Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Corporate Boardrooms Open To Eavesdropping

Unknown Lamer posted more than 2 years ago | from the it's-a-feature-i-tell-ya dept.

Security 120

cweditor writes "One afternoon this month, a hacker toured a dozen corporate conference rooms via equipment that most every company has in those rooms: videoconferencing. Rapid7 says they could 'easily read a six-digit password from a sticky note over 20 feet away from the camera' and 'clearly hear conversations down the hallway from the video conferencing system.' With some systems, they could even capture keystrokes being typed in the room. Teleconferencing vendors defended their security, saying the auto-answer feature that left those system vulnerable was an effort to strike the right balance between security and usability."

cancel ×

120 comments

Sorry! There are no comments related to the filter you selected.

You're going to be disappointed...and bored (4, Insightful)

elrous0 (869638) | more than 2 years ago | (#38818153)

This may be good for some corporate espionage. But if any hacker is doing this thinking he's going to expose the dark corporate underbelly, he's going to be disappointed.

If my experience is any indication, the evil stuff doesn't go on in rooms like that. Contrary to the movies, you have very few open meetings where a bunch of guys sit around and openly plot evil deeds. Most of that stuff is done in much smaller settings, and even then they use euphemisms and obfuscation. It's not like someone says openly "Hey, can we we bribe some local politicians so we can get away with dumping our factory wastewater into their rivers?" Instead they say something like "How can we cut costs at this factory?" to which someone else responds "Well, if we could get rid of the burdensome environmental regulations down there, then it would help with profitability" to which someone else responds "I'll call our people there and have them talk with some of our political allies."

I imagine some "hacktivists" will hack these systems expecting to get a smoking gun. But after hours of watching, all they'll get are a lot of boring meetings filled with financial figures, shitty powerpoint presentations, and corporate-speak platitudes. It'll be a lot less "Here's our secret plan" and a lot more "Here are the fourth quarter earnings breakdowns" and "Let's talk about how we build synergy in Asian markets..."

Insider trading (5, Insightful)

stevegee58 (1179505) | more than 2 years ago | (#38818217)

If I were looking to do insider trading I wouldn't be bored at all.

Re:Insider trading (1)

iggymanz (596061) | more than 2 years ago | (#38818765)

and 100 years ago that would be done by eavesdropping near or in the boardroom. so what's the big deal?

Re:Insider trading (0)

Anonymous Coward | more than 2 years ago | (#38819725)

Are you next going to ask why cybercrime is different from normal crime?

Re:Insider trading (0)

Anonymous Coward | more than 2 years ago | (#38819947)

Cain't speak for him, but I'm going to ask why you use stupid words like "cybercrime". It's just "crime".

Re:Insider trading (1)

iggymanz (596061) | more than 2 years ago | (#38820001)

there are types of crime a computer makes possible that were impossible before. but I'm not seeing that with this videoconferencing hysteria, all the same issues existed 100 years ago.

Re:Insider trading (2)

EuclideanSilence (1968630) | more than 2 years ago | (#38820249)

Perhaps new ways of committing old crimes. "With a computer" isn't a new kind of crime, it's just a new way of accomplishing it.

Re:Insider trading (1)

kelemvor4 (1980226) | more than 2 years ago | (#38822193)

Perhaps new ways of committing old crimes. "With a computer" isn't a new kind of crime, it's just a new way of accomplishing it.

"With a computer that has rounded corners"

There, now it's new.

Re:Insider trading (1)

camperslo (704715) | more than 2 years ago | (#38823353)

I suppose the smart executives can leak the address of their conferencing system, then let some mis-info leak so the would-be insider trader ends up with a bad deal.

Me? If I saw such a thing, watching the chairs fly would be purely for entertainment. No chair-futures trading for me.

With MS getting money out of Android vendors, I wonder if they'd go so far as to demand likeness-licensing fees for a chair-throwing app?

Re:You're going to be disappointed...and bored (3, Interesting)

vlm (69642) | more than 2 years ago | (#38818287)

I can summarize that long post to nothing ever gets accomplished in meetings, non-criminal or criminal.

Maybe you'll get to stare at a hot intern. Speaking of which, your best hope is "attending" some all-male meetings (not hard to find in the STEM fields) and then hope to catch some higher up making a "questionable" joke. Another possibility is catching people making fun of others, customers, clients, competitors, etc.

A lot of meetings are about primate dominance rituals, a sociology student Might find them interesting, but otherwise... For example maybe two decades ago I had a completely non-technical female boss in a 99% male highly technical industry who felt extreme need to assert dominance, so once a week we sat down in front of the then new ISDN video conferencing system and blew hundreds of dollars on LD costs listening to her cross examine people far away talking about stuff no one cared about which she didn't understand anyway. This was back when LD was like ten cents per minute per channel, and we used something like 8 ISDN B channels over a PRI to videoconference, which works out to something like $48/hour... per site... in addition to the spectacular labor cost of shutting down the entire multi-site department for hours on end. I figured once that with overhead each meeting was well into the 4 figure cost range, yet nothing ever really happened.

Re:You're going to be disappointed...and bored (-1, Flamebait)

elsurexiste (1758620) | more than 2 years ago | (#38818489)

Your comment wasn't sexist at all... not

Re:You're going to be disappointed...and bored (0)

Anonymous Coward | more than 2 years ago | (#38819521)

I didn't see anything sexist about it. Pointing out true, obvious, and quantifiable stereotypes between men and women is not sexist or discriminatory. If they were not true stereotypes, then they would be sexist.

It's no different than pointing out difference in behavior between races and cultures. That doesn't make someone racist.

Even stating that blacks commit more violent crime in this country than whites is not racist. It's true and backed up by facts.

Re:You're going to be disappointed...and bored (1)

jahudabudy (714731) | more than 2 years ago | (#38820711)

Minor (yet important) distinction: blacks are convicted of more violent crimes than whites. Perhaps this is because they commit more, maybe there are other factors. There is quite a bit of debate around exactly this subject.

Re:You're going to be disappointed...and bored (1)

Suki I (1546431) | more than 2 years ago | (#38818503)

The moral is: Don't leave your windows open if you don't want anybody to see and hear what you do.

this is hilarious (5, Insightful)

poetmatt (793785) | more than 2 years ago | (#38818293)

Saying that you're not going to find anything is a hilarious misdirect of the fact that the vulnerability has existed for a long time and still does.

Saying "oh they won't find anything" is still not an answer to "but we left the door wide open".

Re:this is hilarious (0)

Anonymous Coward | more than 2 years ago | (#38819085)

Seems to work for my friend's shitty car.
Locks and security are for people who have something worth stealing.

Re:this is hilarious (1)

3nails4aFalseProphet (248128) | more than 2 years ago | (#38822233)

In the article @ Rapid7.com, HD briefly mentioned WarVOX - another one of his pet projects - as a means to find targets. And that lit the bulb over my head. Yes, the vast majority of what goes on is going to be boring as hell. But don't just use this on "a" target. Wardial to find a crapton of them, automate recording audio from the targets, feed it into some transcription software (cheap solution: perhaps leaving vm for yourself in Google Voice?), and alert on keywords. Let it do its thing and just check in occasionally to hear 20 second clips around whenever someone says "password" or "lawsuit" or "IPO"... whatever tickles your fancy.

Re:You're going to be disappointed...and bored (4, Funny)

Maximum Prophet (716608) | more than 2 years ago | (#38818319)

A few years back, some mob boss was being prosecuted. The government brought in a "Mob Speak" expert to testify, translating the "Mob Speak" to English.
Saturday Night Live did a spoof of this. When a mob boss says "I'm going out for Cigarettes", he means "I'm going to kill the guy". When he says, "Do the Laundry", he means "Kill the guy". When he says "That's great.", he means "Thanks for killing the guy".

All you need is a Corporate to English translator, and you'll get all the incriminating evidence you need.

Re:You're going to be disappointed...and bored (0)

Anonymous Coward | more than 2 years ago | (#38818667)

All you need is a Corporate to English translator, and you'll get all the incriminating evidence you need.

If Corporations are people, and they want to crush other businesses, ergo you are more correct that we may have realised.
Think of what this means for all the businesses forced to close due to the recession!

Re:You're going to be disappointed...and bored (5, Funny)

Anne_Nonymous (313852) | more than 2 years ago | (#38818693)

>> All you need is a Corporate to English translator, and you'll get all the incriminating evidence you need.

margin control programs = cheat the customer
continued price symmetry = cheat the customer
expanded target demographics = cheat the customer
synergistic empowerment = cheat the customer
organic growth paradigm = cheat the customer
proactive globalization = cheat the customer around the world
win-win mindshare bandwidth = cheat the customer
granular rightsizing = cheat the customer
golden parachute = thanks for cheating the customer

Re:You're going to be disappointed...and bored (0)

Anonymous Coward | more than 2 years ago | (#38818803)

privatize = corner a market, establish a monopoly or trust
deregulate = bribe the gevernment into not enforcing laws, relaxing laws or eliminating laws altogether, anarchy

Re:You're going to be disappointed...and bored (1)

publiclurker (952615) | more than 2 years ago | (#38822875)

Aren't some of those "screw the workers", or maybe that is just the local dialect.

Re:You're going to be disappointed...and bored (4, Insightful)

jellomizer (103300) | more than 2 years ago | (#38818393)

Your version is still too dramatic.

It usually goes like this... I go golfing with the senator once a week.
During golfing...
Senator: Hows business?
Business man: It has been better, I think we need to lay off 100 people, we cannot keep ahead of the competition from other States/Country and the key cost is that law that needs us to clean up our water pollution count, we need to change our whole business, and we need to cut people.
Senator: 100 Lay offs during (Thinking that it is an election year), that doesn't sound good, Ill see what I can do.

Then the senator debates to put particular extensions to keep exclude the business from the rules.

Later during the election you will see a Million dollar donation to a Super Pac.

Very rarely people are trying to do evil, they are more often just negligent in doing their work, or too focused on short term issues that they ignore all the long term consequences.

Re:You're going to be disappointed...and bored (1)

Suki I (1546431) | more than 2 years ago | (#38818557)

From my personal limited knowledge, sometimes it works like "hey, call the local utility company anonymously and say there are suds coming out of the street drain/a strange smell by XYZ Corp" with XYZ being a competitor.

Re:You're going to be disappointed...and bored (2)

Sarten-X (1102295) | more than 2 years ago | (#38819139)

Very rarely people are trying to do evil, they are more often just negligent in doing their work, or too focused on short term issues that they ignore all the long term consequences.

This is Slashdot. Your rational and empathetic consideration for others' behavior is not welcome here. Start raging about the evil corporations, or we will be forced to mod you "-1, Sane".

Re:You're going to be disappointed...and bored (3, Interesting)

Anonymous Coward | more than 2 years ago | (#38818481)

I am low down on the corporate later, but even I am regularly in meetings where things like "here is our list of suppliers who haven't been officially announced" and "this supplier is going away in two months, but they don't know it yet" are regularly discussed.

Re:You're going to be disappointed...and bored (1)

nomadic (141991) | more than 2 years ago | (#38818589)

As someone whose job has frequently involved spending way too much time reading board of directors minutes for large corporations, you are completely correct.

Re:You're going to be disappointed...and bored (0)

Anonymous Coward | more than 2 years ago | (#38819341)

Only an idiot makes corruption an agenda item. You talk about it after the meeting is adjourned while shooting the shit if you need a large audience.

Re:You're going to be disappointed...and bored (1)

nomadic (141991) | more than 2 years ago | (#38818631)

Also, when a company does do something wrong, it will be planned in a language that most "hacktivists" don't understand.

Re:You're going to be disappointed...and bored (1)

mallyn (136041) | more than 2 years ago | (#38818919)

Perhaps if one has insomnia problems, this would be good medicine?

Re:You're going to be disappointed...and bored (1)

swb (14022) | more than 2 years ago | (#38819029)

I'll bet most of the "bad" stuff gets discussed way off site and no written record is kept.

Sort of bad gets discussed on golf courses, yachts, private homes, restaurants.

Really bad and they have one of those anonymous meetings where they just happen to be at the same anonymous, camera-less place at the same time so they can deny ever even meeting or colluding.

Re:You're going to be disappointed...and bored (2)

Reasonable Facsimile (2478544) | more than 2 years ago | (#38819745)

And after you hear, "Let's think outside the box, get our ducks in a row, and give 110% and synergize to come up with a game plan," you'll want to drive a rusty nail through your eardrum.

Re:You're going to be disappointed...and bored (1)

fractalspace (1241106) | more than 2 years ago | (#38820725)

Yeah and 90% of the time in the meeting was will fill up with these words: synergy, ecosystem, reaching out, momentum, below the radar, initiatives, collaborative effort, challenging ...

Re:You're going to be disappointed...and bored (0)

Anonymous Coward | more than 2 years ago | (#38820905)

Yeah, this must be a slow day for security news -- hackers have been hacking PBXs, etc. for as long as there have been enterprise phone systems.

How long until.... (0)

Anonymous Coward | more than 2 years ago | (#38818209)

One of those companies goes after him on wiretapping or illegally accessing their networks?

Re:How long until.... (2)

bmo (77928) | more than 2 years ago | (#38819573)

There's no wiretapping if you installed the device yourself and left it to automagically answer the phone, which is what this is about. By doing so, you are giving "authorization" to anyone and everyone to use the device.

It's like leaving a computer connected to the net with root login enabled and the enter key as the password. Whether it was a conscious decision or your own incompetence, nobody is really exceeding authorization by logging in as root.

It's called not even reading the quickstart card and taking 5 seconds to think.

--
BMO

Re:How long until.... (1)

lucifuge31337 (529072) | more than 2 years ago | (#38819883)

Ummm.....that's not how the law works. Just because I left my car doors unlocked and the keys int he ignition doesn't mean you can legally take my car. Just because I left my house unlocked doesn't mean you can stroll in and take a nap.

Re:How long until.... (1)

cizoozic (1196001) | more than 2 years ago | (#38819977)

However I'm told it is also illegal (at least here in Maryland, heard via a radio public service announcement) to leave the keys in the ignition.

Re:How long until.... (2)

bmo (77928) | more than 2 years ago | (#38820595)

But a telecommunications device is not a house or a car, and the laws for communications are different because of that.

Metaphors are not laws.

--
BMO

Re:How long until.... (1)

lucifuge31337 (529072) | more than 2 years ago | (#38821321)

But a telecommunications device is not a house or a car, and the laws for communications are different because of that.

Metaphors are not laws.

-- BMO

Yet the metaphor is accurate, as you still may not use a completely passwordless computer system you find online without at least implied consent (public web servers, etc). This is not up for debate, as it's easy to research case law.

I remember when . . . (3, Insightful)

DickBreath (207180) | more than 2 years ago | (#38818243)

I remember when Microsoft automatically executing email attachments was intended to strike the right balance between security and usability. That was a long time ago, in a galaxy far, far away. But still. Everyone saw the security disaster coming. The "I Love You" email was one of the first to get widespread attention enough to be Microsoft's wake up call on taking security seriously. Gone were the days when you could send dot-dot-slash in a URL to work your way up the inetpub wwwroot directories and then to windows / tftp.exe to pull down malware from evil.com on a fully patched NT 4.0 IIS.

Re:I remember when . . . (2)

v1 (525388) | more than 2 years ago | (#38819391)

"... saying the auto-answer feature that left those system vulnerable was an effort to strike the right balance between security and usability."

was just gonna say, that sounds just like MS's excuse to keep AutoRun functional for so long. It was the most flagrant invitation to viruses that has ever existed.

At least at this point most vendors have figured out that automatic code execution from untrusted sources is not a good tradeoff for convenience.

Re:I remember when . . . (1)

SuricouRaven (1897204) | more than 2 years ago | (#38819423)

Yet I still see frequent attempts to do just that in my webserver logs.

And I run apache on linux.

Re:I remember when . . . (1)

joshuac (53492) | more than 2 years ago | (#38821189)

I remember when Microsoft automatically executing email attachments was intended to strike the right balance between security and usability. That was a long time ago, in a galaxy far, far away.

I'm no fan of Microsoft's security history, but when did they ever have attachments auto execute?

Re:I remember when . . . (1)

EricWright (16803) | more than 2 years ago | (#38821899)

Circa 2000, Outlook Express.

Re:I remember when . . . (1)

DickBreath (207180) | more than 2 years ago | (#38821907)

> when did [Microsoft] ever have attachments auto execute?

It is history.
http://www.bizforum.org/whitepapers/panda-2.htm [bizforum.org]

The incorrect MIME Header vulnerability, which affects some versions of Internet Explorer, allows the content of mail attachments to be run simply when users read the mail with Outlook and Outlook Express (without even opening the attachment). The content of this file could be a virus, worm and Trojan etc.

MIME is a format created for sending and receiving complex content (executable programs, sound files, images, etc). MIME classifies contents in messages according to type and adds, among others, the Content-type tag, specifying the classification group for the code contained in the message.

The modification of this tag can cause Internet Explorer to believe that it is dealing with a sound or image file when it is actually an executable. Klez, Bugbear.B, Nimda, Badtrans or Frethem are just a few of the viruses that try to exploit this vulnerability.

It's not a bug, it's a creature!

Re:I remember when . . . (2)

Tastecicles (1153671) | more than 2 years ago | (#38821987)

IIRC back in the DOS days, the first thing the kernel did to a user-opened file, no matter the extension, was to try and execute it. The same holds for any DOS-based windowing system.

When the .wmf format went viral, people quickly discovered that it could not only send commands to a printer/fax/other such output device, it could also be made to overwrite boot sectors, among other nasty surprises. This issue has still NOT been fixed, after what, nearly two decades?

Just two of many examples I can think of off the top of my head.

Re:I remember when . . . (1)

SkimTony (245337) | more than 2 years ago | (#38822015)

I remember having to set a registry key to disable this in Outlook 97 or 98, and maybe even Outlook 2000. It wouldn't auto-launch a .exe (I don't think), but would automatically run ActiveX or other "active" content code. It was a long time ago, but it definitely did happen.

Re:I remember when . . . (0)

Anonymous Coward | more than 2 years ago | (#38822113)

Ahhh the good old days... I do look fondly on it because hacking and virus writing was just so damn easy back then.

systematic approach (1)

Phoenix666 (184391) | more than 2 years ago | (#38818277)

This should be done systematically and published in quarterly batches, wikileaks style. If the powers that be, who are destroying our freedom and economy as fast as ever they can, can spy on us then it's time we turned the tables. Give them no place to hide.

Does this actually work in real life? (1)

jandrese (485) | more than 2 years ago | (#38818301)

My experiance with those VTC devices is that when they're off, they make efforts to show that they are indeed off, and conversely when someone connects they do stuff like swivel the camera around, turn on lights, etc... It may be possible to do that without someone noticing, but it seems more likely that you're going to get a whole lot of attention from some high power folks.

Re:Does this actually work in real life? (2)

silanea (1241518) | more than 2 years ago | (#38818423)

[...] a whole lot of attention from some high power folks.

Of all the people I have had to brief on new hardware or software those "high power folks" always were the ones who paid the least bit of attention. Well, of course, since whenever they forget which button to press they have a whole army of subordinates to call in and have them get it going for them. You probably could wire a whole fucking Christmas tree lighting to the system and they still would be hard-pressed to notice something happening when it is turned on.

Re:Does this actually work in real life? (5, Funny)

Medievalist (16032) | more than 2 years ago | (#38820203)

You probably could wire a whole fucking Christmas tree lighting to the system and they still would be hard-pressed to notice something happening when it is turned on.

I actually did mount a piece of pegboard in an equipment rack with a smoked glass door and put christmas lights in the holes. I used the kind of lights that have a controller box for running patterns, and set it on "random", and left it running for about five years.

People with suits and ties would just stare at that thing in awe. My boss used to do her dog'n'pony shows standing in front of it.

Re:Does this actually work in real life? (1)

SkimTony (245337) | more than 2 years ago | (#38822055)

That is awesome. Well played, sir, well played.

Re:Does this actually work in real life? (1)

NeverVotedBush (1041088) | more than 2 years ago | (#38822433)

My father had an electronics designer where he worked build a box with blinking lights, some do-nothing knobs, and some toggle switches. He then stenciled it with Binary Ultimate Load Lifter Secondary Harmonic Integral Trace.

Similar results. People would stare at it in amazement thinking it was very important.

Re:Does this actually work in real life? (2)

Medievalist (16032) | more than 2 years ago | (#38823461)

Nice! Mine was labeled "Rozhdyestvo Photonic Emitter" in a very officious font, large enough to read through the smoked glass.

My boss is a native Russian speaker, and Rozhdyestvo is a latinization of ÐоÐÐÐÑÑÐо, which means Christmas. So I literally labeled it "Christmas lights".

My boss was the only one who ever noticed, which was exactly what I intended. She laughed her ass off.

Re:Does this actually work in real life? (1)

The Wild Norseman (1404891) | more than 2 years ago | (#38823445)

I actually did mount a piece of pegboard in an equipment rack with a smoked glass door and put christmas lights in the holes. I used the kind of lights that have a controller box for running patterns, and set it on "random", and left it running for about five years.

And you could casually gesture to it and smugly say to the PHB's, "yup. Six nines uptime."

Re:Does this actually work in real life? (5, Insightful)

Spectre (1685) | more than 2 years ago | (#38818477)

My experiance with those VTC devices is that when they're off, they make efforts to show that they are indeed off, and conversely when someone connects they do stuff like swivel the camera around, turn on lights, etc... It may be possible to do that without someone noticing, but it seems more likely that you're going to get a whole lot of attention from some high power folks.

Since the company I work at does consulting for C-suite people at a lot of different organizations, I'm pretty sure I have observed enough people to cross the line from anecdotal experience to enough data to form a hypothesis (somebody should test it).

The "higher ups" don't understand technology, even as simple as videoconferencing equipment with a remote that is simpler than a typical cable-TV remote.

When they want to use a video conference, they get somebody from "IT" to come in, click the three buttons that make it hook up, then do their conference, and leave the room, still leaving the conference running because they don't know what the "hang-up" button does.

It isn't that they are idiots, it is just that they don't care, they have "people who handle that stuff" so they don't have to.

So, if the camera comes on, swivels around, auto-focuses, red lights come on, they ignore it, because they don't perceive it as "something I need to concern myself with".

Re:Does this actually work in real life? (1)

Anonymous Coward | more than 2 years ago | (#38819785)

My experiance with those VTC devices is that when they're off, they make efforts to show that they are indeed off, and conversely when someone connects they do stuff like swivel the camera around, turn on lights, etc... It may be possible to do that without someone noticing, but it seems more likely that you're going to get a whole lot of attention from some high power folks.

Since the company I work at does consulting for C-suite people at a lot of different organizations, I'm pretty sure I have observed enough people to cross the line from anecdotal experience to enough data to form a hypothesis (somebody should test it).

The "higher ups" don't understand technology, even as simple as videoconferencing equipment with a remote that is simpler than a typical cable-TV remote.

When they want to use a video conference, they get somebody from "IT" to come in, click the three buttons that make it hook up, then do their conference, and leave the room, still leaving the conference running because they don't know what the "hang-up" button does.

It isn't that they are idiots, it is just that they don't care, they have "people who handle that stuff" so they don't have to.

So, if the camera comes on, swivels around, auto-focuses, red lights come on, they ignore it, because they don't perceive it as "something I need to concern myself with".

That may be true for usage scenarios, but I know from supporting these systems for more than 10 years that if they come on unannounced, I got a call. Rarely would the unit coming on be ignored unless the system came on/was left on overnight and no one had been in the room as yet. Almost without exception, if the unit was on and not needed it was turned off as soon as someone came in the room. Plus, we NEVER had auto-answer turned on. That's just stupid as it not only wastes electricity (we had it tied to a projector and lighting controls) it can interrupt a meeting and get the IT support staff in hot water for having it configured that way.

Re:Does this actually work in real life? (1)

OITLinebacker (1799770) | more than 2 years ago | (#38818529)

If the system is already on / always on when a person comes in to use the room, chance are they won't notice. If there is sufficient noise going on in the room, one might not hear the camera moving around and while a person might see that, they'd have to be bored and looking directly at it notice. Do you really notice how many systems (HVAC, Lights, computers, A/V) are on when you walk into a meeting room? Especially if you aren't using them or they don't appear to be doing anything they get ignored. Now the beeping of somebody trying to call in requesting that you answer the Video Call, would surely get noticed. That is why the auto-answer should just go away and die. That would solve 90% of the issue (the other 10% being public addresses).

Re:Does this actually work in real life? (2)

glop (181086) | more than 2 years ago | (#38818593)

It sounded like the examples given were to use the rooms when nobody is in there:
1) look inside the empty room and see what was left on the white board or post it notes etc.
2) listen and here people in an another room.

That seems quite clever and hard to notice. Somebody might walk in, notice the conf system is on and turn it off.

Spying on an actual meeting happening in the same room that the conf system did not seem to be the main target.

Balance (2)

QuietLagoon (813062) | more than 2 years ago | (#38818353)

an effort to strike the right balance between security and usability

Microsoft used that same excuse for the early security problems in Windows. It's time we hear a new reason used to rationalize poor design.

So? (4, Informative)

ledow (319597) | more than 2 years ago | (#38818359)

Not really that new. Most telephone systems allow it too.

The Samsung OfficeServ I have, I'm pretty sure I read in the manual about a "silent auto-answer pickup" you can do to a remote phone to tap into the speakerphone and hear anything said in the room WITHOUT indication of what you're doing on the target phone. All you need is the right passcode (which is easy if you're the IT guy) and the phone extension and you can hear whatever is said in the that room.

Given that phones are much more prevalent, much less prominent, and much more unexpected to be "hacked", I think you'd always have had greater success that way. And modern telecoms is all managed on the LAN and sometimes even remotely, so it's just as at risk as anything else.

The number one rule, of course, is don't let third-parties have access to your network, and don't have those sorts of "features" turned on.

Publicly available isn't the primary issue, (2)

OITLinebacker (1799770) | more than 2 years ago | (#38818483)

it's having it set to auto-accept. I understand why people leave it on, it's because they are lazy. Either the person installing it doesn't want to field support calls every time an admin assistant or board member can't figure out that video/tv doohikie, or they don't want to take the time to train the folks on how to use it. I suppose "ease of use" is another excuse, but in the end this is akin to leaving your cell phone set to auto answer. Nobody has their cell/desk/home phone set to just pick up, you have it ring. Why should a "video phone" be any different? These things need to be publicly addressable because of the nature of who you may need to connect to. It's an extreme PITA to have to configure/re-configure for every call. Now the flip side of this is now more folks are going to try this sort of exploit on a public IP address and the phone will be ringing with spammers even if you have it configure to require a manual answer. So it looks like some of the ease of use of having a publicly addressable VC system is going to go away.

Why video conference? (4, Interesting)

Colonel Korn (1258968) | more than 2 years ago | (#38818485)

My experience is as a scientist and probably is of limited value in other fields, but: I've seen places where the remote meeting culture centered on video conferencing and I've seen places where it instead centered on audio, with the video replaced by slides. The slides normally show useful experimental data or borderline useful financial data. The video normally shows bored people.

When an internal meeting has video it's generally a sign that the meeting doesn't actually need to happen - it's better done through a couple emails or a quick IRC-equivalent chat. Again, outside the world of a scientist I expect this to be different.

Re:Why video conference? (3, Insightful)

Attila Dimedici (1036002) | more than 2 years ago | (#38818971)

I am not a scientist but my experience is similar. Our department has periodic video conferences that were started by our current boss. When he was asked by someone why we were doing video conferences (which required reserving a video conference room in another building from our work area) rather than just an ordinary teleconference (which could be done from our desks, although we usually gather in the conference room adjacent to our office area) his response was, "Well we have the technology, so we might as well use it." Which did not answer the question, which was, "What value does the video add to this meeting?" Personally, I find the video conferences even less useful than the ordinary teleconferences because at least with the teleconferences we can mute the phone and discuss how topics apply to us without having to listen to input from people at other locations input stuff that has nothing to do with our location and still listen to those topics where the experiences of those at other locations are relevant to us (which is rare).

Re:Why video conference? (2)

KozmoStevnNaut (630146) | more than 2 years ago | (#38819691)

All the video conferencing equipment I've seen has both a mute button and a microphone off button. Learn to love them.

You try making sense of a teleconference when you have 10+ people on the line, some of them with bad connections with delays up to multiple seconds. People speak over each other and interrupt and it can be really hard to hear the difference between people with similar voices.

With video, you can gesture and read the other participants' body language. It helps immensely when trying to understand complex trains of thought.

Re:Why video conference? (1)

Attila Dimedici (1036002) | more than 2 years ago | (#38821119)

The problem is that you are still visible. I did not say that video conferencing was never useful, just that it is not useful the way it is used in my department. And the advantages of a video conference are lost when there are 5-10 people in each room of the video conference, I can't see the gestures and body language clearly enough for it to be particularly useful (unless I am trying to read the interpersonal relations of the people on the other end, which may be useful when negotiating a contract or something similar, but serves no purpose when discussing how to fix particular computer problems).

Re:Why video conference? (1)

KozmoStevnNaut (630146) | more than 2 years ago | (#38821259)

Fair enough, it depends a lot on your workflows.

Videoconferencing has worked wonders my my department, which is split up and located at two different physical locations, 200km apart. Having face-to-face contact through videoconferencing has helped us immensely.

Re:Why video conference? (1)

Attila Dimedici (1036002) | more than 2 years ago | (#38821599)

My department is also split up over several different physical locations spread out over the netire country. However, there are very few projects that we work on across locations. We are primarily a support unit for other departments. Teleconferences have some use in allowing us to communicate how we resolve various issues so as to maintain a company wide consistent way of dealing with things.

Re:Why video conference? (1)

Tastecicles (1153671) | more than 2 years ago | (#38822123)

My company uses videoconferencing all the time to communicate between not only offices across the world, but also clients. It's a very handy thing, particularly when it comes to facetime with colleagues that live in another country yet I work very closely with them - sometimes to the point where we independently create virtually identical documents - it adds a dimension and an intimacy to the transaction that is completely absent in a voice-only teleconference or short message exchange. I reckon that's the meat of the discussion here, and the entire point of videoconferencing for the purposes of it: the facetime factor. Also there's something about body language that adds a whole lot more to a conversation than spoken or typed words. If you could see me now while I type this, you'd probably get what I'm trying to say.

And then you could tell me. :)

Re:Why video conference? (2, Informative)

Anonymous Coward | more than 2 years ago | (#38819021)

I'm sure a social scientist could phrase it better, but the reason for video conference is simply one of channels of information.

As humans, our interpersonal interactions are colored by scads of non-verbal dialog, with facial expressions and posture being significant factors. There's even been studies that people tend to think differently based on what they're wearing (work-from-home-in-pajamas-and-robe being less effective than work-from-home-in-a-suit), much less how other people react to them and choose their dialog. So video helps us communicate more effectively.

As a less theoretical example, I've been part of many remote-caller meetings, where it's obvious on ~my~ end that someone didn't understand an issue, you could tell that just looking at them. The problem is, how can someone on a phone know that? How can they tell that 10-20% of your audience is confused and you need to reiterate a point when none of them individually will speak up?

The right balance (1)

Anomalyst (742352) | more than 2 years ago | (#38818527)

being, of course, that which is no QA cost to the vendor.

Not just Teleconferencing... (1)

ArmchairGeneral (1244800) | more than 2 years ago | (#38818553)

I had a job interview a few years ago, and instead of an office, we went to a boardroom. On a whiteboard there were 2 phone numbers with names attached, and right next to those were the passcodes for their voicemail. One was the HR person who was conducting the interview.

Re:Not just Teleconferencing... (3, Interesting)

Bigbutt (65939) | more than 2 years ago | (#38818871)

It was a test. Did you mention it to them?

[John]

Glad ours isn't setup that way (3, Interesting)

afidel (530433) | more than 2 years ago | (#38818559)

I'm glad that for political reasons we use a third party reflector to do our video conferencing. Basically one of our partners had a flaky video conferencing setup that their IT guys couldn't or wouldn't fix but were all too happy to blame us because we would host the conferences. We tried everything we could to insure things went smoothly but when we could find no faults with our setup (and many other sites around the world never dropped) we implemented a layer 8 solution and moved the hosting of the conference off our equipment and onto a third party reflector. The other party continued to drop until their management got so fed up with the obviousness that it was their fault that they hired someone to fix it. Since it works and protects us politically we've kept the system, guess there's a nice bonus out of it in that we have no open inbound ports for the video conferencing gear =)

Low-Tech Solution (3, Interesting)

SniperJoe (1984152) | more than 2 years ago | (#38818683)

I go into a lot of boardrooms in my line of business and I was actually at a business a few weeks ago that was obviously concerned about this, so they used the low-tech solution of a cardboard box over the videoconferencing device.

On the box, in handwritten black magic marker, it said "Do not remove unless participating in a video conference!" Not exactly high-tech, but I suppose it was more effective than nothing.

Re:Low-Tech Solution (1)

Anonymous Coward | more than 2 years ago | (#38819087)

Schrodinger's corporate spy?

Great (1)

cheros (223479) | more than 2 years ago | (#38819151)

Now all you need is SOUND proofing..

Re:Low-Tech Solution (0)

Anonymous Coward | more than 2 years ago | (#38819173)

That solution still allows for audio eavesdropping.

Re:Low-Tech Solution (1)

mjr167 (2477430) | more than 2 years ago | (#38819501)

Wouldn't it be better to just unplug it?

Re:Low-Tech Solution (1)

Tastecicles (1153671) | more than 2 years ago | (#38822147)

Like it.

Although, a deft removal of plug from power point would work better to remove the possibility of either video or audio eavesdropping...

little brother is watching too. (2)

phrostie (121428) | more than 2 years ago | (#38818737)

At a place i used to work there was this one room that had a camera on a 2 axis pivot/drive. it was creepy when it would turn on and swing around to point right at you.

Re:little brother is watching too. (4, Funny)

nomadic (141991) | more than 2 years ago | (#38818807)

At a place i used to work there was this one room that had a camera on a 2 axis pivot/drive. it was creepy when it would turn on and swing around to point right at you.

Did you work at the front gate of Jabba's palace?

Re:little brother is watching too. (1)

phrostie (121428) | more than 2 years ago | (#38821297)

I wish.

I hear the entertainment there is Awesome!

I can never get those things to bloody well work (1)

flyingfsck (986395) | more than 2 years ago | (#38818755)

Skype is making inroads into meetings because it is easy to get to work as opposed to those things. Most fixed video systems are incompatible, so you cannot call any meeting room - it has to be a specific meeting room with similar equipment and even then it seldom works.

Re:I can never get those things to bloody well wor (1)

KhabaLox (1906148) | more than 2 years ago | (#38819097)

Most fixed video systems are incompatible, so you cannot call any meeting room

Can Skype call out to other video conferencing solutions? I know you can call a telephone number, but I didn't realize you could, for example, call a Google+ Hangout.

Re:I can never get those things to bloody well wor (1)

Tastecicles (1153671) | more than 2 years ago | (#38822185)

I've often thought about this; do any net based conferencing solutions such as Skype and Hangout have any compatibility to each other? If not, why not? Is the lack of interoperability purely politically-based, or is it a technological problem (that can be solved, all tech problems can be solved)?

Even the "experts" have problems (4, Interesting)

hawguy (1600213) | more than 2 years ago | (#38819077)

When we bought our video conferencing system, the vendor that implemented gave us their VTC unit's number for testing. Their test VTC system is in their main conference room.

Well, one day we were demoing the unit to a group of people and we called the vendor's unit. They were in the middle of an intense meeting, the CTO of the company was nearly yelling at his staff about a missed sale - I guess he saw the camera swivel into position and yelled "Who turned that bloody thing on! Turn it off!"

Pretty funny from our point of view, and our sales rep called later to apologize.

So if the vendor that implements these for a living can't remember to turn off auto-answer when it's important, how can anyone else? I'm surprised at the number of companies that leave auto-answer turned on. (and am also surprised at the number of companies that re-use conference bridge numbers, I accidentally called into a conference bridge an hour early for a meeting, and got to listen to the vendor talking with a competitor about a new project).

You don't need vidcom to bug a conference room (0)

Anonymous Coward | more than 2 years ago | (#38819233)

Unless everyone leaves their electronic gadgets at the door you'll always have plenty resources to gather info. The problem is that many want their toys, even when it doesn't concern the topic under discussion, so even if you fully swipe a room (which presently costs a good â400 per square meter for government/military quality sweeps) you'll lose the overall battle.

If you have vidcom in a room you should not assume that room to be more than low level secure unless you have crypto secured the communication (i.e. closed network only). And even then I'd unplug the thing by default..

Mostly because of the Inept. (2)

Lumpy (12016) | more than 2 years ago | (#38819345)

The problem is that CEO's are so stupid they refuse to use the videoconference gear like a normal human. They demand the things auto answer which is a GIANT hole. Plus they refuse to do the smart thing and put in a Border controller. Instead they buy an external IP for the VC gear and put them raw on the internet, Again retarded as hell. But this IS common for executives. They refuse to pay $6500.00 for the device they need and was told would increase security. Instead they demand it's done as cheap as possible.

and this is what happens. Polycom, tandberg, and sony VC equipment on the internet with no firewall and set to auto answer. discover the IP address of a VC system and call it using a Standard H323 software client and you are now listening to the room and looking out the cameras. Hell you can pan and zoom the camera if you want.

The problem is the Executives. They refuse to spend the money to install a secure VC system and they refuse to learn the gear.

Great Punishment (1)

mallyn (136041) | more than 2 years ago | (#38819369)

You know folks, judging on how stupid and boring board meetings that I have been at have been . . .

I think these toys could be used for punishment

Force your errant child/dog/cat/whatever to sit in front of one of these eavsdropping session for a while with nothing else to do.

They will shape up fast.

A long time (1)

DarkOx (621550) | more than 2 years ago | (#38819803)

the auto-answer feature that left those system vulnerable was an effort to strike the right balance between security and usability.

I used to work for an organization that sold a great deal of this equipment. I once asked a vendor if they thought "auto answer" was really a sane default; for devices often connected to displays which power separately, while the device (and its recording implements) remain on line all the time in common deployments.

I got pretty much the same line as in the quote. Which I also found a little astonishing, because I have never had a telephone that even featured "auto answer" let alone defaulted to it, and they do pretty much use the telephone as the analog for all their UI elements.

thought it said corporate bedrooms open.... (0)

Anonymous Coward | more than 2 years ago | (#38819895)

I first looked at the headline, and thought it said corporate bedrooms are open for eavesdropping. Figured Carly Fiorina must be getting pretty lonely or something else far worse. I guess I really do have to have caffeine in the mornings. That, and brain-bleach.

Does anyone have VTC that is actually being used? (1)

billybob_jcv (967047) | more than 2 years ago | (#38819971)

VTC is the thing that all executives want to have, but that never gets used. They are bought with great fanfare and everyone wants to use it - for about 90 days - then the controls sit in the corner collecting dust. Having one that is actually powered on and functional would be a novelty.

Smart (0)

Anonymous Coward | more than 2 years ago | (#38820007)

Where is my cone of silence when I need it!

This explains a lot (0)

Anonymous Coward | more than 2 years ago | (#38820255)

"Teleconferencing vendors say they're trying to strike the right balance between security and usability"

Where's the balance? The amount of security is exactly zero. You can't have a balance between two things if you don't have any of one.

As for usability, the concept of answering a call is too advanced for the people in these boardrooms? This goes a long way to explaining the financial crisis.

Boardroom? (1)

wzzzzrd (886091) | more than 2 years ago | (#38820629)

Hm, I read Corporate Bedrooms. Now that would be a nice idea, never mind the eavesdropping.

Autoanswer a compromise!? (1)

Tastecicles (1153671) | more than 2 years ago | (#38821851)

Are you effin' kidding me? Any vendor that claims an autoanswer feature as a compromise between security and usability is one that wouldn't be getting my business! That's just being damn lazy, if you want to take a call, push a button: denial of service through inaction in that case is where the smart money is. Cisco, take heed!

Legal liability from lax/nonexistant security (0)

Anonymous Coward | more than 2 years ago | (#38823267)

Per NYT article about this, access was easily obtained to operating rooms in hospitals and law firms. These are areas where there are strict standards of confidentiality. Having no security at all and allowing open access without any passwords or any questioning at all, as occurred here, may open up hospitals and lawyers to lawsuits from clients and patients. Feds are going after providers with bigger fines these days for HIPAA violations. Hard to see how a suit against a hospital could be defended against when there was no security at all. Apparently also, once into one open system may allow piggybacking into other organizations which may compound the liability issue. Next stop from a law firm's open videoconferencing was potentially a Goldman Sachs boardroom. IT professionals should probably check their systems and warn clearly in writing of such lax security to avoid having their own head's on the chopping block.

Load More Comments
Slashdot Login

Need an Account?

Forgot your password?

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>