Comment by fidotron

5 days ago

> As an example, I refuse to buy a doorbell camera that doesn't support RTSP.

This is a good example of conflicting security requirements.

Not wanting the video to go to the cloud is fine, but most cameras with RTSP enabled allow any other device on the network to trivially get the camera stream, and sometimes also control the camera. This is why some camera companies require you to jump through hoops to unlock RTSP - I don't like it but I can see why they do it.

This is one reason I've come to believe it's necessary that every device must see a totally different network universe from every other, able only to see the local controller server. (This is how I ended up playing with on-AP video relays in my profile, as an effort to see what's involved.) Things like multicast discovery are cool, but an absolute privacy and security disaster area.

> but most cameras with RTSP enabled allow any other device on the network to trivially get the camera stream, and sometimes also control the camera.

Not a real concern when the network is fully under my control. I can easily restrict access as I see fit.

I surrender all control when I give up my wifi password and allow similar access to somebody's network located somewhere on the internet. Further access can be (and has been) granted to others without user knowledge or consent. For example:

https://arstechnica.com/tech-policy/2022/07/amazon-finally-a...

  • You can - but will you? And you are in the tiny minority of people who understand what that even means. The vast majority of humans have better things to do with their life than figure out how to secure their personal network. (I'm not saying they are too stupid to figure out how - just that they have better things to do with their time)

    • > The vast majority of humans have better things to do with their life than figure out how to secure their personal network.

      Sure. But this doesn't have to be an either/or choice.

      It's possible to make it easy for those willing to surrender all privacy and control without making it impossible for those who don't.

      Example: Amcrest cameras are just fine with being restricted to the local network. If you ask nicely and order direct, they'll even give you a discount.

      https://amcrest.com/

    • Exactly, this stuff needs to be made the easy default.

      Right now domestic IoT and Home Assistant are like Windows Mobile and Symbian prior to the iPhone: proof that something interesting and useful is possible in the domain, but requiring an enthusiast level of investment in knowledge and time to maintain and operate.

      Were I a billionaire I would be attempting to launch the Android (in the original intended sense) of IoT to solve that.

    • >The vast majority of humans have better things to do with their life than figure out how to secure their personal network.

      One might hope this to be the case, but there are mountains of evidence to the contrary.

      >I'm not saying they are too stupid to figure out how

      Never fear. I'm here to say it so that you don't have to. Most are too stupid.