“Ratters”. Ick.
These are pathetic people who use a canned remote administration tool (RAT) to seize control of other people’s computers…especially to activate their laptop cameras so they can spy on them (which is why I predict some of you will want to tape over your camera). Ars Technica has a whole article on these deeply creepy human beings.
Not all human beings, obviously. Unfortunately, most of them seem to be feeble little child-men.
By finding their way to forums filled with other ratters, these men—and they appear to be almost exclusively men—gain community validation for their actions. “lol I have some good news for u guys we will all die sometime, really glad to know that there are other people like me who do this shit,” one poster wrote. “Always thought it was some kind of wierd sick fetish because i enjoy messing with my girl slaves.”
Please, guys, could you stop making me ashamed of my sex? What the fuck is the matter with you?
[Vacula-logic]
If they don’t want to be spied on, they shouldn’t use computers that have cameras or that connect to the internet. WTP?
[/Vacula-logic]
And to think that I was steaming about this article that I saw on Ars Technica today.
*sigh* We can’t win, can we?
:( :( :( :(
I confess to giggling at the “off” button on my one webcam when I first opened up my one laptop… Not because it’s not useful, though. (It’s just a physical shutter, that covers the webcam. That it’s actually labelled “on” and “off” is what gets me, though XD)
But seriously: gaaaaaah WTF is wrong with these creepy assholes? Or more to the point: why do creepy assholes take such damned pride in being creepy assholes?
Oh for fuck’s sake. The douchebags always take their liberties.
if they always thought that…. one has to wonder how finding others doing the same thing makes it NOT a sick fetish?
it’s like saying:
“Well, I always thought having bowel cancer made me sick and in need of treatment, but now that I have found others with bowel cancer, obviously it’s no longer an illness at all!”
the mind reels at the “logic” involved…
I’ve had my webcam covered for over a year, since I visited Cuttlefish University’s tech people and saw every single cam taped over. This one is like Pascal’s Wager wants to be.
meh, I just bought one with a light that comes on whenever it is activated for any reason.
I like to KNOW when someone is trying to hack my puter.
And this is why I refuse to buy a webcam-enabled device: I can pick my nose in as much privacy as the world currently allows.
Trust me, no one wants to see my morning anime hair and me resolving my massive mega-wedgie from tossing and turning.
Ichthyic @ # 8 – Don’t you think someone skilled enough to hack into your cam feed also knows how to disable an “in-use” light?
I started covering my cam after reading about the school district near Philadelphia, PA, where the techies were spying on all the students who’d been given school-issued MacBooks.
What I want to know now is: can “they” also mirror my screen, and/or read files on my hard disk (open or not)?
@peirce
You didn’t read the OP article
sorry, impossible. the light is activated simply by power being fed to the camera.
it’s not software controlled at all.
yes, and yes. though it really depends on what security levels you grant to external access ports. In the later versions of most OSs, it is very difficult to remotely grant administrative access to your puter with a simple trojan, but it CAN be done if you allow that simple trojan to create new executables on your system, which is of course why everyone should be using a decent antiviral/malware proggy.
in short, I’d worry far less about someone taking over your camera, and far more about the fact that if they have managed to do that, your system is compromised in much more damaging ways.
for example, trojans that work to intercept your keystrokes have existed for at least 15 years now, and have only gotten more sophisticated. that data is sent as a lump to a database on someon’s server, and while innocuous in and of itself, if they take a personal interest in your puter at any time, they can start looking for patterns and quickly discern your passwords.
so, obviously:
-get a good antiviral/malware proggy and keep it updated; run a scan once a month or so just to be sure.
-change your passwords regularly (every 3-6 months is a good period).
-don’t use passwords that consist of easily recognizable words
-if you have no need to remotely access your machine yourself, you can in fact completely disable the service entirely. There are many websites that document how to do that.
I’ve have covered the built-in web cams on all my ‘devices’ since I saw what I look like over a web cam.
[I use those skinny post-it thingies]
also I’m a bit paranoid
[reading William Gibson may have had something to do with it.]
and I have been known to pick my nose
oh, and if you even remotely suspect someone may be trying to hack your system, go and change all your important passwords (preferably on a different machine).
and the followup?
:)
Ichthyic
You’ll never hear it from me.
[or see it, the cam is covered]
Mine has 4, and a button on top, which is “supposed” to function as shutter switch. Only problem is, the company that makes the thing does so as a sort of freebee, the manufacturer of the chipset doesn’t bother providing a real driver for it, and as a result, neither the lights, nor the button work (which is a pain in the ass, since the thing is almost always in low-light, and won’t read barcodes either, as a result).
As for someone taking over the camera.. I personally don’t give a frak. If they want to stare at my hairy chest, or watch me walk by without pants on, its there problem, not mine. But, I suppose, some people do have a problem with other people watching them like that… lol
Still, as was said above, if they can manage to install a working hack to access your camera, you have bigger problems than that some dipshit wasn’t to turn on your camera.
Endpoint security is so bad – so indescribably awful – that you’re basically screwed unless your online life is lived with a great deal of care. :( And even that’s not good enough a lot of the time. :(
As well as anti-virus and anti-malware like Spybot, it is not a bad idea to install Comodo Firewall. Or I suppose you could make sure Windows Firewall is enabled (I would much rather run Comodo).
I also use Firefox as my browser and run an extension called “NoScript” which stops ANY code from running from a website unless you specifically allow it.
None of this will 100% make you safe if you download torrents or, much worse, choose to run applications from untrusted sources, but it should minimize the risk somewhat.
I use use software to take over people’s computers all the time.
It’s for work mind you but it’s incredibly simple and can be done with all manner of different software. The install package to install something like Kaseya is small and if you aren’t paying attention could be missed.
I use it to take over their screens, reboot the pc, install software, monitor disc usage, update status, etc.. It’s a paid service but there we many like it out there that are free.
Be vigilant about what you click because many tools only take that for install and if its legit software like Kaseya and you aren’t that proficient or knowledgeable you can be had easily and your AV and Anti-malware may never let you know.
Considering that in this context, the slave isn’t a consenting adult partner who is electing to be controlled as a part of a sexual fantasy but rather someone being used by this idiot, I would go as far to say that this idiot is correct that it is a weird and sick fetish.
And he’s an asshole.
While a good antivirus is essential if you’re using a Windows or Mac, it is no guarantee. The generation of virus signatures always lags a bit on new viral variants. Still, it’s certainly better than nothing. It is also good to have an alternate security program (like Spybot) to do periodic checks using a different malware signature set; this may cover some of the gaps in your primary AV program.
MOST of the infections today come from:
– Visiting a compromised web site, which downloads malware onto your system. Having visited the site safely before is not a guarantee that it hasn’t been maliciously modified since then.
– Opening an infected e-mail attachment.
Hackers try to get you to open attachments or visit compromised sites by phishing, where they send an e-mail that looks like it came from someone you know or have a business relationship with. The e-mail can also actually come from a friend, if their system/e-mail account was hacked and malicious e-mails sent to all the addresses in the account address book.
A few options for the more technically savvy:
– Install a Linux operating system (like Ubuntu) as the host OS, and run your Windows within a virtual machine. Oracle’s VirtualBox is free, and allows you to take snapshots of your virtual machine so that you can take it back to a known safe state. Use of this feature may require saving your data on the host OS, so it is there after a rollback.
– Alternatively (and somewhat easier), visit the internet and do your e-mail on a Linux virtual machine installed on a host Windows or Mac system. Malware is predominantly written against Windows, Macs, and increasingly against mobile OSs like Android. If you open a bad attachment or visit a malicious web site in a Linux VM, it is unlikely it will be compromised. Ubuntu and Mint are the versions most like Windows in terms of how the interface works. VMs used to be slow because of the processing overhead, but they’ve gotten better and most current systems have multiple cores to speed things up.
– Use a safer browser. Google’s Chromium browser is sandboxed, which makes it much harder for any program running in the browser to touch the operating system. Not impossible, but harder. Microsoft has done a lot of work on Internet Explorer (they had to), but I prefer a less mainstream browser myself.
– Go to the McAfee siteadvisor site, and install the browser plug-in program. It provides an indicator in your browser window to show if a site is rated as safe or not. Not a guarantee as it may lag site compromises, but it will warn you if the site you are visiting has been marked as dangerous. It also provides indicators on search results, which is nice.
Remember, most compromises are not caused by new exploits. The older and more well known exploits work great if you haven’t kept your system (and applications) updated. Don’t put it off. If your OS or application asks to update, do it. Note: there’s been a recent compromise to Java, so if you have that installed get the latest version.
Also, Windows usually ships with a default administrator account set up. Set up a standard user account, which does not have the permissions required to install new software, and save the administrator account for doing updates and application installs. Windows has gotten better at asking if you want to install something, but best to make things harder for the malware to do its job.
By the way, Google recently announced a reward of pi million dollars ($3.14159M) to any hacker that can successfully compromise their Chrome operating system.
The internet provides validation and a support group for every flavour of fuckwit on the planet. See also: 4chan, 12chan, motherless and the slymepit for a few notable examples.
No, hardware doesn’t work that way. Be aware of the threat of attack, but don’t imbue the attackers with magic powers.
The real answer to the question of can you disable an activity light on a webcam is: It depends.
For example some logitech web cams it is as easy on windows as altering a registry entry:
http://forums.logitech.com/t5/Webcams/Can-I-turn-off-red-LED/m-p/277305#M52816
Other web cams might require a firmware change, and still others it might be impossible. But to blanket say it can’t be done is incorrect.
Great. This is going to be an “I hate people” day.
Yet another reason to use Linux or some flavor of BSD. I know it’s not always possible but it stops skeezy things like this :(
actually, Linux is just as open to attack as any other operating system… IF you want to operate it remotely, and leave the same pathways and ports open.
sorry, but there is NO operating system immune to trojans or hacking innately.
I’m covered then, since I never said it was a blanket issue, only that mine has a hardware light that has nothing to do with software drivers.
it’s good that you clarified that others that have lights ARE software enabled, though.
While it’s very true that any operating system can be attacked, you have to look at the prior probabilities. Most of the malware is targeting the more popular operating systems, because that’s where the numbers are. If Linux ever gets really popular for users, it will be a bigger target too.
Besides, Linux was designed from the beginning to be a network connected system, and as such had protections designed in at the start. Microsoft had to screw in protections into an OS that was not originally geared to be a networked OS. While that was a couple of generations ago, a lot of the original architecture was retained to maintain backwards compatibility.
Macs, which for a long time bragged about not needing an antivirus program because it was so safe, is a derivation of the UNIX/LINUX line of operating systems.
BTW, most of the hackers now aren’t targeting the operating systems, but the applications. You’ll find lots of hacks for Adobe Reader, Microsoft Office products, web browsers, etc. Those are easier targets. If you’re interested, there are we sites you can subscribe to that send out alerts on newly discovered vulnerabilities on different applications. Kind of depressing really, because there’s always a new vulnerability being found.
Ah yes, the joys of Windows. It’s the perfect storm: clueless end users, an OS with more security holes than Swiss cheese, and a gazillion tech-savvy perverts.
I don’t own a web cam. problem solved.
exactly. which is why i said there is nothing innate to the Linux OS that makes it invulnerable.
meaningless in a modern comparison, sorry.
It’s like you’re trying to say because one system started off with network protections, the other simply can’t accomplish the exact same thing.
it’s a ridiculous premise.
you WERE right in talking about hacking being more of an issue for windows platforms because of the popularity of that system, but the rest was bollocks.
and Apple was just lying when they said their system was safe from viral attack.
so tired of this shit.
For one, it doesn’t use Internet Explorer. But yeah, you have a point of course, malware is mainly written for the predominant OS architecture. But I would take a bet that must Linuxers at least know what a port is, or an RFC. Also, root passwords…
But sure, most often horny asocial creeps will find a way, if they set their mind to it.
like I said… so tired of this shit.
you really think Mac users are NOT clueless? LOL
Linux users, again, started off with a more knowledgeable base, but even THAT has changed drastically since the introduction of modern GUIs and easy installations.
it’s likely that indeed, because of the historic unpopularity of Microsoft (deserved), that they will continue to be the most at risk OS, simply for the huge number of already existing and easily modifiable exploits, but again, this has more to do with the popularity of the OS, and much much less to do with whether it is innately secure or not.
here’s a question for you:
What operating system does the CIA use?
*hint*
it’s a trick question.
neither do I on my windows machines. you haven’t had to use IE on windows for yonks now, and can safely ignore it or even uninstall it.
Oh, I don’t doubt it at all. Just another OS that works fairly well for the average end user without knowing anything about what’s going on under the hood.
I’m talking about average Windows users, not you and me. What’s the market segment of alternate browsers now, 30%?
It works similar to how privileges are assigned in windows file access and services. In fact, it’s actually much MORE secure (by bit length) in 64 bit windows than it is in Linux, and it’s also much more flexible to control.
*shrug*
If Linux was as popular as Windows, and there was a commercial profit motive in configuring it for end users that wanted maximum flexibility with minimum fuss…. you would end up with similar security issues to be sure.
again, the only difference being that the install base is in fact quite a bit different for Linux than Windows… currently.
as was pointed out earlier… look what happened to android.
Imagine if somehow (not possible, but imagine), Linux was the OS chosen for primary mobile distribution instead. Imagine how crippled the security features would have to be to get it to work like android does?
So, this is further proof that the Internet is apparently hosted on planet Freeze Peach where it’s your duty to protect yourself against criminals. I’m wondering if it would help if you have a gun next to you and shoot your computer?
I think you’ve unwittingly stumbled upon the next NRA commercial!
:)
“We need to protect ourselves from internet hoodlums! … And the only sure way to do that is with a gun, of course!”
“Won’t someone think of the poor children, exposed to internet pornography and the homosexual agenda! Who wouldn’t want a gun to protect their precious children from THAT?”
It sounds so ludicrous… but with the way things have been going, I actually shouldn’t say that. I shouldn’t be surprised if the NRA actually HAS considered something along these lines.
The only thing I can think is “Why the fuck would you want to watch me?” If someone is that seriously bored, go for it. I just don’t know why….
[anecdote]
Some years ago, when I got my mum (now 80 y.o.) a camera for Skype, I warned her about the possibility. Practical as she is, she made a decorative (and opaque) little hood for the camera which she withdrew only when she was actually using the camera.
[meta]
Pyra:
“So you can’t see me, no not at all
In another dimension, with voyeuristic intention
Well-secluded, I see all”
(My emphasis)
The Time Warp Lyrics
by Little Nell,Richard O’Brien,Patricia Quinn. From The Rocky Horror Picture Show
You’ll be pleased to learn that it isn’t because of your gender, even though most of them are male. Just because Murray cod are fish doesn’t mean mackerel should be ashamed of being fish. (I’m channeling the Logician)
My Microsoft LifeCam comes with a really useful feature: Magnets on both sides to fit it to it’s little nipple-fixer type thing. When not in use it’s turned around.
Oh and I am practically 100% safe from viruses on the internet. I always wear a condom. Doesn’t matter whether I’m using Windows, Mac or Linux it’s rubber on, no worries.
Louis
P.S. Obvious comedy aside, I’m going with PZ on this one. Well done con-sexuals for finding another way to make me feel ashamed to be associated with you in any way. And I’m not some shrinking violet, pearl clutching virgin. I’m an ex-rugby playing quasi-alcoholic (i.e. British) pervert with gold clusters. This stuff? Erm…no. Properly non-consensual violation/violation of privacy via illegal methods. How many lines, social, ethical and legal do you need to cross before the occasional warning light sounds?
nice!
always knew that screenplay was prophetic.
sounds uncomfortable. does it chafe?
I do not have sex with the internet. The sly minx has yet to succumb to my charms.
{Twirls Victorian moustache diabolically}
The rubber is perfectly comfortable.
Louis
but all the time?
I dunno….
ha, now that set me off thinking about THIS Victorian… “gentleman”.
I think this is a case where cockroach control logic should apply.
Turn the lights on them. The more public exposure, the better. Post links to their forums, comments, websites and hangouts. Let them know that their activities are a matter of public comment.
With respect, could you please not lump me in with these disgusting morons merely because I happen to share a gender with them, that’s rather sexist of you :P
no, it isn’t.
please do expound and clarify though… this should be good.
Well, it was a somewhat lighthearted comment, in case the :P didn’t give that away, but the point behind it was that neither I, nor PZ, should have to be ashamed of being male merely because of the actions of some other people with whom we happen to share a gender.
Stereotyping based on gender is one of the definitions of sexism, is it not?
indeed, but it’s laughable that you think that’s what he was doing there.
Annnd… there goes another chunk of my rapidly dwindling supply of confidence in human nature. These are the same type of creepy characters who think that taking ‘upskirt’ photographs is a charming hobby, they are merely a bit more tech-savvy. It is evidently expecting far too much of them to hope that they might realise that spying on other people without their consent for one’s own gratification is invasive and abusive behaviour, but even the most rudimentary expressions of human deceny are obviously beyond someone who would state in all seriousness that;
It is deeply despressing to think that creatures such as this stink up the internet in such numbers.
What the fuck is wrong with these people!?
“Slaves”? They call their victims “slaves”? And that little twerp quoted in the OP, ” i [sic] enjoy messing with my girl slaves”; I think this one sentence pissed me off more than the rest of the piece put together.
And that LaBrocca guy? “…those with questions about the site “find a thread you don’t like and use it to throw the site under the bus. I can give you countless examples how HF has positively changed people’s lives.””
So he’s using the same defence Reddit and the ‘pit use. Doesn’t fly, arsehole.
*rage*
In how many different ways have we heard, “There are others who do X, so it must be alright that I do X.” They gain validation of their action by way of a rationalization.
It’s like those people who are paranoid that the government is watching them through the television.
Except it’s real.
And instead of the government, it’s perverts.
Is there a way to cover my computer cameras in a way that won’t damage the camera lens? In case I want to take it off later.
@thumper
I said the same thing. Note how they engineered it as an “amoral” site just like reddit?
Also if you read this and feel the need to comment on PZ’s “sexism” please give yourself a beltsander haircut you goddamn useless idiots
@cyberCMDR/21
Thanks for the neat advice! I’m going to try to do what you listed. Although I’m going to have to figure out how one does the Linux virtual machine thing . . .
Sometimes I am, based on the actions of fellow humans, ashamed of being human. Is that humanism?
I fail to see how that is stereotyping. Please elucidate.
BUTWHATABOUTHEMEEEEEEEEN!????
@Ing: Intellectual Terrorist
It does seem to be a “Get out of jail free” card when it comes to disgusting internet sites. I’m all for freedom of speech; one of the things I admire most about America is the protection afforded freedom of speech (I’m not saying the 1st applies here, just expressing admiration), even to the most un popular viewpoints. I’m all for moderators being as hands-off as possible. But there is a clear line between what is disagreeable and what is downright unacceptable, and that is the thing which Reditt and this LaBrocca clown don’t seem to get. It’s their site and they have the right to run it as they wish, but if they allow this shit on their site then they are tacitly endorsing it, so they do not have the right to moan when people tar them and all their regular commenters with the same brush.
@Eristae #61
Take a Post-it and stick it to the edge of the monitor so that the dry, non-sticky part of the post-it hangs directly over the lens. Do not stick the sticky part to the lens or to the actual screen of the monitor. That’ll do it :)
@thumper
Thanks!
Tape? Mine is unplugged when not in use.
It really ruins the fun of buying tech for your kid when you have to explain to her that this is yet another way that skeevy sexual predators might use to prey on her.
These men are breaking into homes to victimize women and girls. They should be locked away.
Bitty, poor, poor you. Won’t anyone think of the menz? What about them? Just because they are the majority of sexual predators and keep women in a state of wariness/fear, even in their own homes, let’s not admit that this has anything to do with male privilege. That might offend teh menz and their feelings are sooooo important.
@Eristae
No worries. You can get mini ones, meant for use as bookmarks, which might work better since they will cover the cam without covering the screen.
If you don’t use the cam often you could just disable it in the device manager. If you have a separate admin account with tricky enough and unique password that changes often, there is very little chance that it can be renabled.
@jackiepapper
#69
It’s not a solution possible for built-in webcams.
@erikthebassist
#71
I have a feeling that a software solution have a potential to be bypassed. Having a separate admin account is a good rule, but not one that a lot of user have the discipline to use it.
For webcams, it’s probably easier to physically cover it up. For one, you can clearly see that it’s “disabled”.
For plugged-in webcams, either unplug it, or have a small box to cover over it.
@Eristae
#63
For a free version, try VirtualBox + any of the free Linux (or try Ubuntu). There’s a lot of tutorial online on how to setup Ubuntu in VirtualBox.
@ Eristae:
Virtual machines are fairly easy. The simplest programs for setting them up are VMWare Player and VirtualVox. Both are free. I like VirtualBox because it allows you to take a snapshot of your virtual machine that you can go back to if things get messed up. VMWare has that capability, but not in the free version. Once installed, you can download the installation disk file for the Linux flavor you want. There are lots of variants.
When you start creating a virtual machine, you can configure the VM’s hardware with how much disk space you want to allot to it, how much memory, how many cores, etc. Don’t set aside too much, as you want to leave memory, disk space, etc. for the host system to keep operating. Installation is easy if you set the VMs CD drive to point to the Linux distribution iso file that you downloaded. Start the VM, it will find the installation file, and begin installing.
Once you have the virtual machine set up and installed, you can explore Linux on your computer. There are more detailed explanations on the web on how to do this and how to use Linux. The interface is a little different, more similar to Macs than Windows, but you have a lot of flexibility in terms of how you can configure the system. VMWare and VirtualBox each have additional guest additions software that include drivers to make the VM work better on your system, so that should be installed early. Just remember, Google is your friend, and there are lots of sites providing answers to questions on how to do things in Linux.
Remember, if you want to use the snapshot feature you should configure a shared folder on the host that the VM can see and access. That way you can transfer files easily between the host and VM. Better to use a directory set aside for the purpose.
As has been noted here, Linux isn’t magic. It is however a lower profile target on the Internet. Besides, distributions like Ubuntu have lots of free software available that can enable you to do many things that may cost or are not available in Windows, so it provides you with options to explore.
Damn, it’s VirtualBox, not VirtualVox. We really need an edit capability after submitting a post.
Ichthyic
Fair enough, but the real strength of Linux lies in the community. People. A relatively large proportion of which are professionals utilising the networking features (not unimportantly it is free and open). A vast army (horde?) with a very vested interest in fixing things fast, without waiting for the “proprietary” solutions of others.
A case in point … Google.
WharGarbl
The only problem with the tape solution is that in many cases the webcam has a mic built in to it, if it’s comprimised, audio is still up for grabs.
As with anything else, there is no way to be 100% safe, on the internet or anywhere else. The real problem is the perpetrator, and that’s why I hope the article in the OP has caught the attention of the FBI’s internet crimes division.
These guys are creepy assholes and I hope they all get caught. Everyone should be entitled to privacy in their own home. Seriously, fuck those creepers.
There’s obviously no way to be 100% safe, but I personally think I’m relatively safe from this. I always boot my main computer from a USB stick or a live DVD and I don’t have any operating systems installed on the internal hard drive. My main operating system, Parabola GNU/Linux, is unable to connect to the wifi because it prevents users from installing any proprietary software, like the firmware for my wifi chip for example. My secondary OS is TAILS, which is on a live DVD, preventing any persistent changes. The third OS I use is an installation of Puppy Linux on a USB stick, and I only use that when I’m in public, so I wouldn’t care if someone is spying on me through that. I probably should tape my computer, but I keep the lid closed most of the time. Eh, I’ll tape it after I post this.
For those who want to run a GNU/Linux OS inside Virtualbox: I personally wouldn’t recommend Ubuntu since by default, it has some software installed that sends your activity to Amazon for advertisements or something, which you can disable. However, Linux Mint is supposedly very user friendly and is one of the more popular distros and isn’t a bad choice unless you take a strong stance on only using free software. Personally, I’d only recommend a distro from the FSF list, and I think that Trisquel is probably the easiest one to use. FSF distro list: http://www.gnu.org/distros/free-distros.html
Actually, come to think of it, I would care if someone is spying on me through Puppy Linux since the only user on that OS by default is root.
Thanks to all who replied to my comment @ # 10.
I sent the full text of the Ars Technica article to a list of friends. So far I’ve received at least seven bouncebacks: those from email accounts at yahoo.com and att.net flagged “Email not accepted for policy reasons.”
Which means, I suppose, that some of the article’s links to ratter web sites triggered a red-flag somewhere in those companies’ servers. I wonder if I’ve been added to some perv or perv-watch database – and just what else major email providers have on their not-allowed list…
Jokes on them, my webcam’s broken.
Other decently useful internet habits:
1. Block ads (AdBlockPlus) and scripts (NoScript) by default. I also use ghostery, just in case. Blocking scripts does a pretty good job of preventing a web page from downloading something onto my computer.
1.1 Additionally, in random bits of “eh, this can’t hurt”, I usually will enforce https:// whenever possible.
2. Encrypt anything you care about – I have a truecrypt partition and also use gpg when I’m really being paranoid.
3. Learn your operating system. Raise all the walls you’re willing to. On Linux Mint, I’ll usually raise ufw; if I’m doing fancier things (like setting up my laptop to be an ssh server), I’ll limit ssh attempts, etc. On Windows, I make damn sure that my computer has all the options for “send info somewhere” turned *off* by default. (I don’t SAMBA – I’d rather just deal with scp). Periodically, I’ll look through the output of ps aux to cross check that there aren’t any “strange” processes I don’t remember.
4. Good passwords. Passwords on the order of 10-16 characters long, with symbols, numbers, etc whenever I can. (Yes, I know about that xckd. My passwords have more entropy than that.)
5. Antivirus: I use avast as my primary antivirus on Windows (I don’t run antivirus on Linux – there’s no good point, as antivirus softwares typically only pick up Windows viruses.) AFAIK it works, (although that might be a function of me never logging into Windows :D)
Hackers…aren’t omnipowerful. I will point out that the two MIT servers that got hacked recently by Anon – both were Windows servers.
The Linux ones – and almost all of our servers are Linux ones – escaped the wrath of Anon.
Ichthyic
The thing is, you can’t uninstall IE, since it shares so much code with Windows Explorer. “Uninstalling” IE just bumps it back up a version.
You can not use it, but that…doesn’t really help, security wise, since fundamentally Microsoft basically took their file broswer and hacked into an interet browser.
I don’t see Microsoft implementing a proper file permissions system.
Can Windows write something secure? Yeah, probably. Are they doing it? Fuck no.
Issac
12.10 only, which like every LTS+0.06 version I’ve ever come across, either a) hates me or b) is only vaguely stable wit my laptop.
But, yeah, Mint has its shinies (like a GUI that’s….say, not meant for touchscreens).
cyberCMDR
…I’d think the money would be in hacking Linux servers, considering how many of those exist (64.7% Unix or Unix-like)
WharGarbl:
You are actually correct there, but, in this case, if someone can remotely undo it, someone using your webcam to spy on you is the least of your worries, as they pretty much have the run of your machine. Myself, whilst I own a webcam, it’s not one built into my monitor or anything like that, and I can’t actually recall the last time it was even taken out of the drawer it’s currently sitting in, far less actually plugged in and used. I think that’s a pretty solid defence against someone using it to spy on me.
I’ve had mine covered since that episode of Criminal Minds with James Van Der Beek back in 2007. Freaked me the hell out. And I insist my kids cover theirs too, unless they are actively skyping.
To those who are more tech savvy than myself, can this camera hacking be done on smartphones? Particularly iPhone 4&5 and Samsung galaxy? My young’uns tend to use their phones more than their laptops and (especially for my girls) tend to carry them everywhere, including the loo.
the current file system has the ability to add way more secure locks than any other OS, period. In fact, it’s been that way since before Vista was released.
it’s implemented in the system, though it IS true that most users won’t bother to learn how to use it.
do you use your smartphone for accessing the web? Is it using a flavor of android?
then it can be hacked.
Android in fact is very easy to hack. I would never put sensitive information on a phone that in any way has access to the internet.
here’s a sample site showing how easy it is to hack android, and what you can do to at least throw up some roadblocks:
http://www.veracode.com/security/android-hacking
oh, as a last tip, in case it hasn’t been mentioned yet.
When any site asks you if you want to leave sensitive information on file permanently, DON’T DO THAT.
examples:
site asks if you would like it to remember your login and password for quick access. correct answer: NO.
site asks you if you want to leave your credit card information stored in your account for quicker processing. NO.
seriously, when we designed consumer sites that processed credit card transactions we ALWAYS made it a point to NEVER store personal information anywhere on the server; it was always passed directly to the credit card transaction company, encrypted.
way, way too many companies keep that information stored on their personal servers, with the result that hackers have plenty of access to your personal info.
At least, if they offer you a choice, you can help to protect yourself by not volunteering your personal information to be stored on their servers.
…and then permanently destroyed after the transaction was complete, for good measure.
So these ratters were what made you ashamed to be a male? Not Stalin, pol pot, Mao, the Popes, pretty much every male monarch ever to sit on a throne etc. I don’t know about you but those guys would make me ashamed to be a male if i were going to be ashamed of my gender due to the actions of other males. I do agree worth your main point made in the post, just had a slight issue with the last line.
on this day, yes.
now we can safely ignore the rest of your fallacy.
bye bye.
[OT + meta]
runicmadhamster:
You write as if PZ had meant only those guys made him ashamed.
(Perhaps so (if extremely unlikely), but it’s not what he actually wrote — and it’s a weird perception)
I have now clarified it for you; specifically, saying X makes one Y doesn’t entail that there is no Z that also makes one Y.
*hands over a beltsander* need a trim?
Thank you, Ichthyic
any time.
;)
…regardless of the point you wanted to make, the way you made it was in the form of a fallacy.
can you not see that?
Bye FTB. The actual bloggers are decent but commenters are rude, impolite and remind me of the youtube commenters. Cya and have fun.
Yes, of course, we’re all terrible, horrible people.
*eyeroll*
Level of difficulty for this flounce, .5, 0 for style, 0 for flare, -.5 technical for “cya”, the only thing that can save this flounce is to stick it. We’re all pulling for you!
hacking web cams……how mid 90’s……everything old is new again….soon i predict some enterpising lass or lad will “discover” all of that yummy unused space in the various bios that can be used for all sorts of fun things. gotta love those firmware updates.
Yeah, because not being popular means that no one will try, instead of, say.. trying anyway, because its interesting to figure out. Also – not popular on desktop is not the same as “not popular at all”. Most people don’t have a clue how much now does run on Linux.
Finally – Even new Win7/Win8 machines are, for the most part, probably run “in” admin mode. Why? Because trying to install shit, or change things, or do a lot of stuff, or just use the bloody machine, in some cases, with it running in “protected user” mode.. is a pain in the ass, and then, since Windows is just adding a lot of extra crap on, to try to pretend it is running protected, instead of truly using a Linux/Unix security model, there are ways to escalate permissions, even when its not running as root/admin.
A properly secured Linux machine, even if you target its software, and ports are allowed open, instead of the OS itself, is pretty damn hard to break. Usually, when someone does, its because it was configured wrong, by someone that didn’t understand what they just opened, installed, or changed, and why it was there in the first place. Even then, usually, it will only compromise the “user” account, not the entire machine. In short, with Windows, you just have to be dumb enough to click a link, and, maybe not even be running in “user” space. With Linux, the guy that installed your OS had to have screwed up **first** most of the time, to leave you where you can get hit, and then they would have to screw up really, really, badly, to kill the machine, not just the user.
(Contrast this with, again, Windows 7/8, where, apparently your user profile can be corrupted, so if you never installed a repair admin account, or made a new account, or enabled the “default” admin account, you machine won’t boot into a functional OS, where changes are permanent, but leaves you, like my dad’s comp for a while, until we got lucky and where able to step back through recoveries, to find a working state, in one where “all changes” are lost, the moment you shut the machine down, including any changes you might have made to system files, in an attempt to fix the problem that is keeping you from booting into the OS… o.O Ugh..!)
Android is a stripped down hybred, so.. who the hell knows how much of the kernel is there, what the security actually looks like, or if they even bothered with any, beyond the theory that, “If they can’t root the thing, we don’t need to worry about anyone finding security holes.”
The biggest problem with software development is that the faster they get a new product out, the more they lead the competition and the more money they make. Unfortunately, security testing is considered a last step for many software development programs, and often gets shortchanged in the rush to market. Since the public is now accustomed to security patches, leaving security holes to catch later is accepted.
Adding security after the fact doesn’t work. The government tried this early on, giving a product to red teams to break and then fixing the holes found. The problem is, they kept finding holes. Security has to be a fundamental part of the design; you can’t patch it in later and fix all the problems. The commercial software industry moves fast however, and in too many cases will not invest the up-front time and effort to design in the needed security.
NOOOO!!! don’t go runichamster!
*sob*
zzzzz
ah, I’m over it now. who was runichamster?
nice strawman.
did I ever say Linux was never attacked?
not hardly.
yeah, if you have no fucking clue what you’re doing.
go figure, that’s the same for ANY operating system.
run along.
“I don’t see Microsoft implementing a proper file permissions system.”
Define “proper file permissions systems”, please.
Thanks!
“A properly secured Linux machine, even if you target its software, and ports are allowed open, instead of the OS itself, is pretty damn hard to break.”
You see, the trick is getting the user to run something on their computer.
All the security in the world won’t help there.
Or did you (and all the Windows bashers) miss this part of the article
“ratters simply need to trick their targets into running a file. This is commonly done by seeding file-sharing networks with infected files and naming them after popular songs or movies, or through even more creative methods”
And this it the crux of the problem: get the user to do something they shouldn’t.
Runicmadhamster made one (stupid) comment, got two negative replies, and now all FtB commenters are “rude, impolite and remind [him] of the youtube commenters”? Wow. That is one especially delicate little flower.
Kagehi:
Nobody, of course. Nobody would dream of taking a look at the AOSP source code for themselves.
No. The NSAhasn’t taken the slightest interest in making it more secure. Google wouldn’t dream of rolling out new versions with
SELinux features enabled.
Granted, the device manufacturers and telcos add all kinds of crap which isn’t open-source, and actually enabling some of the security features would make users’ lives fractionally more difficult, so there are plenty of security loopholes left. But claiming it must be insecure because we don’t know what’s in it and nobody cares is just … silly.
No, but you implied, incorrectly, that it is just as full of holes. Its not, since, as someone else put it, its not being, usually, shipped out without making sure the security works in the first place, and the rest secondary.
Oh, yeah, not a clue…
Which, under linux, usually, means – 1. Intentionally enabling run permissions on a file that you got via some method other than a repository, 2. intentionally executing a make file, then running the resulting application, assuming that there are no dependency issues, and, for it to do anything to any part of the OS, other than the user, intentionally executing commands to run the resulting application as a root process, since, by default, this isn’t allowed. Oh, right.. and, its a bit more complicated than even that for a normal user to install a kernel extension i.e. “driver”, which is what these things need to be able to do, to some extent, to get proper control over the system.
Under windows, even in user mode, executable files are ubiquitous, so no make files, they are “allow me to run” by default, and in fact, there is no way to even prevent code execution on anything that can execute, and, at worst, it might tell you that its wants to make some changes to the OS, and possibly ask you for the admin password, if it needs to do so, which, under Windows, a visualization program **might not even need to have access to**, to either a) gain control of the user account, and/or escalate to higher privileges.
It is, in other words, not “secure” in the same sense, and, as such, amounts to little more than something in the way of people trying to do “normal” things, never mind stupid ones, which are all too easy to do, since there are no safeguards, still, to even prevent scripting from running, if in an email, never mind any place else (the root cause of the recent Java scare, where security flaws in that allowed installation of dangerous malware – on Windows, but not linux). Noting of course that something like no-script in firefox doesn’t exactly “prevent” that, other than by disallowing the javascript needed to load and execute the pull java app (those being two entirely different things). Under linux… such an app, at least in principle, would not be “run enabled” either, so turning on the javascript wouldn’t automatically execute the app (presuming the app could then, under linux, even do anything).
I read stuff on hacker sources, out of just general interest in how some things work, and pretty much all of them are in agreement that, unless someone intentionally screwed something up, the avenues of attack on a linux system are just.. not that easy, and even getting someone to, “do something they shouldn’t”, tends to be harder, more complicated and/or not all that feasible. I would tend to take their word on it more than people that think its just “Windows bashing”.
Oh, right.. And.. there is a huge difference between, “configured wrong to start with, even/especially in pre-installed copies on new machines, because, by default, some settings are ‘off'”, and, “configured wrong because my boss told me to set it up wrong, and/or disable things that are in fact on, by default.” Just saying…
Kagehi
[skipping the rest of the Gish gallop]
I don’t understand your problem with make. It’s just a tool for ensuring that other tools like compilers, and linkers get invoked in the correct order. Windows (out of the box) doesn’t have make because (unlike Linux) it doesn’t leave dangerous tools like compilers and linkers lying around. Just saying…
carlosda fonseca:
Something like this, perhaps?
File attributes include access control lists by user or group with separate settings for Full Control, Modify, Read & Execute, Read, Write, List Folder Contents, Traverse Folder/Execute File, List Folder/Read Data, Read Attributes, Read Extended Attributes, Create Files/Write Data, Create Folders/Append Data, Write Attributes, Write Extended Attributes, Delete Subfolders and Files, Delete, Read Permissions, Change Permissions, Take Ownership (and more).
Orthogonally to that, the rights of individual users are controlled by group policy settings.
Perhaps someone should point out that the Windows 20xx/NT/XP/Vista/7 family is almost, but not quite entirely, unlike the 3.5/95/98/ME family in all respects except appearance?
@richardh #144
I don’t get it, it seems you’re describing the ACLs that NTFS — the Windows NT File System — has…
Are you insinumicating that Windows NT (including Vista/7/8) does in fact have “proper file permissions”, and has had them for almost 20 years now?
That can’t possibly be, I mean, arey you implying that every Linux fan that as claimed that Windows doesn’t have “proper file permissions” has been wrong all this time?
Well, I’m shocked!
carlosda fonseca:
I used to, but I had to stop when the wheels fell off.
I believe there’s a swooning couch in one corner of the Lounge. Check your USB for smelling salts.
Wait.. You think I am talking about a “problem” with it? Lets be clear here, the only mention I made of it was that its semi-plausible that someone would, under linux, need to “install” something via make, due to the code not being already compiled, where as, with Windows, this almost never happens, since, as you point out, they don’t bother even giving you tools ***period***, safe or otherwise. I know, however, of no instance where anyone has ever had a situation in which make, or the compiler tools under linux, have ever been linked to viruses, or malware either, so.. dangerous? what danger?
As to the other reply to me… Show me where Windows actually comes configured, or ever has been, even under the supposed “new” file systems, so that applications, scripts, etc. are “not automatically run, until you expressly tell the OS to allow it”, and, no, I don’t mean, “If you try to run it, it will ask you.”, since that is a bit, for most users, like asking them, “Please click this button to continue.”, with or without the dire warning that its going to “modify their machine”. Oh, and, you can turn that warning off, so, obviously, its not the same thing as, “don’t execute”, which has to be turned on/off on a “per file” basis, in most cases.
Still, I do find it funnier than heck that Windows is more likely to be hacked anyway, despite the fact that it comes with ***nothing at all*** in terms of “dangerous tools”, but linux has more than you can shake a stick at, and yet, somehow.. you still find vastly fewer “successful” attempts, even when such attempts are made, to break it. Unless, of course, as has been pointed out, someone strip mines it, and guts all the stuff out of it for security, making it “just like Windows”, where nearly everything is either sub-par, i.e., the firewall which serious people replace, to the non-existent tools to protect it from things the firewall won’t.
I didn’t understand why you brought it up at all. It’s irrelevant to your argument.
Sorry, I should have put “dangerous tools” in scare quotes, or something. Sarcasm doesn’t travel well on the interwebs.
Unless you use Group Policy, particularly its Software Restriction Policies, of course. It’s not difficult to restrict execution to executables from specified protected directories, or even files with specific checksums.
But more to the point: when you say “vastly fewer”, “more likely”, “nearly everything”, “sub-par”, it would really help if you could quantify those terms (noting the distinction between relative and absolute statistics) and substantiate your numbers e.g. by referring to online databases of vulnerabilities. Otherwise it just reads like hyperbole.
OK.. Fair enough. As soon as I find actual statistics indicating clear vulnerabilities in linux… lol Seriously though, its hard to use “precise” details when there is virtually no cases, outside of dumbed down OSes like Android, available to make a comparison. The argument from popularity just doesn’t fly for me. Windows desktops may not have ever become absolutely huge, but linux is used on, statistically, far more web servers, and other types of machines, except where it isn’t, and, there are good odds that when one of those servers gets hacked, it will turn out to have been a Windows machine. Not always, since it is possible to misconfigure, say, SQL, and thus end up allowing someone to pull up data that shouldn’t be allowed, but that isn’t an OS issue, its a DB issue, and outside the ability of the OS to protect, pretty much by definition.
Heck, just trying to search google on “statistics hacked servers” gives you… link after link to “Battlefield 3”, not actually information. Changing the query a bit doesn’t help. Its a bit hard to be “precise” about this, instead of relying on, as I said, the opinions of the hacker community, who are the ones both trying to break, and sometimes find and fix, problems, when they just isn’t any obvious data. All I do know is, almost invariably, every time I hear a news report, which goes into any clear details, about what OS was running on the server that got nailed to break someone’s services, they say, “The machine running Windows”. Heck, one Arizona grocery company recently had a major breach, involving datalogging, which stole, in real time, credit card transaction data from their servers, for hundreds of customers. Less than a week after this, I noted that the place I worked at, with the exception of some machines in a locked office, which don’t tie directly into the transaction system, everything from the check stands to the main servers where “booting” into IBM 4760, or something like that, instead of Windows, like they had previously. It might be just a coincidence, but then.. it might not.
“they don’t bother even giving you tools ***period***, safe or otherwise”
I’m pretty sure that dev tools aren’t safe, by definition.
And you can easily get free versions of Visual Studio or, if you don’t like Visual Studio and would rather use your favourite editor, you can get the Windows 8 SDK for free that does in fact include the make tool.
Kagehi:
FTFY. LOL indeed.
You do understand that comprehensive lists of “vulnerabilities” does not mean “severe”. If the vulnerability is something that doesn’t compromise the core of the OS, just the user, that is a very different thing than the far more common, “You can escalate this to root, under Windows”, which happened so often, for such a long time. But, yeah, lets not nitpick over what “vulnerability” actually means, there is no “real” difference between having a stray cat in your house, and a rattlesnake, both are, like with vulnerabilities, “Invasion by animals”.