Ring “security” Drone

I saw that article! What could possibly go wrong? Geeze, I don't get the fascination with video cameras inside my house. Nor internet controllable door locks. If I can access it from outside, so can somebody else.
 
From the same company that sells video to the cops...

Yeah, no thanks, I don't like the government IN my house. Cool idea, if it was open source and able to be tightly controlled and use an in-house server.
 
From the same company that sells video to the cops...

Yeah, no thanks, I don't like the government IN my house. Cool idea, if it was open source and able to be tightly controlled and use an in-house server.

And if it was made by Apple. Although if made by Apple you'd probably allow it, nay require, it be in your house as is.
 
And if it was made by Apple. Although if made by Apple you'd probably allow it, nay require, it be in your house as is.

Meh... The big thing here is privacy. Apple is far better at that than the other tech giants. But I'd still prefer it to be in house controlled.

It's not that this thing can't do cool stuff. It really can. It also normalizes cameras in the home that are connected to "the cloud" and that gives me the willies.
 
I saw that article! What could possibly go wrong? Geeze, I don't get the fascination with video cameras inside my house. Nor internet controllable door locks. If I can access it from outside, so can somebody else.
My internet-controllable door locks are more difficult for a burglar to defeat than my windows. And much more useful to me when I'm locked out.
 
My internet-controllable door locks are more difficult for a burglar to defeat than my windows. And much more useful to me when I'm locked out.

Would love to know what manufacturer you’re using.

Haven’t seen an electronic one yet that isn’t just a non-security core (usually bumpable, always pickable in seconds) cheap consumer grade lock for the keyed backup.

I guess I could go see if Assa Abloy or some real lock company has bothered to do residential electronic by now, but last I checked that was their commercial lineup, and also designed to have the tamper proofing stuff attached to a real security system, or those are defeatable via easy and known exploits also.

For most installations the strike plate and attachment to the frame aren’t done right residentially anyway, so “defeating” these usually is just a matter of a hard shove with a leg. But the bad guys far prefer those decorative side windows next to front doors.

All depends on what ya got, but nobody bothers to defeat locks as a first choice, but defeating a consumer grade electronic is kiddie play if they’re forced to and think you have what they want. Bump key.

Do it so fast it’ll look like they had the real key and are supposed to be there on the big box store junk locks.
 

There's plenty. Here's the first couple:

https://www.washingtonpost.com/tech...h-police-forces-extending-surveillance-reach/
https://www.eff.org/deeplinks/2020/06/amazon-ring-must-end-its-dangerous-partnerships-police

They say that they "request" your video, but Amazon has not been very good with their internal security and they caught employees watching customer video feeds:

https://www.vice.com/en/article/y3mdvk/ring-fired-employees-abusing-video-data

So yeah, better to not have cameras inside your house feeding "the cloud". The cloud is just someone else's computer...
 
It’s not even a security problem with them, it’s a willful and corporate ingrained culture to sell data collected by others. Those cultures don’t go away unless eradicated with fire.

Amazon buy out didn’t let go any of the many many people there who think that’s ok behavior.
 
There's plenty. Here's the first couple:

https://www.washingtonpost.com/tech...h-police-forces-extending-surveillance-reach/
https://www.eff.org/deeplinks/2020/06/amazon-ring-must-end-its-dangerous-partnerships-police

They say that they "request" your video, but Amazon has not been very good with their internal security and they caught employees watching customer video feeds:

https://www.vice.com/en/article/y3mdvk/ring-fired-employees-abusing-video-data

So yeah, better to not have cameras inside your house feeding "the cloud". The cloud is just someone else's computer...
WaPo is behind a pay wall, but the EFF rant (paranoid rant) doesn't support your statement. Of course cops can request videos from owners, and owners can share them. That's why people get these cameras. But Ring isn't directly giving or selling videos to the police.
 
Would love to know what manufacturer you’re using.

Haven’t seen an electronic one yet that isn’t just a non-security core (usually bumpable, always pickable in seconds) cheap consumer grade lock for the keyed backup.

Schlage claims theirs are ANSI Grade 1
 
WaPo is behind a pay wall, but the EFF rant (paranoid rant) doesn't support your statement. Of course cops can request videos from owners, and owners can share them. That's why people get these cameras. But Ring isn't directly giving or selling videos to the police.

They were. It was not opt-in. Was well documented right around the time of the Amazon buy-out of the company. Hit all the usual IT security news outlets. Boilerplate legalese in their EULA covered their asses.

Whether they’ve changed after getting caught is debatable, but like I said, nobody got fired and it’s deeply ingrained if all the execs and engineers who had to create integrations (and not small ones at that) for LE to even have a “portal” to download from, all willingly went along without a single person standing up and saying “Hey guys, these aren’t OUR cameras, you know... nor is this data truly OURS...” which is the real problem with cloud services.

Either your corporate culture is that you’re just the curator and protector of your customer’s data, or you get into the mistaken mindset of modern Silicon Valley that all customer’s data is just there for you on your servers to do with as you please.

Nothing fixes that broken culture once it starts. BTDT. Got the t-shirt. Been the engineer who said no, put it in writing that you are authorizing this... and waited for the customer complaints to roll in that we knew were coming.

(Early big data analysis people asking customer service to actually log into customer systems in telecom and download statistical data for them to do future sales predictions from. Completely inappropriate use of our special access our support contracts required customers to give to us and a breach of their trust. Big backlash when customers figured out what was happening, people fired over it. We had our written get out of jail free card signed by a “brilliant” VP (so they said the year before at company meetings, rah rah...) who was crap canned.)
 
I would not want to be having some quality time alone with my laptop, and hear some whirring quad copter props come up behind me.
 
Link please.

Here are two:

https://www.washingtonpost.com/tech...th-whomever-theyd-like-company-tells-senator/
The first detailing the problem of Ring video belonging to the police; they can keep it forever, and share however they see fit. They can request video from anyone within half a mile of a location they designate, for a window of 45 days time, without providing information on why they are making the request or stating that a crime had been committed.
Ring is working to incorporate facial recognition software, but promise they will only release it to the public with “thoughtful design including privacy, security and user control.” o_O The article also talks about Ring Neighbors, their social networking site which can capture interlocking fields of video from adjacent homes, share them to the site, and even allow homeowners to annotate people deemed 'suspicious'.

https://arstechnica.com/tech-policy...orbell-footage-without-a-warrant-report-says/
The second article notes that Ring, in return, gets access to real-time 911 call data from the police departments, which they can populate to Ring Neighbors. It also quotes the Fresno County Sheriff's office as stating that neither an opt-in from the homeowner, nor a warrant, is necessary for them to access Ring Video. They simply request it from Amazon.
 
Here are two:

https://www.washingtonpost.com/tech...th-whomever-theyd-like-company-tells-senator/
The first detailing the problem of Ring video belonging to the police; they can keep it forever, and share however they see fit. They can request video from anyone within half a mile of a location they designate, for a window of 45 days time, without providing information on why they are making the request or stating that a crime had been committed.
Ring is working to incorporate facial recognition software, but promise they will only release it to the public with “thoughtful design including privacy, security and user control.” o_O The article also talks about Ring Neighbors, their social networking site which can capture interlocking fields of video from adjacent homes, share them to the site, and even allow homeowners to annotate people deemed 'suspicious'.

So if there's a crime in my neighborhood, Ring will tell the police I have a doorbell camera (or the police can just see that for themselves since it's blatantly obvious) and then the police can ask me for the video. THE HORROR! Wait, what's wrong with that? In return, Ring gets access to live dispatch reports so it can keep me informed through the app about what's going on in my neighborhood. What's wrong with that?

https://arstechnica.com/tech-policy...orbell-footage-without-a-warrant-report-says/
The second article notes that Ring, in return, gets access to real-time 911 call data from the police departments, which they can populate to Ring Neighbors. It also quotes the Fresno County Sheriff's office as stating that neither an opt-in from the homeowner, nor a warrant, is necessary for them to access Ring Video. They simply request it from Amazon.

From the article:
UPDATE 5:55pm ET: After we published our story, a representative from Ring responded to our request for comment to deny all allegations in the Government Technology report.

"The reports that police can obtain any video from a Ring doorbell within 60 days is false," a spokesperson said. "Ring will not release customer information in response to government demands without a valid and binding legal demand properly served on us. Ring objects to overbroad or otherwise inappropriate demands as a matter of course. We are working with the Fresno County Sheriff's Office to ensure this is understood."

Still none of these sources supports the original claim that Ring is or has ever just sold video to the police.

BTW, I fully believe that the cameras deter crime. Not a crime, but electric co. tree trimmers broke my fence with their truck, and I noticed it afterward. I knew who it was because they were all up and down our alley. Before I even had a chance to call them the next day, their foreman came and told me what had happened. I hadn't even thought to look at the video since I immediately knew who it was, but in his confession, he mentioned the cameras three times. I have little doubt based on history that I never would have heard from them if they hadn't noticed the cameras.
 
So if there's a crime in my neighborhood, Ring will tell the police I have a doorbell camera (or the police can just see that for themselves since it's blatantly obvious) and then the police can ask me for the video. THE HORROR! Wait, what's wrong with that? In return, Ring gets access to live dispatch reports so it can keep me informed through the app about what's going on in my neighborhood. What's wrong with that?

It’s not their data to give or sell. Never was. The customer who uploaded it wrongly assumed the “cloud” service was priced at cost, and their storage of it was just managed by Ring.

The intense amount of development effort required to even offer a web portal to even limit access by jurisdiction or correlate cameras that can see overlapping fields of view is MASSIVE.

Ring ALWAYS planned to sell the data. You don’t fire up an entire fleet of engineers to make the infrastructure needed to even stream that data to LE without a corporate culture that customer uploaded data isn’t the customer’s and you’re just a proper steward of it.

Amazon rescued them. The subscription price from their real customers doesn’t pay their storage bill. Not even close.

Standard unprofitable cloud model. Give customer data away to some real future customer and get them hooked on it. Convince everybody it’s okay to resell customer data for convenience. Then hit em with the sob story that some critical features needed by the new “real” customer (LE in this case) is too expensive to develop now, and pay up, suckers.

If you’re paying less than it would cost you to store the data on site to a “cloud” entity, they’re selling it, or will have to, in order to survive. Guaranteed.

Just because a cop likes the convenience of it, doesn’t justify the release of the data gathered and stored by the cloud customer. Ever.

But that’s the modern Silicon Valley broken culture today. Quite common and repetitively caught doing it. Broke businesses with bad business models that can’t turn a profit, desperate for new revenue streams.

Any service that doesn’t explicitly state whatever you are uploading to them is encrypted and with a key that only you hold... and encrypted before it leaves your premises, is not just going to sell it, they’re planning on selling it.

You don’t build whole divisions writing code to make customer data accessible to any third party unless that was your business plan all along. Or at least from the moment you noticed your storage bill was going to bankrupt you. And that’s stretching it. Too much work involved by way too many people to not be pre-planned.

And the EULA prior to them being open about it proves it. The lawyers knew the plan.

Deep corporate culture in almost all cloud services today to sell customer stored data. Papa Bezos at Amazon wanted in on that action. It’s why he bought Blink nearly simultaneously as Ring.

He didn’t need two companies doing the same thing... unless he had longer term plans for their customer’s uploaded data ... which is identical... why else buy two unprofitable video camera businesses?

“We have an update to our Terms of Service... it’s all good... don’t read it...” lol.
 
What's wrong with that?

We'll never agree here. I see a LOT wrong with that. I disagree with almost everything you've posted in this thread. Our views on the importance of privacy are just worlds apart.

I do find the police department's statement that Amazon hands over the video when they ask to be more credible than Ring's after-the-fact backpedalling almost-denial.
 
I do find the police department's statement that Amazon hands over the video when they ask to be more credible than Ring's after-the-fact backpedalling almost-denial.

Unless the corporate culture and policy of your cloud provider for any service is “come back with a warrant”, you don’t want to be using them.

It’s the basics of how to properly treat customer data, and there’s an ever lowering number of us in business who do it as a BASIC fundamental requirement.

Encryption at the customer, encryption at rest, no access by third parties to your data without your explicit opt-in consent...EVER.

Quaint, I know. Find a vendor or product that actually does it and pay them. Not these doofuses who think the data is theirs.

Isn’t even just a privacy issue. Privacy jumps into this one because of the data type and location of the camera.

It’s a proper data handling issue.

Customer sends data to me, it is not mine. I am a steward of their data. Bring me a court order and you can have a copy. And if the customer encrypted it I will not relinquish their key if I even have it, without the order stating so. Period. End of story.

We don’t even look at company owned email without two people present.

There’s proper data handling, and the prevailing Silicon Valley narcissism. Choose vendors wisely. Most won’t.

There’s a reason cheap IP cloud storage camera systems are cheap. Just like there’s a reason Zoom is free and nobody serious used them prior to the annoying virus thing saving their butts.

Proper data handling isn’t cheap. Securing the stuff the data sits in even less so. Garmin and one of the largest hospital networks have now both learned the hard way in the last couple of months.

Accidents are bad enough without paying someone who actively wants to give the data to third parties. No matter how “noble” their intentions they’ll admit to in public appear to be.
 
Ok, great. You haven't substantiated your claim that they give or sell it to anyone. They just allow the users to give it to whomever they want.

Well documented in all the security trade rags. If you can’t operate Google it’s definitely not my job to do it for you.
 
Well documented in all the security trade rags. If you can’t operate Google it’s definitely not my job to do it for you.
You made an assertion that this is "well documented," but you don't have a single link. And all the links provided say the contrary. I don't think I will spend any time googling.
 
Unless the corporate culture and policy of your cloud provider for any service is “come back with a warrant”, you don’t want to be using them.
There are actually laws that address this. If your cloud provider does NOT do that, they're likely breaking the law.
 
There are actually laws that address this. If your cloud provider does NOT do that, they're likely breaking the law.
Not necessarily. Read the EULA, Terms and Conditions, and Privacy policy.

Oh, and hope you pick a provider based in a friendly country.

If you do security cameras at home, get ones with local storage (or a local NVR), put it behind a security appliance, and access it by VPN. Still a risk if the firmware /software can "phone out", but still lower risk than cloud.

When I went "cloud" for email and web services, this was an important consideration. Google lost even though they had stated at that point that they stopped mining data. Some providers, like Proton, do a pretty good job, but still may release certain data in accordance with Swiss law.

By the way, some password managers are also not fully private or secure (including the ones that will auto-change your passwords if you ask). Including some of the big names that promise end-to-end encryption.

If the selling point to you is "convenience" then the horse has already left the barn.
 
Did they repeal the stored communications act recently?
Not necessarily relevant. Given its age and the body of case law that has defined how it operates, it really doesn't encompass a lot of stuff that defines the current Internet. And if you look closely, the ToC, the EULA, and the Privacy policy often give the data to, or share it with, others (including partners and affiliates).

But, heck, believe what you will.
 
There are actually laws that address this. If your cloud provider does NOT do that, they're likely breaking the law.

Since I’ve actually stood there watching this discussion happen with an FBI Agent who didn’t want to get a warrant for customer data and wanted a “favor” of a fake outage while he copied the hard drives of a customer... and we had to tell him to go pound sand and find a Judge...

And also because telecom literally has a get out of jail free card for handing over anything that was buried in the second post 9/11 spying act... they literally can’t be sued for their involvement in government requesting data they’re not supposed to have... full immunity...

I’m going with : You clearly don’t keep up on any of this. The exclusion for telecom is well over a decade old now.

The conversation with the lazy ass FBI Agent was fun though. I think they eventually got their man, but boy did he not want to have to get that subpoena. I’m sure if we had acquiesced they’d have made sure we weren’t charged with anything for our “excellent cooperation”. LOL.

Get out of my data center. Nice to meet you. Go away.

I was the head engineer for the site, but I let the much more angry corporate security guy chew his ass. More fun that way.

We couldn’t care less about our liability in it. Customer data is either always customer data or it isn’t.

With Ring, it isn’t and never has been. That’s just their culture. No respect whatsoever for it.

The LE tie in is just them trying to save face and pretend their root culture problem is justified. Just another “partner” in the data sales and data sharing biz, where the customer expectation was that it is their data, simply being stored for them.

Didn’t read the EULA. Nobody does.

What works and always works is only handing money to a provider who publicly and explicitly states they put you in control of encryption keys. Anything less is just wishful thinking.

I could care less and would hand over the video to help a cop, all they have to do is ask correctly. The problem is when your storage provider decides they hand over data without asking. Ain’t a beef with the LE who want it. Beef is with the vendor who didn’t and never had plans to protect it.

You don’t spend the kind of money and effort they did to build a third party distribution platform when your focus is on your customer and proper data handling. Even building a website for LE to hit to get that data is a multi-month many developer very expensive effort. They knew what they were doing.
 
Since I actually have read the EULA and use the products, rather than just repeating superstitions, I was genuinely interested in your sources if they'd support Ring's misuse of customer recordings. So I'm actually glad you don't have any.
 
Don’t worry, guys. Really. According to Yahoo, the TSA should be monitoring it all anyway, in case Ring is secretly smuggling drugs using all these unregulated drones exploiting loopholes in FAA regulations. They’ll save us.
 
Since I actually have read the EULA and use the products, rather than just repeating superstitions, I was genuinely interested in your sources if they'd support Ring's misuse of customer recordings. So I'm actually glad you don't have any.

The “I’m too lazy to look them up” defense of them is really boring and common on the internet, where your lazy ass fingers can easily find it. Others have posted links. Your research of things is definitely not my job. You’re sitting at your keyboard, champ.

Especially disinterested in assisting you, when you don’t even know the basics of telecom and tech industry exemptions written into law over a decade ago.

Arguing with the uninformed who don’t work in the industry or even know how any of it works in the real world, is incredibly dull. Well, a mild pastime at non-IT places like this one when someone decides they can’t abide typing their own searches into Google on the topic.

Doing their homework for them is useless.

Enjoy defending a company with a terrible culture of poor data handling and a parent company not exactly any better.

I have zero idea why a non-professional would even want to do that.

But hey, tell your friends it’s all great from a platform of pure ignorance.

Why not? It’s fun to send friends to the worst possible cloud providers.

Wouldn’t want to actually give them pro level advice or anything. You know, pros. People who actually have to meet real published security standards as a minimum with their customer’s data?

Let us know when you figure out which standard they meet as audited by a third party. We’ll be here.
 
WaPo is behind a pay wall, but the EFF rant (paranoid rant) doesn't support your statement. Of course cops can request videos from owners, and owners can share them. That's why people get these cameras. But Ring isn't directly giving or selling videos to the police.

Interesting - The WaPo one came up for me and I do not subscribe. Anyway, it was about a bunch of Amazon employees who got caught watching customers' video feeds for fun. Having worked as a consultant inside a number of companies, @denverpilot is absolutely right... And even when the lack of security isn't malicious, most companies are simply not bothering to protect customer data at all. The only real exception is in health care where they can get in deep doo-doo for letting information get out, and even then there are the occasional slip-ups. A local health care organization here got in trouble a few years ago when they sold their copiers without removing and destroying the hard drives, many people's private medical information was found on them by the purchasers.

Ring is working to incorporate facial recognition software, but promise they will only release it to the public with “thoughtful design including privacy, security and user control.” o_O

Hah! Amazon/Ring knows how to do exactly none of those things.

Oh, and by the way, Google's Nest Hello camera already has facial recognition! "It's a feature," they'd tell you. Sure, it'll say "Nate is at your door" instead of "Someone is at your door" but you can be damn sure that Google is paying attention to Nate having been at your house at a particular time.

We're a VERY small step away from 1984.
 
By the way, it's not just limited to video. Look up what law enforcement has done with GEDMatch - and what can happen if anyone in your family submits DNA data to them.

Ancestry and 23andMe prohibit it in the T&C, but those can be easily breached if the lawmakers so choose.
 
....
It’s the basics of how to properly treat customer data, and there’s an ever lowering number of us in business who do it as a BASIC fundamental requirement.

Encryption at the customer, encryption at rest, no access by third parties to your data without your explicit opt-in consent...EVER.

Quaint, I know. Find a vendor or product that actually does it and pay them. Not these doofuses who think the data is theirs.

....

I've seen a few EULA, TOS, privacy policy statements, whatever that give me the willies.

Are you permitted to provide an example or two of vendors that actually protect the user's data?
 