Joseph Crawford - Latest Comments in Scary iSight Trick | Joseph Crawford

Re: Scary iSight Trick | Joseph Crawford

Giovanni — Thu, 24 Jan 2008 00:08:03 -0000

hi my name is giovanni and my highschool has distrubited laptops to all of its students i was wondering if u could put this hack on my myspace for me because i cant do it on my own we dont have the dev. toolz please email me and let me know how u feel about this..

Re: Scary iSight Trick | Joseph Crawford

Joseph Crawford — Tue, 20 Nov 2007 18:52:25 -0000

It looks to me like Leopard has fixed this so it can no longer be used... bummer it was cool while it lasted lol.

Re: Scary iSight Trick | Joseph Crawford

Joseph Crawford — Fri, 28 Sep 2007 15:15:40 -0000

I have fixed the video :)

Re: Scary iSight Trick | Joseph Crawford

Joseph Crawford — Wed, 18 Apr 2007 21:48:08 -0000

Yea my site got messed up and I didn't notice this was not working, I will have to get this working again. Thanks for pointing this out.

Re: Scary iSight Trick | Joseph Crawford

Jay — Wed, 18 Apr 2007 16:23:41 -0000

I now notice that the iSight pictue does not show up (Running Safari on my MacBook and iSight is not in use).

Perhaps the 10.4.9 update corrected this "security flaw"?

Re: Scary iSight Trick | Joseph Crawford

Joseph Crawford — Sun, 14 Jan 2007 23:54:24 -0000

Hello,

Honestly I would not be your best bet for advice here, maybe someone else who has commented on this post could help out.

Although it just looks to me like they are showing their video locally (could do it with iChat even) and screen casting it so that it is captured inline with what they are doing.

Re: Scary iSight Trick | Joseph Crawford

Lou Ordorica — Sun, 14 Jan 2007 18:44:14 -0000

Joseph,

I'm looking for a way to show a small, borderless live video window to use in screencasting. The idea is to record the presenter while he is demonstrating software. Here is rough example:

http://mediacast.sun.com/sh...

Would you know how to do this without using a clunky Quicktime preview window?

Thanks

Re: Scary iSight Trick | Joseph Crawford

Joseph Crawford — Fri, 12 Jan 2007 08:04:22 -0000

Thanks for all of the comments guys, I appreciate the feedback

Re: Scary iSight Trick | Joseph Crawford

Leo — Mon, 18 Dec 2006 05:26:39 -0000

I found this info very interesting and useful. Thanx a lot.

Re: Scary iSight Trick | Joseph Crawford

Booperkit — Thu, 14 Dec 2006 11:53:14 -0000

Are there any patches that allow this to work with 10.3.9? Any ideas?

Re: Scary iSight Trick | Joseph Crawford

Joseph Crawford — Mon, 04 Dec 2006 13:20:40 -0000

What do you want to turn off?

Re: Scary iSight Trick | Joseph Crawford

Fanoo — Mon, 04 Dec 2006 13:09:08 -0000

And how do you turn it OFF ?

Re: Scary iSight Trick | Joseph Crawford

Security is Not Just Technolog — Wed, 15 Nov 2006 07:17:41 -0000

Judging by the number of posters that find this scary, I think that one can safely conclude that this trick could be used to "Socially Engineer" an exploit. For example, someone could be convinced that you have video of them doing something embarrassing and that leads to blackmail.

Re: Scary iSight Trick | Joseph Crawford

Bill Mead — Tue, 14 Nov 2006 23:17:05 -0000

The only scary thing about this is that it is a picture of me. Whoa! who is that big fat bald guy? Oh its me!

Re: Scary iSight Trick | Joseph Crawford

Guest — Tue, 14 Nov 2006 17:59:27 -0000

Murdoch,

Except that's not what's happening, because that's not what this does. And if what you said were happening, it would be ridiculously easy to see outbound network connections being made, whether by wired, wireless, or any mechanism. That can't be hidden.

This trick CANNOT BE USED REMOTELY, BY ANYONE.

Dave Schroeder
das@doit.wisc.edu
http://das.doit.wisc.edu/

Re: Scary iSight Trick | Joseph Crawford

Murdoch — Tue, 14 Nov 2006 13:46:17 -0000

It's weird that I see this now here for the first time, 'cause I just had a dream 2 or 3 days ago that Apple was actually working for some secret agency like the CIA. And all the macs had an iSight now so they could spy on people cause they had access to all of them through some software available only to them. :(

Re: Scary iSight Trick | Joseph Crawford

Godrifle — Tue, 14 Nov 2006 09:54:53 -0000

Check out this version, which also uses your microphone: http://www.uccs.edu/~cbrewe...

Re: Scary iSight Trick | Joseph Crawford

Guest — Tue, 14 Nov 2006 09:49:02 -0000

Jules,

That wouldn't be possible since there's no way to use this remotely.

You could, however, instruct the person to take their own picture with their iSight (e.g., with Photobooth) or other camera and upload it...

There no special way to "use" this in the way you describe just because it happens to be in a web page. I want to make this clear, because if people think that what you describe is possible, then there are ways to abuse it. (See my previous messages.)

Dave Schroeder
das@doit.wisc.edu
http://das.doit.wisc.edu/

Re: Scary iSight Trick | Joseph Crawford

Peter Morgan — Tue, 14 Nov 2006 08:14:44 -0000

Wow, you can display a local feed from an isight. So what.

Re: Scary iSight Trick | Joseph Crawford

Iain Anderson — Tue, 14 Nov 2006 07:08:11 -0000

That's not scary. This iSight Trick is scary:

http://funwithstuff.com/blo...

Re: Scary iSight Trick | Joseph Crawford

GillesB — Tue, 14 Nov 2006 06:31:44 -0000

A piece of tape is enough to disable it!!!

Re: Scary iSight Trick | Joseph Crawford

Jules — Tue, 14 Nov 2006 06:23:23 -0000

Awesome !!
Would be cool to have the possibility to take a snapshot so this trick could be use, for example, on user registration : user could add a picture to his account.
Just show the user face, then user click on "take a photo" then the photo is uploaded and added to his account , in his prefs.

Cool stuff !

Re: Scary iSight Trick | Joseph Crawford

Crazybitch — Tue, 14 Nov 2006 05:43:54 -0000

Huh.....I have an iSight but it doesn't work. I see no picture, and my iSight is still off.

Re: Scary iSight Trick | Joseph Crawford

Joseph Crawford — Mon, 13 Nov 2006 16:59:21 -0000

Dave,

Thanks for explaining that.

Re: Scary iSight Trick | Joseph Crawford

Guest — Mon, 13 Nov 2006 16:54:18 -0000

Rich,

You are correct that, if anything, this is a reminder that cameras without physical shutters, or the fact that cameras cannot be physically disabled or omitted in the latest iterations of Apple's products. It's also a reminder that if a machine were compromised, an attacker could potentially have control over the camera (as well as anything else), which could cause a variety of problems for secured environments (not to mention personal ones ;-).

But to be clear, this particular demonstration doesn't make such a compromise easier or possible. It merely serves as a reminder that such a compromise, in which an attacker had full remote control over the machine and could do anything with it anyway, could also use the camera.

Joseph,

As far as screenshots are concerned, a screenshot would still have to be taken, and then uploaded somewhere. Again, that is not possible unless it would be via some other mechanism of compromise. It's important to understand that this Quartz-Composer-in-QuickTime-embedded-in-a-web-page trick doesn't make any possible exploit that could take advantage of this easier.

Now, if there was some remote exploit where an attacker could take a screenshot of a web page and upload or capture it somewhere (which currently doesn't exist and I don't see how would be possible, but seems to be what a lot of people are saying), then, yes, this could be interesting. But the point is, some other MAJOR exploit is required to take advantage of this in any way. And if someone already had access to your machine in that way and wanted to use your camera, they're not going to trick you into going to a web page with a Quartz Composer movie in it - they're just going to use your camera. ;-)

The reason why this is "scary" is because you're seeing yourself on a "web page". But in reality all that's happening is you're seeing a QuickTime movie that happens to have an action to display a locally attached iSight that is embedded in a web page. There is no inherent security risk, real or perceived, from even turning on your iSight in this fashion. A security risk would imply and require that it could be used for something improper or without your knowledge, and it cannot.

Saying that it "turns on your iSight without your permission" is like saying that a web page is displaying text "without your permission." There is going to be this strong urge for people to say, "But...but...it's a *camera*! This *has* to be bad somehow!" But in reality, it's not. It's just a nifty trick with no security implications, which is why it's been around for so long, and even Apple itself has demonstrated how this could be done. It's the idea of seeing yourself unexpectedly on a "web page" that's startling.

Now, I will fully agree that iSights and Apple's integrated cameras should have physical shutters or the ability to be physically disabled and/or omitted completely from orders (particularly for government/military applications), but that is another issue altogether.

Also, using this trick to turn on someone's iSight might be a neat trick, but it's somewhat disconcerting. While it may be rude, as long as one understands the technical details of what is actually occurring, that's all that it is: rude. But definitely not a security risk.

Regards,

Dave Schroeder
das@doit.wisc.edu
http://das.doit.wisc.edu/