
A podcast that hacks Ring camera owners live - pulisse
https://www.vice.com/en_us/article/z3bbq4/podcast-livestreams-hacked-ring-cameras-nulledcast
======
kick
It's obviously bad to hack into a citizen's systems without consent, but
there's some kind of value that might be created here.

Ring cameras are basically being used as a gigantic police-partnered dragnet:

_Amazon’s Ring Planned Neighborhood “Watch Lists” Built on Facial Recognition_

[https://theintercept.com/2019/11/26/amazon-ring-home-security-facial-recognition/](https://theintercept.com/2019/11/26/amazon-ring-home-security-facial-recognition/)

If this provides a disincentive to an average user buying Ring cameras,
their immature 'prank' may have unintentionally helped the nation.

~~~
fpgaminer
As someone who tends to fall on the side of privacy more often than not, I'm
actually not sure how I feel about facial recog+home security cameras.

I'm completely against any fully automated system where the police can have
access to the camera's data.

But on the other hand, what if the system was implemented completely locally,
and all with the owner's control and permission?

So your Ring app pops up and says "Hey, your local police department is
looking for a suspect and your camera spotted them. Would you like to share
the footage?".

So many petty crimes (e.g. home burglaries, car break-ins, etc) go unsolved
because the police just don't have the tools and resources to go after all
those crimes. I have neighbors who've had their homes and cars broken into.
It's a violating experience, and I think it's justified to want the
perpetrators of those crimes caught and sentenced appropriately; at the very
least to dissuade others.

Within the context of a well built, local, permissioned system, I'm not sure
I'm against it.

Of course A) The likes of Amazon would never build such a system responsibly;
they'd rather gobble up and abuse the data themselves. B) There are serious
security concerns, as evidenced by TFA. C) Civil disobedience and similar acts
are an important part of democratic society, and mass surveillance,
responsible or not, threatens that. And finally, D) something which I think
everyone misses when it comes to facial recognition systems ... they're still
not very good. SOTA published recog systems make a mistake on 1 in 1000 faces
([http://vis-www.cs.umass.edu/lfw/results.html](http://vis-www.cs.umass.edu/lfw/results.html)), and that's on LFW which is fairly high
quality. I'm sure FAANG does better, and SOTA will continue to improve
quickly, but is that good enough for this kind of application?

So I'm torn.

~~~
mikepurvis
I'm a four season bike commuter, and have been wearing a helmet cam for the
past year or so— it's just breathtaking the amount of small violations I catch
on camera: I don't even go looking for them or dwell at hotspots, and I pick
up probably 5-10 instances per week of things like cars turning right on red
without fully stopping, going through stop signs without fully stopping, not
fully yielding to pedestrians in crosswalks, changing lanes in
roundabouts/intersections, etc etc.

As it is, it's a huge amount of effort to slice out these clips, upload them
somewhere, figure out the plates involved, and then go through my police
department's clunky incident reporting system. On the handful of times I've
bothered to do it (like when I was almost creamed by someone running a red
light), the response has been either nothing or "thanks but we just don't have
time for that", or in one case an indication that they would be unable to
charge the person unless I also had a face shot of who it was in the driver's
seat.

Now, we can argue until we're blue in the face about whether it's right to
snitch on people for these "victimless crimes", but I suspect (and commenters
like Neil Arason agree) that more consistent enforcement would go a _long_ way
toward promoting safer and more respectful driving. A lot fewer people would
drift through stop signs and crosswalks if they didn't think they could get
away with it 99% of the time.

All that to say, if there was a portal somewhere where I could just upload my
timestamped helmet cam and porch cam videos as part of a dragnet operation to
identify and catch repeat violators of the rules of the road, I'd be awfully
tempted to participate, despite ideological misgivings about pervasive
surveillance.

~~~
laumars
Reporting someone for minor traffic offences if they caused an accident is the
right thing to do but reporting people for the sake of reporting people is a
little unsympathetic. I've lost count of the number of times I've misjudged a
situation because kids were screaming in the back of the car, I'm stressed
about something at work and had the briefest lapse in concentration; or even
times when I just have a complete brainfart despite being fully focused on the
drive. We also have senses that are entirely fallible -- for example it's very
easy to mis-see something because your brain fills in gaps of information
with "fake" information based on what you expect to see (there was a great
blog post from an ex-fighter pilot on this topic).

There needs to be some flexibility in society that allows for human error in
instances where there is literally no personal, physical, monetary, etc
damage. The kind of police state where all footage is processed for any minor
traffic offences is such a dangerous road (if you pardon the pun) to take
because it leaves people with no margin for genuine human error.

Think of it like senior developers having a bad day and making school boy
errors; or mistyping your username (something that should be muscle memory);
or that guy who accidentally hits "reply to all" -- we've all made stupid
mistakes. If those mistakes haven't caused harm then I don't see why they need
to be reported.

~~~
majormajor
The gap between these mistakes causing harm and not causing harm is basically
just luck.

The less careful we are even when the mistake doesn't cause harm, the more
frequently we'll make the mistake. Some feedback that made people be more
careful, and pay more attention, would be _good_.

And at a larger level: if we can't be bothered to be that careful (or simply
can't at all), and want to be allowed to not be that careful, then maybe we
should make more societal changes to stop depending on humans driving 3000+lb
machines. All this is great data for _less driving_ but because it's mostly
invisible, it can't be used to rebut the "but I want my own car and I want to
drive it myself" folks.

~~~
laumars
Obviously I agree that bad drivers deserve little sympathy. But not all human
errors are down to bad drivers nor a lack of care.

> _The less careful we are even when the mistake doesn't cause harm, the more
> frequently we'll make the mistake. Some feedback that made people be more
> careful, and pay more attention, would be good._

That only works if mistakes are conscious. My point is mistakes can be
unintended like rowdy kids causing a distraction at the wrong time.

> _The gap between these mistakes causing harm and not causing harm is
> basically just luck._

I agree. But also the gap between a good driver driving well and a good driver
making an honest mistake because of a badly timed distraction is also just bad
luck.

It's happened to me before -- I've run a red light at temporary traffic lights
after my 2nd child was born (so I was tired thus required sharper focus) and
my 1st child was so excited about having a baby sister that he kept making a
scene. For a fraction of a second I lost focus and that fraction of a second
happened to be when I was approaching road works. I was lucky that it was a
Sunday evening and driving along a quiet village road so there weren't any
other vehicles. But I still had run a red light despite my best efforts of
driving safely.

> _And at a larger level: if we can't be bothered to be that careful..._

It's not about people not making the effort to drive safely; it's about human
error. If it were _that_ easy to drive then we'd already have infallible
autonomous cars but we don't because driving isn't actually all that easy.
This is also why I'm fully in favour of all these new smart safety features
that autonomy has introduced; they help reduce the impact of the worst
instances of human error.

Just to recap: I have little sympathy for bad or negligent drivers. I just
want to remind people that it's easy to demonise others but sometimes actions
are genuine flukes of bad luck.

~~~
Wowfunhappy
Okay, so you make an error, you get a fine for it.

It's not as though I'm arguing anyone who runs a red light should go to jail.
Heck, maybe our fines are too high, or should take income into account—I think
all of those things would be healthy conversations.

But cars are deadly vehicles, and mistakes—regardless of the
circumstance—should have consequences _before_ someone gets killed. As
frequently as possible.

~~~
kortilla
As long as you are okay with fining cyclists for riding on sidewalks, failing
to come to a complete stop at stop signs, failing to signal turn direction,
failing to yield, etc as well. Same with pedestrians for jaywalking. You can’t
be intolerant of vehicle mistakes and allow for others if you actually care
about safety.

~~~
fabatka
Actually when you drive a car, you have a lot more responsibility. It is
easier to cause serious harm to someone while driving a multi-ton vehicle,
than when riding a bike.

~~~
laumars
I'd say both points are complementary rather than contradictory. Yes, cars do
require _more_ responsibility, however they are not _exclusively_ responsible
for road safety.

For example cyclists have caused serious harm and even killed pedestrians
before. Also pedestrians and cyclists have caused serious accidents to
motorists when causing car drivers to react suddenly, to swerve or brake
harshly which has resulted in those drivers colliding with other motorists.

Just to be clear, I'm not saying the level of responsibility between
pedestrians, cyclists and motorists are equal; clearly they're not. But there
is still _some_ shared responsibility when talking about road safety.

~~~
mikepurvis
There's definitely _some_, but discussing this requires tact or you quickly
find yourself making "all lives matter"-type arguments that can look like
they're trying to set the two sides up as equally dangerous or equally
responsible. Or worse, an argument that ends up boiling down to "as a
motorist, I will only ever drive more slowly and carefully once I no longer
see any cyclist or pedestrian break another law, ever."

It's particularly a challenge because of confirmation bias on the motorist's
side. Every driver can remember times that they were frustrated or had to
swerve to avoid an irresponsible person on a bicycle, but it's likely that
those cases where a cyclist or pedestrian had to jump out of _their_ way have
passed from memory, if they were even noticed at all in the first place. I'm
not immune to this— I have a recollection from a few years ago of driving out
to a pumpkin patch with my family and passing a cyclist on the shoulder of the
country highway without slowing down or giving them a proper side buffer. I
wouldn't have thought anything of it at the time except that my partner called
me out on it, but it's perfectly possible that rider felt threatened by what
happened. I suspect that most of the drivers who blow through crosswalks in
front of me have no idea I was in them— in their mind, nothing registered as
"wow, I almost hit someone because I didn't see them, I should slow down!"

My sense from having had these conversations over the years is that most
drivers enjoy an enormous amount of privilege on the road and are very
resistant to acknowledging the role it has in shaping their views and
experiences.

~~~
perl4ever
"as a motorist, I will only ever drive more slowly and carefully once I no
longer see any cyclist or pedestrian"

I feel like the internet is full of dispatches from a fantasy/science fiction
alternate universe where people are divided into warring tribes of (SUV)
drivers, bicyclists, and pedestrians that are somehow mutually exclusive.

I vaguely remember a time or a place or a timeline when people would drive
here and there, with a bike rack on their car, and then they would get out and
walk or ride their bike somewhere. All in one day!

But I guess today everyone does only one thing their whole life. Or else they
have lost the ability to imagine doing anything other than what they are
currently doing, minute by minute.

~~~
mikepurvis
Sure, there are lots of multi-modal travelers, and by and large those people
are the most even-handed and reasonable in these discussions. :) Some people
who cycle or take transit do so exclusively, but I suspect that many or even
most have a car at home or occasionally rent one, or have at least been a
passenger in one in the recent past.

Meanwhile, the overwhelming majority of motorists have never experienced the
road from the perspective of a bicycle seat, or last rode a bike decades ago
as a child or teenager. For those who live in a garage door community, it's
possible that you could even go many years with your only vulnerable
pedestrian experience being the weekly dash across the Wal-Mart parking lot.

So yes, there is some tribalism to this. The people who ride bikes (some of
the time) are a minority group, but I don't think we're the ones driving that
mentality.

~~~
perl4ever
"you could even go many years with your only vulnerable pedestrian experience
being the weekly dash across the Wal-Mart parking lot"

You _could_ fall in the mud and get kicked... in the head... with an iron
boot. In the Wal-Mart parking lot, naturally.

------
34679
Luckily, if you click on the link to the original article near the beginning
of this article, there's a video clip from a local news outlet that offers a
sure-fire way to avoid being hacked, from tech security "expert" Michelle
Bordoff:

"Wired cannot be hacked."

"Someone has to be in your home, hardwired to your modem to see anything on
your network."

Someone should let the world's governments and financial institutions know
that all they need to do to stop hackers is stop using wireless servers.

~~~
stallmanite
If she hadn’t mentioned the word modem I’d be on board. An old fashioned
analog camera wired directly to a VHS recorder would be a bitch to hack
remotely right?

~~~
recrudesce
But they are modems. Some of them are just built into routers.

VDSL and cable connections require modems to function.

~~~
stallmanite
I’m talking about an analog camcorder hooked to a vcr. No modem is involved.
The point of my comment was to imagine a hypothetical system in which the
“security expert”’s statement wouldn’t be ridiculous.

------
soylentcola
Completely beside the point, but how is a Discord live stream a "podcast"?

Have media folks just started calling any streaming audio a "podcast" now?

~~~
tw1010
The alternative is "radio" which is even weirder

~~~
djrogers
What’s wrong with calling it a livestream? It’s accurate and already in common
use.

~~~
jedimastert
Livestream implied video

------
mrcu5
The title makes it sound like there is a security issue with the cameras, but
the "hacks" are from password leaks.

~~~
baroffoos
At some point we have to admit that passwords have not worked and the general
public does not understand how to use them despite decades of education
attempts. This problem would be entirely solved if they enforced the use of
2fa

~~~
ehsankia
At the very least, have e-mail 2fa for new devices, it's fairly trivial, isn't
too annoying, and works decently enough. Most banks and important services do
this. Whenever you login for the first time on a new device or far away IP, it
sends you an email to authorize the new device. It's pretty trivial but goes a
long way.

------
jaywalk
I think "hacks" is a pretty strong word here. They're basically just brute
forcing accounts with email and password combos that have been leaked from
other sources.

~~~
michaeloder
Why is Ring allowing brute forcing? Individual cameras should be set to only
allow logins at least a few seconds apart increasing up to several minutes and
perhaps blocking IP addresses with excessive volume. If they're brute forcing
Ring's servers an application firewall would catch and block this.

~~~
goles
The term for this type of attack is credential stuffing.

[https://www.owasp.org/index.php/Credential_stuffing](https://www.owasp.org/index.php/Credential_stuffing)

~~~
grimmfang
This comment shouldn't be downvoted. This is the correct term.
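
The throttling michaeloder describes, adjusted for the credential-stuffing pattern goles names, as an added example (not part of the thread and not Ring's code). The class name, thresholds and sample events are assumptions constructed for illustration: per-account delays grow from a few seconds up to several minutes, and a source IP is refused once it has failed against too many different accounts.

```python
import hmac
from collections import deque


class LoginGuard:
    """Per-account exponential backoff plus a per-IP cap on distinct failed accounts."""

    def __init__(self, base_delay=2.0, max_delay=300.0, window=600.0, max_accounts_per_ip=5):
        self.base_delay = base_delay            # first wait after a failure, seconds
        self.max_delay = max_delay              # backoff ceiling ("several minutes")
        self.window = window                    # sliding window for per-IP counting
        self.max_accounts_per_ip = max_accounts_per_ip
        self.failures = {}                      # account -> consecutive failures
        self.locked_until = {}                  # account -> earliest next attempt
        self.ip_failures = {}                   # ip -> deque of (time, account)

    def _distinct_failed_accounts(self, ip, now):
        q = self.ip_failures.get(ip)
        if not q:
            return 0
        while q and now - q[0][0] > self.window:
            q.popleft()                         # forget failures older than the window
        return len({account for _, account in q})

    def check(self, account, ip, now):
        """Decide, before the password is even compared, whether to accept the attempt."""
        # Stuffing signature: one source failing against many *different* accounts.
        if self._distinct_failed_accounts(ip, now) >= self.max_accounts_per_ip:
            return "ip_blocked"
        # Brute-force signature: repeated failures against the *same* account.
        if now < self.locked_until.get(account, 0.0):
            return "account_backoff"
        return "ok"

    def record(self, account, ip, now, success):
        if success:
            self.failures.pop(account, None)
            self.locked_until.pop(account, None)
            return
        n = self.failures[account] = self.failures.get(account, 0) + 1
        delay = min(self.base_delay * 2 ** (n - 1), self.max_delay)
        self.locked_until[account] = now + delay
        self.ip_failures.setdefault(ip, deque()).append((now, account))


def replay(events, guard, valid):
    """Run (time, ip, account, password) events through the guard; return one outcome each."""
    outcomes = []
    for now, ip, account, password in events:
        verdict = guard.check(account, ip, now)
        if verdict == "ok":
            ok = account in valid and hmac.compare_digest(valid[account], password)
            guard.record(account, ip, now, ok)
            verdict = "success" if ok else "bad_password"
        outcomes.append(verdict)
    return outcomes


# Constructed sample data (documentation IP ranges, made-up accounts).
VALID = {"victim@example.com": "reused-pw", "alice@example.com": "correct horse"}
# One source walks a leaked list; the sixth pair is a genuinely reused password.
STUFFING = [(t, "203.0.113.7", f"user{t}@example.com", "leaked-pw") for t in range(5)]
STUFFING.append((5, "203.0.113.7", "victim@example.com", "reused-pw"))
# A real user mistypes once, retries too soon, then retries after the backoff.
LEGIT = [(100, "198.51.100.20", "alice@example.com", "correct hrose"),
         (101, "198.51.100.20", "alice@example.com", "correct horse"),
         (103, "198.51.100.20", "alice@example.com", "correct horse")]

if __name__ == "__main__":
    print(replay(STUFFING, LoginGuard(), VALID))
    print(replay(LEGIT, LoginGuard(), VALID))
```

A per-IP counter does nothing against a list spread across many source addresses, and per-account backoff lets anyone delay a known account's owner, which is why the rest of the thread keeps returning to a second factor.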

------
beshrkayali
As it has been said before, the S in IoT stands for security.

------
wronglebowski
I read this and I'm not sure how to feel. This is the real world impact of
devices that can actually impact our lives being internet accessible and with
security that doesn't match.

That's not to say a simple password and email isn't secure enough, just that
there's much bigger repercussions when your nest gets hacked as opposed to
your GrubHub account.

~~~
angry-sw-dev
Having your life compromised is never comfortable, but it's never less
comfortable than when you suddenly realize you're being watched and having
your home "invaded" in a potentially very personal way.

So if I understand it, the scenario is the digital equivalent of someone who
uses a single key to fit every lock in their lives -- front door, back door,
car door, ignition, safe deposit box, etc...

The key is stolen, possibly through no specific fault of the owner, and the
owner may not realize it has even happened...

...and then these discord shock jocks go off and brute force these compromised
email/password combinations until they stumble upon a working pair and then
the hapless victim is subjected to the electronic analog of them unlocking the
front door of their home and bursting into the living room yelling "hahaha
gotcha, kill yourself!"

...all in order to increase their views/ratings.

I think it's just a shitty thing to do, but even more so when it involves
children, or people who have no control over the cameras (like animal shelter
workers)... I suppose _maybe_ if they made an effort to alert the owner first,
an email "hey we have your u/p, if you don't change it in 72 hours you're
going to be on our show"...

I think the nulledcast crew ought to take a lesson from Jon Stewart: BE A
FUCKING PERSON ... think about how shitty what you're doing is, and no, the
fact that these people are saps with insecure logins does not mean they
deserve this.

~~~
grahamperich
I'm trying to figure out exactly how these ring hacks are happening. My whole
family and extended family is concerned about them. So just to be clear, there
isn't a known vuln with Ring specifically, right? It's just that people's
email/passwords are getting popped somewhere else on the internet, and then
because of password reuse their Ring account is also compromised? Is that the
gist of it?

~~~
jmuguy
That's it. And as messed up as it is maybe people will finally wake up to using
better passwords. I'm really tired of local news covering this stuff and
barely mentioning or not mentioning at all how the "hackers" are getting into
the accounts.

~~~
baroffoos
Like they woke up after the first decade of facebook "hacks". Or more likely
they will continue on as normal until we stop using passwords as the only
source of authentication.

~~~
angry-sw-dev
Something you know. Something you have.

The typical two factor is a password (know) and SMS to a cellphone or code to
an email (have).

...though that creates a vulnerability when the cell number can be ported, or
the same password is used to access email... better to use authenticator apps
or a physical "key".

------
jacobwilliamroy
Just heard about this on the radio eating breakfast. The DJ said "so I guess
you should be changing your passwords often if you want to protect yourself.
And also turn on uh... what was that thing starts with a 2? 2-something?
Uhhh... yeah 2-fac-tor authentication... yeah. Do that."

The radio crew doesn't talk about computers very often so I thought the way
they spoke was interesting.

------
boatswain
> The software churns through previously compromised email addresses and
> passwords to break into Ring cameras at scale.

Given the sensitive nature of cameras in homes, I think Ring should require
2FA.

~~~
ActorNightly
Or just have a min password length requirement that is at least a 5 word
sentence.

Easier to remember, and more secure.

~~~
SirYandi
Although password security makes no difference to how these devices were
hacked, by password leaks.

~~~
ActorNightly
Method wise, you are correct. However, forcing all the users to adopt a new
password creation paradigm will statistically make this a very small issue.

~~~
jrockway
I kind of doubt it. People will use the same password on every website, and if
you require it to be 4 words, they'll just make it "my password is password"
or something. Password requirements don't improve password security. Reuse and
phishing are always going to be the main problem.

(Of course, bad passwords are bad. One time I exposed a mysql database I use
for local unit tests to the Internet with the credentials root:test. It was
hacked in hours, with a message saying where to send bitcoins to get the
database back. Slightly stronger passwords do help with that sort of thing.)

------
LinuxBender
Have any children heard "Santa Claus" tell them to run across the street to
get their present from the elf in the white van?

~~~
dmschulman
Actually, yes. Almost

[https://abcnews.go.com/US/ring-security-camera-hacks-homeowners-subjected-racial-abuse/story?id=67679790](https://abcnews.go.com/US/ring-security-camera-hacks-homeowners-subjected-racial-abuse/story?id=67679790)

------
annoyingnoob
If Ring cared about security they would enforce 2FA for everyone.

------
cryptozeus
Once again there is no need for this, anyone using these kinds of systems is
literally trading privacy over small value provided feature.

~~~
danso
Being able to check on children remotely is not a small value to most working
parents, or at least, not particularly smaller than most tech improvements in
life.

~~~
heavyset_go
There are plenty of companies that provide solutions to this problem that
don't integrate with law enforcement as part of their business model.

------
Wordball
If you have a Ring camera pointed at the street, this is literally what you
are asking for.

~~~
OrgNet
I have a camera pointed at the street but it is not a ring camera... am I
asking for it?

~~~
Wordball
Not necessarily. What security measures does the camera have implemented? Have
you told the police that they are free to ask for footage?

~~~
OrgNet
I prevent it from accessing the internet, but I guess they could hack my
network and access it that way

