> November 13, 2025 — Initial disclosure sent to Flock Safety security team
> November 14, 2025 — First follow-up requesting confirmation of receipt
> November 19, 2025 — Second follow-up; Flock Safety finally acknowledges receipt
> January 7, 2026 — Vulnerability remains unpatched (55+ days)
> I am withholding specific technical details to prevent exploitation while the vulnerability remains unpatched. However, its existence more than 55 days after responsible disclosure with no remediation, demonstrates a systemic pattern of credential mismanagement.
There was a huge fracas re: ShotSpotter in my town, where both the municipality's CIO and auditor (+ their internal research capacity) were sidelined. It took a sad amount of handholding elected officials through ShotSpotter's technical claims for them to shelve a planned deployment.
* https://medium.com/@ajay.monga73/why-developers-still-hardco...
I agree with what you write here. It was a bad proffer / explanation on my part.
…and of course they do the exact opposite. All a bunch of bullshit from inception.
He seems to enjoy spreading factually misguided "statistics" [0] about how Flock is "solving crime". OK buddy.
I mean, just look at how he enagages with those replies. If that's at the helm of YC? WTF.
The “left” view points of the US currently seem to be similar to Reagan. The furthest left I’ve seen the US go in my lifetime is about David Cameron or Boris Johnson levels of “left”.
I used to hold YC in very high regard, but these days I don't think they're materially different from any other investing shop when it comes to values.
On the bright side, they also hire dang, so that's one against 100 million.
https://medium.com/@Arakunrin/the-post-ipo-performance-of-y-...
The most likely outcome is failure, the second most likely outcome is an acquisition. Going public is a distant third
But that's because I funded pretty much all the companies via my investment in an index fund.
YC pretty much takes something like an index fund approach to startups: they finance a lot of them. So naturally they would also have a significant portion of what you deem to be harmful ones.
People buy into IPOs partially because they know a lively secondary market exists, where they can offload the shares later. Index funds are part of that secondary market.
Just to be clear, I don't think investors in IPOs are thieves. I'm just saying that you can legitimately say that the secondary market financies companies just as much as the primary market does. Perhaps a better example might be farmers selling to food factories selling to retailers selling to me. I never hand money directly to the farmers, but you can still say with a straight face that my purchase of bacon funds the pig farm.
YC is not the good guy in this world.
One has to wonder whether these passwords were that way purposefully to avoid accountability for privileged partners. Most of these systems are deployed with grant money that it comes from the department of justice.
https://www.ci.staunton.va.us/home/showpublisheddocument/134... (PDF)
My favorite part:
> [Activists are] also trying to turn a public records process into a weapon against you and against us.
As if people are not simply asking for something to which they are entitled through legislation.
Adults that didn’t grow up.
- someone who screams about the 1st amendment whenever they’re told they’re being an asshole
So annoying.
I haven’t met any of these people; I’m sure some may exist but does anyone actually “like” rather than “tolerate” LLM writing? Anybody have a link to a decent study or survey on this area?
That being said I also don't wonder if there is a point where we're just crowdsourcing the police state?
"For their own safety", as they'd have us believe.
Quis custodiet ipsos custodes?
there is no reasonable expectation of privacy in a public setting, nor should there be. anyone arguing there should be is giving up basic rights because they're scared.
the issue is when public feeds get recorded and are allowed to be viewed at a later date. the data retention is the issue, not the privacy.
In fact, people had a reasonable expectation of privacy in public spaces before there were cameras everywhere.
I personally value my fundamental right to privacy.
Making surveillance public levels the playing field for everybody.
Edit: I'm standing by it. The person they hired for it has a good track record elsewhere. And much as I don't like what Flock is building as a company, at least they're building security in now, even if it wasn't front of mind for them in the past.
He's got his work cut out for him though.
This phrasing implies that the "building security in now" part improves (or decreases the awfulness of) what you don't like.
If what you don't like = bulk, systemic surveillance (of people not suspected of a crime) - how does fixing broke security make that less awful?
https://www.opb.org/article/2026/01/08/bend-flock-cameras-ai...
So, whether it's vendor A or Vendor B municipalities don't care. What they want is the capability. The municipalities have the backing of the communities -with few odd exceptions because most people in most communities want LE to "catch the perps."
https://www.nwprogressive.org/weblog/2025/11/a-preliminary-v...
Thanks for that tip, though.
See Denver for example: https://coloradonewsline.com/2025/08/06/immigration-denver-f...
This is low hanging fruit and if you can get them to shut that off it’s a quick win. Mine had already shut it off. Denver turned it off after above news story got traction.
https://www.cityofevanston.org/Home/Components/News/News/667...
My hope is that https://www.eff.org/deeplinks/2025/11/washington-court-rules... will make Flock get the fuck out of Washington state.
Sedona (with a handy timeline of how they accomplished it) https://livefreeaz.com
Bend, OR https://www.opb.org/article/2026/01/08/bend-flock-cameras-ai...
Hays County, TX https://www.kxan.com/news/hays-county-votes-to-terminate-flo...
Lockhart, TX preemptively rejected them https://www.kxan.com/news/local/caldwell-county/lockhart-cit...
Working on it in our city. Flock has been their own worst enemy—once people know the name of the company, they start seeing it in the news regularly. Start talking to people, show up at city meetings.
The extent to which Flock manipulates police departments is really incredible. Here's a fun little factoid: Lexipol is a company which sells various pre-written policies to police departments, including an ALPR policy; Lexipol is also a parent company of Police1, which helps police departments find public grant money to purchase Flock subscriptions, and Flock in turn is heavily featured on Police1.
So, if you're a police department, you go to Police1 (Lexipol) for news and product info, they pitch you on Flock, you fill out a form, you sign a contract, and then later you need an actual ALPR policy for your department, and Lexipol sells you that, too. The policy of course is extremely friendly towards vendors like Flock.
Flock exerts a lot of influence with the police departments that subscribe to their platform. We've repeatedly had to respond to the same talking points from PDs (and some city officials) that are very clearly getting all of their info from Flock, and in some cases coached by them.
And YCombinator startup Flock Safety is extremely misleading in many of their product, service, and business statements.
I'm also spinning up a new team that will be able to more actively help people get efforts started (or keep them going). Their first meeting is coming up this week too.
In the bug bounty community, Google Maps API key leaks are a common false positive, because they are only used for billing purposes and don’t actually control access to any data. The article doesn’t really prove ArcGIS is any different.
Moreover, university students in programs like architecture are given access to many map layers as part of the school's agreements with the organizations publishing the data. Without that access, students wouldn't be able to pick up the skills needed to do the work they will eventually be hired for. And if students can get data, then it's pretty much public.
Privacy is becoming (or already is) nearly impossible in the 21st century.
privacy while engaging with the digital world is
it isn't hard to be private. you just can't live in or go near cities/towns as much.
I anticipate the apathy to continue, and the bill to be passed along as some form of regressive tax.
a lot of the oregon towns/cities decided to cancel or not renew their contracts though, so I think they just let em get broken and then didnt pay to repair them.
Not to mention the risk of dealing with trigger happy and corrupt cops.
Both would be easier and cheaper than starting WWIII because sadge.
I want to build community through making visible-from-space-sized art projects with those from all around. And then go back to the plague pod I live in that's large enough to meet everyone's needs while keeping population density low enough to get rid of the plagues or make them a much smaller threat.
You know, that thing killing school children: https://www.lbc.co.uk/article/air-pollution-ella-kissi-debra...
The evidence for ULEZ is solid so seriously bringing it as an example of white knight activity whole they're at best malignant, brainwashed goons doesn't help anyone: https://www.bbc.co.uk/news/uk-england-london-67653609
Read up about ULEZ.
There is zero chance of any amount of government in these United States cooperating in any fashion large enough to change the actual Constitution. Zero.
Electoral/constitutional politics isn't going to protect us. "International law" isn't real and neither are other laws. It's time to update threat models to include this fact. The threat-actors are definitely aware of it and using it to their advantage while relying on us to keep thinking on terms of the contrived systems they maintain.
Being creeped out by corporate stalkers and an invasive government seems to be something that a lot of "regular people" of all political allegiances have in common.
Then 3/4 of the states have to ratify it.
I don't think you could get half of states to agree the sky is blue let alone 3/4.
[edit] The Equal Rights Amendment has been in progress since 1972 and while they somehow managed to get 3/4 of states to agree (Virginia agreed in 2020) the 7- and later 10-year deadline built into the bill had long elapsed. And 5 states later tried to rescind their ratifications which isn't really covered in the constitution in the first place.
That one says simply:
> Equality of rights under the law shall not be denied or abridged on account of sex.
So I guess what I'm trying to say is godspeed.
Us foreigners still have to deal with Americans spying on us. (And other countries spying on us.) And Americans still have to deal with non-American organisations spying on them.
It doesn’t limit what a private company can do. And Americans love private companies with full control over their daily lives.
For a historic example of limiting private actors, see https://en.wikipedia.org/wiki/Eighteenth_Amendment_to_the_Un...
I don't get why we treat this any differently. The only difference is they're not as obvious.
stalking requires some kind of menacing or whatnot. i seriously doubt a judge would grant a restraining order just because you think someone is following you without any interaction.
>Stalking is a crime of power and control. It is a course of action directed at an individual that causes the victim to fear for their safety, and generally involves repeated visual or physical proximity, nonconsensual communication, and verbal, written, or implied threats.
If being pervasively spied on by an increasingly fascist government doesn't make you fear for your safety you might want to brush up on your history...
...this is completely up to interpretation. again, just being followed isn't a crime nor does it violate privacy as long as it occurs in public space.
i could say someone on the subway was stalking me because they have the same schedule as me and commute at the same time.
thought experiment: >> if they do not want their conversations in their living room recorded, parsed by automated language models running in our datacenters, and added to their permanent record, they shouldn't have a window to a public space that vibrates. All we are doing is being in a public space, spending billions of VC money to point laser microphones at all homes 24/7 collecting data that anyone in this public space could have collected. You can not outlaw that without outlawing 5 year old Timmy riding his tricycle down the sidewalk, because we are using his right to see the light from his lamp being reflected by the houses, to justify why our creepy business model isn't a violation of millions of peoples privacy. You can't have a reasonable expectation of privacy that allows little Timmy to see, but forbids our corporation to spy on everyone, not in america. We also send electromagnetic waves out on one side off your house and collect them on the other, so we can see you move inside your house. It is basically like ham radio, anyone could do it, little Timmy sends electromagnetic waves through your house when he talks to his friend on a walkie talkie. You think Timmy shouldn't be allowed to have a walkie-talkie? We just send them through all the homes, all the time, everywhere. No we are not on your property all our devices are in public spaces <<
The idea that, if a single piece of information could be collected by a human in a public space, then mass scale collection of that and similar information at all times and in all public spaces, for any purpose by a fully automated behemoth is fine, is insane.
The USA needs to amend its constitution to define the right to privacy in a way that declares mass surveillance and systematic profiling using non-consensual data gathering at scale illegal for being the nefarious violation of basic human rights that it is, before they completely loose what little privacy they have left when they hole up in their homes.
In most states that requires a license with actual professional standards being met to obtain and maintain one. It does not entitle you to harass someone.
> stalking requires some kind of menacing or whatnot.
Repetition, threats, and fear. The standard is "would most reasonable people perceive these actions in the same way?"
The better question is, in the cities that have installed flock, is the crime rate actually down? And can we make FOIA requests to see how often and for what the police have queried the system to receive data? I may not be able to challenge the existence of the system with a TRO but I can constrain police use of it; hopefully, to the point it is no longer economically viable for them to operate it.
It's how much of journalism works: they're labelled "paparazzi" when it's negative-sentiment, or conversely "investigative journalists" when it's positive-sentiment. If you outlaw private citizens observing happenings in public spaces, you outlaw much of journalism. The targets of journalism, practically by definition, do not consent to being observed, analyzed, and reported on ("Journalism is printing something that someone does not want printed. Everything else is public relations"–Orwell).
And certainly the first to be arrested—ironically, if it was entities like Flock you meant to target—would be journalists observing, in public, police and LEO actions. There are a lot of powerful people eager to outlaw that today.
Sure... you just can't charge people for the service. What does Flock do again?
- It mixes two separate issues 1) embedded default API key and 2) unauthenticated token minting
- The bulk of the disclosure focuses on enumeration of sensitive data that is implied could have been exposed via the default API key, but what is actually exposed is unclear: "The 50 "portal:app:access:item" privileges reference private item IDs that cannot be inventoried without actively querying each one which I did not do"
- The default API key was for "development" and there is no assertion that live data existed in that environment (though it wouldn't surprise me)
- The default API key was fixed in June 2025, it is only the token minting that has not been.
- The token minting issue is only asserted to "grant access to the geographic mapping of Flock's camera network locations" which would certainly be useful as a source for unethical updates to https://deflock.me/ but obviously not nearly as sensitive.
(And I've always used bullets/lists in my communications, long before AI did this)
fuck_flock•4w ago
> "I'm writing to you directly because I want there to be zero confusion about what's happening. Flock has never been hacked. Ever."
They are just lying at this point. If you get involved in advocacy related to flock you will likely hear their reps parrot this. Be ready to combat it with concrete examples like this!
shreddit•4w ago
Am i breaking into your home when you leave the door wide open? /s
doublerabbit•4w ago
It's how urban exploration folk get away exploring abandon buildings here in the UK. If you can prove you didn't create damage to gain access; a grey area.
> Trespass (Civil Matter): In England and Wales, simple trespass is typically a civil matter between you and the landowner. You cannot be arrested for civil trespass alone, but the landowner can sue you for damages or an injunction, and police may get involved if you refuse to leave when asked.
Terr_•4w ago
chrisldgk•4w ago
The part you mentioned is at around 7:29.
conductr•4w ago
House guest: but sir, where are all of your belongings?
Flock CEO: oh that, well I leave my front door open at all times. My home has never been broken into