Does anyone else feel like the LLM-tone of this article makes it difficult to understand what's actually important in it? It's not clear to me if the issue is ongoing (like it says) or that it's been resolved by rotating the API key (like it also says). And that's like, the most basic piece of information the article could have in it.
For me it's not about "is this AI", it's "this writing is obnoxious and disrespectful of the reader, and here's why I think AI is likely at the root of it."
I'd like to read stuff written by a human. I know other people like reading LLM output. I don't see what's wrong with telling people whether it's AI-written or not.
Who could have guessed that the greedy, opportunistic, evil corporation whose sole intent is to invade our privacy in the name of "security" would be run by incompetents in the security realm?
Their CEO comes off as a real self-righteous character.
One has to wonder whether these passwords were that way purposefully to avoid accountability for privileged partners. Most of these systems are deployed with grant money that it comes from the department of justice.
“Wow, we totally didn’t know we had everything accessible on Shodan! We totally hope that no federal entities exploited this (fake tears), but I guess we can’t tell anyway! It’s not as if they found out about it from us :(”
> We are committed to protecting human privacy and mitigating bias in policing with the development of best-in-class technology rooted in ethical design, which unites civilians and public servants in pursuit of a safer, more equitable society.
…and of course they do the exact opposite. All a bunch of bullshit from inception.
A root-cause analysis here that's about intrinsic difficulty is misguided IMHO. Secrets and secrets-delivery are an environment service that individual developers shouldn't ever have to think about. If you cut platform/devops/secops teams to the bone because they aren't adding application features, or if you understaff or overwork seniors that are supposed to be reviewing work and mentoring, then you will leak eventually. Simple as. Cutting engineering budgets for marketing budgets and executive bonuses practically guarantees these kinds of problems. Engineering leadership should understand this and deep down, it usually does. So the most direct way to talk about this is usually acknowledging willful negligence and/or greed.
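Added worked example (editor's code, not from the article, Flock, or any commenter): the comment above frames the root cause as secrets delivery, and the disclosure's second issue is unauthenticated token minting. The block contrasts a minting endpoint that hands a long-lived token to any caller with one that keeps the signing secret server-side, requires a valid session, only grants scopes that session already holds, records a subject for audit, and keeps lifetimes short. The session table, scope names and HMAC token format are assumptions for the example, not anything known about Flock's backend.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# The signing secret lives on the server (env var / secret store); it is the
# thing that must never appear in a shipped JS bundle. Constructed for the example.
SIGNING_SECRET = secrets.token_bytes(32)

# Constructed session table standing in for the backend's real session/auth layer.
SESSIONS = {
    "sess_ok": {"user": "analyst1", "org": "example-pd", "scopes": {"layers:read"}},
}

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(claims: dict) -> str:
    """Encode claims as url-safe base64 and append an HMAC-SHA256 over them."""
    body = _b64(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    mac = hmac.new(SIGNING_SECRET, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(mac)}"

def mint_token_unauthenticated(scope: str, ttl: int = 86400) -> str:
    """The anti-pattern: no caller check, no subject, a day-long lifetime. Shown only for contrast."""
    return _sign({"scope": scope, "exp": int(time.time()) + ttl})

def mint_token(session_id: str, scope: str, ttl: int = 300, now: Optional[int] = None) -> Optional[str]:
    """Hardened minting: valid session required, scope limited to what that session
    already holds, subject recorded for audit, lifetime measured in minutes."""
    sess = SESSIONS.get(session_id)
    if sess is None or scope not in sess["scopes"]:
        return None
    now = int(time.time()) if now is None else now
    return _sign({"sub": sess["user"], "org": sess["org"], "scope": scope,
                  "iat": now, "exp": now + ttl})

def verify_token(token: str, required_scope: str, now: Optional[int] = None) -> Optional[dict]:
    """Accept a token only if the MAC matches (constant-time compare), it has not
    expired, and it carries exactly the scope the resource requires."""
    try:
        body, sig = token.split(".", 1)
        expected = hmac.new(SIGNING_SECRET, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_unb64(sig), expected):
            return None
        claims = json.loads(_unb64(body))
    except ValueError:
        return None
    now = int(time.time()) if now is None else now
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    if claims.get("scope") != required_scope:
        return None
    return claims

if __name__ == "__main__":
    good = mint_token("sess_ok", "layers:read")
    print("session-bound token verifies:", verify_token(good, "layers:read") is not None)
    print("unauthenticated mint refused for unknown session:", mint_token("nobody", "layers:read") is None)
    loose = mint_token_unauthenticated("layers:read")
    print("anti-pattern token has no subject to audit:", "sub" not in verify_token(loose, "layers:read"))
```

The point of the contrast is the last line: a token minted without authentication verifies just as well as one that was, so the backend cannot tell who it issued it to or revoke it per user. Scope and expiry checks at verification are what keep a leaked token from becoming a durable key.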
You could just read the article before knee-jerking to state repression.
> November 13, 2025 — Initial disclosure sent to Flock Safety security team
> November 14, 2025 — First follow-up requesting confirmation of receipt
> November 19, 2025 — Second follow-up; Flock Safety finally acknowledges receipt
> January 7, 2026 — Vulnerability remains unpatched (55+ days)
> I am withholding specific technical details to prevent exploitation while the vulnerability remains unpatched. However, its existence more than 55 days after responsible disclosure with no remediation, demonstrates a systemic pattern of credential mismanagement.
In fairness to flock, they just hired a CISO and are actively recruiting for a head of product security and privacy as well. So I'm not surprised they're dealing with some of this.
Edit: I'm standing by it. The person they hired for it has a good track record elsewhere. And much as I don't like what Flock is building as a company, at least they're building security in now, even if it wasn't front of mind for them in the past.
That’s fairness to a new employee. Does the multibillion company of a widely-deployed sensitive product deserve a pass for having poor or nonexistent employees doing security previously? Not really IMO.
There should be no "Fairness to Flock" they're building the panopticon.
Freethinking Americans should do what they can to dismantle this overreach, lobby their city leaders with their poor track record on security and thereby safety.
I'm fine giving the new employees a pass on this, but not the company as a whole. Not building security into a product like this from day one should be a criminal offense.
I don't care that Flock was involved, I care that there's no consequence for it when any corporation does this. How can this not result in fines or jail time?
Although I don’t like Flock, I’m a bit skeptical of the claims in the article. Most screenshots appear to be client-side JavaScript snippets, not API responses from this key.
In the bug bounty community, Google Maps API key leaks are a common false positive, because they are only used for billing purposes and don’t actually control access to any data. The article doesn’t really prove ArcGIS is any different.
Security for maps is basically impossible. Maps tend to have to be widely shared within government and engineering, and if you know what you're looking for, it's remarkably straightforward to find ways to access layers you would normally have to pay for. It's a consequence of the need to share data widely for a variety of purposes -- everything from zoning debates within a local county to maps for broadband funding across an entire country create a public need to share mapping information. Keys don't get revoked once projects end as that would result in all the previously published links becoming stale, which makes life harder for everyone doing research and planning new projects.
Moreover, university students in programs like architecture are given access to many map layers as part of the school's agreements with the organizations publishing the data. Without that access, students wouldn't be able to pick up the skills needed to do the work they will eventually be hired for. And if students can get data, then it's pretty much public.
Privacy is becoming (or already is) nearly impossible in the 21st century.
privacy isn't impossible
privacy while engaging with the digital world is
it isn't hard to be private. you just can't live in or go near cities/towns as much.
I think the issue with Flock isn't that they're a joke security wise the issue is that they exist. If you want to police somebody you don't have to police everyone. I'd argue watching my location at all times is unreasonable search.
If someone followed me around 24x7 with a notebook, transcribing all my movements and affixing carefully attached photos of me to every page, it would be called Stalking and I'm pretty sure I could win at least a restraining order against them in court.
I don't get why we treat this any differently. The only difference is they're not as obvious.
you just described a private investigator.
stalking requires some kind of menacing or whatnot. i seriously doubt a judge would grant a restraining order just because you think someone is following you without any interaction.
>Stalking is a crime of power and control. It is a course of action directed at an individual that causes the victim to fear for their safety, and generally involves repeated visual or physical proximity, nonconsensual communication, and verbal, written, or implied threats.
I'm starting to think there should be a constitutional amendment specifying a right to privacy because the last few decades have shown they'll just keep pushing the boundaries otherwise.
The chances of a constitutional amendment, let alone one dedicated to specifically limiting the powers of law enforcement, is, and I'll go on a limb and say I'm correct in this absolute statement, 0.
There is zero chance of any amount of government in these United States cooperating in any fashion large enough to change the actual Constitution. Zero.
It's pretty useless. A (US) constitutional amendment would only protect Americans from US institutions.
Us foreigners still have to deal with Americans spying on us. (And other countries spying on us.) And Americans still have to deal with non-American organisations spying on them.
Public camera feeds should be public
I agree with this, especially in the case of camera feeds that are run by organizations that are supposedly servicing the public.
That being said I also don't wonder if there is a point where we're just crowdsourcing the police state?
I think that would lead to society questioning the justification to have them.
At least the police state would also be on record!
To most effectively enable stalking applications
I have proposed elsewhere that for companies like Flock doing surveillance of the public, it should be legally required for every company executive and board member to have their cameras, ALPR systems, audio surveillance, drone systems, etc - installed outside their homes and along their routes to work and along their routes to their children's schools and their spouses workplaces - and all of that data be publicly accessible. And I'd suggest the same goes for senior management at decision makers at every town and police department and private company that signs a contract with them.
"For their own safety", as they'd have us believe.
Quis custodiet ipsos custodes?
If I was being stalked I'd rather have public surveillance data that I could compile (or pay somebody else to compile) versus relying on law enforcement, who has no duty to protect me.
Making surveillance public levels the playing field for everybody.
...people can just follow you in public. there's nothing illegal about that.
there is no reasonable expectation of privacy in a public setting, nor should there be. anyone arguing there should be is giving up basic rights because they're scared.
the issue is when public feeds get recorded and are allowed to be viewed at a later date. the data retention is the issue, not the privacy.
Just a reminder here of this experiment using adversarial techniques to confuse the license plate readers. Just an experiment, may not be legal in all locations, check your local laws. https://youtu.be/Pp9MwZkHiMQ?si=nas4dOH4vKyAW_5h
Has anyone had success getting their city to take down the Flock cameras? Ours just added them maybe a year and a half ago. They popped up in multiple nearby municipalities around the same time, I'm not sure if it was coordinated action or somehow pulled off at the county level.
I was one of the main organizers of a community group that successfully got Flock contracts canceled in Eugene and Springfield, Oregon. I have also presented several times to city officials in and around Portland, am currently helping groups in other cities around Oregon and elsewhere get started, and I'm working with a state legislative workgroup to begin getting some reasonable legislation in place.
The extent to which Flock manipulates police departments is really incredible. Here's a fun little factoid: Lexipol is a company which sells various pre-written policies to police departments, including an ALPR policy; Lexipol is also a parent company of Police1, which helps police departments find public grant money to purchase Flock subscriptions, and Flock in turn is heavily featured on Police1.
So, if you're a police department, you go to Police1 (Lexipol) for news and product info, they pitch you on Flock, you fill out a form, you sign a contract, and then later you need an actual ALPR policy for your department, and Lexipol sells you that, too. The policy of course is extremely friendly towards vendors like Flock.
Flock exerts a lot of influence with the police departments that subscribe to their platform. We've repeatedly had to respond to the same talking points from PDs (and some city officials) that are very clearly getting all of their info from Flock, and in some cases coached by them.
And YCombinator startup Flock Safety is extremely misleading in many of their product, service, and business statements.
It's coming up at the Los Altos Hills city council meeting next week. I would love to know what I should say to try and let our contract expire.
A success in Redmond, WA:
https://www.nwprogressive.org/weblog/2025/11/a-preliminary-v...
Montlake Terrace WA did https://www.heraldnet.com/news/mountlake-terrace-cancels-flo...
My hope is that https://www.eff.org/deeplinks/2025/11/washington-court-rules... will make Flock get the fuck out of Washington state.
It's good that MLT did cancel them, but there's still a ton up that way. Mill Creek, Lynnwood, Marysville, just for a few examples.
Flagstaff, Arizona. https://www.azfamily.com/2025/12/20/flagstaff-cancels-contro...
Maybe Flock sales was going door-to-door in your area.
Sedona (with a handy timeline of how they accomplished it) https://livefreeaz.com
Bend, OR https://www.opb.org/article/2026/01/08/bend-flock-cameras-ai...
Hays County, TX https://www.kxan.com/news/hays-county-votes-to-terminate-flo...
Lockhart, TX preemptively rejected them https://www.kxan.com/news/local/caldwell-county/lockhart-cit...
Working on it in our city. Flock has been their own worst enemy—once people know the name of the company, they start seeing it in the news regularly. Start talking to people, show up at city meetings.
apparently a bunch of cities across oregon and washington are not renewing.
https://www.opb.org/article/2026/01/08/bend-flock-cameras-ai...
I eagerly clicked the link but they're just looking for another vendor that does the same thing. It's like boycotting Marlboro only to buy from Camel.
Both Austin, Texas and San Marcos, Tx are non-renewing Flock . . .
Hillsborough, NC https://www.hillsboroughnc.gov/Home/Components/News/News/856...
Evanston, IL did
Thanks, that’s really relevant.
https://www.cityofevanston.org/Home/Components/News/News/667...
First thing to understand, at least in my case, is that the “city” does not manage the contract. The local PD does. Good luck reasoning with them.
Great.
Thanks for that tip, though.
Sheer incompetence. I hope (probably in vain) that police departments and local governments become more savvy technical evaluators of fancy tech solutions.
There was a huge fracas re: ShotSpotter in my town, where both the municipality's CIO and auditor (+ their internal research capacity) were sidelined. It took a sad amount of handholding elected officials through ShotSpotter's technical claims for them to shelve a planned deployment.
It’s not incompetence. This is simply not caring. If they had any interest in fixing this they would have. It just wasn’t at all important to them.
Previous related discussion:
https://news.ycombinator.com/item?id=46355548
This does link to an example real-world video showing children playing in a park, as recorded by FLOCK CAMERAS, of which the feed is publicly exposed to the Internet.
(this is not the same thing...)
Didn't say it was the same thing; I was linking to a recent related discussion about these cameras
I am apprehensive of the surveillance state and its potential for misuse. However this disclosure content is less than ideal:
- It mixes two separate issues 1) embedded default API key and 2) unauthenticated token minting
- The bulk of the disclosure focuses on enumeration of sensitive data that is implied could have been exposed via the default API key, but what is actually exposed is unclear: "The 50 "portal:app:access:item" privileges reference private item IDs that cannot be inventoried without actively querying each one which I did not do"
- The default API key was for "development" and there is no assertion that live data existed in that environment (though it wouldn't surprise me)
- The default API key was fixed in June 2025, it is only the token minting that has not been.
- The token minting issue is only asserted to "grant access to the geographic mapping of Flock's camera network locations" which would certainly be useful as a source for unethical updates to https://deflock.me/ but obviously not nearly as sensitive.
(And I've always used bullets/lists in my communications, long before AI did this)
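Added worked example (editor's code, not from the article or any commenter). Two comments in this thread make the same practitioner point: the one noting that Google Maps key leaks are usually billing-only false positives and that the article doesn't show ArcGIS is different, and the one above observing that the disclosure lists "portal:app:access:item" privileges without inventorying what they reach. The block does the triage both are asking for: find key-shaped strings in a shipped JS bundle, then classify what a credential actually grants from the privilege list a portal reports for it. The key prefixes, the privilege prefixes other than the quoted "portal:app:access:item" form, the response shape, the bundle and the keys in it are all constructed assumptions for the example.

```python
import re

# Patterns for key-shaped strings that ship in front-end bundles.
# Google Maps browser keys begin with "AIza"; the "AAPK" prefix is assumed
# here as the ArcGIS API-key format. Both are assumptions for this example;
# tune them for the platforms you actually see.
KEY_PATTERNS = {
    "google_maps": re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"),
    "arcgis_apikey": re.compile(r"\bAAPK[0-9A-Za-z_-]{20,}\b"),
}

# Constructed sample of a minified bundle; the keys are fake.
SAMPLE_BUNDLE = """\
// constructed sample, not a real site or key
var mapsCfg={key:"AIzaSy0123456789abcdefghijklmnopqrstuvw"};
const esriCfg={apiKey:"AAPKexampleexampleexampleexampleexample00"};
"""

def find_keys(js_source):
    """Return each key-shaped string in a JS bundle with its kind and line number."""
    hits = []
    for lineno, line in enumerate(js_source.splitlines(), start=1):
        for kind, pat in KEY_PATTERNS.items():
            for m in pat.finditer(line):
                hits.append({"kind": kind, "key": m.group(0), "line": lineno})
    return hits

# Privilege strings a portal reports for a credential.
# "portal:app:access:item:<id>" is the form the disclosure quotes; the
# write-privilege prefixes below are assumed for illustration.
ITEM_ACCESS_PREFIX = "portal:app:access:item:"
WRITE_PREFIXES = ("portal:user:createItem", "portal:publisher:", "portal:admin:")

# Constructed stand-in for the JSON a portal "self" endpoint would return
# when queried with the leaked credential (shape assumed: privileges under "user").
SAMPLE_SELF = {
    "user": {
        "username": "dev_app_user",
        "privileges": [
            "portal:app:access:item:a1b2c3",
            "portal:app:access:item:d4e5f6",
            "portal:user:viewOrgItems",
        ],
    }
}

def triage_privileges(self_response):
    """
    Decide whether a leaked credential is a metering-only nuisance or a data
    exposure: list the private item ids it can open, note any write privilege,
    and return a verdict the finder can act on (inventory the items, not the key).
    """
    privs = self_response.get("user", {}).get("privileges", [])
    items = [p[len(ITEM_ACCESS_PREFIX):] for p in privs if p.startswith(ITEM_ACCESS_PREFIX)]
    writes = [p for p in privs if p.startswith(WRITE_PREFIXES)]
    if writes:
        verdict = "high: credential can create or modify content"
    elif items:
        verdict = f"medium: credential reads {len(items)} private item(s); inventory each before claiming exposure"
    else:
        verdict = "low: no data privileges; treat like a billing-only key (quota abuse, not data access)"
    return {"items": items, "writes": writes, "verdict": verdict}

if __name__ == "__main__":
    for h in find_keys(SAMPLE_BUNDLE):
        print(f"line {h['line']}: {h['kind']} key {h['key'][:8]}...")
    print(triage_privileges(SAMPLE_SELF)["verdict"])
```

The scanner alone only tells you a key is present; the verdict comes from what the credential's own privilege list says, and a "medium" result still means each referenced item has to be opened (with authorization) before anyone can say what was exposed.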
With respect to a different public organization with a reach of millions of people, I reported a similar vulnerability where there was an exposed key that services sensitive data. Usually, I don't bother but this time it was bad. I now understand how these things are left exposed for several months to years despite notification. The level of burnout or ignorance that leads to these vulnerabilities elicits harsh backlash where admitting there was ever a problem is worse than exposing a vast amount of people's private data.
Flock is fond of saying this:
> "I'm writing to you directly because I want there to be zero confusion about what's happening. Flock has never been hacked. Ever."
They are just lying at this point. If you get involved in advocacy related to flock you will likely hear their reps parrot this. Be ready to combat it with concrete examples like this!
I recall some extracted video where someone took one of Flock's adamant "it's all fixed now" PR denials and performed it into one of the still-insecure cameras.
You're probably talking about this video: https://youtu.be/vU1-uiUlHTo
The part you mentioned is at around 7:29.
Flock CEO: my home has never been broken into before. Ever.
House guest: but sir, where are all of your belongings?
Flock CEO: oh that, well I leave my front door open at all times. My home has never been broken into
But is it really hacking if they just give you the key?
Am i breaking into your home when you leave the door wide open? /s
If you have a camera and you're only taking photos. You don't have any photos of the car keys and the car going missing do you? /s
It's how urban exploration folk get away with exploring abandoned buildings here in the UK. If you can prove you didn't create damage to gain access, it's a grey area.
> Trespass (Civil Matter): In England and Wales, simple trespass is typically a civil matter between you and the landowner. You cannot be arrested for civil trespass alone, but the landowner can sue you for damages or an injunction, and police may get involved if you refuse to leave when asked.
In a sensible world, this would both destroy the company and get the owners jailed.
I have a controversial question; In the UK, they have blade runners who take down CCTV. I would have expected a more aggressive response in the USA, considering the culture. Is this not happening?
Our anti-police-state faction is toothless, while the "aggressive" faction is the one trying to install the police state.
The gutless liberals that dominate your country’s preconceptions of “the left” are not your anti-police state faction, but you do their work for them by conflating the two. The anti-police state faction are the ones habitually being physically brutalised if not outright murdered by the cops while the media wags their finger at them for their apparent lack of civility.
Toothless or defanged? https://www.whitehouse.gov/presidential-actions/2025/09/desi...
Many of the flock cameras in my city were disabled by bashing in the solar panels or damaging the camera lens. Unfortunately, flock's contract is such that the city pays for repairs/replacement
Is there an inflection point at which the city would decide it's not worth renewing the contract?
What city is this?
They are not "taking down CCTV", they're destroying the infrastructure that lowers car-fume pollution. These cameras are not used for anything else.
You know, that thing killing school children: https://www.lbc.co.uk/article/air-pollution-ella-kissi-debra...
The evidence for ULEZ is solid, so seriously bringing it as an example of white knight activity while they're at best malignant, brainwashed goons doesn't help anyone: https://www.bbc.co.uk/news/uk-england-london-67653609
I don't understand? I did some basic research, and it doesn't seem like these cameras have air quality sensors. How exactly would some Android cameras reduce pollution?
Somewhat, but the legal consequences for getting caught and brought to court if you don't have a few thousand to drop on a lawyer will screw up your life. So it happens less.
Not to mention the risk of dealing with trigger happy and corrupt cops.
Won't it screw up your life in the UK too?
I mean we're also increasingly being terrorized by our new gestapo, so far with limited resistance. We aren't really the "radical freedom defenders" we like to claim to be...
Go to their homepage and read about the drone capabilities.
Americans are largely cowards. You can see this as we're still mostly afraid of accurately defining and educating about genocide and how we all contribute to it by going to work every day, as well as afraid of feelings that arise around it.
Also afraid to pay reparations and give land back to natives.
Both would be easier and cheaper than starting WWIII because sadge.
The noble blade runners who are valiantly fighting for… more air pollution
I love it when the entire HN comment section devolves into a mere public shaming square with absolutely no substance.
I mean, there is a certain level of incompetence at which that becomes the only reasonable response?
I wouldn't be surprised if the code is just Chinese stuff with a customisation on top.
Maybe it was on purpose. They might have been forced by the FBI to implement those keys, so they left everything open to be able to track the enforcers also. 53 = 52 states plus gov
Do the MBAs now running tech just have a hardon for becoming the scifi dystopians they read as children?
Not always, sometimes they like to role-play as fallen angels from fantasy books (see Palantir.) (Edit: upon review, the metaphor is strained because Sauron didn’t create the palantíri… he did control them later, and there is deeper metaphor that they are unreliable.)
If I had a billion dollars I would shrimply role-play as an actual angel
CEO/founder of Flock has a BS in Electrical Engineering with highest honors from Georgia Tech, and does not appear to have an MBA.
Yes, from what I have seen
The dystopian tech does not seem that bad when you believe you will be the one controlling it.
ding ding ding
Does anyone else feel like the LLM-tone of this article makes it difficult to understand what's actually important in it? It's not clear to me if the issue is ongoing (like it says) or that it's been resolved by rotating the API key (like it also says). And that's like, the most basic piece of information the article could have in it.
Obviously more than just tone. Based on the lack of structure and wording it's clearly substantially AI written.
The article mentions two vulnerabilities. One was remediated June 2025. The other has not been remediated.
I hate that every article nowadays has to be judged on whether it's AI or not.
So annoying.
For me it's not about "is this AI", it's "this writing is obnoxious and disrespectful of the reader, and here's why I think AI is likely at the root of it."
I'd like to read stuff written by a human. I know other people like reading LLM output. I don't see what's wrong with telling people whether it's AI-written or not.
Who could have guessed that the greedy, opportunistic, evil corporation whose sole intent is to invade our privacy in the name of "security" would be run by incompetents in the security realm?
Their CEO comes off as a real self-righteous character.
One has to wonder whether these passwords were that way purposefully to avoid accountability for privileged partners. Most of these systems are deployed with grant money that comes from the Department of Justice.
> Their CEO comes off as a real self-righteous character.
https://www.ci.staunton.va.us/home/showpublisheddocument/134... (PDF)
My favorite part:
> [Activists are] also trying to turn a public records process into a weapon against you and against us.
As if people are not simply asking for something to which they are entitled through legislation.
He’s clearly mimicking Alex Karp. And there’s no doubt in my mind that this is one of many backdoors built into Flock.
“Wow, we totally didn’t know we had everything accessible on Shodan! We totally hope that no federal entities exploited this (fake tears), but I guess we can’t tell anyway! It’s not as if they found out about it from us :(”
I'm surprised they didn't name it after some Tolkien reference that they completely misinterpreted...
FYI: Flock was/is a YC backed company.
https://www.ycombinator.com/companies/flock-safety
> We are committed to protecting human privacy and mitigating bias in policing with the development of best-in-class technology rooted in ethical design, which unites civilians and public servants in pursuit of a safer, more equitable society.
…and of course they do the exact opposite. All a bunch of bullshit from inception.
Which really makes me sad that no one from YCombinator is speaking up. It’s all about money.
This is extremely disappointing. Absolutely turned off applying for or working for any YC companies now.
VC firms are behind the police state and the break down in world order in general.
YC is not the good guy in this world.
Here's an elucidation, taking that question seriously, supplying a bunch of "Why's" --
* https://medium.com/@ajay.monga73/why-developers-still-hardco...
A root-cause analysis here that's about intrinsic difficulty is misguided IMHO. Secrets and secrets-delivery are an environment service that individual developers shouldn't ever have to think about. If you cut platform/devops/secops teams to the bone because they aren't adding application features, or if you understaff or overwork seniors that are supposed to be reviewing work and mentoring, then you will leak eventually. Simple as. Cutting engineering budgets for marketing budgets and executive bonuses practically guarantees these kinds of problems. Engineering leadership should understand this and, deep down, it usually does. So the most direct way to talk about this is usually acknowledging willful negligence and/or greed.
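The comment above argues that secrets should arrive from the platform and never live in source. As an added example (not Flock's code, and not from any project or commenter in this thread), the block below shows the two halves of that control in Python: a scanner that flags credential-looking literals in sample source lines, and a loader that refuses to start unless the environment actually delivered the secret. The identifier names, the placeholder heuristics and every key-looking string are constructed for illustration.

```python
"""Two sides of one control: catch literals that slipped into source before
they ship, and fail closed at startup when the platform did not deliver a
secret. Added example; the sample lines and key-like strings are made up."""
import math
import re
from collections.abc import Iterable, Mapping

# A credential-looking identifier (ends in key/secret/token/password/...)
# assigned a quoted literal of 12+ characters. Covers JS and Python
# assignments as well as JSON-style "name": "value" pairs.
SECRET_ASSIGNMENT = re.compile(
    r'''["']?\b(?P<name>\w*?(?:key|secret|token|password|passwd|pwd))\b["']?'''
    r'''\s*[:=]\s*["'](?P<value>[^"']{12,})["']''',
    re.IGNORECASE,
)

# Literals that are obviously templates rather than live credentials.
PLACEHOLDER = re.compile(r"(?i)(replace|change|your|example|placeholder|xxx|todo|dummy)")


def shannon_entropy(text: str) -> float:
    """Bits per character: random-looking keys score high, words score low."""
    if not text:
        return 0.0
    n = len(text)
    counts = {ch: text.count(ch) for ch in set(text)}
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_hardcoded_secrets(lines: Iterable[str]) -> list[dict]:
    """One finding per line that assigns a non-placeholder literal to a
    credential-like name; entropy is reported to help triage."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        m = SECRET_ASSIGNMENT.search(line)
        if m is None or PLACEHOLDER.search(m.group("value")):
            continue
        findings.append({
            "line": lineno,
            "name": m.group("name"),
            "entropy": round(shannon_entropy(m.group("value")), 2),
        })
    return findings


class MissingSecret(RuntimeError):
    """Raised when the deployment did not hand the process a usable credential."""


def load_secret(name: str, env: Mapping[str, str]) -> str:
    """Fetch a credential the environment was supposed to inject; fail closed.

    `env` is whatever the platform gives the process (os.environ, a mounted
    secrets file parsed into a dict, ...). The application code never holds
    a literal, so there is nothing for a build to leak into client-side JS.
    """
    value = env.get(name, "")
    if not value:
        raise MissingSecret(f"{name} was not delivered to this process")
    if PLACEHOLDER.search(value):
        raise MissingSecret(f"{name} still holds a template value")
    return value


# Constructed sample source lines (not from any real codebase).
SAMPLE_SOURCE = [
    'const mapUrl = "https://example.invalid/map";',          # no credential
    'const apiKey = "pk9Qv2xL7mN4rT8wZ3bH6cJ1";',             # flagged
    'const placeholderKey = "REPLACE_WITH_YOUR_KEY";',         # template, skipped
    'password = os.environ["DB_PASSWORD"]',                    # delivered, not literal
    '"arcgisToken": "tK4nB9vL2qR7xM3pZ8wH5yC1",',              # flagged
    'secret_token = "short"',                                  # too short to be a key
]

if __name__ == "__main__":
    import os
    for f in find_hardcoded_secrets(SAMPLE_SOURCE):
        print(f"line {f['line']}: literal assigned to {f['name']} (entropy {f['entropy']})")
    try:
        load_secret("ARCGIS_TOKEN", os.environ)
    except MissingSecret as exc:
        print("startup refused:", exc)
```

Run as a pre-commit or CI step, the scanner is the last line of defence; the loader is the design choice that removes the class of bug, because a process that cannot start without an injected credential gives developers no reason to paste one into source in the first place.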
Then time for responsible disclosure or CFAA charges.
You could just read the article before knee-jerking to state repression.
> November 13, 2025 — Initial disclosure sent to Flock Safety security team
> November 14, 2025 — First follow-up requesting confirmation of receipt
> November 19, 2025 — Second follow-up; Flock Safety finally acknowledges receipt
> January 7, 2026 — Vulnerability remains unpatched (55+ days)
> I am withholding specific technical details to prevent exploitation while the vulnerability remains unpatched. However, its existence more than 55 days after responsible disclosure with no remediation, demonstrates a systemic pattern of credential mismanagement.
In fairness to flock, they just hired a CISO and are actively recruiting for a head of product security and privacy as well. So I'm not surprised they're dealing with some of this.
Edit: I'm standing by it. The person they hired for it has a good track record elsewhere. And much as I don't like what Flock is building as a company, at least they're building security in now, even if it wasn't front of mind for them in the past.
He's got his work cut out for him though.
That’s fairness to a new employee. Does the multibillion company of a widely-deployed sensitive product deserve a pass for having poor or nonexistent employees doing security previously? Not really IMO.
> And much as I don't like what Flock is building as a company, at least they're building security in now,
This phrasing implies that the "building security in now" part improves (or decreases the awfulness of) what you don't like.
If what you don't like = bulk, systemic surveillance (of people not suspected of a crime), how does fixing broken security make that less awful?
That's not how security fairness works! You have to be good from day one.
This is just the Cisco playbook
There should be no "Fairness to Flock" they're building the panopticon. Freethinking Americans should do what they can to dismantle this overreach, lobby their city leaders with their poor track record on security and thereby safety.
I'm fine giving the new employees a pass on this, but not the company as a whole. Not building security into a product like this from day one should be a criminal offense.
A bit late in the game, considering how widely their stuff is deployed?