The funny thing is, if they had reasonably secured their webcam, this wouldn't have been that bad. It still protects them from pretty much all automated/dragnet attacks and compromised login info. And it's incredibly unlikely one would expect someone's webcam feed would contain their RSA key. And it's hard to tell whose account on what system this key belongs to.
Microsoft makes me/us do 2FA ~5-20 times a day, doesn't support U2F and implements 2FA in a way that forces you to type a PIN into the phone rather than the other way around (massive phishing hole they don't seem to care about - sometimes I'll be flooded with 2FA prompts and have no idea which ones were initiated by me or by an attacker).
I've joked about writing an app on my phone that would just auto-respond to all the 2FA prompts with my PIN, and have been told that other people actually tried to (or did) implement such an application.
Meanwhile I was at a Googler's place a year ago and watched him tap a U2F device on the side of his laptop to complete the second factor. Sigh.
If you work for Microsoft (I do) that doesn't sound right. There are times when I get 2FA but not often on my work machine. Microsoft employees get a smart card and if your machine has a TPM chip you can create a virtual smart card accessed with a pin or biometric factor like fingerprint or Windows Hello.
I don't use Windows except when interacting with the 15-year-old payroll time entry system. I have nothing nice to say about support for non-Windows users, though most of that is unrelated to 2FA (though supporting U2F would sure be a lot more friendly than proprietary apps that surf on top of the TPM).
Not a fan of Microsoft systems, but they have GSS-API/Kerberos and AD FS 3. Unix users will want SSH key management, but apart from that, Microsoft made efforts to help people spread single sign-on to much of their infrastructure.
If your payroll system has a web interface, you can have an applicative firewall in front replay your stored credentials as a hacky SSO (after checking your identity another way, of course).
I've had one for about 6 months that I use for gmail. I like it, easy to set up, works pretty much out of the box, security story seems reasonable, and device is physically pretty sturdy so far.
For at least 2 linux boxes I use, I needed to add udev rules for the yubikey. That wasn't immediately obvious and took a few minutes to figure out why it wasn't working.
I'm a fan. It would be nice if there was more support. I can use it on gmail, github, and dropbox. I'm not aware of any other online services that support it (that I use).
What closeparen said. Normally the phone gives you the PIN and you type it into the application you just signed into. Gives you some amount of assurance that the second factor is going to the desired party.
Instead, MS's 2FA sends a notification to your phone where you type in a static, pre-defined PIN. There is no way of knowing what actor or application triggered the 2FA request.
We use Okta at work, and we can either put in a six-digit code, or we can prompt the webapp to push a request to our phone, and then click "accept" or "deny" (after unlocking the phone, of course.)
Okta at least shows which app is requesting permission.
Well, someone has started to hack these cameras to display a message to the owners: http://www.insecam.org/en/view/402371/ In case it gets fixed, this one now says "everone can watch your home, reset the camera" "reset your cam and use a password next time !"
I stopped when seeing that the 3rd Canadian camera on the list was in someone's living room. I don't want my IP showing up on their router's logs when they contact police after noticing all the traffic. I really hope they don't have kids in front of that camera.
An open door is not an invitation to trespass, especially when it has obviously been left open in error.
I can't think of a better analogy, but what if I had a Polaroid camera and go around taking pictures in my property and then throwing those pictures away on the street. If a stranger picks up one (or several) of those pictures, would you consider that trespassing as well?
I'm not saying I am for or against this, but it's definitely a tricky subject. Obviously part of that trickiness is because complex tools (for the general populace) are being sold as simple tools, and so people who buy them have no idea what they are capable of or what is the proper way of using them (securing them with a password, etc).
The case might turn on whether the owners of the camera suffer damage (which here means basically "how upset do the owners of the camera get") and whether a reasonable person would feel they'd been invited to watch this particular camera by the owners of the camera.
That's a lot of uncertainty to shoulder just for the joy of looking at someone's incidentally public camera feed.
Think of this. Some kid uses this website to discover a classmate's open cam and posts some evil pictures. Parents/teachers find out and call cops. Now every IP on that router's logs may be subject to a visit by police, at least all the local ones. A risk not worth taking. I give this website a month.
Sure, I get that, but are these cameras being sold as "secure from anyone that isn't you", or as "keep an eye on things easily, from anywhere in the world!"
The distinction is important, because an implication of secure-by-default means that the manufacturer has dropped the ball. If there's nothing to imply that the device is secure (as opposed to just providing 'security' via CCTV), then this is more a case of the installer of the device willingly, and knowingly, providing a live-stream of their property to the world.
I think part of the problem is that more and more technology products are being sold as "simple to use", although they might actually be really complex tools with far reaching implications not necessarily understood by the end users.
Compare this to, say, driving a vehicle. In most (all?) countries you need a driving permit which implies you have some training to operate said tool. In part because not knowing how to drive could cause damage and/or injury to third parties. And you also have some sort of liability if things go awry.
However consumer technology products are not considered as tools capable of damage (in most cases at least, e.g. computers, routers, phones, etc) and so the implication is that anyone can use them without proper training, since there's no way you can affect a third party.
Obviously those of us who have some sort of training realize that this is not the case, and so I would guess most HNers would secure their routers or Internet connected cameras (I hope...).
So in this context, can you actually blame those that have no training at all for doing "unsafe" things, especially since no one will tell them otherwise, including the manufacturer?
It's times like these that I wish MS hadn't axed "Active Desktop" from their newer OSes.
Back then you could make an html file with one frame or iframe and point it to a website like this or embed a flash stream.
You could just embed this website and have random webcams as background and your icons and everything else would still work normally on top of your new "background".
Eventually the embedded IE would crash and you'd press F5 and it would fix itself.
There was a similar site, whose name I cannot remember, that was up for a year as an infosec experiment around 2011, 2012. The neat feature about that one was the ability to put in a zip code and see all of the unsecured cameras in that area.
I sell and install security systems as a side-gig (fell into it and it's a high margin/low effort sale). People demand easy to remember passwords. I've tried to somehow get them to use better passwords but they always call me to change it. I still try to get them to use a strong password, though.
I'm curious which systems you prefer. I have an irrational aversion to paying a subscription fee, but it seems to take some effort to set up Motion or Zoneminder with recording and mobile alerting, and ease of use lags behind cloud services.
Oh, and cheaper cameras support only mjpeg, which makes live viewing high-bandwidth.
I sell commercial-level stuff. Can't remember the brand from memory. A friend who is in the security business (he works with factories and similar sized clientele) sources them for me. He is the expert. I merely sell and install it. I lack any real interest in this market and mostly easily sell them because other installers are really shady. No real marketing or sales effort. People just call me and I name the price. It pays to treat people well.
I think the modern consensus is that reasonable rate-limiting is a superior option. It doesn't allow for DoS, but still prevents brute-forcing attacks. You can even set things up such that too many attempts triggers a notification that something is probably wrong, but users can't be locked out of their own accounts.
"Allow 5 tries, then lock everyone out for 10 minutes" is a rate limiter. If you're talking about an arbitrarily complex one: either you're able to be locked out too, or a botnet allows near-arbitrary retries. A botnet of insecure cameras, perhaps.
It's all a tradeoff. But a smart rate limiter is complex, and rarely necessary when you can be expected to have physical access to the device. Plus, these things haven't even managed basic security, why should we expect them to implement a good rate limiter?
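The tradeoff argued in the three comments above, as an added example that is not from this thread: a classic "5 tries, then lock the account for 10 minutes" policy beside a per-source sliding-window throttle that alerts the owner instead. The attacker IPs, the `admin` account, the LAN address and the thresholds are all constructed for the scenario.

```python
import time
from collections import defaultdict, deque

class AccountLockout:
    """Classic policy: max_fails failures on an account lock it for everyone for lock_for seconds."""
    def __init__(self, max_fails=5, lock_for=600):
        self.max_fails, self.lock_for = max_fails, lock_for
        self.fails, self.locked_until = defaultdict(int), {}

    def allowed(self, source, account):
        return time.monotonic() >= self.locked_until.get(account, 0.0)

    def record(self, source, account, success):
        self.fails[account] = 0 if success else self.fails[account] + 1
        if self.fails[account] >= self.max_fails:  # whoever was guessing, the owner is locked out too
            self.locked_until[account] = time.monotonic() + self.lock_for
            self.fails[account] = 0

class SourceThrottle:
    """Per-(source, account) sliding-window limiter: guessers get refused, the owner is not."""
    def __init__(self, max_fails=5, window=600, on_alert=None):
        self.max_fails, self.window = max_fails, window
        self.on_alert = on_alert or (lambda account, n_sources: None)
        self.fails = defaultdict(deque)  # (source, account) -> timestamps of recent failures

    def _recent(self, source, account):
        q, now = self.fails[(source, account)], time.monotonic()
        while q and now - q[0] > self.window:  # drop failures older than the window
            q.popleft()
        return q

    def allowed(self, source, account):
        return len(self._recent(source, account)) < self.max_fails

    def record(self, source, account, success):
        q = self._recent(source, account)
        if success:
            q.clear()
            return
        q.append(time.monotonic())
        if len(q) >= self.max_fails:  # this source is now throttled; tell the owner how many are
            blocked = sum(1 for s, a in list(self.fails) if a == account and not self.allowed(s, a))
            self.on_alert(account, blocked)

def simulate(policy, account="admin"):
    """Constructed scenario: three botnet IPs each burn five guesses, then the owner logs in from the LAN."""
    for ip in ("198.51.100.1", "198.51.100.2", "198.51.100.3"):
        for _ in range(5):
            if policy.allowed(ip, account):
                policy.record(ip, account, success=False)
    return policy.allowed("192.168.1.10", account)  # can the real owner still get in?
```

Under `AccountLockout` the first attacker IP locks the owner out; under `SourceThrottle` all three attacker IPs are refused, the owner still logs in, and the alert hook reports how many sources are currently throttled.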
for how people use Shodan and other tools to do some fairly shady things. It's like grey hat at best (find these things and move them around/leave messages to secure your cams) and serious invasion of privacy at worst (people trading caps of women undressing, people having sex, etc).
www.insecam.org/en/view/386702/ - Somebody's RSA keyfob with automatic button presser.