82 comments

[ 287 ms ] story [ 2205 ms ] thread
(comment deleted)
I just watched the Benn Jordan's video on this. Even if this is just configuration error on some of their cameras this is terrifying and I think they should be held accountable for this and their previous myriad of CVEs.
Flock or their defenders will lock in on the excuse that “oh these are misconfigured” or “yeah hacking is illegal, only cops should have this data”. The issue is neither of the above. The issue is the collection and collation of this footage in the first place! I don’t want hackers watching me all the time, sure, but I DEFINITELY don’t trust the state or megacorps to watch me all the time. Hackers concern me less, actually. I’m glad that Benn Jordan and others are giving this the airtime it needs, but they’re focusing the messaging on security vulnerabilities and not state surveillance. Thus Flock can go “ok we will do better about security” and the bureaucrats, average suburbanites, and law enforcement agencies will go “ok good they fixed the vulnerabilities I’m happy now”
I know right. It is like we all forgot that cops were literally sharing pictures of Kobe Bryant’s mutilated body in bars for a laugh. A lot of people in law enforcement are totally screwed up in the head.
How is this different from the CCP surveillance? I guess this is easier for third parties to access?
I’m glad Benn has gone into the YouTube space. He has demonstrated a great balanced view on how to sell your soul for advertisement money in YouTube land.

I’ve known of him a long time simply because of his extremely progressive views towards releasing his own music. In other words, I would not care about Benn Jordan but for the fact that he was releasing his own torrented music on WCD 15 years ago

Fair point but there's a crucial nuance: state surveillance used to be limited by human resources. You couldn't assign an agent to every citizen - there aren't enough people. Flock with their AI tracking has effectively removed this scalability constraint. This vulnerability just highlighted how powerful a tool they've built. If these were just dumb cameras, the state would have to hire an army of operators. As it stands, the technology allows for total surveillance with essentially zero marginal cost. And when they fix the security, that terrifying potential for infinite scale isn't going anywhere; it just goes back under the client's control
It's 2025. The ISP gateway I got comes with more default security than these cameras. The barrier to entry on security is lower than it ever has been in history. Whoever let this past the QC phase is an idiot.
Really great investigation, what's the URL of the "vibe coded" site with the access links?
I don't want these cameras to exist but, if they're going to, might we be better off if they are openly accessible? At the very least, that would make the power they grant more diffuse and people would be more cognizant of their existence and capabilities.
I wonder if such a business model could exist where they were effectively "public" and thus, access was uniformly granted to anyone willing to pay. not sure if this would be net better for society, but an interesting thought.
At what point does the top brass at Flock get arrested?
flock is the most heinous reflection of the ills of our current socioeconomic structure. absolutely nobody should be okay with mass surveillance, much less mass surveillance enabled by a private company.
remember when people first started experiencing TSA and there were massive protests at how obscene and violating it all was, then uncovering how useless they were as fake security theater

and they were going to get it all shut down

TWENTY-FIVE YEARS NOW

so good luck getting rid of flock where people don't even know it's happening

Not sure if people realize that cellphone locations, several layers in the firmware and software, can be had without warrant by anyone YEARS LATER

Wasn’t the first edition of the TSA scanner straight up showing pretty much nude photos of people? I seem to remember something like that. Now a days at least it just flags a region on a generic human model for more investigation.

The funniest part though is you pay $80 every five years and just bypass it entirely. I guess they assume terrorists are too stupid to figure out TSA precheck is available.

i guess that while it is alarming that these feeds were "unsecured" I'm just as concerned that they exist at all. Folks worry about it getting into the "wrong hands" but from my POV it was put up by the wrong hands.

While both are a problem I am far more concerned about the power this gives our, increasingly authoritarian, government than about individual stalkers/creeps.

I would love to watch a shorter version of this video that just discussed the deltas between the status quo and Flock, rather than breathlessly reporting the implications of cameras as if they were distinctive to Flock. He'll spend 30 seconds talking about how you can see every activity and every person on the camera --- yeah, that's how cameras work. There are thousands of public IP cameras on the Internet, aimed at intersections, public streets, houses, playgrounds, schools; most of them operated that way deliberately.

There are Flock-specific bad things happening here, but you have to dig through the video to get to them, and they're not intuitive. The new Flock "Condor" cameras are apparently auto-PTZ, meaning that when they detect motion, they zoom in on it. That's new! I want to hear more about that, and less about "I had tears in my eyes watching this camera footage of a children's playground", which is something you could have done last week or last year or last decade, or about a mental health police wellness detention somewhere where all the cops were already wearing FOIA-able body cams.

If open Flock cameras gave you the Flock search bar, that would be the end of the world. And the possibility that could happen is a good reason to push back on Flock. But that's not what happened here.

But isn't that "auto-PTZ" exactly what changes the game here? Sure, there are plenty of open cameras, but usually, that's just a passive stream you have to stare at for hours to spot anything interesting. Here, we have a situation where technology has effectively removed the "friction" from the surveillance process. You don't need to monitor the screen for hours - the algorithm itself grabs the person, zooms in on the face, and tracks them. It’s like the difference between searching for a needle in a haystack by hand and having a powerful magnet. Because of the Flock leak, this magnet is now available to anyone with a link, and that is what's truly terrifying, not just the mere fact of filming a playground
Children could go missing thanks to Flock default settings. HN would tell me to never attribute to malice ... but there may be criminal negligence.

To cover their butts I strongly suggest Flock implement a default "grading system" that will show a city in a banner at the top of their management and monitoring system that based on their camera and network configuration they get an A+ to F-. If the grade is below a C then it must be impossible to get rid of the banner and it must be blinking red. The grading system must be both free, mandatory and a part of the core management code. This assumes Flock will have the willpower to say no when a city demands removal of the flashing red banner. Instead up-sell professional services to secure their mess. I would like to see the NCC Group review their security and future grading system.

Hanlons razor is stupid and we should stop using it.

First off, we don't actually know how ignorant someone is or is not, but from what I see people GREATLY underestimate ignorance.

Rich people building state-sponsored surveillance are not ignorant. They absolutely know the consequences. They either don't care, or they are actually targeting those consequences.

Secondly, it falls apart in organizations. When we apply hanlons razor to an organization, we're claiming EVERYONE there must be ignorant. Which is just obviously not true.

Someone knows, probably lots of people know. And they choose not to act - that is malice. Choosing not to do something is a form of malice.

Oh no. Someone can view cctv data and delete it. Always blown out of proportion. The likelihood of someone a) committing a crime or otherwise b) knowing there was this specific brand of camera software being run on a camera in that area c) knowing how to access these portals

Is basically zero.

Yes, they should be secured so they can only be accessed by law enforcement.

But if your spouse/SO/sister/mother/girlfriend/whatever was assaulted while jogging in a park that had Flock cameras, and it allowed law enforcement to quickly identify, track, apprehend and charge the criminal, you'd absolutely be grateful for the technology. There's nothing worse than being told "we don't have any leads" when someone you care about has been attacked.

If your argument has to start with "now, imagine your sister was raped", then it's probably just a bad argument.

Appealing to emotions, tsk tsk, but going right for the jugular? Yikes.

Also, elephant in the room: if your sister was going to be raped or beaten, it would probably be by someone in her home, in her family. Like her cop husband.

If the cameras are recoding public areas, isn’t it better the recorded footage stays public
It's getting pretty crazy out there. What's your recourse for this? Avoid most populated areas?
Him reading the Flock statement on a Flock camera open on the internet was just so good. I love and support Benn Jordan.
I agree, this was the peak experience of watching this video, and somehow the most "chef's kiss" summation of 2025.
[flagged]
Being on the Internet makes these cameras not CCTV. The circuit should close on the property they're located.
You could kinda already do this with all kinds of security cameras. There are only so many people who are computer proficient, and that number is lower than the number of camera installers.

There have been cases of people getting into baby monitors and yelling at the baby.

But as a tech company, this is extremely irresponsible

BTW, Benn Jordan is also known as The Flashbulb, an ambient legend

Interesting, but nothing new. Shodan users have known about clueless IP camera owners that leave their cameras on the public internet for years. This is a little more interesting because it's from a well-funded startup rather than independently owned Chinese IP cameras.
Searching for ALPR was also one of the popular early queries: https://github.com/jakejarvis/awesome-shodan-queries?tab=rea...

The old PIPS ALPR devices aren't online anymore but they had horrible security as well. Just sending a newline to their UDP port would cause them to send you all images as they were being collected in real-time - no authentication needed. And the images had the license plate information encoded in the JPG metadata. I did a talk about it at some point (https://imgur.com/HHcpJOr) and worked with EFF to take them offline

Easy solution for Flock problem: get rid of visible license plates. Make them 2x1" of size and RFID-readable, give readers to police, problem solved.

Not-that-easy solution is legal ban for such surveillance.

None of these both will happen though.

You accepted TSA and PRISM, you will get used to Flock too.

Next is Flock but for people, with face recognition.

Flock works without license plates. Also, what do you mean "next"?

> if the object class of the identified object is that of a human being, then the object detection module 154 may further analyze the image 501 using a neural network module 507B configured to identify different classes of people (male, female, race, etc.)

https://patents.google.com/patent/US11416545B1

Kirlian Selections rocks