
Xiaomi camera playing on Google home hub sends stills from other people's homes - palebluedot
https://www.reddit.com/r/googlehome/comments/eine1m/when_i_load_the_xiaomi_camera_in_my_google_home/
======
joshstrange
Stories like this only confirm to me that while Zoneminder is far from perfect
it was the better option for me compared to using consumer-grade options. I
buy cheap ($40-$60) PoE cameras (I have some Reolink and 1-2 SV3C's I think),
I immediately block their internet access by MAC address, then add them to
ZoneMinder. I have 2 Wyze cameras as well but they are also only allowed to
talk to ZoneMinder and I have flashed a custom firmware on them.

------
siffland
This stuff gets me paranoid. I have a Nest doorbell, because I don't care who
can look at my front lawn, and a Nest camera that only gets plugged in when no
one is at the house. Other than that I have a closed circuit camera system
with motioneyeos (motion activated) and a few POE cameras with no wifi and
send the footage offsite.

I know it is not as convenient, but these cameras are getting scary. These are
only the stories we know about. Imagine who else is watching.

~~~
tuxxy
> because I don't care who can look at my front lawn

This is extremely selfish. What about your neighbors who walk/drive by your
front lawn? You're doing your neighborhood a surveillance disservice.

~~~
CamperBob2
"Public" is a thing distinct from "private." On your property, you get to
decide where the dividing line is. That's one of the primary ideas behind the
notion of private property.

The issue I have is when the property owner isn't told who has access to the
resulting still images or video stream, or is actively deceived about it. I'd
be reluctant to use a Ring camera at my front door for that reason, and
there's no way on Earth I'd install anything like that inside my home.

~~~
lm28469
I'm pretty sure a lot, if not most, door cameras are filming public space.

~~~
CamperBob2
Yes, that's my point. I have a right to do that, and so do you, and so do
Amazon, Google, and the CIA.

See, that's the idea behind the word "public." Nobody has to ask user lm28469
on Hacker News for permission to take photos in public.

This is a _good_ thing.

~~~
distances
Depends on jurisdiction. Dash cams are illegal in many countries.

~~~
CamperBob2
True, only the police are allowed to run dash cams in those countries. We
could also mention the trend toward berserk copyright laws that have much the
same effect. [1]

And these are _not_ good things. Both communal and private interests end up
worse off in the long run with laws like these.

1: https://www.asmp.org/copyright-tutorial/photos-public-buildings/

------
dirtyid
Google shutting down Xiaomi access to Assistant following Nest Hub picking up
strangers' camera [1]

>"We’re aware of the issue and are in contact with Xiaomi to work on a fix. In
the meantime, we’re disabling Xiaomi integrations on our devices."

...

>It appears _Google isn't taking any chances when it comes to this issue,
disabling Xiaomi integrations entirely_. We reached out for further
confirmation that this would mean a blanket disabling of all Mi Home products
and were told that is the case.

Pretty annoying they have to mess up all my other devices, but at least it's
being addressed.

[1] https://www.androidpolice.com/2020/01/02/uh-oh-xiaomi-camera-feed-showing-random-homes-on-a-google-nest-hub-including-still-images-of-sleeping-people/

~~~
krick
Huh. I'm not sure what should be the baseline of "okay" now anymore, but I
wonder if this isn't worse than leaving things be. Leakage is out there
anyway, and it seems likely now that it is buggy enough for a malevolent actor
to find a way to spy on his neighbour. But what about those who are away from
home now and really need the footage for some reason? I guess lack of this
footage would be a bigger security issue for them than the chance a couple of
frames will leak to somebody else.

~~~
dirtyid
The Xiaomi home app still works. Just no more Google assistance for the time
being.

------
olodus
Since it only shows stills, could it be some kind of race condition? Don't get
me wrong, the major problem is of course that it has access to other people's
camera feeds but since it only gains access for what seems like a moment maybe
the access getting denied is raced by the update of the screen? I don't know,
why am I even thinking too deeply about this. A major company screwing up IoT.
It happens way too often and there are a million ways they could do it.

~~~
dlgeek
More likely re-used cache.

~~~
creeble
Or a lambda that didn't initialize, say, the customer ID and got it from the
last run because of some edge-case in calling it.

Ask me how I know this, um, exact case.

~~~
yebyen
Yeah, you can get that, "um, exact case" too, with Rails in 2018, ask how I
know it's easy to trip over while switching between web servers like Puma and
Unicorn, because of the different way they each handle objects
threading/forking.

I found out when my new Rails 5.1 app which was using Puma, had to be switched
to Unicorn so that it could work with our uniform platform for Rails apps.
Puma threads are I guess pretty cheap and so are basically disposable, so they
are created freshly all the time, but Unicorn process forks are made once per
app-start because they're process forks, and incur some greater expenses.

So suddenly we noticed when switching to Unicorn that Class vars (those
starting with an "@@" which are declared and have values in the class scope)
are not reliably empty at the start of a request anymore, but usually had some
value left hanging around from the previous request. Class vars are basically
global variables so shame on us, now we know.

That previous request of course could have come from any logged-in user, so be
careful what you store there! It's much easier to say "if the variable is
empty, then initialize it thusly" and count on hitting that corner case once
in a while, than it is to say "what is the order of my actual dependencies and
how do I keep them ordered" – at least it seems easier until it bites you like
this!
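
Added example, not part of the thread and not any commenter's code: a minimal Ruby model of the failure mode creeble and yebyen describe, where request identity memoized in a class variable outlives the request inside one long-lived worker process. The handler names, `FEEDS` data and `cross_tenant_leaks` check are all constructed for illustration.

```ruby
# Constructed data: which camera still belongs to which customer.
FEEDS = { "alice" => "alice-livingroom.jpg", "bob" => "bob-bedroom.jpg" }.freeze
REQUESTS = [{ customer_id: "alice" }, { customer_id: "bob" }].freeze

# Vulnerable: request state is memoized in a class variable, which lives as
# long as the worker process and is shared by every request it serves.
class LeakyFeedHandler
  @@customer_id = nil

  def call(session)
    # "If the variable is empty, then initialize it": only true for request #1.
    @@customer_id ||= session[:customer_id]
    FEEDS.fetch(@@customer_id)
  end

  def self.reset!
    @@customer_id = nil
  end
end

# Fixed: identity is read from the current request on every call and kept in
# a local variable, so nothing survives past the call.
class ScopedFeedHandler
  def call(session)
    customer_id = session.fetch(:customer_id)
    FEEDS.fetch(customer_id)
  end
end

# One long-lived worker serving requests in order (hypothetical harness).
def serve(handler_class, sessions)
  sessions.map { |s| handler_class.new.call(s) }
end

# Regression check: customers whose response was not their own feed.
def cross_tenant_leaks(handler_class, sessions)
  sessions.zip(serve(handler_class, sessions))
          .reject { |s, still| FEEDS[s[:customer_id]] == still }
          .map { |s, _| s[:customer_id] }
end

if __FILE__ == $PROGRAM_NAME
  puts "leaky:  #{serve(LeakyFeedHandler, REQUESTS).inspect}"
  puts "scoped: #{serve(ScopedFeedHandler, REQUESTS).inspect}"
end
```

A check like `cross_tenant_leaks` only catches the bug when it replays several identities through the same process, which is why single-user tests tend to miss it.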

------
close04
I have some cameras that are offline (no cloud integration, no internet
connection) and when looking to buy a spare I noticed that all the newer and
otherwise identical models only work with cloud integration. No ONVIF, no
RTSP. Forcing the user's hand into sending all data into their cloud for very
little convenience gained, if any.

------
jdhawk
Stick with ONVIF cameras on a separate VLAN going to a recording platform like
BlueIris, Zoneminder, Milestone, Synology.

