snailmailman's comments

This is a quite scary map. They are all over my local area. It may technically be possible to route a drive around them, but if you take the most convenient path between any two points at least one camera will spot you. I'd have to leave my neighborhood through back roads and enter local shopping areas through side streets.

This data shouldn't even be collected in the first place, let alone consolidated into a national network that any police officer can decide to spy on me through.


Download osm data, extract roads and surveillance, gpd overlay how=difference, remove/edit the different osmid's, write to pbf file, convert to obf file w/ osmandmapcreator, import into OsmAnd.

Now you have turn by turn navigation around ALPRs on your phone.

Edit: link https://github.com/pickpj/Big-B-Router - I tend to find ALPRs that are missing in the OSM data, so keep on updating OSM data.


> Now you have turn by turn navigation around ALPRs [that we -- regular people -- know about] on your phone [while still being observed by the ones we don't know about].

fixed that for you. :-/


And a good chunk of your trips will have to be cancelled because no such route exists.

I made a version which does the avoidance dynamically at runtime, works for any tracks you want to use: https://alprwatch.org/navigation. It works fully offline after you download the maps and overlays.

> It may technically be possible to route a drive around them

That's an interesting idea...



Cool, but…

I was hoping for an online game, maybe Escape From Flockopolis.

Driving sim (using Google street view) where you try to avoid the Flock.


I can't speak to flock but I know that other vendors in the space have software designed to calculate optimal locations to maximize probability at least one license plate scan for every trip taken.

Presumably that software can then be used to upsell additional cameras because with an increased density your capabilities start to approximate real-time live position tracking instead of just getting approximate locations of hot plates.


>> This is a quite scary map.

It can be. FLOCK data was used to put Bryan Kohberger at the scene along with other people's security cameras. Cops regularly use FLOCK cameras to get hits for criminals that have warrants for violent crime.

I can see why people are ok with them when they're used to get criminals off the streets. However, I've seen multiple times where cops initiate a felony stop (where people are pulled out at gunpoint and detained) against a car they got a hit on - only to find out the person they really wanted wasn't driving or even in the car at all.

What's interesting is businesses and houses have so many cameras nowadays that the first thing cops do when they get to the scene of a violent crime is canvass the area for cameras. So yeah, you can avoid FLOCK, but there are most likely hundreds of other cameras that will capture you driving through any given area.


Do you have a source for your Bryan claim?

If you look at the map, there are zero flock cameras reported in that region.

None in Moscow Idaho where the murder happened, none in Pullman where he lived, and none showed between the locations.


You can't rely on Flock's "transparency" reports either, they're woefully inadequate. In our County, the Sheriff spoke of a PD in the County getting a Flock hit. It was news to many, including Flock's transparency site, that that PD was a user of their services.

So I'm not overly surprised by this.


There's a disclaimer when you first open the page that the map is incomplete and that users need to submit the data. It's possible that data hasn't been submitted/parsed yet.

It's possible, but I can't find a corroborating news report, and it's the first I've heard this claim made about that case.

I can't find anything corroborating that example either.

I've been seeing a lot of similar grandiose claims made in random comments/Tweets/etc recently that Flock solved this or that specific high profile case that have also turned up zero proof when I did research.

I'm not sure whether it's just individual techno-optimist fantasy that somehow becomes confabulated in the brain with some other crime in the news as if Flock was actually used, an organized persuasion/lobbying/misinformation campaign, or something else. But I'm seeing it a lot now which feels a bit concerning.


There have been numerous instances where cops used it to stalk exes, etc. If it isn't already, it will be used to stalk a blacklist of dissidents. It will continue to happen as long as the system exists.

But the cameras that the law enforcement officers canvass in the area aren't centrally aggregated and tagged with metadata such that they can be queried at scale.

Which is fine, because those are owned by private citizens and companies and those citizens are giving their permission to the police to use them. That's the difference between centralized government surveillance and CCTVs.

Sounds like it's working as intended. These systems don't track people, they provide objective clues and evidence.

By tracking everyone at all times.

> However, I've seen multiple times where cops initiate a felony stop

At what point do we accept that all systems are flawed? There could be many variables as to why the perp wasn't in the car. Maybe the perp stole the car. Maybe the perp borrowed the car. Maybe these systems do not work well in fog etc etc. I don't know how we're supposed to advance technology that makes us safer without getting into these murky situations from time to time.


Technology is a means to an end, not the end itself. If you can’t make it safe then don’t deploy it.

There must be some level of acceptable failure.

Flock, like Palantir, is the Torment Nexus from the famous novel Don’t Create The Torment Nexus.

Considering the potential and demonstrated abuse there must be more robust guardrails than currently exist. The required level of safety is more like “nuclear launch codes” or “commercial airliner”, not “local used car lot landing page”.

This juice ain’t worth the squeeze.


Why do anything at all?

Why even deploy such systems? I would support less for sure.

You should assume every police cruiser has a plate reader, too.

They do, especially in cities and wealthy suburbs (and honestly a lot of poor rural areas too).

The difference is these typically don't zap that data up to a central database that any agency in the country can access, the way Flock does if only because the security people at Flock are a joke.


No they don’t. You are conflating “any” with “every”.

In my city, the plate reader cop cars have 4 smallish boxes, each mounted above a quarter panel. At most about 1/20 of the police cars for my local PD have these installed.

It’s more likely that private sector cars have them installed because car repo companies will pay bounties for license plate hits on a car they have an active repo contract for.


You think more than 5% of the "private sector" cars on the road have ALPRs because of car repo bounties?

Regardless, you're being needlessly pedantic.


If you want to explore navigation I made an app: https://alprwatch.org/navigation. It works fully offline, you just need to download the maps and overlays.

They are all over certain neighborhoods and areas in my metro. At first I thought it was due to the wealth of the neighborhoods but... Now I'm wondering if the map is just not fully filled in :|

wow. quite literally the only ones in my area are surveilling the county park / community center. that's creepy. I'll just have to assume they're doing something creepier at the public library.

Saw two in my area on the map.

I drove out to investigate, ended up adding two more to the site.


[flagged]


We are all being investigated by the Feds 24/7 — that's what dragnet surveillance is: indiscriminate investigation at scale to be used retroactively.

"Don't do anything bad and nothing will happen" is frankly asinine to me, personally. That same logic could extend to stop-and-frisk or random door-to-door visits to check for citizenship.


Uh speak for yourself but some of us are doing the good crimes and would rather like to continue that fight from outside prison and without being shot in the face.

Go team.

I like the concept of them, and I want them to work well purely so people stop using bad passwords. But nearly everywhere does it differently and weirdly and likely wrongly.

When I log into my Amazon account with a passkey, it then asks me for a 2FA code. The 2FA code is stored on the same device as a passkey, that step literally does nothing. After I do the 2FA code, it then prompts me to create a passkey. No! I have one. I signed in with one.

Some devices give me the option to use a QR code. I like that option usually, I can easily use my phone to authenticate. But sometimes I can’t get the QR code to appear. Support varies by OS, browser, and set of installed extensions. And there’s no easy way to control which of those three handles the passkey when something decides wrongly.

I had to troubleshoot something on someone else’s computer, and saw that they logged in to Windows with a passkey and QR code. I’ve looked, and I can’t seem to set that up on my Windows computer. There isn’t an option to and I have no idea why.


Passkeys IMO will only work with dedicated U2F/FIDO keys like Yubikeys.

Beware that Passkey storage is limited though and I don't think you can reuse one for multiple sites. My Yubikey 5 NFC stores up to 32 and you should have some redundancy if you ever lose it. You also can't export them. I only use passkeys (in Bitwarden) for things I don't care about.

As someone who's looking into possibly getting a YubiKey 5 NFC actually, I would like to ask: if you can't export the entries, if you make a backup of the YubiKey (perhaps with the magic of buying two of them), then how would one ensure redundancy?

This does unfortunately actually work pretty well as a security measure. The new domains that are cheap and good for fun side projects, are also cheap for scammers.

For a while I noticed all the scam links my grandmother was getting were from ‘.top’ domains. I fully blocked it at the DNS level. Her DNS settings also block all newly registered sites for 90 days. She hasn’t ever had issues with it. But these have actively prevented her from clicking on scam links multiple times.

Facebook, google, and all the popular sites are all older than 90 days, on popular well known TLDs. My grandmother doesn’t seek out new trendy sites.

It was definitely something I considered when buying a new domain. I sorted by price, and then immediately ignored all the cheapest domains that were ~$1 because I’ve seen them being used for scams. They may be cheap but good luck using them.


The revocation mechanism is basically just a list of revoked certificates. Without expiration dates, those lists will grow infinitely.


I’m pretty sure YouTube’s built-in AI summary is also biased towards not “spoiling” the video.

Like if the title is a clickbait “this one simple trick to..” the ai summary right below will summarize all the things accomplished with the “trick” but they still want you to actually click on the video (and watch any ads) to find out more information. They won’t reveal the trick in the summary.

So annoying because it could be a useful time saving feature. But what actually saves time is if I click through and just skim the transcript myself.

The ai features are also limited by context length on extremely long form content. I tried using the “ask a question about this video” and it could answer questions about the first 2 hours in a very long podcast but not the last third hour. (It was also pretty obviously using only the transcript, and couldn’t reference on-screen content)


They specifically avoid sending traffic through tailscale servers whenever possible. That’s how the free tier stays free. Most connections are direct, P2P.

The traffic that does go through their servers is encrypted, and bandwidth limited on the free plan. Any snooping on client behavior would have to be done client side, and the clients are all open source. To some extent the coordination server might be able to deduce some metadata about connections; but definitely not snoop all plaintext traffic.

I think they do have some “service detection” which can basically port-scan your devices to make services visible in the web UI. But that is easy to disable. And premium/enterprise tiers can intentionally log traffic statistics.


> To some extent the coordination server might be able to deduce some metadata about connections; but definitely not snoop all plaintext traffic.

Metadata is as good as data for deducing your behavior. Think what conclusions can be drawn about a person's behavior from a log of their network connections, from each connection's timestamp, source, destination, and port. Think about the way each additional thing-which-makes-network-requests increases the surveillance value of all the others.

Straight away, many people's NTP client tells the network what OS they use: `time.windows.com`? Probably a Windows user. `time.apple.com`? Probably Mac or iOS. `time.google.com`? You get the idea. Yeah, anyone can configure an NTP client to use any of those hosts, but the vast vast majority of people are taking the default and probably don't even know what NTP is.

Add a metadata point: somebody makes a connection to one of the well-known Wi-Fi captive portal detection hosts around 4PM on a weekday? Maybe somebody just got home from school. Captive portal detection at 6PM on a weekday? Maybe somebody just got home from work. Your machines are all doing this any time they reconnect to a saved Wi-Fi network: https://en.wikipedia.org/wiki/Captive_portal#Detection

Add a metadata point: somebody makes a network connection to their OS's default weather-widget API right after the captive-portal test, and then another weather-API connection exactly ${DEFAULT_INTERVAL} minutes later? That person who got home is probably still home.

Required reading: https://kieranhealy.org/blog/archives/2013/06/09/using-metad...
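
The inference chain in the comment above (NTP host, captive-portal probe, fixed-interval polling), as an added example that is not part of the original thread: it profiles each source address from connection metadata alone, which shows what a network observer retains even when every payload is encrypted. The log lines are constructed, `weather.example` and `news.example` are placeholder hosts, the "Google platform" label and the 5-second jitter tolerance are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Hostname -> platform hints, following the comment's NTP examples.
NTP_HINTS = {
    "time.windows.com": "Windows",
    "time.apple.com": "Mac or iOS",
    "time.google.com": "Google platform",  # assumed label
}
# Well-known captive-portal probe hosts (Apple, Microsoft, Android).
CAPTIVE_PORTAL_HOSTS = {
    "captive.apple.com",
    "www.msftconnecttest.com",
    "connectivitycheck.gstatic.com",
}

# Constructed sample: timestamp, source, destination host, port.
SAMPLE_LOG = """\
2024-03-04T16:02:11 10.0.0.21 captive.apple.com 80
2024-03-04T16:02:12 10.0.0.21 time.apple.com 123
2024-03-04T16:02:15 10.0.0.21 weather.example 443
2024-03-04T16:32:15 10.0.0.21 weather.example 443
2024-03-04T17:02:15 10.0.0.21 weather.example 443
2024-03-04T18:05:40 10.0.0.34 www.msftconnecttest.com 80
2024-03-04T18:05:41 10.0.0.34 time.windows.com 123
2024-03-04T18:10:00 10.0.0.34 news.example 443
2024-03-04T18:13:20 10.0.0.34 news.example 443
2024-03-04T18:47:05 10.0.0.34 news.example 443
"""

def profile(log_text, tolerance_s=5):
    """Return {source: inferences} using only timestamp/host/port metadata."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, src, dst, port = line.split()
            by_src[src].append((datetime.fromisoformat(ts), dst, int(port)))

    report = {}
    for src, flows in by_src.items():
        flows.sort()
        info = {"os_guess": None, "arrivals": [], "periodic": {}}
        other = defaultdict(list)
        for ts, dst, port in flows:
            if port == 123 and dst in NTP_HINTS:
                info["os_guess"] = NTP_HINTS[dst]       # default NTP host leaks the OS
            elif dst in CAPTIVE_PORTAL_HOSTS:
                info["arrivals"].append(ts.strftime("%H:%M"))  # device rejoined Wi-Fi
            else:
                other[dst].append(ts)
        # A fixed polling interval implies the device stayed connected that long.
        for dst, times in other.items():
            gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
            if len(gaps) >= 2 and max(gaps) - min(gaps) <= tolerance_s:
                info["periodic"][dst] = {
                    "interval_min": round(gaps[0] / 60),
                    "present_until": times[-1].strftime("%H:%M"),
                }
        report[src] = info
    return report
```

Irregular browsing (the `news.example` rows) is not flagged as periodic, while the evenly spaced widget polling extends the presence window with every request.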


True, but none of that metadata goes to Tailscale.


This is pure misinformation. 'Most connections are direct, P2P' makes no sense to anyone versed in basic networking.


I don’t mean P2P in the same sense that BitTorrent or something is P2P. (Splitting one connection into many distributed ones) But more like how a game that does P2P multiplayer has the clients connect directly instead of through a centralized service.


What do you mean? P2P is commonplace, for example, in IP telephony, and obviously in many other cases.


This is something I saw all the time. I’d look something up, knowing that there was probably an easy way to do <basic programming task> in modern c++ with one function call.

Find the stack overflow thread, answer from 10+ years ago. Not modern C++. New questions on the topic closed as duplicate. Occasionally the correct answer would be further down, not yet upvoted.

“Best practice” changes over time. I frequently saw wrong answers with install instructions that were outdated, commands that don’t function on newer OS version, etc etc.


It is not super easy to get around that tech. It used to be easier a long time ago. Apple patches the methods every time they can, and has made hardware adjustments in an attempt to make it as hard as possible. A lot of these methods involve tricking the counter so it doesn’t increment at all, or somehow rolling it back. If the phone isn’t set to wipe after 10 attempts, tricking the timer into thinking that time has passed would be enough.

I’m not sure if anyone other than Cellebrite knows the exact details of what they are doing. (If they can even unlock latest iPhones that are properly secured. I’m seeing a recent article that implies recently unlocked iPhones had biometrics enabled) I wouldn’t be surprised if their techniques involved disassembling the phone, and tampering with every connection of the chips involved, or depowering them in weird ways as they are counting attempts, or even desoldering and transferring the chips to other boards. I suspect that if Apple knew and could patch the method, they would.

It’s impressive that it is so hard to get into iPhones imo. People use 6 digit passcodes to lock their entire digital life. That would be considered horrendously insecure for anything that isn’t an iPhone. You can (and should) increase it to a full password. But a lot of people don’t.


>People use 6 digit passcodes to lock their entire digital life. That would be considered horrendously insecure for anything that isn’t an iPhone.

That's not really true, it's just the black box magic that is a TPM. Windows Hello for Business does the same thing.


I used to run YouTube with “ad targeting” turned off. The ads were 100% scams. Lots of AI slop. Deepfakes of celebrities pitching all sorts of scams. Lots of nsfw products and even occasionally illegal things like drugs or guns. Also lots of ads in languages I do not speak.

I recently learned that if you turn on ad targeting you can block certain ads and never see them again. So I’ve turned it on just to block the worst of the ads. But Google’s ad targeting still can’t target ads to me. It’s maybe only 70% scams now. But their targeting still sucks and I still get ads in foreign languages that I do not speak.

On my desktop I just use Adblock. I really try to avoid YouTube on mobile at all costs because the ads make it completely unusable.


Most ad blockers, like ublock, also block trackers. Ublock definitely blocks Google's tracking.


Try newpipe to use YouTube without ads.


On iOS, uBlock Lite works great on Youtube. Same for Firefox + uBlock on Android. You can skip the ads on mobile.


Ah yes. “Non-existent security” is only a pesky detail that will surely be ironed out.

It’s not a critical flaw in the entirety of the LLM ecosystem that now the computers themselves can be tricked into doing things by asking in just the right way. Anything in the context might be a prompt injection attack, and there isn’t really any reliable solution to that but let’s hook everything up to it, and also give it the tools to do anything and everything.

There is still a long way to go to securing these. Apple is, I think wisely, staying out of this arena until it’s solved, or at least less of a complete mess.


I think he was being sarcastic


Poe's Law strikes again


Yes, there are some flaws. The first airplanes also had some flaws, and crashed more often than they didn't. That doesn't change how incredible it is, while it's improving.

Maybe, just maybe, this thing that was, until recently, just research papers, is not actually a finished product right now? Incredibly hot take, I know.


I think the airplane analogy is apt because commercial air travel basically capped out at "good enough" in terms of performance (just below Mach 1) a long time ago and focused on cost. Everyone assumes AI is going to keep getting better, but what if we're nearing the performance ceiling of LLMs and the rest is just cost optimization?

