, similar to how most of my math professors could never understand how anyone couldn't find Calculus simple to understand and beautiful to behold.

      --
      Irony: Agile development has too much intertia to be abandoned now.
  24. Manufacturers can help make this better by Terry+Pearson · · Score: 3, Informative

    This is because of people who are too lazy or too intimidated by technology to understand it. You buy the camera, many times you open a port on a router, but you fail to change the password. I am not going to blame the manufacturer for that.

    However, manufacturers could make the default a lot more secure by using methods to randomize the default passwords of the cameras. I've set up routers where the default password is printed on a plate on the bottom (next to the MAC address and default IP). This gives you a degree of randomness and makes brute force near impossible without physical access to the device. This way, the user still has the freedom to change to a blank password, 'password' as password etc. if they choose to unprotect themselves. But the default becomes reasonably secure.

    This is mostly a problem with users, but sometimes the manufacturer needs to adjust the process to help the intimidated, ignorant, or lazy user along.

    1. Re:Manufacturers can help make this better by Lumpy · · Score: 0

      "This gives you a degree of randomness and makes brute force near impossible without physical access to the device"

      Nope. I can easily brute force that as there is only the last 6 bytes of the address that I have to brute force. MAC address is not 100% random; the first half is device brand and type identifier and is the same for all products in that line.

      So I need to brute force 6 characters that are 0123456789ABCDEF. I can crack that in seconds with brute force.

      --
      Do not look at laser with remaining good eye.
    2. Re:Manufacturers can help make this better by hankwang · · Score: 1

      Who says that the password is equal to the MAC address?

    3. Re:Manufacturers can help make this better by Anonymous Coward · · Score: 0

      What he said: "the default password is printed on a plate on the bottom (next to the mac address and default IP)"

      What you read: "the default password is the mac address and default IP"

      See the difference?

    4. Re:Manufacturers can help make this better by Anonymous Coward · · Score: 0

      routers where the default password is printed on a plate on the bottom (next to the mac address and default IP).

      Read GP again. He didn't say the password was the MAC, simply that it was printed next to the MAC.

    5. Re:Manufacturers can help make this better by phorm · · Score: 3, Interesting

      These days when the local ISPs give out routers, there is a stamp on the router that has the default login, wifi ESSID, and wifi login. You can change these of course, but the defaults are not the same between customers.

      When I set up my firewall, it *WOULDN'T* work until I first set a password. This was the very first step.

      This isn't customers - many who are less tech savvy - being lazy, it's the manufacturers. There is absolutely no reason that they can't either package a unique password or simply require the users to create a password before the first use.

    6. Re:Manufacturers can help make this better by Anonymous Coward · · Score: 0

      Default password = 1 password.

      6 characters at 0-9/A-F = 6^16.

      6^16 (much) > 1, even if it is still trivial to try (and nothing says manufacturers can't have a delay on repeated attempts).

    7. Re:Manufacturers can help make this better by Anonymous Coward · · Score: 0

      You can crack that in seconds in an offline attack. Presumably a login prompt for a camera could have built in brute force throttling that would slow down your attack considerably.

      The GP wasn't suggesting using the MAC address as the default password. He was suggesting using a random, strong password for the default and physically print it on the device near where the MAC address is printed.
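
The per-device sticker password and the login throttling discussed in this sub-thread, as an added example that is not from any commenter or vendor. The alphabet, password length, back-off schedule and function names are assumptions made for illustration; `16 ** 6` in the note below is six characters over a 16-symbol alphabet.

```python
import hmac
import math
import secrets
import time

# 31 symbols: no 0/O or 1/I/L look-alikes, so a printed label can be typed.
ALPHABET = "ABCDEFGHJKMNPQRSTUVWXYZ23456789"


def factory_password(length=12):
    """Per-device default drawn from the OS CSPRNG, never derived from the MAC."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(alphabet_size, length):
    """Bits of entropy for a uniformly random string."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(keyspace, seconds_per_guess):
    """Worst-case time to try every candidate at one guess per interval."""
    return keyspace * seconds_per_guess / (365 * 24 * 3600)


class LoginThrottle:
    """Exponential back-off after failed logins, keyed by account name.

    Keying on the account rather than the source address means the delay
    applies no matter where the guesses come from; the cap bounds how long
    the legitimate owner can be kept waiting.
    """

    def __init__(self, base=1.0, cap=300.0, clock=time.monotonic):
        self.base, self.cap, self.clock = base, cap, clock
        self.state = {}  # account -> (failures, locked_until)

    def allowed(self, account):
        locked_until = self.state.get(account, (0, float("-inf")))[1]
        return self.clock() >= locked_until

    def record_failure(self, account):
        failures = self.state.get(account, (0, 0.0))[0] + 1
        delay = min(self.base * 2 ** (failures - 1), self.cap)
        self.state[account] = (failures, self.clock() + delay)
        return delay

    def record_success(self, account):
        self.state.pop(account, None)


def attempt(throttle, account, supplied, expected):
    """One login attempt; the password is not even checked while locked."""
    if not throttle.allowed(account):
        return "throttled"
    if hmac.compare_digest(supplied.encode(), expected.encode()):
        throttle.record_success(account)
        return "ok"
    throttle.record_failure(account)
    return "denied"
```

With these assumed values, `entropy_bits(16, 6)` is 24 bits against roughly 59 bits for the 12-character sticker password, and `years_to_exhaust(16 ** 6, 300)` shows how far the capped delay alone stretches even the small space.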

    8. Re:Manufacturers can help make this better by adolf · · Score: 1

      It's more convoluted than that.

      In order for these cameras to be accessible on the Internet in a world of NAT and deny-by-default inbound firewall rules, someone (at the home) MUST have set up port forwarding explicitly...unless the cameras are shipped with UPnP enabled.

      I've got mixed thoughts on UPnP (I both loathe and utilize it for different things), but I'm firmly of the opinion -zero- cameras should come with it enabled.

    9. Re:Manufacturers can help make this better by jwhitener · · Score: 1

      "You buy the camera, many times you open a port on a router, but you fail to change the password. I am not going to blame the manufacturer for that."

      If a large segment of people, for the last 10 years, have continually forgotten to change default passwords, I am ready to blame the manufacturer(s). Make it so the camera won't turn on/work if the password isn't changed. Maybe generate a random password for each device...

      Yeah the people not changing passwords are irresponsible... but if 50% of your customers have been irresponsible for a decade, maybe it is time to admit that the users are not going to change. That means technology is the solution, not changing user behavior.

  25. worthless by Anonymous Coward · · Score: 0

    the site is worthless, pages don't even load..
    timeouts on everything... bad gateways..
    the cams are only thumbnails, not live streams

    would have been nice if they had included links to the IP addresses

  26. RFC 1918 by Pope+Hagbard · · Score: 1

    I haven't seen any comments mentioning how these cameras have a public IP address, which is at least as bad as having a default password. Given that most (consumer) routers default to using NAT with an RFC 1918 address (generally in 192.168.x.x) this misconfiguration would presumably have taken effort, i.e. it was deliberate if probably not maliciously so. Even if the cameras have a private IP, they could still be remotely accessed via port forwarding, which also implies such installer/user incompetence.

    If there's a need for a remote user to access these cameras' feeds, that's what a VPN is for.

    1. Re:RFC 1918 by Lumpy · · Score: 1

      Most of these cameras ask the router to open the ports with uPnP.

      --
      Do not look at laser with remaining good eye.
    2. Re:RFC 1918 by Anonymous Coward · · Score: 0

      Most IP cameras come with uPnP and dyn-DNS enabled out of the box. So you plug in the camera and it automatically establishes a link to the Internet even with your NAT router. The end-user does not have to set up the port forwarding themselves they just plug it in and use it.

    3. Re:RFC 1918 by maxwells_deamon · · Score: 1

      If this feature is not documented clearly and in large bold type, that is a serious problem.

    4. Re:RFC 1918 by LessThanObvious · · Score: 1

      Most of the people who install IP cameras exposed to the internet want to be able to view them remotely. I'm sorry to see the people are such idiots that they think a live video feed of a child's bedroom is a good thing to put online, especially with a default password. I'm sure what insecam.com has done is illegal at least in the US, but it is the right thing to do to bring attention to the massive issue. If their intentions are good then they should shut it down as soon as it gets mainstream media coverage which shouldn't take long. I really hope this also prompts cam manufacturers to make choosing a new password part of the initial setup process or ship units with unique passwords like some of the WiFi routers have started doing.

    5. Re:RFC 1918 by iamwahoo2 · · Score: 1

      I had no idea that this was part of uPnP. Scary.

  27. Y-Cam Vulnerabilities by Anonymous Coward · · Score: 0

    You don't even have to know the passwords if it's Y-Cam :p Just ask the camera to disclose them!

    https://www3.trustwave.com/spiderlabs/advisories/TWSL2014-007.txt
    http://www.y-cam.com/y-cam-security-fix/

  28. News Flash: by Lumpy · · Score: 2

    People are stupid, People when confronted with technology are triple stupid.

    --
    Do not look at laser with remaining good eye.
  29. Re:Ethics -- High Hypocrisy Highlighted by Anonymous Coward · · Score: 0

    Great use of the Straw Man argument!

    A normal person would knock on the door.

    Regrettably, there is no real link between a closed door and an IP Camera spitting out frames. By nature, a door separates and a camera shares.

    An IP camera doesn't spit out frames, though. It waits for a user to authenticate (however trivially) and then it spits out frames. The expectation of privacy is still there.

  30. 73,000 channels by Anonymous Coward · · Score: 0

    I can't wait until I get my new tv subscription!

  31. tempest in a teapot by Charliemopps · · Score: 3, Insightful

    So... some random person somewhere... can see my sleeping baby. But they have no idea where that baby is other than the last hop out of my ISP so they might know I'm somewhere in Atlanta... or whatever. Maybe if they stared at the feed 24/7 for years I might drop my water bill in the crib before I picked the baby up so they could get my address or something... But ok, so they can see a video feed of my sleeping baby? So what?

    Short of a camera pointed directly at my bed, or my toilet, I don't see how this would be that god awful. First, I'd never point a camera at my bed. Any camera. Second, someone seeing pictures of me walking around my pizza restaurant? With no address and no idea who I am or where my restaurant is? So what?!?! There are plenty of horribly invasive privacy problems out there. This isn't one of them.

    1. Re:tempest in a teapot by Anonymous Coward · · Score: 0

      You wouldn't want a camera pointed at your bed ever, but your child's bed is okay ?
      Your child is still a human being, it deserves a minimum of privacy, not having random Internet denizens watching it sleep in bed at night!

    2. Re:tempest in a teapot by Anonymous Coward · · Score: 2, Insightful

      So... some random person somewhere... can see my sleeping baby. But they have no idea where that baby is other than the last hop out of my ISP so they might know I'm somewhere in Atlanta... or whatever. Maybe if they stared at the feed 24/7 for years I might drop my water bill in the crib before I picked the baby up so they could get my address or something... But ok, so they can see a video feed of my sleeping baby? So what?

      Short of a camera pointed directly at my bed, or my toilet, I don't see how this would be that god awful. First, I'd never point a camera at my bed. Any camera. Second, someone seeing pictures of me walking around my pizza restaurant? With no address and no idea who I am or where my restaurant is? So what?!?! There are plenty of horribly invasive privacy problems out there. This isn't one of them.

      Actually it doesn't take a lot of legwork. The default credentials to your cam will probably let me see what the Wifi SSID and password is... And what your neighbors' SSIDs are too. That's one more piece (and some services are nice enough to let me geolocate based on a SSID/mac). If you have a poorly secured (the default) residential gateway (many cable/dsl providers give these out for free and you get what you pay for when it comes to security) I can probably find out the names of all the PCs on your network. Do you or someone you love own an HP, that oh so helpfully named itself after the full name you entered when you set up Windows? Oops! Now I know your name. A quick stop to some other helpful sites on the internet (public records) will fill in the rest.

      You laugh, but I have successfully used this trick several times, it takes about 5 minutes of digging using freely available tools and a little brainpower, to start coming up with tons of info about a location in my city like resident names, address, list of household networked equipment, cams, phone presence (so i can be sure to stop by when i know no phones are home, i.e. no people are home) and the like. I wish I were exaggerating. To be fair, none of it is any more harmful than seeing a nice living room full of expensive toys through open curtains, but with the power of the internet I can troll thousands of houses (all within a few miles of me) with a few clicks and pick out exactly which kind of TV I want to steal.

    3. Re:tempest in a teapot by Anonymous Coward · · Score: 0

      So I take it you never ever go to the baby's room without being properly fully dressed?

    4. Re:tempest in a teapot by RyoShin · · Score: 1

      But ok, so they can see a video feed of my sleeping baby? So what?

      It's amazing what you can glean from little details. I would have thought that reading Sherlock Holmes would have taught many a geek that, even if we never learned how to do it ourselves. For a more recent piece of entertainment, see the now-ended series Monk or Psych.

      Is there a window in the picture? Even if the shades or curtains are kept down, it could be used for information. For instance, if you have a tree outside that casts a shadow and it's windy a viewer can look up reported wind speeds in the Atlanta area and see if any particular area is stronger than others. If it's not windy they can watch the direction of shadows change over the day to find out what direction the window is facing. If it's night and they can see the typical flashing lights of emergency vehicles, they can check the various police blotters for the Atlanta area and see if any reported times match up with when they saw the lights.

      If the curtains are pulled back maybe they can see a distinguishing landmark through them, even something as simple as a school or government building gives them a radius to work in. And if it's on the ground floor, facing the street, they can see other details about the area. Does it seem middle-class? Upper-class? Lower-class? Does your neighbor across the way have some super-gaudy lawn ornament? People have probably taken photos of it; take a screen-shot and do a reverse image lookup. Even if none of these say the exact address, they probably have an area name and maybe even a lat/long.

      Does the monitor have sound? They could see if there's a nearby bell/siren that goes off at the same time every day. If you go in to pick up the baby while on the phone, they could overhear you reading your SSN or CC to someone over the phone (or, hey hey, your address.) Is there an ice cream truck sound? Probably a lot of kids and you're close to an elementary school.

      Now, any one of these things alone is unlikely to identify you (except for you reading your address to someone on the phone), but together they can set up enough of a picture that someone in the area can drive around canvassing to nail it down. The camera itself can be used as confirmation; shine a non-obvious light or laser pointer (just don't hit an airplane) on a window you suspect to be the baby's room and have someone watch for it to appear on the webcam. The response to that, of course, is "Okay, so? Some guy knows where I live, so what?"

      While the chances are extremely rare--more so than the fear-mongering media would like people to believe--there is a non-0 chance that someone will target you for whatever reason. Maybe they'll just send you creepy letters, or maybe you'll look at a recording of your baby's cam and see a face looking into the window at night. This doesn't mean you should board up your doors and windows, turn off the electricity, and never leave your house full of water and spam (questionably edible, not mail.) But why not take the time to activate security features offered on the camera already? Sure, that could be hacked, but security is about lowering risk, not removing it completely. Or, if it has no security features, unplug it when you're not home.

      And, of course, we have the whole NSA thing going on, so why make it easier for them to collect stuff like this?

      tl;dr: If you have the ability to enable extra security/privacy, likely trivially, why not?

  32. Time sink ... by CaptainDork · · Score: 3, Informative

    ... after an hour of poking around. Nothing to see.

    --
    It little behooves the best of us to comment on the rest of us.
  33. Internet by emohawk · · Score: 1

    How are these cameras visible on the internet even with the default username / password? When setting up my fascam I had to use port forwarding to get from the external IP address to the camera, along with binding the MAC address to a static internal IP address, I also had to set up DDNS for the domain name and when my ISP changes my external IP address. Surely the router firewall would block all this traffic by default?

    1. Re:Internet by jeffmeden · · Score: 1

      Surely the router firewall would block all this traffic by default?

      Enter: UPnP! That, and people who figure out *just* enough of their router to forward port 80 from the outside to the inside (some make this really easy and even just allow you to pick the inside device verbatim as opposed to an address that has to be statically assigned.)

  34. Black tape by p51d007 · · Score: 0

    Every laptop I've owned, if it had a web cam, also had a piece of black electrical tape over the camera.

  35. Manufacturers need to step up their game by lance423 · · Score: 1

    While a lot will say it is the consumer's fault for not securing (and I'm not saying they're wrong), it's just as much the manufacturers' fault for not putting a bigger emphasis on security. People are so willingly ignorant of what kind of functionality their devices have outside of what they want. When setting up ANY device that can be accessed remotely, changing the default logon should be mandatory. Would consumers whine? Probably, but with a brief statement of WHY it has to be done any reasonably thinking person would be willing to put in the effort to change these defaults to avoid this kind of breach.

  36. simple robo script by Anonymous Coward · · Score: 0

    One argument is to write a script to do the following:
    1) change password
    2) break the network configuration to take it offline

    No invasion of privacy (never saw anything). Failsafe. Owner can simply reset to defaults and replay.
    There are plentiful ethical people to help do it. Though it would be funny if they rented a pwnd PC inside a government agency to do it.

    Does that sound any better? Maybe there is more than one "right" way to do it? Just try not to overthink it.

  37. What is old is new again by cetan · · Score: 2

    2005 wasn't that long ago, was it?

    http://it.slashdot.org/story/0...

    --
    In Soviet Russia...michael would be rotting in Siberia!
  38. Printers are another weak spot by Pvt_Waldo · · Score: 1

    There are a lot of things you can do with some printers that enable web servers without any authentication at all. Print things, ask to do a scan (people forget things on scanners), view and modify contact lists for FAX and scan to email tools, etc. Definitely potential for "denial of ink and paper" attacks on a printer.

    IMO manufacturers should only allow local network access to these devices unless you explicitly set or modify the default login.

    1. Re:Printers are another weak spot by swb · · Score: 1

      25 years ago I worked at a major State University. They had a huge, campus-wide network for AppleTalk. You could go into the Chooser and select laser printers or file servers all over the campus.

      We were always coming up with conspiracies as to what to do with access to every LaserWriter on campus. Mostly we were curious how many times we'd have to print a porno image before we read about "Random Porno Images Printed Campus Wide" in the student paper.

      There was zero security on any of this and I would imagine the network technology of the era probably would have made tracing it tough. Many offices, including ours, were connected behind Ethertalk bridges, which I think had an effect similar to NAT in terms of tracking traffic -- entire departments (ours was 25 people) could have been seen as a single source.

      I can't imagine how they do college campus networks these days, you'd almost think they'd firewall departments off.

  39. OMG by Anonymous Coward · · Score: 0

    One of the security camera pictures on the page of the article looks exactly like Hunter's room in Paranormal Activity 2.

  40. cut the crap by ruir · · Score: 1

    and post the URL of the site.

  41. Risks, OMG think of the children by ishmaelflood · · Score: 1

    " Particularly alarming was the number of camera feeds of sleeping babies, which people often set up to protect them, but, being unaware of the risks, don't change the username or password from the default options that came with the cameras."

    What risk, exactly? I can't imagine anything more boring than a video of a sleeping baby.

  42. sleeping babies by unami · · Score: 1

    "Particularly alarming was the number of camera feeds of sleeping babies, which people often set up to protect them, but, being unaware of the risks, don't change the username or password from the default options that came with the cameras." So, where exactly is the risk of someone seeing my sleeping baby - unless I'm a pedophile and doing dirty things to it live on camera?

  43. hmmm by MakersDirector · · Score: 0

    I would find it much more interesting if they peeped into people's houses, and let me select the house address by location on a map like Google Maps.

    You know. If I could 'select' something on a map. Say 'hey, check out this map' - and kablammo I have access to someone's house.

    Or better yet, I could target a person and just hit 'follow mode'.

  44. Re:Ethics -- High Hypocrisy Highlighted by Anonymous Coward · · Score: 0

    And yet here I am, receiving frames from it without authenticating, which is of course, what the original article was about. People looking at that site aren't logging into the cameras, or even connecting to them - they're receiving images from a server in Russia. The people running that site are accessing those routers, yes, but the hypothetical person telling the owner that the door is unlocked/open never went inside.

    The analogy breaks down fast and hard there - it's more of "if you see that someone's door is open, and someone is taking pictures of what's inside and passing them around without the owner knowing, should you tell the owner?"

    The person telling the owner isn't breaking any laws at all, or even contacting the camera owned by whoever they're contacting - they're informing them that someone else has done so, and is posting the pictures on the internet.

  45. What risk? by Forthan+Red · · Score: 1

    And the "risk" of someone viewing the image of an unknown sleeping baby, at some unknown location, is...? This is the same insanity that keeps parents from posting their kids' pictures online. Do they really think kidnappers are trolling Facebook in order to find victims? Does that make any sense?

  46. Cause you got fingers. by Anonymous Coward · · Score: 0

    People should not have a great expectation of privacy when they hook surveillance equipment to the public electronic publishing platform. People should, however, be able to do things they would like to do without first checking with you. People may want to take a jog in the park, for instance, without first checking if you would like to mug them if they do. Do I need to provide more examples?

  47. That's nothing by advantis · · Score: 1

    I've encountered a camera that actively uses UPnP (Gateway profile) to ask the router to forward port 80 to itself and also connects to a Chinese dynamic DNS service as a bonus by default. While you can disable the dynamic DNS setting, you have no say in the UPnP thing.

    These cameras are so badly thought out that they crash when a different UPnP device on your network responds.

    But hey, they're cheap. You find them on Alibaba (the guys with the big IPO).

    --
    Question for religious people: where do unrepentant masochists go when they die?
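
The UPnP behaviour described in comment 47 can be audited from the defender's side. This is an added example, not part of the thread: it parses constructed AddPortMapping SOAP requests (UPnP IGD WANIPConnection:1) and lists devices that asked the router to expose a web or video port; the hosts, descriptions and the sensitive-port policy are assumptions.

```python
import xml.etree.ElementTree as ET

def _soap(ext_port, proto, int_port, client, desc):
    """Build a constructed AddPortMapping request body (sample data only)."""
    args = (f"<NewRemoteHost></NewRemoteHost><NewExternalPort>{ext_port}</NewExternalPort>"
            f"<NewProtocol>{proto}</NewProtocol><NewInternalPort>{int_port}</NewInternalPort>"
            f"<NewInternalClient>{client}</NewInternalClient><NewEnabled>1</NewEnabled>"
            f"<NewPortMappingDescription>{desc}</NewPortMappingDescription>"
            "<NewLeaseDuration>0</NewLeaseDuration>")
    return ('<?xml version="1.0"?>'
            '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
            '<u:AddPortMapping xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">'
            + args + '</u:AddPortMapping></s:Body></s:Envelope>')

# Constructed capture: requests seen on the LAN side of a router (made-up hosts).
SAMPLE_REQUESTS = [
    _soap(80, "TCP", 80, "192.168.1.50", "ipcam"),
    _soap(51413, "TCP", 51413, "192.168.1.20", "file sharing"),
    _soap(8554, "TCP", 554, "192.168.1.50", "ipcam rtsp"),
]

# Assumed policy: internal ports that usually carry an admin UI or video stream.
SENSITIVE_PORTS = {23: "Telnet", 80: "HTTP", 443: "HTTPS", 554: "RTSP", 8080: "HTTP-alt"}

def parse_add_port_mapping(xml_text):
    """Return the requested mapping as a dict, or None for other SOAP actions."""
    # Use a hardened XML parser instead if the capture comes from an untrusted source.
    root = ET.fromstring(xml_text)
    for el in root.iter():
        if el.tag.endswith("}AddPortMapping"):
            f = {child.tag: (child.text or "").strip() for child in el}
            return {"client": f["NewInternalClient"],
                    "external_port": int(f["NewExternalPort"]),
                    "internal_port": int(f["NewInternalPort"]),
                    "protocol": f["NewProtocol"].upper(),
                    "enabled": f["NewEnabled"] == "1",
                    "permanent": f["NewLeaseDuration"] == "0",  # 0 = no expiry
                    "description": f["NewPortMappingDescription"]}
    return None

def audit(requests):
    """List enabled mappings that expose a sensitive internal port to the WAN."""
    findings = []
    for xml_text in requests:
        m = parse_add_port_mapping(xml_text)
        if m and m["enabled"] and m["internal_port"] in SENSITIVE_PORTS:
            findings.append({**m, "service": SENSITIVE_PORTS[m["internal_port"]]})
    return findings
```

On a router that cannot restrict UPnP per device, the same check applied to its port-mapping table shows which devices have opened themselves to the internet.
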
  48. Question about NAT by Anonymous Coward · · Score: 0

    Are these cameras accessible through a NAT firewall or are they communicating with an outside server somewhere that exposes them?