Look at that beer mug hat from (e:james,51014) on my hall tree.

Even the mercury was good

In light of the recent school video recording laptop drama I decided to investigate the system my work uses to manage my laptop.

My camera is taped over and this story explains why. The pack of the cigarettes in the background are candy ones for anyone who is curious and yes I am addicted.


JAMF ENABLES REMOTE IMAGE CAPTURE WITH BUILT IN WEBCAM

The system my work uses to manage the macs there is called JAMF casper suite The system seems pretty solid and allows easy management of macs in an enterprise environment. It basically allows a third party at work to control and monitor the client computer and its usage at all times, install software and to run scripts as root from afar. I frankly haven't trusted or loved my computer the same since it was installed but I realize I have no choice about this as I do not own the machine. The real point of this article is about the image capture part capability which is downright sketchy.

Disclaimer: I am in no way suggesting this is being used inappropriately at my work nor am I suggesting that there was any tampering with the Jamf binary or that there is any malicious intent from anyone. I just thought this might be of interest to anyone else who has their laptop managed with JAMF.

I decided to go ahead and explore the JAMF binary on my computer with a hex editor to see if it had an mention of images.



I found a reference to sendImageCapture. It was also interesting to see they must also be using svn for development. When executed with /usr/sbin/jamf sendImageCapture it attempts to take a picture with the laptop webcam and send an image to the JSS (a server) which manages my computer. It does it pretty sneakily putting the file into /private/snapshot.jpg for a millisecond and then quickly removing it with no notice to the user.

I put a sniffer on the folder to trap the file upon creation and copy it somewhere else so I could examine it. It is indeed a snapshot from my webcam although the feature is either intentionally underexposed as some sort of encryption or slightly flawed in that the images are quite dark. Nevertheless, that can certainly be fixed with some simple image editing I was able to see the room around me in photoshop and possibly they are auto fixed when arriving at the JSS.

In defense of the current deployment I found a Jamf KB about it which seems to mentioned you could not deploy the sendImageCapture.sh and that script is in fact not deployed by our JSS means they probably thought about this and decided not to. The problem is that that script is only one line which executes:

/usr/sbin/jamf sendImageCapture

meaning it is essentially just an alias for something that is already deployed on every computer controlled by JAMF and it can be both locally and remotely executed by the casper user or any other admin user on the machine. Once again: I am in no way suggesting it is being used.

The strange part is that unlike all of the other Jamf functionality it reports nothing in either the system or jamf.log when fired but reports: Uploading /private/tmp/snapshot.jpg to the JSS_URL ... to stdout. Additionally, this feature is not listed when you use /usr/sbin/jamf help which lists all the other jamf commands.

I could not find anything referencing the microphone or sound but I am not assured that does not exist. I assume they would not have this as it would be totally illegal to record randomly without consent.

Don't worry. I am not keeping it.


After with nothing

We went on our annual clothing shopping spree. I bought a pair of
boxers especially for my favorite holiday. Now to hope it's warm out,
it's so freaking soon.