Submit Hint Search The Forums LinksStatsPollsHeadlinesRSS
14,000 hints and counting!

Take iSight snapshots during invalid login attempts Laptop Macs
With the new MacBook Pro's including built-in iSight cameras, I thought it would be useful to take an iSight snapshot of anyone trying to break into my laptop. This is done by tailing /var/log/asl.log for invalid login attempts (both at the login screen and screen saver). I have created an authsight program (1.5KB download) that provides a monitoring daemon which calls the camera after an invalid login attempt, and also includes a launchd manifest. An iSight command line tool named iSightCapture is also required.

It would not be too difficult to modify this tool to call home and even email photos should a laptop be stolen.

[robg adds: I haven't tested this one, but there are easy install/uninstall instructions in the package.]
    •    
  • Currently 2.54 / 5
  You rated: 2 / 5 (13 votes cast)
 
[155,638 views]  

Take iSight snapshots during invalid login attempts | 73 comments | Create New Account
Click here to return to the 'Take iSight snapshots during invalid login attempts' hint
The following comments are owned by whoever posted them. This site is not responsible for what they say.
Take iSight snapshots during invalid login attempts
Authored by: steveonamac on Dec 12, '06 12:32:39PM

not being a shell person, this was in fact kinda difficult for me to get going. But i have a log showing now in Geektool that will record the invalid attempts, but no pictures in the folder. The log says

Tue Dec 12 13:01:27 2006 authsightd[1042] /var/log/authfail/steve_12_12_2006_13:1:27.jpg
Tue Dec 12 13:01:29 2006 authsightd[1042] CAPTURE ON [Time 2006.12.12 19:01:28 UTC] [Facility authpriv] [Sender com.apple.SecurityServer] [PID -1] [Message authinternal failed to authenticate user steve.] [Level 3] [UID -2] [GID -2] [Host Steves-iMac-G5-2]
Tue Dec 12 13:01:29 2006 authsightd[1042] /var/log/authfail/steve_12_12_2006_13:1:29.jpg

i see there is a path for the pics, but none there. Any thoughts?

Thanks!



[ Reply to This | # ]
Take iSight snapshots during invalid login attempts
Authored by: johnlunney on Dec 12, '06 01:35:31PM

I haven't tried this out, but I see colons in the path, that's never good.



[ Reply to This | # ]
Take iSight snapshots during invalid login attempts
Authored by: JohnnyMnemonic on Dec 12, '06 03:11:14PM

you probably will find that you need to add write permissions to that folder for people besides root. As it was moved into the /var/log directory, it appears to have inherited drwxr-xr-x; just "sudo chmod g+w /var/log/authfail', and then ls -al /var/log | grep authfail.

It should now say:
drwxrwxr-x 6 root wheel 204 Dec 12 14:07 authfail

OTOH, I would like to have this triggered by the presentation of the login box, not just a password attempt. In short, I'd like to see who's trying to wake my screen, not guess my password. Anyone know how to change the watcher to make this happen?

Thanks!



[ Reply to This | # ]
Take iSight snapshots during invalid login attempts
Authored by: superfly on Dec 12, '06 03:29:39PM

You can change the script to watch for "Showing Login Window" instead of "failed to authenticate user". That message appears when you log out, though, so you'll have lots of pictures.

Also, /var/log/secure.log is a lot easier to read than /var/log/asl.log.



[ Reply to This | # ]
Take iSight snapshots during invalid login attempts
Authored by: mr007 on Dec 12, '06 03:43:15PM

What about a combination of show login window and failed to authenticate user? I dont wanna have pictures of me all over the place as soon as i wake my MBP up from screensave mode, I just want shots of those who wake it up and try to gain access through the login window that pops up. Something similar to what Deskshade does with its log after the screen has been locked, but with pics!

Any ideas?



[ Reply to This | # ]
Take iSight snapshots during invalid login attempts
Authored by: superfly on Dec 12, '06 03:57:52PM

I'm not sure. My screen saver hardly ever gets used.

You could simulate someone trying to break in, and then see what's in the log files. If you can find messages that occur then, and not when you're just normally using the machine, you can change the script to watch for them.



[ Reply to This | # ]
Take iSight snapshots during invalid login attempts
Authored by: raider on Dec 12, '06 04:27:04PM

What you want is not actually a combination of failed login attempts and show login window - but instead the combination of show login window and LACK of successful login.

So take a picture whenever the show window occurs, but delete the picture if there is a successful login.



[ Reply to This | # ]
Take iSight snapshots during invalid login attempts
Authored by: bradfantin on Apr 12, '07 04:07:14PM

i got a way to make this work. i got a simple program to turn on invisable files. then i located var/logs/authfail and in that foler there were the pictures, only problem was youd have to view these under invisable files, witch are kinda confusing. a simple automator workflow can resolve this by geting finder items, and compying them to your desktop. this way when u log in run the workflow open up the copy of that invisable folder wiht the pics, and throw the copy away so no one gets any ideaas :P



[ Reply to This | # ]
Auto checking!
Authored by: meatmcguffin on Dec 12, '06 02:18:40PM

Enable folder actions for var/log/authfail and add the 'new items' script to it

When you login successfully, a window will pop up and inform you that you have new pictures of sneaky people



[ Reply to This | # ]
Auto checking!
Authored by: mr007 on Dec 12, '06 03:40:36PM

Either that or you can just set the path for the iSight shots as the desktop, that way you see everything there right after a successful login.



[ Reply to This | # ]
Take iSight snapshots during invalid login attempts
Authored by: lgc90 on Dec 12, '06 03:21:10PM
The Readme isn't all that helpful:

"To Install:

1. Install isightcapture into /opt/local/bin (or some other useful path)
isightcapture can be found here: http://www.intergalactic.de/hacks.html
NOTE: Be sure to update the path, if different, in the authsightd script

2. Install authsightd into /usr/libexec/
3. Install authsightd.plist into /Library/LaunchDaemons
4. Run: sudo launchctl load /Library/LaunchDaemons/authsight.plist"

Well, I'm already screwed. I have no idea where "/opt/local/bin" is. Anybody care to help out a computer illiterate?

[ Reply to This | # ]
Take iSight snapshots during invalid login attempts
Authored by: mr007 on Dec 12, '06 03:37:13PM

You actually don't need to find opt/local/bin at all. Just find yourself a location where you're confortable keeping the script, and modify the path within authsightd. This cab ne easily done with TextMate or a similar program.

Now, the other two files do need to go where they're telling you to put them. For that, you need to be able to see the hidden folders inside your system.

Use something like this to enable that:

defaults write com.apple.Finder AppleShowAllFiles YES

You'll have to restart the Finder after that Terminal command has been executed.

Have fun, i've tested it myself and it works like a beauty. I'm highly interested in seeing who wakes my MacBook Pro as well.... anyone know how to do that?

Cheers.

Mikel



[ Reply to This | # ]
Take iSight snapshots during invalid login attempts
Authored by: mark hunte on Dec 13, '06 02:17:53AM

You can get to hidden folders by the 'Go' finder menu. just put in the /unix/path/. You not need to do show hidden.

---
mh



[ Reply to This | # ]
Take iSight snapshots during invalid login attempts
Authored by: rspeed on Dec 13, '06 10:04:57PM

There's an installer now, it does this all for you.



[ Reply to This | # ]
This is now a Package
Authored by: jzdziarski on Dec 12, '06 05:22:58PM

All-

I have re-released this as a package file, to make installation painless. Same URL. Let me know if there are any problems.

JZ



[ Reply to This | # ]
This is now a Package
Authored by: lgc90 on Dec 12, '06 09:36:57PM

Thanks. It works flawlessly now. I hate to do this to you, but before, I was able to modify the target folder in isightcapture from authfail to the desktop, but when using this package instead, isightcapture doesn't even exist. Is there any way I can make this change now?



[ Reply to This | # ]
This is now a Package
Authored by: steveonamac on Dec 13, '06 05:54:46AM

How did you change the default location? That might be a possible solution to my problem (it records the incident fine, but not images in the folder - see first post on this hint).

Thanks



[ Reply to This | # ]
This is now a Package
Authored by: lgc90 on Dec 13, '06 03:56:55PM

Actually, I think I made the change in authsightd. The string for save location of the picture was set to some hidden folder. I just changed the path to my desktop, but now I can't find authsightd or isightcapture.



[ Reply to This | # ]
This is now a Package
Authored by: Casemon on Dec 12, '06 10:04:47PM

This is a great idea. Agree that email support would be ideal (maybe via the Automator script MattMMatt posted?).

Also, this little app is useless if the intrepid attempts access in the dark. The cmd line capture utility doesn't flash the screen first (like in Photobooth) so photos appear black if taken without ambient lighting (+/- screen brightness settings).

Initial post mentions an uninstall option? Where is this? I couldn't find it by running installer again.



[ Reply to This | # ]
Take iSight snapshots during invalid login attempts
Authored by: macuser1960 on Dec 12, '06 07:55:06PM

Thanks JZ. It's working great.

Now, I belive that many people have a question ;
Your MBP is stolen and when thief tried to login, "authsight" took his photos but all of them are staying inside the drive.

Is there a way that "authsight" posts the photos to our e-mail or iDisk ?



[ Reply to This | # ]
Take iSight snapshots during invalid login attempts
Authored by: ManasTungare on Dec 15, '06 08:56:45PM
I had written a script to do this a few months ago. It took screenshots (but no iSight captures), but the change to include iSight captures is only slight. It's open source, and all you need is PHP on the server.

[ Reply to This | # ]
Auto View the Photos
Authored by: MattMMatt on Dec 12, '06 08:47:54PM
I just posted to my blog an automater program that checks the folder for new pictures and displays them.
View the post here.

[ Reply to This | # ]
Take iSight snapshots during invalid login attempts
Authored by: Sora15 on Dec 12, '06 10:36:23PM

Ok, I have no idea what I am doing. Some Help. Please.



[ Reply to This | # ]
Take iSight snapshots during invalid login attempts
Authored by: sapporo on Dec 13, '06 02:15:01AM
That's a great idea, and would probably make for a nice product if you polished it for end users:
  • Make it easily installable
  • Make configuration easy by providing a System Preferences pane
  • Allow sending the photo via email/http/ftp
    • If you can't connect to the internet, send photo as soon as connectivity is restored
  • Flash screen before taking photo
  • Make sure to record as much additional info as possible
    • Timestamp (might already be in EXIF data)
    • Available WLAN SSIDs


[ Reply to This | # ]
Take iSight snapshots during invalid login attempts
Authored by: apenstaartje on Dec 13, '06 06:31:26AM
You a product like this company made:
http://orbicule.com/

:)

[ Reply to This | # ]
Take iSight snapshots during invalid login attempts
Authored by: morespace54 on Jan 10, '07 11:23:02AM

Yes and maybe some GPS coordinates... (or a URL to the Google map?)

"So this is the guy who stole my laptop. Where is he now? No clue. He could be in New-York or Bejing... Or somewhere in between..." ;-)



[ Reply to This | # ]
Take iSight snapshots during invalid login attempts
Authored by: themacthinker on Dec 13, '06 10:23:45AM
This is reallly good stuff. It would be nice to wrap it all up with an automator script that would email the pics and such...
--------
www.mostofmymac.com

[ Reply to This | # ]
Take iSight snapshots during invalid login attempts
Authored by: dionysus on Dec 13, '06 12:01:30PM

Anybody have any info on how to uninstall. I assumed that the installer would drop some relevant documentation as the info indicated it included easy install/uninstall info, but I can't see anything of the sort.



[ Reply to This | # ]
MacLoJack
Authored by: jzdziarski on Dec 13, '06 12:48:33PM
[My first post didn't show up for some reason, so here it is again]

You asked for it, now here it is. Presenting MacLoJack
http://www.zdziarski.com/projects/maclojack/

JZ

[ Reply to This | # ]
MacLoJack
Authored by: tyip on Dec 13, '06 11:11:17PM

This is SUPER. Thanks so much.



[ Reply to This | # ]
MacLoJack
Authored by: rspeed on Dec 13, '06 11:35:08PM

Well done! Very simple, but effective.

Would you be opposed to me making a PHP port of the server?



[ Reply to This | # ]
Take iSight snapshots during invalid login attempts
Authored by: gmacerola on Dec 13, '06 03:46:03PM

I too would like to know how I can uninstall this.....I have no idea what it is doing...I see it taking my pic when I type the password wrong, but alas, no authfail folder, and no pics....I guess I would just like to know how to uninstall....

email is: gmacerola@gmail.com



[ Reply to This | # ]
To Uninstall...
Authored by: jzdziarski on Dec 13, '06 04:11:32PM

sudo launchctl stop com.zdziarski.authsight
sudo launchctl unload /Library/LaunchDaemons authsight.plist
sudo rm -f /Library/LaunchDaemons/authsight.plist
sudo rm -f /usr/libexec/authsightd
sudo rm -f /usr/libexec/isightcapture
sudo rm -rf /var/log/authfail
sudo rm -f /var/log/authsight.log



[ Reply to This | # ]
Take iSight snapshots during invalid login attempts
Authored by: HintsAnon on Dec 13, '06 05:10:20PM

if someone can email me back on this thatd be great.

I installed the software, tested it and it works. Now, where do i go to find the pictures that were taken????

bandgeekmo@yahoo.com



[ Reply to This | # ]
Take iSight snapshots during invalid login attempts
Authored by: rspeed on Dec 13, '06 10:23:00PM

The photos are put in /var/log/authfail/.



[ Reply to This | # ]
Take iSight snapshots during invalid login attempts
Authored by: keyslapper on Dec 14, '06 06:32:26AM
If emailing an image is preferred, it might also be worth scripting a traceroute back to your mail server or home system to get as much info as possible about the whereabouts of the laptop.
A simple whois on the IP the traceroute is coming from should lead you right to the system.
There are probably a number of other useful things you can script the system to do that would tell you where your laptop is. If the culprit makes the mistake of attempting a login within range of an open wireless hotspot, you can get loads of information about that nework (for informational purposes, of course).

It would also be cool to pop the culprit's pic up on the screen and let them know that their pic has been emailed to its owner and unless they return the system undamaged immediately, the pic goes to the police. Of course, that assumes they can be intimidated, and it assumes it's even possible to override the login screen.

[ Reply to This | # ]
Take iSight snapshots during invalid login attempts
Authored by: jzdziarski on Dec 14, '06 08:50:23AM

I was curious about this - if a macbook is actually "online" at the main login prompt, or if it waited for a user to log in before bringing up any wireless interface. What if there are three or four different networks? Will it just jump on any one? It usually prompts the user, so if they're not logged in I wasn't sure how it would act. If it does indeed go online before a user logs in, this will make maclojack much more useful to those who lock their mac down.



[ Reply to This | # ]
Take iSight snapshots during invalid login attempts
Authored by: macEroni on Dec 15, '06 12:55:33PM
Greetings,

Nice hint! I'm less worred about loosing my laptop, as it doesn't leave home very much. But I have been wondering how to hook into a failed login attempt in order to play a sound.

I've got Play Sound installed (http://MicrocosmSoftware.com/playsound/) and have associated this as the default application for some star trek .wav fille sounds that I got on the internet. I've placed these in a folder in /Users/Shared/star trek sounds/. (I'd be happy to know if there's a better way to simply play a sound file from the command line)

Next, I modified the action line in the perl script to:

my($result) = `open "/Users/Shared/star trek sounds/Computer - access denied.wav"`;

(I'm not a real perl programmer, I just play one on TV.).

My son and I enjoy having the Star Trek computer voice announce "Access denied" on a failed login or wake up attempt. We've set an "Access granted" sound to play as a login item. It would be fun to hook star trek sounds into other events as well.

In the old days, there were several programs that would let you do such things under OS 9. There are one or two of these for OS X, but these are generally limited and I couldn't find one with a hook for failed login attempts.

Have fun!

....Dave

---
Real nice guy.

[ Reply to This | # ]

Also captures for failed remote logins
Authored by: chenga on Dec 15, '06 08:50:52PM

An interesting side effect is that authsight took my picture when I was logging into my MBP via FTP from my Windows box (MBP sits right next to the desktop). I was wondering why all the photos popped onto my desktop (where I have them routed) and asl.log confirmed "failed FTP login" from my Windows machine. The failure came from forgetting to put my login name before the IP address xxxx@192.168.1.3 and then authenticating. Apparently trying to log-in anonymously will trigger the asl.log and thus authsight.

Not sure if there's any good reason to change the program to prevent this from happening, but obviously taking a photo of what's in front of the Mac on a failed remote login doesn't do you much good.



[ Reply to This | # ]
no activity if user does not exist
Authored by: macnixer on Dec 16, '06 09:19:42AM

I have set the login screen to dsplay the textbox for login name instead of pictures. Now the problem is authentication failure would happen if and only if a valid user id was used with a bad password. asl.log doe not log events where the user does not exist. How eles do you think the user could get in.

The firmware password is a must setup for all laptop users else all kinds of settings and prtection are useless as a thief could just wipe the drive.



[ Reply to This | # ]
Take iSight snapshots during invalid login attempts
Authored by: joet3ch on Dec 18, '06 05:22:00PM

Im looking for a solution to have the picture auto emailed... Any ideas?

Thanks
-joe



[ Reply to This | # ]
Take iSight snapshots during invalid login attempts
Authored by: smactron on Dec 21, '06 11:21:21AM

Hi there,
How can I make an addition to have the iSight take a photo every x minutes and also at startup and shutdown (or rather as soon as the ability to use AuthSight loads during startup and right before it stops during shutdown)? I have no programming experience but would love to improve this hack by including that option.

On a side-note, with AuthSight and iSightCapture ever support the iSight's movie-recording capability?



[ Reply to This | # ]
Take iSight snapshots during invalid login attempts
Authored by: sam_always on Jan 10, '07 06:53:28AM

cool... everything is working fine with my macbookpro....

1 more problem.... i am not able to delete the images inside the authfail folder. Please advise. thanks



[ Reply to This | # ]
Having a ton of trouble
Authored by: HintsAnon on Feb 02, '07 07:17:44PM

Ok. I'm not as computer savvy as you guys so when you're explaining this to me explain it like you're explaining it to your mother.

I installed the original program and couldn't find the files. (the picture files for the invalid logins). So then I just downloaded that application called bad login that pulls all of the files up again and displays all of them in preview. So now I can see them all now. But... when I try to take screen shots on my computer now they don't save to the desktop and I have no idea where they are and I want to be able to delete these old failed login attempts AND I don't understand how to uninstall this thing if I wanted to because I don't understand the gibberish written up above. PLEASE HELP ME!!!



[ Reply to This | # ]
Take iSight snapshots during *VALID* login attempts
Authored by: rpechler on Feb 24, '07 06:16:02PM

I was trying to figure out how to modify this to take pictures at any login... but I think it would require a change to authsightd, but not sure. Anyone find a way to do this?

Thanks, Rex



[ Reply to This | # ]
Take iSight snapshots during invalid login attempts
Authored by: unforeseen:X11 on Jul 01, '07 12:39:39PM

Stopped working for me with OS X 10.4.10. Any solutions in sight?

---
this is not the sig you`re looking for.



[ Reply to This | # ]
Take iSight snapshots during invalid login attempts
Authored by: tehrob on Jul 01, '07 05:26:32PM

I have had the same problem, and the app does work if run from the command line.

If you just type in:

$: /usr/libexec/authdightd

and leave the terminal window open, the picture is captured upon invalid login attempts. (through fast user switching for test purposes)

Unfortunately, the plist file stored in the /Library/LaunchDaemons folder does not seem to actually be loading at boot.

If anyone has an alternate way to run at boot, it would be very much appreciated. I have tried to contact the developer twice via email and have gotten nothing in response.

Thanks!



[ Reply to This | # ]
Take iSight snapshots during invalid login attempts
Authored by: rosshettel on Jul 02, '07 10:58:36AM

Yeah, it stopped working for me too. I uninstalled it and tried reinstalling the package again, but now the package keeps telling me that there's an error and it can't continue. Wish I knew what exactly that error is though. I emailed the author just now, so if I hear anything I'll post here.



[ Reply to This | # ]
Take iSight snapshots during invalid login attempts
Authored by: tehrob on Jul 02, '07 01:39:30PM
The author has de-install instructions on his sight.

http://www.zdziarski.com/projects/authsight/

plus I think that package is a bit more updated than the one here. it includes email support that I haven't gotten to work even when propperly installed yet.

the only other thing I would do is look in your recipts foder and delete the install recipt for authsight. It is at:
/Library/recipts/AuthSight.pkg

If I delete that I get install as an option again, rather than update.

Also, if you try and install an earlier version on top of the newer 1.4 version you get a error saying there is nothing to install.

Still trying to get it to load at boot some other way, including via the StartupItems folder, which has been a learning experience, nothing working so far.

[ Reply to This | # ]
Take iSight snapshots during invalid login attempts
Authored by: rosshettel on Jul 03, '07 07:00:07AM

Thanks for that receipt tip. I thought I had deleted it, I followed those instructions, but it turns out I just must've missed it.

So anyways, I dot it installed again, and I'm at the same place you are; it'll work if I leave it running in the terminal.

However, it returned "FATAL: graphics exporter failed" and there's no picture saved. Now, I have MacLoJack installed too, and I just noticed that the iSightCapture isn't working either. Is there something in 10.4.10 that broke iSightCapture too?



[ Reply to This | # ]
Take iSight snapshots during invalid login attempts
Authored by: tehrob on Jul 03, '07 03:20:36PM

i believe that error comes up if it doesn't have permission to, or there is no directory to put the captured file in. I have seen it before myself.



[ Reply to This | # ]
Take iSight snapshots during invalid login attempts
Authored by: rosshettel on Jul 04, '07 02:18:46PM

Yeah, I just needed to fix permissions and that did it. Thanks. Still didn't fix isightcapture in maclojack though. it seems that permissions arent whats wrong



[ Reply to This | # ]
Take iSight snapshots during invalid login attempts
Authored by: rblok on Jul 03, '07 10:24:39AM

1. isightcapture is working only with sudo, was it the same way in 10.4.9?
2. authsightd says not able to authenticate user
Think they changed something in com.apple.SecurityServer, can't be in SecurityUpdates, i think i installed all of them before 10.4.10

Who knows how to downgrade to back to 10.4.9?



[ Reply to This | # ]
Take iSight snapshots during invalid login attempts
Authored by: rosshettel on Jul 04, '07 01:48:22PM

ive gotten isightcapture to work without sudo. i think they did change something in 10.4.10. havent heard anything from the programmer though.

hopefully theres a way to fix it, id prefer not to go back down to 10.4.9, i just got insomnia working with .10



[ Reply to This | # ]
Take iSight snapshots during invalid login attempts
Authored by: rosshettel on Jul 04, '07 02:02:41PM
I was poking around the logs and found this in asl.log:
[Facility launchd] [Sender launchd] [PID -1] [Message com.zdziarski.authsight: exited: Terminated] [Level 5] [UID -2] [GID -2] [Host Lucy]
and I found the part you were talking about not authentcaiting user in authsight.log:
CAPTURE ON [Time 2007.07.03 13:55:32 UTC] [Facility authpriv] [Sender com.apple.SecurityServer] [PID -1] [Message authinternal failed to authenticate user rosshettel.] [Level 3] [UID -2] [GID -2] [Host Lucy]
Hopefully this helps.

[ Reply to This | # ]
Take iSight snapshots during invalid login attempts
Authored by: rblok on Jul 04, '07 02:11:10PM

thats the point where i stuck to: is the problem a changed security server or an other isight-usb-id?? in fact: isightcapture stopped working in 10.4.10 thats why authsight don't work anymore.
Today i tried to downgrade and installed 10.4.9 with pacifist - very very bad idea, aqua stopped from starting and it ends in fullscreen terminal



[ Reply to This | # ]
Take iSight snapshots during invalid login attempts
Authored by: kme on Jul 08, '07 08:49:57PM
I'm also in the same boat. Reading from STDERR when `authsightd' calls `isightcapture' I see this error:
FATAL: setting data channel failed - cam busy/not connected ?
Haven't quite figured out why yet though...

[ Reply to This | # ]
Take iSight snapshots during invalid login attempts
Authored by: tehrob on Jul 09, '07 02:12:06AM

I encountered this when the program was already running, and then running it again.

Might be something else for you, but try quiting the program, and then attempting to incorrectly login again.



[ Reply to This | # ]
Take iSight snapshots during invalid login attempts
Authored by: teja on Jul 10, '07 08:59:30AM

(This is my first post on macosx hints!)

I am presently running OS X 10.4.10. I can successfully run isightcapture without sudo and I changed permissions of /var/log/authfail as suggested earlier in the thread. Inspite of all these changes, I still wont get any pictures in the /var/log/authfail folder. When I checked the log file, I found

Tue Jul 10 19:32:41 2007 authsightd[33] CAPTURE ON [Time 2007.07.10 14:02:41 UTC] [Facility authpriv] [Sender com.apple.SecurityServer] [PID -1] [Message authinternal failed to authenticate user ravitejasukhavasi.] [Level 3] [UID -2] [GID -2] [Host RaviTeja]
Tue Jul 10 19:32:41 2007 authsightd[33] /var/log/authfail/ravitejasukhavasi_7_10_2007_19_32_41.jpg

and when I manually started the daemon from terminal and simulated an incorrect login (by switching users), I got

FATAL: setting data channel failed - cam busy/not connected ?

I loved the idea behind authsight and will be grateful if someone can help me get this working on my m/c too!



[ Reply to This | # ]
Take iSight snapshots during invalid login attempts
Authored by: tehrob on Jul 10, '07 09:04:40PM
Well, from the horses mouth:

http://www.zdziarski.com/projects/authsight/

NOTE: AuthSight does not work with OSX 10.4.10. I have no plans to further support this tool until Apple replaces the crippled LCD display in my notebook capable of displaying only 242K colors in spite of their false advertising.

[ Reply to This | # ]
Take iSight snapshots during invalid login attempts
Authored by: teja on Jul 12, '07 04:01:22AM

Can someone please explain how I can get authsightd working on OS X 10.4.10?



[ Reply to This | # ]
Take iSight snapshots during invalid login attempts
Authored by: teja on Jul 12, '07 04:25:18AM

I know no scripting. Can someone please help me get authsight working on OS X 10.4.10?



[ Reply to This | # ]
Take iSight snapshots during invalid login attempts
Authored by: a_calder on Oct 03, '07 09:12:11PM

Anyone know what the obstacle to get this working in 10.4.10? I'd love to get this going.

A.



[ Reply to This | # ]
Take iSight snapshots during invalid login attempts
Authored by: r00st3r on Oct 16, '07 04:25:03PM
The maker of iAlertU has camcapture which is very similar though the big difference is that it works with 10.4.10 (well at least for me it does on a dual 450MHz G4).

http://www.slappingturtle.com/home/

I am currently in the process of creating a custom shell script that will execute at login/screensaver disable/wake from sleep and take a picture of the person and a screenshot after a set time and then email the whole "kit 'n kaboodle" to the owner/concerned party/spying techie (the later is highly less likely ;) ).



[ Reply to This | # ]
Take iSight snapshots during invalid login attempts
Authored by: =RS= on Nov 20, '07 07:47:07AM

For me authsight is working again with 10.4.11
So Apple seems to have repaired something :)



[ Reply to This | # ]
Take iSight snapshots during invalid login attempts
Authored by: zimmerleut on Mar 26, '08 05:40:35AM

unfortunately, all the links seem to be broken. does anybody still have the files etc? else this hint could be taken down :(



[ Reply to This | # ]
Take iSight snapshots during invalid login attempts
Authored by: sstarr on Sep 04, '08 06:38:33AM
The iSight capture script has moved here.

[ Reply to This | # ]
Take iSight snapshots during invalid login attempts
Authored by: garrettc134 on Nov 10, '08 04:58:27PM

How do you use this for leopard?



[ Reply to This | # ]
Take iSight snapshots during invalid login attempts
Authored by: squareSquirrel on Dec 24, '08 03:01:10PM
I know this is an old thread, but I started doing some digging of my own in my pursuit to find a way to protect my mac.

I thought the ideal scenario would:
- run an application at boot
- take snapshots using iSight at regular intervals
- take screenshots of the desktop
- store images locally and send them via ftp

So, I used Automator to create a workflow that does just that.
You can find more info here.

There's a lot of room for improvement and I would love to get some feedback and/or help.

Thanks

[ Reply to This | # ]
Take iSight snapshots during invalid login attempts
Authored by: developer1 on Jun 20, '10 11:24:02AM

You can download app "MacinLock" from www.kasuminoco.com



[ Reply to This | # ]
Take iSight snapshots during invalid login attempts
Authored by: miuki on Aug 29, '10 12:52:27PM

www.kasuminoco.com isn't available. I've downloaded macinlock from www.macinapp.com. But it's really doesn't work with 10.4



[ Reply to This | # ]
Take iSight snapshots during invalid login attempts
Authored by: james94 on Mar 27, '11 10:39:29AM

Hey guys,
I downloaded the file but it is a .tar file, i have no idea what to do from there. any help will be appreciated. Thanks in advance

James



[ Reply to This | # ]
Take iSight snapshots during invalid login attempts
Authored by: corosou on Feb 25, '13 01:51:22PM

Seems a lot of people are still looking to do, so here is a very simple procedure that will get this working on Mountain Lion and can easily be modified for older versions.

***Mac OS X iSight snapshot email on failed login attempts***

This script will take a snapshot on failed login attempts, email it to my main email account, and also send a text-over-email message, letting me know someone is currently trying to login to my laptop, to my Verizon Wireless cellphone using the email address: ##########@vtext.com. If you're not on Verizon, you'll need to find what your phone's email is.

*Requirements: Gmail account to send mail with and ImageSnap (http://iharder.sourceforge.net/current/macosx/imagesnap/)

1) Download and install ImageSnap:
Copy “imagesnap” executable to /usr/local/bin

*Note: I suggest creating a new gmail account that will be used below to send mail from, so you don’t have to specify your main account password in the sasl config.

2) Append the following lines to the bottom of /etc/postfix/main.cf:
relayhost=smtp.gmail.com:587
smtp_sasl_auth_enable=yes
smtp_sasl_password_maps=hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options=
smtp_use_tls=yes
smtp_tls_security_level=encrypt
tls_random_source=dev:/dev/urandom

Create /etc/postfix/sasl_passwd and populate following example below:
smtp.gmail.com:587 account@gmail.com:password

Then run:
postmap /etc/postfix/sasl_passwd; chmod 600 /etc/postfix/sasl_passwd*
postfix stop
postfix start

4) Enable logging failed login attempt to a separate logfile by appending the lines below to the bottom of the /etc/asl.conf file:
# Facility loginwindow gets saved in loginwindow.log
? [= Sender loginwindow] file /var/log/loginwindow.log mode=0640 format=bsd

Restart syslogd:
sudo launchctl unload /System/Library/LaunchDaemons/com.apple.syslogd.plist
sudo launchctl load /System/Library/LaunchDaemons/com.apple.syslogd.plist

5) Create /usr/local/bin/invalid_login_snap.sh and populate following example below:
#--Begin Script--
#!/bin/bash

PATH=/usr/sbin:/sbin:/usr/local/sbin:/usr/local/bin:/var/root/bin:/opt/ActivePython-2.6/bin:/usr/sbin:/sbin:/usr/bin:/bin:/usr/X11R6/bin
export $PATH

email=username@gmail.com
cell=555858555@vtext.com

runcheck=`ps -ef|grep -v grep|grep 'tail -f /var/log/loginwindow.log' > /dev/null;echo -n $?`

if [ $runcheck != 0 ];then
nohup tail -f /var/log/loginwindow.log| awk '/The authtok is incorrect/ {system("imagesnap /var/tmp/.snap.jpg > /dev/null; cat /var/tmp/.snap.jpg\|uuencode snap.jpg\|mailx -s \"Macbook Invalid Login Attempt\" $email; echo \"Someone Is Trying To Log Into Your Macbook Check Gmail for Snapshot\" \|mailx -s \"Macbook Invalid Login Attempt\" $cell; rm -f /var/tmp/.snap.jpg")}' &
fi
#--END SCRIPT--
*Note: Be careful to copy the lines above exactly as defined, specially the “, ‘, and \ characters.

Run: chmod a+x /usr/local/bin/invalid_login_snap.sh

Edit cronjob for script to run continuously:
sudo crontab -e

And append to the bottom of the file:
* * * * * /usr/local/bin/invalid_login_snap.sh

Save and exit.

To test: Press “Ctrl-Shift-Eject” to start screensaver and wait for screen lock. Test trying to login with an invalid password, it should take a snapshot and email you the picture.

*Note: This is very raw and not very pretty looking, but it is 100% working for me, and that's all that matters. If you run into problems and can't figure it out, then you need to familiarize yourself a bit better with shell scripting.

Gluck!



[ Reply to This | # ]