Windows 10 Update Breaks Most Webcams

Now's your chance....

Posted on August 20, 2016 at 8:01 AM • 34 Comments

Comments

SasparillaAugust 20, 2016 8:27 AM

Our 3 letter agencies must have loved this when Microsoft briefed them on this new same time multi application access support for cameras (& microphones?).

As an aside Microsoft is bringing the Windows 10 Update model (i.e. a lump or two of whatever Microsft chooses down your throat no choices) to Windows 7 & 8.1 - and killing breaking updates into individual hot fixes. Microsoft asserts that they own your computer.

After rollout in October they going to back port past updates into it. Looks like data monitoring is coming whether you like it / avoided it or not. There is little talk of this in the press although it seems like a big deal. If you want 7 or 8.1 images based on hot fixes better make them & backup prior 2nd Tuesday in October (& shift update to off or no download).

http://arstechnica.com/business/2016/08/windows-7-8-1-moving-to-windows-10s-cumulative-update-model/

Corporate will have access to security only updates, but Windows Updates for the public will not have that option. Your PC is now Microsoft's & their partners phone.

JackAugust 20, 2016 11:44 AM

There's an obvious solution: put tape over your webcam. Even Mark Zuckerberg does this; see recent press. Or physically cut the cable to your webcam/microphone.

I believe Microsoft's most recent update gaffe only affects USB (and not in-built) webcams.

JackAugust 20, 2016 11:47 AM

@Sasparilla

Microsoft Windows 10 Pro customers also get the option to "Defer feature updates". That's not exclusively limited to Enterprise customers although the majority of consumers are using the Home edition.

WaelAugust 20, 2016 11:55 AM

There's an obvious solution: put tape over your webcam.

I do that, even on my tablets. The microphone is trickier to mask. Best not to conduct confidential conversations near any electronic device. That's by no means a complete solution, but a step towards shrinking the surface of attack (this one through OPSEC.)

Don CooperAugust 20, 2016 1:17 PM

This is without a doubt the single most effective measure MS has ever taken in the protection of their users' security. Insecam.org are livid. /s

EvillitAugust 20, 2016 1:37 PM

@Jack

Oi, what happened to the "privacy is ded"? Mr Zuck has something to hide innit? Oi!

keinerAugust 20, 2016 3:11 PM

@Eviillit

...things change dramatically if you have kids, huh, Mr. Suckerberg?

jfgunterAugust 20, 2016 4:41 PM

microphones not easy to block. Nuther instance of "my" PC upping its spying on me! MSFT is behind in the spy-vs-spy-vs-spy game and is straining to catch up ....

Michael GravesAugust 20, 2016 6:37 PM

You are correct in that internal webcams are not impacted. This is largely because internal webcams don't try to deliver 1080p30. 720p30 can be delivered as uncompressed frames (YUY2, I420, etc) over USB 2.0. In contrast, 720p60 or 1080p30 requires the use of compression to fit across a USB 2.0 link.

The problem only impacts external cameras where the host application will attempt to deliver 1080p30.

I gather that I was one of the first to report this matter to Microsoft, who were utterly unable to deal with it.

How ironic that it finally gets some attention when it causes the single most popular external webcam in the world to fail when used with Skype, a Microsoft application.

Ergo SumAugust 20, 2016 7:51 PM

That's just the tip of the iceberg. Just wait until October, when Windows 7 and 8.1 will start receiving packaged updates, same as Windows 10:

https://blogs.technet.microsoft.com/windowsitpro/2016/08/15/further-simplifying-servicing-model-for-windows-7-and-windows-8-1/

The security and performance updates are rolled into a single package. Other than enterprise users, most people will have no choice. You want the security updates? Well, you have to install the performance updates and any other updates that MS deems necessary adding to the package as well.

Do you want telemetry in your Windows 7 and/or 8.1? After October, of course you do...

OioiAugust 20, 2016 9:23 PM

@Ergo Sum

Guess its time to Move to Windows Vista if a Windows is dearly needed.
Someone in Microsoft's basement they forgot about should be still writing updates for it.

WikAugust 20, 2016 11:39 PM

Can't say I'm a fan of what Microsoft's doing. I rather like the thought of owning my own computer. Microsoft corporate says different, though.

Well, looks like I'll have to finally search for alternative ways to maintain control.

Clive RobinsonAugust 21, 2016 5:36 AM

@ Ergo Sum, All,

Just wait until October, when Windows 7 and 8.1 will start receiving packaged updates, same as Windows 10

There is another nasty change...

Currently you have 30days to "roll back" and remove any updates, in October that will go down to 10 days.

This I suspect will be the first of many changes to come to turn your computer into a box into which you will be placed as a product on their shelf of wares to be sold.

Microsoft have waited for the likes of DRM chips to be sufficiently ubiquitous to go the next step which is to stop you putting on your own OS of choice...

Every one just needs to accept that our "New Overlord" Microsoft will do what they think will be good, and you should just take the medicine they prescribe.

The sad thing is, we have seen this happening and we have raised warnings... But as usuall we have been told to stop being paranoid, stop starting conspiracy theories or slandering the "good name and intentions" of those who are doing it. At least one of whom in his own paranoid way declared that FOSS was a cancer and should be stopped in any way possible... Befor the others quietly removed him lest he give the game away before it was to late...

Ergo SumAugust 21, 2016 7:29 AM

@Clive..

Not trying to defend MS, those who know me well would be surprised if I do, but...

MS OS and apps aren't the only ones that takes control of the system, including the telemetry "feature". Other apps, including antivirus and other security software also have built-in telemetry functions as well. Most of these started up with system authority and basically can do anything it wants. Yes, it is a stretch to call antivirus a security software nowadays...

@Doniq...

Thanks for the links, but...

Hosts files, like the link says, will not work since MS hard coded the IPs in the Windows 10 system files. During the last year or so updates for Windows 7 and 8.1, the hard coded IPs had been extended to Windows 7 and 8.1 as well.

Starting in October, MS will also modify group policy objects, that most of the disabling Windows 10 spying software depends on, for the consumer version of Windows. As Clive said:

Every one just needs to accept that our "New Overlord" Microsoft will do what they think will be good, and you should just take the medicine they prescribe.

keinerAugust 21, 2016 7:48 AM

I'm prepared to block Windows from accessing the internet completely (each and every port). End of story. Emails and browsing only on machines with linux or BSB.

AlexAugust 21, 2016 11:14 AM

Windows 10 seems to be malware designed to suck up everything you're doing.
I've looked over some of what is transmitted and I am surprised anyone would use it, it appears to be a "RAT as Operating System" deployment.

AlexAugust 21, 2016 11:18 AM

@Ergo Sum thanks for the pointer on Win7.

Out of curiosity how many here use WinTin?
I notice that most people I have helped through the years with technical issues would be just fine on Linux.

Clive RobinsonAugust 21, 2016 11:39 AM

@ keiner,

I'm prepared to block Windows from accessing the internet completely (each and every port). End of story.

Yup I've been doing that for years on my private/development networks. They are a little more than air-gapped and use custom doubley instrumented data diodes to get data in and out.

As for,

Emails and browsing...

Don't do that with those at either network. The only browsing I do is on a smart phone or other networks / computers I don't have a confidentiality liability for.

As for Email, as some here have moaned about I don't do personal Email any longer. The only downside, I don't get those adverts a lad of my age might be expected to need ;-) But there's always "Daytime TV" if and when I start to go deaf, bald, blind to lazy to climb the stairs or feel I need a stick me in a box fund ;-)

hermanAugust 21, 2016 12:54 PM

@Doniq: The hosts file cannot block hard coded IP addresses.

Anyhoo, last year in February, I looked at the connections that Win10 open with tcpdump and found 39. Since then, others have found a few more. I really don't see the necessity for an OS to open 40+ connections to who-knows-where, so the best way to run Win10 is with the network cable unplugged.

Dirk PraetAugust 21, 2016 1:32 PM

@ Jack, @ Sasparilla

Microsoft Windows 10 Pro customers also get the option to "Defer feature updates".

Windows 10 Pro, Education and up users can use either the Settings Panel or the local GPO Editor to defer upgrades. Home Edition users are scr*wed. The only work-around for now I know of is to trick the OS into thinking that it's on a metered connection, but which only works with wifi, not with cable.

@ Ergo Sum

Do you want telemetry in your Windows 7 and/or 8.1?

I refer to one of my previous posts in last week's squid thread. There's plenty of free utilities out there that stop telemetry on Windows 7, 8 and 10 dead in its tracks. Spybot Anti-Beacon, for example, blocks about 70 MSFT C2 hosts/ip addresses and also takes care of Office 2013 and later telemetry. Some blocking lists as provided by other utilities go reasonably far, and at least one of them even blocks known Skype servers, making in-line Skype upgrades impossible.

Well, you have to install the performance updates and any other updates that MS deems necessary adding to the package as well.

Set your WU settings in 7/8 to "never check" and disable the Windows Update and BIT services. Then install monthly updates on the fly as soon as the distinct KB's in the cluster have been properly identified and allow for manual de-installation and hiding.

Starting in October, MS will also modify group policy objects, that most of the disabling Windows 10 spying software depends on, for the consumer version of Windows.

Since most GPO's translate into services and registry settings, it will almost certainly still be possible for anti-spying utilities to disable those offensive features. In addition, there are couple of really good Windows 10 hardening guides out there, such as http://www.hardenwindows10forsecurity.com .

How far you take those depends both on your personal threat model and to which extent you really require Windows 10. Forking out some extra cash to upgrade from Home to Pro (or doing a search for the evil hax0r utility Microsoft Toolkit) would however seem a good idea to start with. Common private and corporate users will eventually be forced to either upgrade to Windows 10 or migrate to OS X, which has its own issues. Folks with extended security/privacy needs who for some reason require Windows 10 may wish to keep their setup fully air/sound gapped and resort to TAILS, Whonix, CubesOS, Subgraph etc. for browsing and other activities requiring internet connectivity.

@ Don Cooper

This is without a doubt the single most effective measure MS has ever taken in the protection of their users' security. Insecam.org are livid.

+1

The pre-USB, borked NT4 SP1 atapi.sys CD-ROM driver was in the same category.

Vinnie GambinoAugust 21, 2016 3:30 PM

@Clive: Out of curiosity, what specifically provides you with comfort when web browsing from a smart phone? I'm way behind on security for those devices, but most of what I read indicates that for most purposes, it doesn't exist...
Generally, I regard the changes in Win 7 updates as a personal positive, as it finally provides me an inescapable motive to finally completely abandon Windows for *nix. I anticipate a few issues such as replacing Audacity (music file processing utility), but since my retirement, my computer use is so vanilla that (based on Live CD exploration) any of several *nix alternatives will prove to be a relatively painless transition...
-VinnyG

Vinny GambinoAugust 21, 2016 4:14 PM

Another Win 10 update thought: what is to stop some enterprising dissenters from hacking the Enterprise version security-only updates so that they can be (individually) applied to Home? I'm sure that MS has coded some rudimentary protection against this practice, but their past MO is that such safeguards may be easily cracked. I'm assuming that their motive is two-fold: remove what little OS and privacy control remains available to the Win10 Home user; reduce headcount of engineers and techs involved in update creation and distribution. Getting into an arms race to keep the security-only updates out of the hands of a motivated Home user wouldn't be conducive to #2...

-VinnyG

Dirk PraetAugust 21, 2016 5:59 PM

@ Vinny Gambino

Another Win 10 update thought: what is to stop some enterprising dissenters from hacking the Enterprise version security-only updates so that they can be (individually) applied to Home?

That's actually a piece of cake. Install a WSUS server at a location of your choice, download all individual patches/updates for Windows 7->10, then publish the approved ones for all clients you have upgraded from Home to Pro using a well-known evil hax0r utility, and which you then configure to point to the WSUS server instead of the default MSFT Update servers. Once done, the clients will not receive any updates/upgrades from whatever other source than your WSUS server.

Enterprising bar owners already providing free wifi and working together with the local, IT knowledgeable, friendly neighbourhood anarchist can offer it as a complimentary service to their paranoid MSFT patrons.

I anticipate a few issues such as replacing Audacity (music file processing utility)

It's on Linux as well.

BTW: why do you spell your first name both as Vinny and Vinnie? If you're referring to Joe Pesci, your alias would be Vinny Gambini, not Gambino. The Gambino's are one of the five New Yorks "crime families", named after Carlo Gambino but founded by Vincent Mangano.

Clive RobinsonAugust 21, 2016 7:04 PM

@ Vinny Gambino,

Out of curiosity, what specifically provides you with comfort when web browsing from a smart phone?

Nothing about the hardware, the OS any manufacture installed apps, the "air interface", service provider or their equipment gives me comfort.

Thus I assume the smart phone "Is a postcard not a letter" and that every key stroke etc is logged and examined as though on public view at any point in the comms chain.

Thus I mitigate what I do. As others know I don't give javascript house room, which is why I don't do Utube or slashdot, or any other site that says I have to turn it on, the world is to big to care about such idiots[1].

I also never click on "shortend URLs" they are just to easy to abuse in oh so many ways.

I don't do the "Three G's" of Girls, Gambling or Games, or "social networking", Email, Skype or chat/messaging.

I also do not do anything involving finance in any way shape or form on the Internet these days. I decided EBanking was way to much of a risk back when it was "dial into the bank" years befor the Internet. However after my local University book shop closed several years ago I went through the process of researching and getting a pre-pay anonymous credit card just to buy books off of Amazon. But they --or their subcontractors-- did not perform as you would expect... So that as they say was the end of my personal "Online Shopping" experiment. However when working for an organisation that sold high value equipment world wide on the Internet the number of scams[2] you saw in a week nailed the lid down on Ecomerce as far as I was concerned.

So you could say my main mitigation is "not using the Internet" for anything other than as an information resource.

And before anyone asks what I think of Tor or other anonymising technology, you can take it as read that I don't think any of the ones available I've looked at are even close to "fit for purpose".

When you get down to it even IETF privacy technologies have failed, as have NIST standards.

Am I paranoid, I'd like to think not, just pragmatic having been involved with real secure comms systems whilst wearing the green. I got to see some of what went on under BRUSA (later UKUSA) and how the US spyed on UK citizens and passed it back to the UK and vice-versa, just so politico's could stand up in their democratic assemblies and say "We do not Spy on our citizens"... The funny side of it was prior to Ed Snowden when you told people this they either thought you were paranoid, or a conspiracy theorist. Have a look back on this blog to see the "three stages" of "denial, disbelief and anger/acceptance" that quite a number of this blogs contributors went through over the Ed Snowden revelations.

I have a slightly "simplistic view" when it comes to this sort of thing. Firstly I check if the laws of physics alows it, then if technology is available, then think how I would do it before looking for reasons as to why it can not be done. If you have a hunt back in this blog to when news of what the NSA was building out in the scrub around Bluffdale Utah, you will find one thread where Bruce asked if it was possible to record and store every US telephone call. You could see he was still in the disbelief stage when he posted it, and was well into the acceptance stage within a few days. Such is the power of "the simplistic view".

So you could say the only "comfort" I get is in having worked out how I can be spyed upon, and having worked out a mitigation strategy.

[1] Slashdot in particular is a screwed up thus vulnerable site because they can not get simple things right... Which is silly realy, other people have sites that in effect "fail gracefully" if you don't have javascript on so why can not Slashdot? A question that has several answers many of which would indicate some form of data collection etc...

[2] One scam in particular stands out... Goods were ordered, dispatched and payment received, then a request for a returns number was requested but they said they needed it sent by letter on company stationary "for courier insurance reasons". This was odd to say the least, being suspicious I did some checking and it turned out that the courier was a front for illegal immigration...

fajensenAugust 22, 2016 6:12 AM

@Jack - There's an obvious solution:

Slap one's preferred pick of Linux distribution (very easy) or FreeBSD (alas - a good deal harder) on the machine and only run Windows in a controlled environment inside a VM, like we do when analysing other malware. F.W.I.W. Many normal Windows applications runs directly in "Wine" which is provided with Ubuntu or Linux Mint.

Did this to revitalise my daughters laptop, dying from "the death of a thousand updates".

In her case she also needs Kanji - Turning this on via the control panel actually does works Ubuntu and does not break spell-checking like it does with Win-Word. She managed to figure this out herself and she is not a computer person at all, so, I guess that the Linux Desktop is kinda OK now?

PS:

Linux will get p0wned too with the "systemd"-debacle, but, it's a way off yet and there may still be "pure" distributions forked at around that time.

AzimuthAugust 22, 2016 2:18 PM

@Clive

> The funny side of it was prior to Ed Snowden when you told people this they
> either thought you were paranoid, or a conspiracy theorist.

Prior? I wish. It is alive and well these days too. Sometimes I go to the more mainstream, shall we say, web resources related to tech. 'Nothing to hide, nothing to fear' notions are still very prevalent there as well as calling people paranoid when someone bring up the data collection topic.

paulAugust 22, 2016 3:35 PM

Another part of this MSFT takeover that's going to bite some organizations really badly is that MSFT claims to be making the owners of the physical box legally responsible for any issues involving the involuntary collection of telemetry data from minors using a Windows machine. (At least that's the way I understood the text, which is not exactly clear.)

TõnisAugust 22, 2016 4:51 PM

I have a wire that goes nowhere which I plug into the microphone jack so spies can't listen.

albertAugust 22, 2016 5:11 PM

@Tõnis,

Does your microphone physically disconnect the internal mic? Or is mic selection done in software?

. .. . .. --- ....


Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.