Website Peeps Into 73,000 Unsecured Security Cameras Via Default Passwords
colinneagle writes: After coming across a Russian website that streams video from unsecured video cameras that employ default usernames and passwords (the site claims it's doing it to raise awareness of privacy risks), a blogger used the information available to try to contact the people who were unwittingly streamed on the site. It didn't go well. The owner of a pizza restaurant, for example, cursed her out over the phone and accused her of "hacking" the cameras herself. And whoever (finally) answered the phone at a military building whose cameras were streaming on the site told her to "call the Pentagon."
The most common location of the cameras was the U.S., but many others were accessed from South Korea, China, Mexico, the UK, Italy, and France, among others. Some are from businesses, and some are from personal residences. Particularly alarming was the number of camera feeds of sleeping babies, which people often set up to protect them, but, being unaware of the risks, don't change the username or password from the default options that came with the cameras.
It's not the first time this kind of issue has come to light. In September 2013, the FTC cracked down on TRENDnet after its unsecured cameras were found to be accessible online. But the Russian site accesses cameras from several manufacturers, raising some new questions — why are strong passwords not required for these cameras? And, once this becomes mandatory, what can be done about the millions of unsecured cameras that remain live in people's homes?
Ethics (Score:4, Insightful)
Just because a door is unlocked does not mean you may walk inside, even if it is to tell the owner their door is unlocked.
Re: (Score:2, Interesting)
I'm sure the 3 letter agencies of your country share and honor your view on the ethical methods of spying
Re: (Score:3, Interesting)
and local law enforcement
Re:Ethics (Score:5, Interesting)
How would a good person inform the owner that their door is unlocked if the only way to contact them is to walk inside? Or is the correct response to just walk away [wikipedia.org]?
Re: (Score:3)
How would a good person inform the owner that their door is unlocked if the only way to contact them is to walk inside? Or is the correct response to just walk away
Better have a good reason for being there on their property in the first place. And how would you discover the door was unlocked, unless it was left open?
Ring the doorbell wait five minutes.
Go talk to one of their neighbors. Don't enter the building alone if you are not an associate or good acquaintance of the owner.
The owner probably has
Re: (Score:2, Insightful)
A camera is not a private residence. Aside from legitimate cams intended to broadcast publicly, going inside a public or commercial building where a door is unlocked or the entry code is publicly known is completely legal and legitimate. In the case of cameras you don't know what it is until you enter, until then it's reasonable to assume it's a public/commercial camera. Once you learn what it is you should exit if it's reasonable for them to expect privacy and alert someone if it's intended to be secure
Re: (Score:2)
On the contrary, if you don't know what it is, it is *not* reasonable to assume it's a public/commercial camera. If you assume it is you could do something wrong. If you assume it is not, you can't do something wrong (as not accessing is never wrong).
Re: (Score:2)
Re: (Score:3)
It's broadcasting on the Internet. Assuming it's intended to be public is exactly as valid as assuming a website is intended to be public.
Re: (Score:3)
What you describe is not a free society. It is trespassing and unauthorized access. I'm not saying you can't find some cool stuff if you dig around, but don't fool yourself into thinking you are free to go anywhere you want as long as the door's unlocked.
Luckily I live in Canada where fraudulent intent must be proven and that I do not have any colour of right when it comes to "unauthorized access"
Trespass is provincial and in my province the property "that is enclosed in a manner that indicates the occupier’s intention to keep persons off the premises or to keep animals on the premises." must be met - otherwise I am free to enter until I'm told to leave.
Re:Ethics (Score:4, Informative)
There looks to be 255 'territorial' top level domains [slashdot.org] ("country code" TLDs) - not all of which are acknowledged as countries in say, the UN.
That 255 includes: .zr, .an, .cs, .dd no longer exist as countries
1 for European Union
1 for Antarctica
2 for Russia
2 for East Timor
2 for UK
yu,
a crapload of administrative/dependent territories that are inconsistently applied. ie: Canada's "territories" do not get TLDs but similar entities in other countries do.
Re: (Score:2)
The second one.
The first is a good way to die of justifiable homicide everywhere I've lived.
Re:Ethics (Score:5, Interesting)
Re:Ethics (Score:4, Insightful)
To be fair, the Russian website isn't streaming the videos any more than TPB is hosting copyrighted material.
The Russian website has a lot of IMBED tags and links, I imagine.
Re: (Score:2)
also embed :(
Re: (Score:2, Insightful)
WHAT?! You don't seriously want the world's AIs to learn about the world solely from 4Chan and wikipedia, do you? Yootoob user comments are probably what finally convinced skynet to off Mankind.
Like the issue with automated license plate readers, this is another case where something is of little concern when it has to be done manually, one item at a time. But when you automate the process and can grab data on everyone with a click of a button, then you should
Re:Ethics (Score:4, Insightful)
Just because a door is unlocked does not mean you may walk inside, even if it is to tell the owner their door is unlocked.
No, but it also doesn't mean you're not an idiot for not locking your door.
Blame is not a limited commodity - you can add blame to the idiots who don't take precautions without removing any blame from those who break in. Point fingers in both directions. The breaches are a cooperation of the idiots and the outers.
When and why did being an idiot become a right?
Re:Ethics (Score:4, Informative)
When and why did being an idiot become a right?
It's right there in the Declaration of Independence [wikipedia.org] (for people in the US anyway) -- "Life, Liberty and the pursuit of Happiness" -- and ignorance is bliss (or so I've heard...)
Re: (Score:2)
I know you are joking, but the line was plagiarized/borrowed. The original line was "life, liberty, and the pursuit of property". But it wasn't simply about the right to accumulate a bunch of luxuries; in context, it was referring to the pursuit of things that are somehow relevant to a satisfying and productive life. So it would be the right to pursue home ownership for your family, maybe fields for farming, and for many ./ers, it would be the right to accumulate gadgets, for the musically inclined, the rig
Re:Ethics (Score:5, Informative)
I know you are joking, but the line was plagiarized/borrowed. The original line was "life, liberty, and the pursuit of property". But it wasn't simply about the right to accumulate a bunch of luxuries; in context, it was referring to the pursuit of things that are somehow relevant to a satisfying and productive life. So it would be the right to pursue home ownership for your family, maybe fields for farming, and for many ./ers, it would be the right to accumulate gadgets, for the musically inclined, the right to procure instruments, etc. It doesn't take much of a stretch to go from this sort of enlightened satisfaction, to calling it merely "happiness" for simplicity.
Take it from someone who, at 51, is debt-free, has a net-worth of almost $2M, but lost his wife in 2006 after 20 years together, "property" does not make "happiness". Though having "things" might make your pursuit of satisfaction and/or productivity (whatever that means to you) easier, property is a means to an end. Happiness is something you realize from within and, possibly, experience with someone else.
Even after 20 years together, Sue and I held hands wherever we went - I miss that and nothing else I have can, or could ever, compensate for losing her. Remember Sue... [tumblr.com]
The line is better written as, "the pursuit of happiness."
Re: (Score:3)
...Blame is not a limited commodity - you can add blame to the idiots who don't take precautions without removing any blame from those who break in....
Using your logic, if someone uses an armored vehicle to break down the door and go into someone's house, then the homeowner is to blame because he did not have a door lock strong enough to stop an armored vehicle.
Re: (Score:2)
Using your logic, if someone uses an armored vehicle to break down the door and go into someone's house, then the homeowner is to blame because he did not have a door lock strong enough to stop an armored vehicle.
There's a "reasonable" part to "reasonable precautions". I know, "reasonable" requires an ability to reason.
If armored vehicles become a problem, putting up Czech hedgehogs is a reasonable precaution. If contact spreading diseases become a problem, a reasonable precaution is to wash your hands, even if it won't stop everything. If bike theft is a problem, using a bike lock is a reasonable precaution, even if it won't stop a thief with a high speed diamond saw.
And, by Babbage and Hollerith, attacks on Int
Re: (Score:2)
And now we get into the differentiations between "normal care", "prudent care", "stupid behavior", and "paranoid preparedness". Unfortunately the boundaries are subjective.
As well they should be. Humanity and its wonderful inventions and fads change, and not being flexible and expect common sense is a big drawback of common law versus civil law, and the societies that think in absolutes.
Re: (Score:3)
People might be idiots for not understanding that the world is full of terrible people and they need to go out of their way to protect their privacy from criminals, but victim blaming and shaming especially after the fact is not right.
Why not? It doesn't absolve the terrible people from their deeds.
We need to shame those who have something to be ashamed of regardless of whether they're victims or not.
That someone became a victim is sad, but does not in any way mean we cannot criticize them like we can criticize non-victims. If two people don't lock their bikes, and one of them gets stolen, we should not only be able to criticize the guy who did not get his bike stolen. Whether he's a victim or not doesn't change whether he's an idiot.
Re: (Score:2)
Your analogy does not work unless you want to claim that everyone with a Diebold lock is issued the same key. It is not breaking in, it's looking in a windows lacking shutters. If you, as an adult, see a crowd of kids watching someone undress in an open window you have 3 options.
1. Ignore it. Kids are still going to peek, so IMHO you are a douche for ignoring it.
2. Tell the person "Hey, you may want to close that blind when you're changing because kids are peeking". This seems to be the most rational an
Re: (Score:2)
What about if the lock, upon installation, begins screaming "EVERYONE HAS A COPY OF THE DEFAULT KEY!!! MAKE A NEW ONE NOW!!!" But the person chooses to ignore it?
Re: (Score:2)
Just because a door is unlocked does not mean you may walk inside, even if it is to tell the owner their door is unlocked.
This is a good analogy, because it is impossible to tell if a door is unlocked (or if a camera has the default username/password) without trying to open the door.
So, what your advice boils down to is that you never can accurately inform someone their door (system) is unlocked..
Re: (Score:2)
They aren't really doors you know. They are cameras hooked on the Internet I assume.
Now, to be easily accessible with default credentials, wouldn't they have to have a public IP address with an open port?
Otherwise, I wonder how those guys got behind so many routers. Plug and play that requires a specific port on the router public IP?
I have a hard time imagining that all those cameras would have their own dedicated public IP.
Re: (Score:2)
An internet-connected camera left on publicly known default credentials is nothing like an unlocked door.
Rather, it's like a wall-sized window on the first floor facing the busiest street of the busiest city on the planet, with the shutters wide open.
Re: (Score:3)
How is this modded +5 or insightful? It's neither. Why are we still comparing locks and doors in meatspace to virtual servers and ports and IP addresses on a globally-interconnected network of computing nodes and electronic resources? They are nowhere near the same thing. When you advertise and/or broadcast a service on a given port and on a given IP-address, you can rest assured that unless it is properly secured, anyone and everyone will access it and utilize the resources it provides.
In most cases, t
Re: (Score:2)
Why the flying hell would anyone not put a strong password on something that's constantly streaming video of inside your house?
The product manual probably does tell the owner to set a password, but most people do not read the manual as most people do not read an EULA before clicking to say that they agree to it. The vendor might be able to make setting a password one of the set-up steps, but if they did they would greatly increase the number of support calls that they get when people forget them. Even if users set passwords: most of them would be trivial or the same one that they use for their on-line banking.
try telling this to old people (Score:5, Interesting)
my father in law went to the at&t store with help on his wifi only ipad. he's totally confused by the need for an itunes store account password, wifi password on his home wifi and wifi passwords at other places
Re:try telling this to old people (Score:5, Insightful)
Tell him they're like keys on a keyring. You need a different key to unlock your desk draw even after you've unlocked your house. And when you go to someone else's house, your key doesn't work for them.
People buy stuff without understanding is... (Score:5, Informative)
Film at 11...
The truth is, many people are using technology today without really understanding any of it. Even my own wife is pretty gumby with computers, if I wasn't there to do something about it, I have no doubt they would be full of malware and viruses.
To quote my own Mother, "I don't want to learn all that technical stuff, I just want to use my computer".
Yea, I have to say, I have to clean her machine off of crap every year. Every time I go over there, Internet Explorer has 5 or 6 toolbars installed because she clicks on everything.
And no, she won't let me restrict and lock down the machine, I've tried that.
Re:People buy stuff without understanding is... (Score:5, Insightful)
To quote my own Mother, "I don't want to learn all that technical stuff, I just want to use my computer".
That sounds like "I don't want to learn all that traffic stuff, I just want to drive on the highway."
It might be better if there were two classes of devices, one run by others for them, and ones you drive yourself. All some people need is the equivalent of public transportation. We don't let people drive cars or fly planes without some basic skills, and while most don't get good at it, at least good enough to not be an instant hazard for everybody else.
Re: (Score:3)
It might be better if there were two classes of devices, one run by others for them, and ones you drive yourself.
Apple vs Android.
Windows vs Linux.
Self driving cars vs stick shifts.
etc, etc.
Re:People buy stuff without understanding is... (Score:5, Insightful)
Because you can plow your computer into a sidewalk full of pedestrians. Totally great analogy, that.
Yes, you can. Your computer can be used as a base for attacking critical infrastructure, because you allowed it to be.
Or you let someone get to your credit card information so you can't afford medication a week.
Or your router gets disabled so you can't dial for help through your IP phone.
Or someone finds classified information on your PC and uses it for nefarious purposes costing lives.
The possibilities are there. Bits and bytes can kill people these days.
Re: (Score:2)
People want their computers to be like their cars.
They don't want to know what is happening under the hood. They just want to drive it.
I find most computer guys are like car guys, they assume that everyone should know how the engine works, or should at least care.
Nope, they want it to turn on every morning, take them where they want to go, and shut down at the end of the night without ever knowing what makes all of it work.
Re: (Score:3)
People want their computers to be like their cars.
They don't want to know what is happening under the hood. They just want to drive it.
Yes, and frankly, I think that is why so many iPhones and iPads have been sold.
Technical people look at those and say, "oh my god, a locked down inferior device that costs more, who wants that crap".
You know what? A lot of people do... How many? About a billion... That's right, between all the models of iPhone and iPad, about 1 billion of them have been sold, give or take a bit...
Clearly a lot of people DO want that...
If Microsoft sold a locked down version of Windows, I think people would actually buy
Re: (Score:3)
Because you can plow your computer into a sidewalk full of pedestrians. Totally great analogy, that.
Unwitting user clicks on a cute link that installs malware on the system to turn it into a zombie for a botnet. Unwitting user's system is now participating in an attack that drains hundreds of millions of $$$ from the bank accounts of tens of millions of people that now have lost all their life savings (somewhat similar in outcome to the damage caused by driving on a NYC sidewalk)... all because they followed the cute instead of paying attention what they were doing and following the rules of the Internet
Re:People buy stuff without understanding is... (Score:5, Insightful)
Many people look at computers as if they are appliances. You don't need to know how to configure your toaster. You just plug it in and toast your bread. You don't need to edit some config file to make your refrigerator keep your food cold. Any "settings" come in the form of easy-to-read dials or buttons. Turn the dial on the stove and the heat goes on/up. Turn it the other way and it goes off. There's a group of people who expect computers to act like this. Unfortunately, computers are far more complex than any fridge or stove - especially once you go online and you are opened up to all of the security issues that this entails.
Re: (Score:3)
They could be made simpler by designing and creating applications, UIs and features which "do one thing but do it well".
There's little incentive to do so, though, although I have to say that smartphones got there already, more or less.
Agreed, except (Score:2)
the "unfortunately" part. A machine that effectively extends human intelligence and communication beyond its natural limits, among other things, can't be toaster-level stupid while maintaining its vast flexibility.
I think dumbing it down would cost functionality (as well as jobs, like mine ;)).
Re: (Score:2)
I meant unfortunately for the person who was operating a computer while expecting a toaster level of complexity.
Re: (Score:2)
Routers went through this at one point too. They used to come pre-configured with the username of "admin" and the password of "password" (or some variation depending on manufacturer). This meant that most people would plug in their router and just leave the defaults in place. The most recent routers I've put into place have a setup step for setting the username and password. No, it can't prevent someone from
Re: (Score:2)
There's an easy solution to that problem. Don't fix it and tell her why.
Seriously, if someone isn't willing to learn and use the most basic of computer hygiene practices, they will eventually fall prey to malware and will almost certainly lose data to hardware failure at some point. And if you're the administrator of the computer when that happens, it'll be your fault for not protecting them (at least in their eyes).
You could also try explaining it as a car analogy: e.g. "You wouldn't just hop in your ca
Re: (Score:2)
There's an easy solution to that problem. Don't fix it and tell her why.
I've thought about that... but the truth is, she's my Mom and I can't do that... She loves me, she brought me into this world, and if her one great fault is a refusal to be knowledgeable in computers, well... I'm not perfect either...
or read (Score:2)
Re: (Score:2)
It's not just an issue of understanding, it's apathy and laziness.
Yes, laziness on the part of the programmers of the device.
The default password should allow you to access exactly one function on the device: the "pick a username and password for a new admin" feature. Once that finishes, either the default password is set to cat < /dev/urandom > password_storage_file or else the default user is removed. In case you forget the username and password you set, the device can be reset to factory defaults using some sort of physical "reset" button.
Re: (Score:2)
Re: (Score:2)
To quote my own Mother, "I don't want to learn all that technical stuff, I just want to use my computer".
Computer hygiene should be taught like personal hygiene, at the school level for the kids and through other public programs to try to reach the adults and the elderly.
Yea, I have to say, I have to clean her machine off of crap every year. Every time I go over there, Internet Explorer has 5 or 6 toolbars installed because she clicks on everything. And no, she won't let me restrict and lock down the machine, I've tried that.
In case you're the one who usually buys her a computer, she's the perfect use case for a cheap Chromebook. That's what I did for my mom. I didn't really force it on her. I just bought it for her to keep next to her Windows XP laptop. Eventually, as her machine became much slower and slower, she just switched to using the Chromebook on her own.
Re: (Score:2)
Computer hygiene should be taught like personal hygiene, at the school level for the kids and through other public programs to try to reach the adults and the elderly.
Are you kidding? :) My mother turned 70 years old this year, and comes from another time...
In 11th grade, she spent her second half of the year as an exchange student in France. She sailed there on the RMS Queen Elizabeth. No, not the QE2, the original... Back then, you didn't fly across the Atlantic, you sailed...
---
Get her a Mac? Get her a Chromebook? Yea, I've thought about that. She knows Windows, she has used it for 20 years, and frankly, she doesn't want to change.
You can't help someone who doe
Re: (Score:2)
In case you're the one who usually buys her a computer, she's the perfect use case for a cheap Chromebook.
Yes, she is actually... except that Microsoft Office isn't offered on the Chromebook, neither is Internet Explorer (I've installed Chrome, she won't use it)...
She has a few small applications and games that she likes to play, while I could find similar stuff on Chrome (or Mac, or Linux), she doesn't want to change.
---
So why do I keep cleaning her machine? Because she is my Mother, I love her, and that is what a good son does for his Mother.
Re: (Score:3)
And no, she won't let me restrict and lock down the machine, I've tried that.
"Son, there's no way I'm wasting my time changing the oil in my car - you will fix the engine for me if you love me."
Place the blame where it belongs (Score:3, Informative)
Strong passwords are not mandatory because it's the responsibility of the user to read the instructions and secure the device. If they don't, they have no reason to complain. It was their choice to disregard the instructions.
A question is whether people who are that stupid should be allowed to own surveillance devices. The risk of stupid people reacting inappropriately to real situations and causing harm instead of preventing it seems rather high.
Re:Place the blame where it belongs (Score:4, Insightful)
But if a large number of users are not able to use their devices properly (ie. secure them) is that not the fault of the device maker? This isn't even about strong passwords, but just default passwords.
It's a known fact that the general public is not security conscious, and that they do not read through manuals. Shouldn't the makers of these systems work towards making some basic security the default?
The best, but not very good example is Windows. Microsoft provides lots of guidance on how not to get viruses or malware on Windows. Does that mean they get to wash their hands of anything that infects their user's machines when they open powerpoint slides from uncle Bob? Technically yes, but they do have some duty to make their product more secure because they know full well a large number (the majority) of people will click on any link that lands in their inbox.
Re: (Score:3)
No. A large number of users are not able to change oil, tires, brake pads or plugs on their cars either, and that's not the manufacturer's fault. In the case of cars, service stations appeared to fill that market, at a cost.
The problem is that people feel entitled to not bother about doing things themselves
Re: (Score:2)
I could build a device that is, by default, secure against remote intrusion. That's easy. I haven't, because the NSA wants to ban public encryption and GCHQ wants to declare all secure devices terrorist command-and-control centres. I'd rather not be a target for a hellfire missile, thank you very much.
But if I can do it, anyone with half a wit and a credit card can. It's not hard. It's not cheap, but it's not hard.
Such a device ought to be mandatory on eCommerce systems and a minimal version ought to be man
Re: (Score:2)
Instead of assuming that users will read the instructions, assume that users will fiddle with the camera they just bought until it works. If manufacturers made cameras that refuse to transmit the image without changing the default password, then users would have to change the password before it works. It's as simple as that.
Hah. You obviously don't live here in the US of wonderful A.
Here, they would take the camera back to the store, missing some small parts, not packaged back the way it was, and demand a full refund. And then buy a device that "works" out of the box without having to do something as complicated as setting a password.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Users aren't allowed to secure their own devices. Didn't you get the memo from GCHQ?
http://www.ft.com/cms/s/2/c89b... [ft.com]
Encryption and security of any kind are ipso facto creating a terrorist command-and-control centre, apparently.
What is the actual risk? (Score:2)
What is the actual risk here to those using cameras as baby monitors?
Step 1: Someone sees a baby sleeping
Step 2: ????
Step 3: Profit?
"Help! A stranger saw my baby turn over. Call the police!!!" ?
Re: (Score:2)
Step 2: Mom and dad in the baby room for a little slap and tickle
Step 3: Capture and post to redtube.com
Step 4: Profit!
Re: (Score:3)
What is the actual risk here to those using cameras as baby monitors?
Step 1: Someone sees a baby sleeping
Step 2: ????
Step 3: Profit?
"Help! A stranger saw my baby turn over. Call the police!!!" ?
You could make the rather egregious leap that it would assist in kidnapping the child (a crime) since you know exactly where/when they sleep. If someone decided to stand at the curb and look at your kid's window for an awkwardly long time, would you call the police? But yes, the baby monitor thing is just a headline-getter.
Using the cams to identify high value merchandise (certainly some of these cams are protecting things of actual value?) and also identify when no one is around, and then take the final
Re: (Score:2)
If someone decided to stand on the curb for a long time, they'd probably be reported for suspicious activity. Casing a place is a very common precursor to a break-in. I see no reason for the monitoring of a private webcam to be treated any differently in that regard.
A more likely scenario would be for a criminal to drive past at night, see the car gone, and then check the internal cameras of the house for any activity to determine if it's easy to rob. If there's no baby, there's likely no babysitter either.
Re: (Score:3)
Goes to show (Score:2)
It goes to show that, especially in the computer security world, no good deed goes unpunished. You hear about it over and over, try to tell someone something is wrong with their computer security and the instant reaction is to shoot the messenger.
Re: (Score:3)
Computer License (Score:2)
"Take it back to the store, You're too dumb to own a computer" Are these threats now as dangerous or potentially dangerous as operating a motor vehicle?
Training and License? Why not? It couldn't be any worse than it is now. I've literally had a client complaining that he couldn't get his email using Wordpad...
How dumb and negligent do we need people to be before we do something serious about this?
Spam, drive by downloads, malware. Isn't it about time we told the use
Re: (Score:2)
Re: (Score:2)
I would agree, except that most users live in outright denial, rarely (if ever) learn correctly from mistakes and frequently prefer to ignore their suffering until the harm is truly excessive.
Better critical thinking techniques need to be taught in school, along with practices that impede cognitive dissonance.
Further, there need to be recognized groups that have the authority to mentor those who aren't clued up.
Why isn't it mandatory? (Score:2)
Oh Noes! (Score:3)
Not just cameras (Score:5, Interesting)
Re:Not just cameras (Score:4, Insightful)
That's when you return it to the vendor as defective.
They get away with it because people put up with it.
Re: (Score:2)
Why not strong passwords? (Score:3)
why are strong passwords not required for these cameras?
Mainly because most programmers don't know/care about security. Security is hard even when you care (for example a default password isn't a security vulnerability if your userbase is sophisticated enough to change it, and even ssh has had a vulnerability), but if you don't care, it's impossible.
Sad but true.
Re: (Score:2)
Default, simple or non-existent passwords on consumer appliances have nothing to do with programmers. You are silly. There is another vocation called "manufacturing engineering" that might have a problem
Re:Why not strong passwords? (Score:5, Informative)
Default, simple or non-existent passwords on consumer appliances have nothing to do with programmers.
So, I had a wireless router once that would not turn on until I changed the password. It is very much a problem that can be solved by programmers.
Re: (Score:2)
Nope, programmers already have made multitudes of solutions over the years for these issues, but they are not in the manufactured products image. That is another realm, and I speak from industry experience
Re: (Score:2)
Re: (Score:2)
Why not have a default password and have it force a change at first logon? Ideally before the device can connect to the wider net, so there isn't a window of vulnerability to someone locking out the device as soon as it's switched on. Have a physical factory reset button on the device itself to deal with lost passwords. That doesn't require a sophisticated userbase.
Mind you, these cameras require the user to take steps within their home router config to allow external access anyway - they'll pick up an IP f
Re: (Score:2)
Why not have a default password and have it force a change at first logon?
It's a great idea, but it gets back to the problem of programmers not caring. Remember there are plenty of websites out there that still don't encrypt their password lists. It's really bad.
Re: (Score:2)
True. I cringe if I forget a password and the password recovery actually emails me my password rather than sending me to a link to enter a new one. Not many do that now, but at least one large shared hosting provider does and if anyone should know better...
Re: (Score:2)
Mainly because most programmers...
Programmers just implement the requirements.
Re: (Score:2)
Programmers just implement the requirements.
Then you're not a conscientious programmer.
Suitable adverts (Score:2)
I love the way the pages come with adverts for people selling CCTV cameras for the home!
Manufacturers can help make this better (Score:4, Informative)
This is because of people who are too lazy or too intimidated by technology to understand it. You buy the camera, many times you open a port on a router, but you fail to change the password. I am not going to blame the manufacturer for that.
However, manufacturers could make the default a lot more secure by using methods to randomize the default passwords of the cameras. I've set up routers where the default password is printed on a plate on the bottom (next to the MAC address and default IP). This gives you a degree of randomness and makes brute force near impossible without physical access to the device. This way, the user still has the freedom to change to a blank password, 'password' as password etc. if they choose to unprotect themselves. But the default becomes reasonably secure.
This is mostly a problem with users, but sometimes the manufacturer needs to adjust the process to help the intimidated, ignorant, or lazy user along.
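Two fixes proposed in this thread, a random per-device default printed on the label and a forced password change before the device is reachable from outside, can be combined in a few lines of firmware logic. The sketch below is an added example, not part of any commenter's post and not any vendor's code; `CameraAuth`, `factory_password`, the sample MAC address, the denylist and the 10-character minimum are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Label alphabet without look-alike characters (no 0/o, 1/l/i), easy to type.
LABEL_ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"
# Constructed sample denylist; a real product would ship a much larger one.
COMMON = {"", "password", "admin", "admin123", "12345678", "1234567890"}


def factory_password(length=12):
    """Random per-device default, generated on the production line (about 59 bits)."""
    return "".join(secrets.choice(LABEL_ALPHABET) for _ in range(length))


def _digest(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class CameraAuth:
    """Hypothetical firmware credential store for one camera."""

    def __init__(self, label_password, mac):
        self.salt = secrets.token_bytes(16)
        self.stored = _digest(label_password, self.salt)
        self.factory = self.stored  # kept to refuse "changing" back to the label value
        self.mac = mac.lower().replace(":", "").replace("-", "")
        self.must_change = True     # cleared only by a successful change

    def login(self, password):
        return hmac.compare_digest(_digest(password, self.salt), self.stored)

    def remote_access_allowed(self):
        # UPnP port mapping and cloud relay stay off until the owner sets a password.
        return not self.must_change

    def change_password(self, old, new):
        if not self.login(old):
            return "rejected: wrong current password"
        if len(new) < 10 or new.lower() in COMMON:
            return "rejected: too short or too common"
        if new.lower().replace(":", "").replace("-", "") == self.mac:
            return "rejected: derived from MAC address"
        if hmac.compare_digest(_digest(new, self.salt), self.factory):
            return "rejected: same as factory default"
        self.stored = _digest(new, self.salt)
        self.must_change = False
        return "ok"
```

A physical reset button would restore the stored hash to the factory value and set `must_change` again, so a lost password never requires a shared fallback credential.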
Re: (Score:3, Interesting)
These days when the local ISPs give out routers, there is a stamp on the router that has the default login, wifi ESSID, and wifi login. You can change these of course, but the defaults are not the same between customers.
When I set up my firewall, it *WOULDN'T* work until I first set a password. This was the very first step.
This isn't customers - many who are less tech savvy - being lazy, it's the manufacturers. There is absolutely no reason that they can't either package a unique password or simply require t
Re: (Score:2)
News Flash: (Score:3)
People are stupid. People, when confronted with technology, are triple stupid.
tempest in a teapot (Score:4, Insightful)
So... some random person somewhere... can see my sleeping baby. But they have no idea where that baby is other than the last hop out of my ISP so they might know I'm somewhere in Atlanta... or whatever. Maybe if they stared at the feed 24/7 for years I might drop my water bill in the crib before I picked the baby up so they could get my address or something... But ok, so they can see a video feed of my sleeping baby? So what?
Short of a camera pointed directly at my bed, or my toilet, I don't see how this would be that god awful. First, I'd never point a camera at my bed. Any camera. Second, someone seeing pictures of me walking around my pizza restaurant? With no address and no idea who I am or where my restaurant is? So what?!?! There are plenty of horribly invasive privacy problems out there. This isn't one of them.
Time sink ... (Score:4, Informative)
... after an hour of poking around. Nothing to see.
What is old is new again (Score:3)
2005 wasn't that long ago, was it?
http://it.slashdot.org/story/0... [slashdot.org]
Re: (Score:3)
I have printed porn images on HP printers around the world using just Google :)
Re:what's the fucking site? (Score:5, Informative)
Re: (Score:2)
That's not what the OP wanted. Specifically, which stream has teh boobies. ;-)
That would be a totally different site, myfreecams.com [slashdot.org]
:)
Re: (Score:2)
Most of these cameras ask the router to open the ports with UPnP.
Re: (Score:3)
Set the default password to be the ethernet MAC address. Problem is most of these cheap China crap cameras all use the SAME MAC address.
Just bought 6 1080P IP cameras and discovered I had issues when I powered up more than 1. I looked and all of them have the exact same MAC address. Easy enough to change if you know how in the web interface UI, but 99% of consumers would have no clue.