
How can I tell if my boss' spyware transmits audio?
May 2, 2012 2:51 PM

I think my boss is spying on me with screen sharing. That's...understandable, or at least discussed in our contract. But I want to make sure it's not capturing audio. How can I check...without using the work computer?

So, sometimes my boss has to go away and I use a laptop and work from home. Mac OS X Lion. He mentioned there would be monitoring software on it. I have reason to believe it's eblaster, which hides all its support and descriptions unless you bought a copy.

He also mentioned before this time away that he had no way of doing screen sharing, which we sometimes have to do.

But today he slipped up and made the computer move while I was getting a yogurt, and then immediately asked me if I was working at the computer.

Okay, fine. Work computer, no expectation of privacy on it. BUT considering how secretive he was about not telling me about the fact, lying that he didn't have the capability that he did have, I would like some assurances that it's not transmitting audio. How would I go about checking that? Of course I can't do too much on the computer but I have other Macs available.

I assume packet sniffing, but I've never used any and wouldn't know what to look for so the more detailed you could be, the better. Especially since I can't respond easily.
posted by anonymous to Computers & Internet (11 answers total) 3 users marked this as a favorite

I'm assuming you only have user-level access rights to this computer. If not, you need someone with a Linux machine and the tcpdump packet sniffing software (there are Windows equivalents, but I'm not too familiar with them).

This machine needs a network interface capable of running in what's called 'promiscuous mode,' which is where the hardware reports ALL packets that it sees (not just those addressed to that computer). Then you need to plug both your work laptop and this Linux machine into a non-switched hub, and run tcpdump on the sniffing machine to see what kind of traffic is being sent by your laptop.

All of this requires a fairly high degree of understanding of how networking works at a technical level; in other words, it's not something I can explain to you in the scope of an askme answer. Find a Linux geek or someone with a computer science degree to help you with this. If you don't know someone, maybe try your local Linux user's group (LUG).
posted by axiom at 3:06 PM on May 2, 2012 [1 favorite]
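
An added example, not part of axiom's answer: once tcpdump is running on the sniffing machine, its text output can be summarized per destination to see where the laptop sends data and whether the flow is continuous or bursty. The capture lines are constructed (shaped like `tcpdump -nn -tt` output), and `summarize`, `duty` and all addresses are names and values assumed for illustration.

```python
import re
from collections import defaultdict

# Text output of `tcpdump -nn -tt`: epoch timestamp, "IP src.port > dst.port:", "length N".
LINE = re.compile(r"^(\d+\.\d+) IP (\S+)\.(\d+) > (\S+)\.(\d+): .*length (\d+)")

def summarize(capture_text, laptop_ip):
    """Per remote endpoint, total payload sent by laptop_ip and how steadily it flowed."""
    flows = defaultdict(lambda: {"bytes": 0, "seconds": set()})
    for line in capture_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        ts, src, _sport, dst, dport, length = m.groups()
        if src != laptop_ip or int(length) == 0:
            continue  # skip inbound packets and bare ACKs
        flow = flows[(dst, int(dport))]
        flow["bytes"] += int(length)
        flow["seconds"].add(int(float(ts)))
    report = {}
    for endpoint, flow in flows.items():
        span = max(flow["seconds"]) - min(flow["seconds"]) + 1
        report[endpoint] = {
            "bytes": flow["bytes"],
            "span_s": span,
            # Assumed heuristic: share of seconds that carried payload.
            # Near 1.0 suggests a continuous stream, near 0 periodic bursts.
            "duty": len(flow["seconds"]) / span,
            "avg_bytes_per_s": flow["bytes"] / span,
        }
    return report

def constructed_capture():
    """Constructed sample, not a real capture: one steady flow, one bursty flow, noise."""
    t0, me = 1335991860, "192.168.1.23"
    lines = [f"{t0 + i}.000100 IP {me}.49712 > 203.0.113.10.8080: "
             f"Flags [P.], ack 1, win 4096, length 400" for i in range(60)]
    lines += [f"{t0 + i}.500000 IP {me}.49650 > 198.51.100.7.443: "
              f"Flags [P.], ack 1, win 4096, length 1448" for i in (0, 30, 59)]
    lines.append(f"{t0 + 5}.100000 IP 203.0.113.10.8080 > {me}.49712: Flags [.], ack 401, win 229, length 0")
    lines.append(f"{t0 + 6}.100000 IP {me}.49712 > 203.0.113.10.8080: Flags [.], ack 1, win 4096, length 0")
    return "\n".join(lines)

if __name__ == "__main__":
    for (host, port), s in sorted(summarize(constructed_capture(), "192.168.1.23").items()):
        print(f"{host}:{port} {s['bytes']} B over {s['span_s']} s, duty {s['duty']:.2f}")
```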

Disable the microphone (including physically muffling it) and see if he complains?
posted by Reverend John at 3:07 PM on May 2, 2012

I just looked up eBlaster and noticed that it's accessed through a web interface. You could try port-scanning the Mac from a PC on the local network and see if it shows any signs of hosting a web server.

Also, eBlaster seems to be a monitor that intercepts activity, not a remote control, so if you're certain the computer was remotely operated, eBlaster may not be your (only) culprit. In fact, it's not clear that eBlaster even sees the screen. It mainly seems to be monitoring chat apps, email, browser activity (probably by watching raw http requests, not looking at your screen) and office applications (to make sure you're not printing your novel on the company dime). It doesn't appear to be a remote viewer in the least.
posted by Sunburnt at 3:17 PM on May 2, 2012 [1 favorite]

Er, port scan from another personal computer-- it doesn't have to be a windows PC. Sorry, bad habit.
posted by Sunburnt at 3:19 PM on May 2, 2012 [1 favorite]

It should be possible to switch the "sound input" (go to the Sound system preference) to line-in, and then leave nothing plugged in to the line-in port. If your boss is smart, he'll change this back to "built-in mic", but you can check whether that's happened.
posted by adamrice at 3:21 PM on May 2, 2012 [12 favorites]

Is there an audio equivalent of a laser pointer? Get yourself a good pair of industrial headphones and blare some really obnoxious noise directly into the mic all day one day. See how he responds.
posted by phunniemee at 3:24 PM on May 2, 2012 [6 favorites]

Finding the answer via examining the outgoing packets is both technical and tedious as outlined by axiom above. After looking up e-Blaster, it seems like it takes screenshots every second or so. Part of their ad copy says, "Are your children: Spending too much time on MySpace?" which seems… questionable. As in, these guys don't strike me as being 100% legit.

You don't say how he asked if you were at the computer. Text message? IM? If you find yourself in a position to do it, answer him verbally and ask him a question. "Yeah, I'm here, Boss. Did you hear back on that thing for the Peterson account?"

Also, look for a new job. Life is too short to work for Theory 'X' assholes like your boss.
posted by ob1quixote at 3:26 PM on May 2, 2012 [12 favorites]

I don't think port scanning will reveal anything because eblaster probably initiates an outgoing connection in order to get through your firewall. If that's the case, packet sniffing is the only way you're certain to detect that something mischievous is going on.

Though depending on how well-written eblaster is, you might be able to detect it by opening up a terminal and typing netstat -A inet. This will list all of the TCP/IP connections your computer currently has open. If eblaster is connecting to an outside machine to send its data, the connection should be listed here (assuming eblaster didn't patch netstat to hide itself).
posted by RonButNotStupid at 3:30 PM on May 2, 2012

Keep in mind that your boss can have your IT guy see EVERYTHING you do on the net without access to your machine at all.

I am an IT admin and I can see all traffic going through our internet connection. Pictures, emails, everything.

Also you can set up a VNC server on a person's machine that only shows all activity on it with no keyboard control and set it up as a service.

Any IT person at ANY company can see what you do on the net without touching your machine. Nothing is private on a work machine.
posted by majortom1981 at 7:11 PM on May 2, 2012 [4 favorites]

majortom, I think the unnerving thing would not be what can be seen in terms of computer activity, which I as an employee would expect might happen* but what can be seen and heard that is not in the realm of computer activity.

like this thing that made the news a couple years ago.

I may be missing some nuance of how the working relationship goes, but I think I'd be looking for a job, not because of the legitimate possibility of monitoring or logging, but for the lying and creepy-sounding checking up.

*at least, I would if I weren't the IT guy, and even then I operate under the assumption that my boss could decide to go through the logs if I ever gave him a reason to.
posted by randomkeystrike at 8:05 PM on May 2, 2012

Eblaster has a cache it accumulates somewhere when the Mac is offline, so it can do a document dump when you re-connect. If you can disconnect from the network but generate lots of activity somehow (accessing local files through your web browser) you may find a way to detect the temp-file that starts building up. Heck, it might not be encoded or encrypted in any way, so that a search for files containing phrases that you know it captured from your browser, for example, might turn it up.

Needle in a haystack, I admit. That said, I still don't think it's eBlaster if there was any kind of remote manipulation of the mouse-pointer or app-focus or whatever it is that apparently happened while you were getting yogurt.

RonButNotStupid is right that the eblaster software probably makes an outgoing connection; identifying that connection shouldn't be massively hard, as we can be relatively certain it's an http request to an unexpected (i.e. not 80, 81) port-- Likewise, you can manipulate a firewall at home to not allow any http requests coming in, period, which would stymie any control efforts.
posted by Sunburnt at 8:35 PM on May 2, 2012
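
An added example, not part of any answer above: RonButNotStupid's netstat check and Sunburnt's "unexpected port" test can be combined by parsing the connection list, separating connections made to a listening port on the laptop from connections the laptop opened itself, and keeping only the latter when the remote port is not one you expect. The netstat text is constructed (macOS-style `host.port` columns; the Linux `host:port` form is also accepted), and `classify`, `expected_ports` and all addresses are assumptions for illustration.

```python
def split_addr(addr):
    """Split 'host.port' (macOS/BSD netstat) or 'host:port' (Linux netstat)."""
    sep = ":" if ":" in addr else "."
    host, port = addr.rsplit(sep, 1)
    return host, port

def classify(netstat_text, expected_ports):
    """Return established IPv4 TCP connections as inbound or unexpected outbound."""
    rows = [line.split() for line in netstat_text.splitlines()]
    rows = [r for r in rows if len(r) >= 6 and r[0] in ("tcp", "tcp4")]
    # Local ports with a LISTEN socket: a connection on one of these was opened by the peer.
    listening = {split_addr(r[3])[1] for r in rows if r[5] == "LISTEN"}
    result = {"inbound": [], "outbound_unexpected": []}
    for r in rows:
        if r[5] != "ESTABLISHED":
            continue
        _lhost, lport = split_addr(r[3])
        rhost, rport = split_addr(r[4])
        if lport in listening:
            result["inbound"].append((rhost, int(lport)))
        elif int(rport) not in expected_ports:
            result["outbound_unexpected"].append((rhost, int(rport)))
    return result

# Constructed sample in the layout of macOS `netstat -an`; 5900 is the VNC port.
MAC_SAMPLE = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  192.168.1.23.49712     203.0.113.10.8080      ESTABLISHED
tcp4       0      0  192.168.1.23.49650     198.51.100.7.443       ESTABLISHED
tcp4       0      0  192.168.1.23.5900      192.168.1.50.51544     ESTABLISHED
tcp4       0      0  *.5900                 *.*                    LISTEN
tcp4       0      0  127.0.0.1.631          *.*                    LISTEN
"""

# Constructed sample in the layout of Linux `netstat -an`.
LINUX_SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.23:49712      203.0.113.10:8080       ESTABLISHED
"""

if __name__ == "__main__":
    print(classify(MAC_SAMPLE, expected_ports={80, 443}))
```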
