Ben Jordan (5:10)

Yeah, so, I mean, I. My YouTube channel started out with like kind of deep audio synthesis stuff, and then it kind of went into general science and techie stuff, oftentimes related to acoustics or things like that. And I live near Atlanta and we have the highest concentration of surveillance cameras in America. And many, if not most of them, are flock cameras. Like, I literally can't go to a grocery store without passing a flock camera and being tracked by it. And it just, it. It's kind of the story you hear about from anybody who's been proactive or I guess active with the. The surveillance scene. It's like they. They were asking, what are these black cameras? Like, what. What are they doing? And then they find out. And then they find out more, and you just end up down the rabbit hole.

404 Media Host (6:01)

And.

Ben Jordan (6:01)

And you kind of can't believe that this is something that actually exists. And you can't believe how. How much of a fourth amendment violation it is. And so I guess mine was. Was the same story, except that I have the. I have a lab here and the capability to actually test something. So I started testing breaking the AI models that are in pretty much every single license plate reader. And then. Yeah, and then the security vulnerability stuff. I started warning about that when I was making the first video, and it just kind of brought me down. And I'm probably a little bit more attracted to this type of thing or maybe a little bit more concerned about it, because I would categorize myself as like a left libertarian. Like, I truly do believe that privacy is a human right. And I think that it is there at the very fiber of our ability to live out our own destiny. Like, I think it's very important to have privacy when you need it. And this is the opposite of that. So it's. So maybe that's what gives me more energy or makes me more. More likely to keep diving into the same thing. And that's. I guess that's how I got here.

404 Media Host (7:03)

Did you have the same experience that Joseph and I have had where you do a big story about flock or learn something about how these cameras work and what they're doing, and you publish it and then like 500 other leads pop out? Yeah, yeah, because that's what's happened to us. And, you know, it's a very important story and an important company. And, you know, it's been a very, like, important part of our reporting. But also it's like. It feels like it's almost never ending because we've done a couple stories and then it, you know, we'll hear from an activist in Washington. We'll hear from an activist in Texas. Like, there. So many people are sort of pushing back against this on a city level, but they're also, like, creating so much data with their audit logs and all of that sort of thing. And People are pulling in, they're finding like really fucked up things in it. And so it's like, oh, you should look into this, you should look into that. And it's like, we are. But also there's not enough hours in the day to do it because there's so much going on with this company. It's so expansive at this point.

Ben Jordan (8:13)

Yeah, I mean, employees, flock. Employees have reached out to me even like a lot of people have reached out to me. Um, and people have reached out to me about like similar things too. I think after making these videos, some, which, you know, I'll probably tell you about, like, they're actually notable stories that are, that are kind of crazy. Yeah. It not only do I have leads, I think another weird side effect of making the content is it gets repurposed onto TikTok and Instagram where basically you just sort of have. It's like somebody watched my video and then they, they put their face on it instead and they give a two minute version of the video, which I'm totally okay with. Like, I think any sort of advocacy for this is great. Use my content. I don't care. However, they're getting details a little bit wrong just because they're a little bit lazier about it. Like, and that, that's. I could, I have a bone to pick with that. Of course. But the bigger concern is that this company is extremely litigious and kind of malicious, in my opinion. Uh, they're not messing around. And, and I think like, in the next content I make about this, I, I'm definitely gonna mention that in hopes that some of these people watch it and maybe pay a little bit more attention because if you say the wrong thing, they're gonna take advantage of that and, and send you a cease and desist or something much worse.

404 Media Host (9:31)

Yeah, we, we've noticed the same. We're, you know, very happy that people are sort of spreading our reporting on Instagram, on YouTube, on TikTok, and a lot of people are doing their own reporting, but there's also a lot of people who are not, which is fine because they're talking about it and they're raising awareness about it, but. But then they are getting some of the details wrong. And that feels bad because some of those have gone like far more viral than our work on it. And then it's like, okay, it's not the worst that, that people are learning about this, but they are learning sort of like a distorted version of it sometimes. And that, that worries me a little bit.

Ben Jordan (10:10)

Yeah. And it's frustrating when you're sort of asked to respond to someone else's. Someone else's reframing of your content, which is, you know, that's another thing where you're just kind of like, well, hold on, I never said that they said that. But yeah, I mean, I just hope people are more careful. And I mean, a lot of people have been kind of in Flocks crosshairs, myself included. It's been a very stressful year, and you would think that the company would just, like, you know, hire a robust security team and fix this stuff rather than just, you know, attacking every single person who points out the problem. But here we are.

404 Media Host (10:47)

Yeah. You know, you found at least 40 of these flock Condor cameras that are streaming unencrypted to the Internet or streaming for at least days, maybe weeks. Can you take me through a little bit how you discovered this?

Ben Jordan (11:02)

Yeah, I, like. I kept telling myself, like, all right, I'm done with Flock. I have so many other things to be doing. I genuinely have Flock fatigue from the previous round of security vulnerabilities. And then the previous round of, like, the video. I've already made two videos and I never make more than one video on a topic. So, yeah, it randomly. Middle of the night, I'm searching on Shodan, which is kind of a Internet of things search engine. And I had known about the ports that some of the cameras were using, and they were initially being used by the Falcon cameras, if I remember correctly. And some of them are in saved searches. And I don't even remember the methodology. I think I was just kind of punching in numbers, procrastinating, going to sleep. And then I saw some come up and they kind of matched. The interesting thing is I had definitely seen these models in the past, but you see so many things when. When you search stuff on Shodan that a lot of times you don't really want to click everything. And then also you're kind of worried you don't want to click something. And then somebody have your IP address, they have to start your vpn, you know, So a lot of times you kind of get lazy. And this time I didn't. And so I found some. And then I realized that just by searching Flock Admin, I could find even more and different. Different setups that were in these cameras. And so I think I found probably 40, maybe around. I didn't really do a count, and at least 10 were active. I kind of stopped counting at 10. I shared some of the information with John. John Gaines Gainsack, and he found even More. He, he updated the searches for, you know, a little bit smarter way to search because he's more of an expert at this than I am. Yeah. And I mean, immediately we were just without any username, without any password. We were just seeing everything from playgrounds to parking lots with people Christmas shopping and unloading their stuff into cars. I mean, it was. Honestly, we probably saw more stuff that didn't have cars in it than stuff that did.

404 Media Host (13:11)

Yeah, I mean, that's the thing that really stood out to me is that, you know, a lot of our reporting, almost all of it has focused on Flox ALPR cameras. I know that's what your videos have focused on so far. But this company is building a huge surveillance apparatus that is not just ALPRs. You know, they have a drone program and now they have these CONDOR cameras which are specifically focused on tracking people, more or less. You know, I watched the webinar where they.

Ben Jordan (13:38)

Yeah.

404 Media Host (13:39)

Showed this to cops and you know, they do talk about tracking cars as well to go along with their LPRs. But you know, I was able to see these cameras tracking people walking down a bike path, you know, walking down the corner in front of a mall in Bakersfield. And I don't know, I just, I was so struck by how high res it was and how it was clearly tracking people. And then also the kind of banality of the places that they were stationed, like, you know, a bike path, random parking lot, a playground. I'm curious, sort of like what you thought when you saw this stuff, because I know you were pretty affected by it.

Ben Jordan (14:20)

Yeah, I think it was like the first time that I actually got like immediately scared, you know, like, like, like you see the next step right in front of you. You know, like I. All this time I've been saying, you know, this is a slippery slope, this might happen. You know, and that was the first time I was like, oh, it's, it's here. This is it. This is, this is like the stuff that I've been a conspiracy theorist about for the last couple of years. And now we get to view it in real time. So that bike path that you mentioned, I went there and I read Flock's statement under a Flock camera with access to it in real time. But going down that bike path is one of the most uncomfortable, dystopian things I've ever experienced. It's these cameras, they move around and make noise that you could see them moving around and following you. And so it created this, this sort of rift with me where, where it's like okay. So I'm. I'm really angry that this is here. I kind of hate the city or, you know, for allowing it to happen. But, like, why is anybody dealing with this? Like. Like, if I lived nearby, I wouldn't go on the bike path, period. Like, I'd just be like, this is creepy. I don't want to be here. You know, I don't care who's watching me. It's just very strange for these, you know, things to be following you around while you're, like, walking around. Yeah. I think the one that affected me the most was it was a playground, which is powerful. Like, you know, seeing unattended kids being watched from public view is like, you know, I feel like that's one of the most powerful things. And obviously that was, like, something that I wanted to show other people publicly so they could understand how dangerous this is. And there was one just going through this footage, like, collecting some of it for reporting. I just saw a guy sort of walk out. Old. You know, guys looked like he's about 30 years old, walked out and just went on a swing set and like, looked around and then just had a blast on it for 15 minutes. And then, you know, went back to work and left the playground. And that one weirdly felt. I think that one affected me the most because that it. It showed what a person does when they have an expectation of privacy. And, like, that person, had he known that anybody was actively watching him, it's doubt. It's doubtful that he would have enjoyed himself in that moment. Like, it was like this moment of innocence and privacy that I had access to that I didn't think I should have access to.

404 Media Host (16:47)

Yeah, I mean, for me, the most affecting things. I mean, I thought the playground was very harrowing. Honestly, I felt happy that there were not that many people who went to that playground. Like, you know, when I was looking at it, there were just not. There wasn't that much going on there. But for me, it was the fact that it was, you know, these are PTZ cameras. They're pan tilt zoom cameras. And they were following people who were walking around. Like people walking their dogs, a person rollerblading. And the fact that it is tracking you as though you may be a criminal at some point was very. Just very wild to me because I have seen how Flock talks about this to cops. And what they tell them is that we. Our AI automatically tracks people so that you can use this for evidence if you need it at some point. And it's just like, okay, but you're tracking Literally every single person who walks by these things, right?

Ben Jordan (17:48)

Yeah, I mean, I suppose that's the big difference is having everybody's activity in a giant, you know, data set or in a giant, in, you know, giant data storage thing that's being organized by AI versus having the police have a suspect and getting a warrant and then following them, which requires man hours. And if somebody is suspected of something frivolous that's not worth those man hours, then they don't investigate them in that way and they don't track them. So it's easy to see how quickly this gets out of control. A couple years ago I went to University of Chicago to interview some data scientists. It was their sociology department and to interview data scientists and the professor of sociology there who had made this AI crime prediction system that had a 90% Anchorage rewrite. And oddly enough, the neighborhood that this AI model was initially trained on happened to be the neighborhood that I grew up in, which is West Englewood in Chicago, which is Englewood's one of the most violent neighborhoods in America right now. And so it was really interesting to find out that they had never actually visited the neighborhood that was only 15 minutes away. Yet we're spending years studying all the data from it. But more so and more to my point is you very quickly realize that if you have, you know, if you have police constantly monitoring one area, you'll find crime there. Because crime happens everywhere. And that doesn't necessarily make anybody safer. It just means that more crime is being detected where more police are. So that was kind of the, that was kind of the vibe of it is you're able to, to find all of this crime but in the neighborhood next to it, or maybe even a neighborhood that, that didn't have as many socio economic issues. You, you know, you weren't finding crime that maybe you should have found. And I see this in the exact same flavor as that where it's like you could put these cameras up and yes, you're going to find more crime and then you're going to have more people, you know, being affected by, you know, maybe policies that weren't being enforced by actual police officers.

404 Media Host (20:04)

I've been thinking a lot about my goals for 2026. I want to eat a little healthier, work out more, be a little bit more social. And the funny thing about goals is you usually need the right people around you to make them happen. A dietitian, a trainer, maybe even a therapist. It's hard to find people who are so good at what they do. It's like, if you're hiring, how can you find the best people for all the different roles on your team? Well, that's easy. ZipRecruiter, and right now you can try it for free@ziprecruiter.com 404 Media ZipRecruiter's matching technology works fast to help you find top talent so you don't waste your time or money sorting through the wrong candidates. You'll find out right away how many job seekers in your area are actually qualified the role. ZipRecruiter's matching technology works fast to help you find top talent, so you don't waste time or money sorting through the wrong candidates. You'll find out right away how many job seekers in your area are actually qualified for your role, which will help you know if you're searching for a needle in a haystack or a needle in a pile of shiny needles. Let ZipRecruiter help you find the best people for all your roles. 4 out of 5 employers who post on ZipRecruiter get a quality candidate within the first day. See for yourself. Go to our exclusive web address right now to try ZipRecruiter for free. Ziprecruiter.com 404 Media Again, that's ZipRecruiter.com 404 Media ZipRecruiter the smartest way to Hire it's easy to assume that being small means flying under the radar, but the reality is that small businesses are being targeted more and more by bad actors. Cybercriminals know that lean teams often lack the resources to prevent or respond to a breach, and security by obscurity doesn't work. In short, the bad news is teams of any size can be a target. But the good news is even the smallest teams can foil cybercrime. 1Password provides simple security to help small teams manage the number one risk that bad actors weak passwords. 1Password provides centralized management to make sure your company's logins are secure. It's a simple turnkey solution that can be rolled out in hours, whether you have dedicated it staff or not. 1Password is designed to meet small teams where they are, but it's also built to grow with your company. 1Password's Enterprise Password Manager helps your company eliminate security headaches and improve security by identifying weak and compromised passwords and replacing them with strong, unique credentials. I've been using 1Password for years to protect my many, many accounts, and I couldn't recommend them more, and I can't really imagine trying to Manage my accounts without it. Take the first step to better security by securing your team's credentials. Find out more@1Password.com 404 and start securing every login. Now that the holidays are over, you might be feeling like you've got big spending hangover. The drinks, the holiday food, the gifts, it all adds up. Luckily, Mint Mobile is here to help you cut back on overspending on wireless this January. With 50% off unlimited premium wireless. Mint Mobile's end of the year sale is still going on, but only until the end of the month. Cut out wireless's bloated plans and unnecessary monthly charges with 50% off 3, 6 or 12 month plans. All plans come with high speed data and unlimited talk and text delivered on the nation's largest 5G network. Use your own phone with any Mint Mobile plan and bring your phone number along with all your existing contacts. With Mint, I've saved on wireless without having to cut back on other parts of my life. It's like a fake sacrifice. None of the pain, all the savings. My favorite kind of restraint. This January, quit overspending on Wireless with 50% off unlimited premium wireless plans start at $15 a month at mintmobile.com 404media that's mintmobile.com 404media Limited time offer upfront payment of $45 for three months, $90 for six months or $180 for 12 month plan requirement required. That's $15 a month equivalent taxes and fees. Extra initial plan term only after 50 gigabytes may slow down when the network is busy. Capable device required. Availability, speed and coverage varies. C mintmobile.com. Let's talk about the security aspect of this. Just because, I don't know, it's like you walk around, you drive around, you see CCTV cameras, you see cameras out there and so we are being recorded all the time. I don't like it, but I also don't generally think like this is being live streamed somewhere. And if it is being live streamed somewhere, like in a law enforcement context, I imagine that it's going to the police and to no one else. But what was happening here is that literally anyone on the Internet could go and not only look at this stuff, but also, you know, see the settings, see some of the logs, change some of the logs if you wanted to, which we did not do. You know what, what does this say about Flux Security?

Ben Jordan (25:25)

I mean, so before I even had access to look at a stream, I had access to the administration page of the actual camera itself. And 31 days of data of every single person who had walked in front of that camera. I had the ability to delete that stuff. I had access to the logs. Even more problematic, you can't really prove it, but I was finding, when I went up on the logs, I was finding like, parser errors in that player from 45 minutes before I looked at it. And this is before I shared it with John or anything, meaning that someone had watched it and had an issue playing the video because, like, it wouldn't just play a video on its own. Now, it doesn't seem to me like Floch would sit around and watch their cameras all day or something, especially, you know, at a playground or something like that. But it did make me wonder, like, okay, who else? Because these were visible on Shodan. So, like, it is. It's not that far of a stretch to think that there are a lot of people who have already found this and just didn't report it or, you know, maybe. Or were scared to report it or possibly using it for some sort of nefarious use. Yeah, I mean, the security with Flock, I don't know how it could really be any worse, to be honest. Like, I can't imagine it being worse. It was already bad enough being able to poke the camera a few times and connect to it as an access point and then root it and, you know, being able to control outside of the operating system, which is Android, by the way. I mean, so it's like it. I honestly can't think of any way where it could be worse. Like, at this point, if I. If I were, you know, working for the company in security or something, I mean, we're at the point where, like, most cameras, in my opinion, need to be replaced. They need to be replaced with something that's not running Android. They need to be replaced with a proprietary operating system or something that's more low level because there's no need to load all of the libraries and things in the Android OS just for something that restreams and catalogs footage from a security camera. And this is a $7 billion company. Like, there's no excuse why they couldn't develop something like this. That's a start. But right now it really feels to me. I would never say this in one of my videos because this is very opinionated, but it really feels to me like they are aware that this is a huge mess and they're just pushing on until they can have an IPO and then they'll deal with it once the stock market is invested in it and we'll have to, you know, pay the damages.

404 Media Host (28:07)

Yeah. I mean, it struck me that, you know, you and John Gainsack found all of these CVEs, like, you know, made a video, got quite a lot of attention on it because the things that you found were frankly insane. And then here it's just a few weeks later. And this is like an entirely different class of vulnerability and exposure on totally different cameras. And it feels to me like it's new and interesting ways of being insecure.

Ben Jordan (28:40)

Yeah. Long before this, when I was making the Flock security video, it was almost like a catchphrase where I'd say, like, I don't see how it could get any worse. And then something would happen where you'd be like, wow, they pulled it off, they made it worse. And, you know, that happened like three or four times. And then this was like the ultimate one, because again, yeah, like you said, this is completely unrelated and it's. It's exactly what has been promised would never. I mean, there are so many quotes. I mean, right off the bat, the company says that it doesn't collect data of people, that. That it only collects license plates. Like that's right. On their fac. It says that all data is encrypted. You can see now that that is a flat out lie. Like, that is that like, you know, that's not even a misunderstanding of what's happening. They're just lying at this point.

404 Media Host (29:29)

Well, I mean, if it's encrypted, but you give people the endpoint, it's functionally not encrypted. Who cares? Like it doesn't matter. Yeah.

Ben Jordan (29:37)

Yeah. And so it's. It's just mind boggling at this point. But yeah, no, I. I honestly felt a little. I felt a little bit bad. I. I hadn't hit up John about anything Flock related for a few weeks because two days after the video came out, he lost his job. And. And it wasn't. It didn't make any sense to me. You know, it wasn't like he hadn't been showing up to work or. It's not like, you know, a company that was downsizing. Like, he, he was a. He seemed like a valued, high up member of a security team that just randomly got. Got canned two days after the video came out. And he probably won't speak. Speak about this just for, you know, his own lip. But, you know, I could have my own opinions, but I think it's pretty easy for the average person to figure out, yeah, these two things are probably connected. So I actually didn't reach out to him about anything Flock related and just kind of kept things friendly because I felt bad. I felt terrible. Like, it was like, wow, if I didn't release this video, he'd still have a job. And. But when I found this, I was just like, okay, you got to see this. And he immediately, you know, fell down the rabbit hole, too, as did you. And, you know, it is one of the most astonishing security vulnerabilities.

404 Media Host (30:47)

Yeah, I mean, it was The. The cameras that you went and saw are. Were closer up. Like, the ones that I saw were pretty far back. You know, like, very, very wide shots. But there was something pretty like, I had to drive two hours to go see these cameras, and I was surprised by how much it affected me, even though I knew exactly, like, what I was doing. But I was like, oh, I took my dog. I was walking my dog. And I'm like, I'm watching. I'm recording myself being recorded, and I'm watching myself back in real time as I'm doing this, like, on the open Internet.

Ben Jordan (31:27)

Yeah.

404 Media Host (31:27)

In a way that it shouldn't be. And I was kind of surprised by how much it affected me. You knew what you were getting into, but was it weird seeing yourself on these cameras like that you had been watching on the Internet days before?

Ben Jordan (31:41)

Yeah, I've always sort of called that closing the loop. It's like, when you know something exists, your logic lets you know that you have an instinct that something exists. You logically believe it exists, but then you see it. And when you see it, it's like, then you actually. You feel the full weight of the whole thing. It was kind of funny because I was recording. Oh, you know, I was reading Flock's statements contradicting exactly what you would be seeing with your own eyes watching me read it. And random people on the trail were just kind of like, hey, what's going on? Because, you know, then I realized how crazy I was talking into a security camera, into a microphone that had a little recorder on it. Yeah. And I. And I just told them, I'm like, oh, no, I have access to this. And I just showed them my phone, and they were like, oh, my God. What? Yeah. And, I mean, they were. They were blown away by it. So I guess more to your point, it's one of those things where it's like, I always tell people things like this. I always tell people like, yeah, this is. This is a really bad security vulnerability. But that closes the loop. And once, you know, once they saw their image on the phone in real time, I think, you know, probably not likely that they're going to be going on that trail again.

404 Media Host (32:51)

Yeah, for me, it just. It really shows kind of the, like, holistic nature of the surveillance. It, like, adds a lot to sort of what I thought of Flock as a company. Not. Not. Not giving them too much power here, but, like, I had largely thought of them as an ALPR company.

Ben Jordan (33:12)

Yeah.

404 Media Host (33:13)

And sort of seeing, like, the. The cameras that I saw, there was a bunch of Falcon cameras right near it, the ALPR cameras near it. And. And it just. I was like, no, this is like a holistic, like, surveillance state situation. And. And just also seeing that the exposures were not just in California. Like, we saw some in New York, we saw some in Louisiana, you know, various in Georgia. You know, it really is. It's like, it's all over the place. And you click one link and be in, you know, Bakersfield. You click another link and be in suburban Atlanta. Like, they're all over the place.

Ben Jordan (33:51)

Yeah. I guess, like, seeing the scope of it, I guess I just keep asking myself, or I. I mean, I want to ask my. My. The people who watch my platform as well, like, what's it going to take? Like, what is it going to take? So now that we could see children unattended at playgrounds, and we could see women jogging alone on a forest trail, and we could see people buying, you know, a bunch of expensive Christmas gifts and loading it into their van in a. In a shopping. A retailer's parking lot. What's it going to take for somebody to stand up to this? Well, like, what's it going to take for Lowe's to say, yeah, you got to get these out of the parking lot. This is. This is endangering our customers and making us liable. Like, the answer I don't want to hear is it's going to take a child getting abducted or a woman being assaulted. Like, I don't want to hear that, because I don't think that that's necessary at all. I think we could see the risk right here of, like, if I'm finding this stuff. I guess an interesting thing to say here is that if. If you see a security vulnerability on my video or if you hear about it generally in the press, anything like that, chances are that things are a lot worse, because I can only tell you that about things that I can legally access. But if I didn't intend on telling you that, then I would try to obfuscate my research so I didn't get caught, and I would be using more backdoor things. So basically, I am limited by the law to only use the search engine and click on things, you know, and then find them and then show them to you. But if I actually go into that log and take that hash information or, you know, do an audit of the system that's running the software on there, like you could do all those things and you can find a whole lot more, but I just can't report on it and most people can't due to the crazy computer crime laws that we have in this country.

404 Media Host (35:44)

Yeah, I mean, also, you know, you do really great work, but it's like Shodan isn't magic. It's like people know about Shodan. You know, hackers know about it, bad actors know about it. A lot of security researchers obviously know about it. It's like if you were able to find this, like, who knows how many people were able to find it.

Ben Jordan (36:07)

Yeah. And if it's on Shodan, that doesn't mean it's only on Shodan. You know, like somebody could pro. Could have used DuckDuckGo and possibly found the exact same thing. Like, it just depends if the web crawler had reached it or not. Shodan mostly just prioritizes things. Like it just filters out other stuff. But with enough Dorking, I mean, yeah, we found all that in the last video I did. We found Joshua Michael. He found a bunch of GPS location data of police cars and things like that just off Google just from doing Google Dorking. So, yeah, I mean, it would be unlikely for me to think that nobody else had found this. In fact, you know what, I did get an email from somebody who after I had already told the group about this, I got an email from somebody notifying me that they had found a similar camera from a web search engine. I mean, we're in a world right now where we're like banning TikTok and DJI because we're concerned. Concerned about national security and surveillance of Americans. Yet this is allowed, which, you know that I feel like somebody needs to pay attention to that.

404 Media Host (37:17)

Thanks so much for listening. You can watch Ben's videos on YouTube at Ben Jordan. Ben is with two N's and you can find more of our reporting about flock at 404 Media co. As a reminder, 404 Media is a journalist owned company and needs your support. You can subscribe to us at 404 Media co. This episode was created in partnership with Kaleidoscope and was produced and edited by Alyssa Metcalfe. We'll be back with a new episode soon.