B
Welcome to the 404 Media podcast where we bring you unparalleled access to hidden worlds, both online and IRL. 404 Media is a journalist-founded company and needs your support. To subscribe, go to 404media.co. As well as bonus content every single week, subscribers also get access to additional episodes where we respond to their best comments. Gain access to that content at 404media.co. I'm your host, Joseph, and with me are the other 404 Media co-founders. The first being Sam Cole.
C
Hello.
B
Emanuel Maiberg.
D
Hey.
B
And Jason Koebler.
A
What's up?
B
All right, before we get into our last podcast of the year, I mean, there are still going to be podcasts on the feed. We'll explain in posts on the site, that sort of thing. Jason, we're doing a gift subscription thing for the next few days as a potential last minute Christmas or holiday gift. Can you just explain what the deal is then?
A
Yeah, 25% off of gift subscriptions. I don't have the link in front of me, which is not helpful.
B
Well, I put it in the show notes.
A
It's in the show notes. Yeah. So that's. That's pretty much it. It's last minute Christmas slash holiday gifts. Or I think you can give it to yourself if you want, if you want to be clever. But. Yeah, do that please.
B
I didn't realize you could do that. So it's like. Well, maybe I don't.
A
You can be like a gift from Joseph to Joseph. I see. Yeah. I mean, I think you may need two different email addresses. I'm not exactly sure how it works because it uses a third party system because Ghost doesn't have gift subscriptions native. But it does work. We've been using it for a long time.
B
Yeah. So if you want to take advantage of that, scroll down in the show notes, copy that link, click that link, whatever, and you'll be able to get a gift for a loved one or yourself if you really feel like it. We're going to do the first segment about a story we just published as normal. Then the second section is going to be more of a year in review. Some of our biggest and best and favorite stories and that sort of thing. So this first story, Jason, this is one you worked on with Sam as well, who did some additional reporting. The headline was "Flock Exposed Its AI-Powered Cameras to the Internet. We Tracked Ourselves." A lot of fun stuff going on here. A lot of insight into Flock and how, you know, it does track people, not just license plates, and there's a bit of sort of misunderstanding and miscommunication about that. But this starts with a tip that you got. What was that tip? And who gave it to you?
A
Yeah, so the YouTuber Benn Jordan, who has done some really amazing research and reporting into Flock, discovered this essentially, and he published a YouTube video about this earlier this week. Some of my reporting is in that YouTube video. And then, you know, I spoke to him for this story. But essentially, and I encourage you to check it out if you haven't seen it already, although the video has like many, many views, so maybe you have seen it already. It's very good. But basically, Benn Jordan discovered that at least 60 Condor cameras were streaming directly to the Internet. And Condor cameras are Flock's pan-tilt-zoom cameras. They're called PTZ cameras. And what pan-tilt-zoom means, it's kind of in the name. But they are surveillance cameras that can move and track people. And so they can pan. They can go like left to right, they can go up and down, and they can zoom in on specific subjects.
B
And they're different to the license, the normal license plate reader cameras that everybody knows Flock for. It's like a variation of their camera.
A
Yeah. So Flock has a few different types of cameras. It has a few different types of automated license plate reader cameras. Its main one is called Falcon, and those are ALPR cameras. And what those do is they are specifically, like targeted at license plates. They take photos, for the most part, of cars as they drive by. Whereas these Condor cameras are recording 24/7, 365, and they're recording video. And their vantage point, for the most part is a lot wider than a Falcon ALPR camera. So they're capturing like an entire scene. Whereas an ALPR camera is largely just capturing cars as they drive by. I say largely because they are taking footage and photos, and so you can see other things on the other types of cameras, and you can sometimes see license plates on the Condor cameras. And it's part of this holistic Flock surveillance ecosystem. So what Benn Jordan found was 60 of these exposed directly to the Internet. What I mean by that is you just need an IP address. It was not HTTPS. They were all HTTP, which I think is an important distinction just in terms of like the actual URL. And if you clicked it, you went to a Flock administrative portal. And on that portal you could see live footage that was being filmed and streamed as it, like, you know, live, obviously. You could see 31 days of archived footage and download that footage. You could, you know, grab different clips. It was possible to change settings on these. You could see information about the cameras, like what type of camera it was, what software it was running. You could see logs, so, you know, access logs, things like uptime and downtime, like, some of them would be knocked off the Internet, and then they would be back on, like, later that day. And there would be, like, a history of that, more or less. And then also, you know, you could... The big, the big thing was that the footage.
B
Was there and all without a password. Yeah. As you say, like, it's not like. It's not like there was some vulnerability in the admin panel that was then exploited and hacked inside. Like, this is not hacking. This is just a panel completely exposed to the wider Internet. You just visit it and it's like, damn, I'm now looking through a Flock camera.
A
Yeah. You click a link, and it's like you immediately see the footage and. Or you see the administrative panel from which you can click another link to get to the footage. But there was no login, no password, no, none of that, which suggests a huge, like, misconfiguration, because this is not supposed to happen. And the way that Benn Jordan and Jon Gaines, who goes by GainSec, he's a security researcher who found some vulnerabilities that Benn Jordan previously worked on. The way that he found these was through a commercial search engine called Shodan. And it is essentially an Internet of things search engine that has led to a lot of different stories that we've written over the years because security researchers use it to find Internet of things devices that are streaming directly to the Internet. So, like, off the top of my head, in the past, people have found, like, smart billboards that have been streaming to the Internet without an admin password. And so you can go in and you can change what the billboard says or the image that it displays. Sometimes you see, like, road signs, like automated road signs that they put up in work zones, and people often hack those, and sometimes they find them through Shodan, and they either have no password or they have, like, a password that's like admin, admin. And you can then change what they say.
B
You're able to basically search for very particular devices because you can search by, show me all of the servers or devices that have a certain port open. And if there is something particularly unique about the products you're looking at, oh, maybe they have a weird port open that's only specific to that sort of service. You can sort of identify them. I don't know how the pair here identified these ones. But presumably they found some sort of like, fingerprint of Flock cameras and then just search Shodan for that. I mean, I think you could probably even search Shodan for flocksafety.com, but their domains or something like that. Very similar to Censys as well, which basically does the same thing.
A
Yeah, I think it was a mix of those few things because I know that some of them were. You could just type in flock and they showed up. I do know that. But then there was like, they iterated and they were able to find more just by doing better searches. Let me talk about what we did. So we see this footage that's streaming to the Internet and we try to discover, like, where are these cameras located? Because all of them had IP addresses that gave us, like, a general geographic location, but it was still a very wide, like, margin for where something would be. For example, the cameras that I ended up going to see were in Bakersfield, California, which is about two hours north of LA with no traffic, which I got lucky and I went up and I saw them. But their IP addresses matched to Sacramento, which is six hours north of LA.
B
And so how did you figure that out? Because that's a. That's a big discrepancy.
A
Yeah, I mean, so I played GeoGuessr. I played like GeoGuessr Guy, basically. And so, for example, one of the ones that I found was at this Big O Tires shop. It wasn't owned by a Big O Tires. Like, it was on a traffic light, but the intersection, I could see the name of one street and I could see Big O Tires. And so I just used Google Maps and a lot of searching. And luckily there was a timestamp of the footage in the top left corner of all of this. I could see the time zone that things were in because like, like, bizarrely for some of these, like, some of the businesses would match or like the street names would match, but they would be in, like, different random cities across the country. And then I could sort of, like, figure things out via time zone. And then I used Street View and I clicked around a lot through Street View. Sam also did a lot of this for us, which was, like, extremely helpful. And she can talk a little bit more about what she saw, but we were clicking through a lot of these. There were about 60 of them. Again, I think we were able to geolocate about maybe 10. The others were just super nondescript. So they would be filming a parking lot at an apartment complex where there were no visible street signs or businesses or anything. There was one at, like, a skate park. There was one at a playground where children were playing, which was really, like, quite alarming. That was there. And then I think the craziest one for me was the Peachtree Creek Greenway in Brookhaven, Georgia, which is a suburb of Atlanta. And there were at least three exposed cameras there. And, like, one, these cameras zoom in on people who are walking by. So there was a woman walking her dog, and it just, like, zoomed in on her as she was, you know, walking the dog, and then it would follow her around, and then. I don't know. Sam, do you want to talk about the rollerblader?
C
Yeah. Yeah. This was a really crazy camera feed to look at because, like, again, this. These cameras are not looking at cars, specifically, in a lot of cases, they're looking for people. And there were no cars in this park, obviously. So, like, these cameras are put here to watch people. But this guy, we were able to watch him rollerblading up and down this one path. So you could click on one feed, see him come into the view. The camera zooms in on him, watches him rollerblade away, like, with a friend sometimes. And then you can click on another feed and watch him coming through a different part of the park in almost real time. And his friend drops off eventually. And then we did this for a while. We just watched him go around the park. And obviously, he has no idea these cameras are here, but he rollerblades up at one point, and the camera zooms in on his face. And then he passes a woman. It zooms in on her face, and she kind of turns around and looks. She's on the phone. She's, like, turns around and, like, kind of seems like she's saying to her friend, like, this dude just rollerbladed past me really fast. And then he comes up to the camera, where the camera, the pole that the camera is on, stops directly underneath the camera. And the camera has followed him all the way to that point, and now it's looking directly down at the ground where he's standing, like, zooming in on his face and his phone. And he's standing there, stopped on his phone, watching footage of himself that he's been recording rollerblading. I just. Like, this is so. Yeah, that's how clear it is. Like, you can see. I mean, this camera's probably, like, nine feet off the ground or something. It's not that high, but it zooms all the way down on his face, and then you can see him holding his camera or holding his phone, and he's watching, like, replays of himself, obviously. He's like, recording content or something or like watching his own form or something. But it's just so.
It was so bizarre because, like, we write about this stuff all the time. We understand that these cameras are everywhere. And knowing that they're everywhere and going about your day and not thinking really that much about them, but being intellectually aware that they're everywhere and you're being watched is one thing. But then being able to look at the view from the camera, from the point of view of the Flock camera, watching everyone in this park very closely all day long is such a different experience. And you're like, whoa, these people have no idea that these cameras are here or that they're being watched. It's just really strange feeling.
B
Yeah. So there's. You were watching that footage of sort of these random people. And obviously we didn't publish any identifying information about these random passersby. But as you said, Jason, you then, with Sam's help, geolocated some. You drove to a couple. And the benefit of that, I suppose, was, well, to confirm they're Flock cameras. I mean, we already knew it because Flock is like in the configuration information, but you can look at it and go, well, that's a Flock Condor camera or whatever. They are very, very distinct looking, like branding wise. And then also, of course, it's just in the same sort of way we do some of our other pieces where, like, I've bought phone location data from a bounty hunter, blah, blah, blah. It's just there's something about putting yourself and almost testing it yourself, and maybe that gets it across to the reader in a more tangible way. Was that, like, the benefit of doing this, like. Cause you didn't have to drive two hours. It's very good.
A
You did. I definitely. I definitely didn't have to. I'm very glad that I did. For the reason that you said one, I knew exactly what I was doing because I had watched that footage already of that intersection. But then it was quite weird and like, sort of, sort of affecting to myself to drive to that corner, see the camera that I had been watching online, get out of the car, and walk into the intersection, and then see myself show up on the feed, which is obviously what would happen. And yet for some reason, it made it feel a lot more real to me. And then I was also just able to, you know, I was able to watch myself on the feed. Sam was watching the feed as well. And so she saw me and texted me and was like, here's you. Here's like, she took a screenshot and sent me, you know, a screenshot of myself walking in the middle of the street in random Bakersfield, you know, Sam sitting 3,000 miles away. And then I also could see the cameras. So I was able to just make sure that it was Flock cameras. I could sort of figure out, like, how they were situated. In this case. It's like the camera's really high off the ground, like, at the very top of a pole. I don't think anyone would notice it. Like, it's very. Like, it's not hidden by any stretch, but it's like 40 feet off the ground. And if you're driving or walking by, like, unless you're just staring up into the sky, you're not going to see it. And then another notable thing is that it was outside of a mall, outside of a Macy's, was one of the corners of the intersection. And they had a bunch of Flock ALPR cameras, the Falcon cameras, at the entrance to this mall. And so it does sort of. It showed me that it's like, part of a more holistic surveillance situation, like, in this area. And then I went from that one, and I drove five minutes, and I found another one. And, you know, I only know of two that were exposed in Bakersfield, but Bakersfield has, like, dozens and dozens of these cameras.
The other thing that I would say is that I then went and did more reporting. I pulled contracts about these cameras. I watched a Flock webinar that they gave to police introducing these cameras a few years ago. And I do think that our work over the last year has been really important, as has the work of a lot of other journalists, in sort of explaining how Flock works and how pervasive it is. But our work has almost entirely focused on its automated license plate reader cameras, which, again, is the dominant product that Flock sells. But it's very clear that this company wants to be a lot more. And they want to be a holistic surveillance system for American cities that is networked in all the ways that we've talked about before. But. But basically, like, the footage from these cameras, at least as Flock presents it to police, can be streamed directly to something called Flock OS, which you've written about. And it's basically like a police operating system for all of their Flock cameras. And you can also sometimes put other devices in there as well.
B
Ring cameras now, recently.
A
Yeah. And so, like, you can. If you're a cop sitting in a command center or whatever, you can pull up these. These cameras and their footage, and you can control the cameras like you can pan, tilt, zoom them. You can, you know, they can also be automated. So last year they introduced AI that automatically tracks people. We have no idea whether these cameras that we saw were being operated manually or whether the AI was operating them. It's just like we have no way of knowing. But they were. A lot of them were zooming in on people. But anyways, in this webinar, they were like, well, if you have an ALPR hit, like if you have a license plate hit, you can then just pull up the surveillance camera and then you can like click from camera to camera to camera and you can operate them and all of this. And it just sort of shows that Flock, again is not just tracking cars. It is tracking people, pedestrians, and then of course by tracking cars, it's tracking the people who are in the cars. But, um, it's. It's just like they have a much bigger surveillance network than I think most people realize.
B
Yeah, I guess. Just to round it out, what did Flock say when you approached them for comment about this misconfiguration?
A
Well, I asked them a lot of questions about how this happened, and they just sent a very short statement in which they said this was a misconfiguration that affected a small number of cameras. They didn't say what the misconfiguration was or how many cameras it ultimately affected. And they said that it has been fixed, which it has been fixed, thankfully. Yeah. And yeah, I mentioned this at the top, but the YouTube video by Benn Jordan is really good on this. You know, he. He made it and sort of like took. I gave him some of my footage because, like, he was a, he was a researcher on, on this story for him and he found the initial thing and so I was like, well, I'm gonna go check it out and I'll let you know. But he did, he showed some of the stuff that is possible with this type of footage. We didn't do this because, I don't know, it just seemed we. We didn't want to do it, but. But I think it's good that he did, which is like he used facial recognition on some of the footage that he saw and he was able to determine who individual people were. And then he did like open source intelligence on some of them and like learned a lot about people who were at different sites who were on these cameras. And like, of course he anonymized it and he changed some details and that sort of thing, but he basically showed like, with this footage streaming insecurely, like, you can learn a lot about a person depending on sort of like what they're doing. And I thought that that was pretty shocking.
B
Yeah. Just to be clear to clarify, Flock itself does not have facial recognition. That they've said repeatedly like we don't have that capability. Maybe that changes in the future, I don't know. But right now they don't do that. I guess what he did is kind of similar to what those students did where they took those Meta Ray-Bans which at the time didn't have facial recognition in them either, but sort of glued that on. But yeah, the footage is incredibly crisp and very, very detailed and I can imagine it'd be very, very easy to identify people in that footage.
A
Yeah, he ran it through a third party facial recognition system like PimEyes or something probably. I assume PimEyes, I'm not sure which one. But yeah, like through a, like a non-Flock-related one. But took the footage itself.
B
Yeah.
A
Exported it, put it, put it through a different system. And then using Google and social media and like all that, once you knew it's like oh, this is what this person was actually doing at the Lowe's like parking lot. Or this is what the person was doing at this Christmas market. That where another camera was. It's pretty crazy.
B
All right, we'll leave that there. When we come back after the break, we're going to run through some of our major stories of the past year. We'll be right back after this.
B
All right, and we are back. I don't really have headlines for this one. Sam, you've written sort of preemptively. Is it this Friday? Next Friday, like a sort of year in review two Fridays from now two Fridays. Kind of already losing all sense of time. But you've done something, you've written something that kind of looks back over the year. How did you pick out these stories? They just jumped out to you or these were the ones that most people read or.
C
No, these are. So in lieu of the usual like weekly roundup on the 2nd, on January 2nd, because we'll all be out and not like publishing heavily that week, I put together just like a roundup instead of the weekly roundup. It's just a yearly roundup. It's pretty short, but it'll hold you over if you're in need of the roundup that day. But I looked at just analytics for the site, top stories that we have traffic wise for the last year. And then also just because a lot of the top stories are kind of one off, not really part of a bigger beat, but they went viral for whatever reason. But then there were quite a few stories that were part of a consistent beat that altogether make it the most important or most impactful beat of the year for that specific topic. So that's kind of the thinking for that. It's a mix of here's some stuff that people really liked to click on this year, which we can go over. But then there are just like bigger, broader topics that altogether kind of make up something that really resonated with people.
B
Yeah, let's run through some of these. The first one is the DOGE website, which I think anybody could push data to it or. Well, or emojis or whatever they wanted. Really. Jason, I think this is one you wrote. People were very interested in this because, I mean, this is way back when DOGE was the news every day, like earlier in the year, right?
A
Yeah. And I mean, for good reason. And I think that the damage that DOGE did to our federal government and programs, obviously like USAID and NIH, et cetera, like, cannot be overstated. But yeah, there was basically like few days early in the year, if I'm remembering correctly. So much has happened this year where the Fed, where, where Elon Musk was tweeting that DOGE was saving like all this money and it was saving, you know, billions of dollars, I assume it was a lot of money. And he was. It actually wasn't a lot of money, but Elon Musk was saying that it was a lot of money. Let me be clear. And so they were saying, like, we've killed all these programs also we're super transparent. They weren't being transparent. And so they were like, we're making a website where we are going to explain everything that we've done and how much money it's saved and blah, blah, blah. And so they slapped together this, like, really shitty website that I believe was being run on a WordPress that was not fully hosted on government servers because they spun it up so quickly. And, like, not only did it first have, like a weird templatized thing that they put up publicly, like, that was one of the stories that we did. When it did finally go truly live, the database that they were using was vulnerable to, like, an SQL injection, I believe, like a SQL injection. And so it was like a very rudimentary type of, like, basically very, in a very simple way for people who know what they're doing, they could add and delete things from this website, or specifically they could add to it. And so people were, like, adding their own, like, projects that they had cut more or less. And so some of the hackers, like, sent us the entries that they had pushed onto the live site that said, like, rude things about Elon Musk. And we wrote about that. And it was during a period where there was such intense interest in this that it was, like, very viral story for us.
I mean, it was a very bad situation altogether. But, like, compared to the actual damage that the government was doing, like, this was largely just like a really shoddy, like, website configuration situation.
B
It was emblematic of the damage they were doing, as you said.
A
Yeah, like, they reminds me of the Epstein files dump just in terms of, like, how shoddy and, like, things were showing up. Then they were disappearing and they were showing up again and failed redactions.
B
Yeah, yeah, yeah, we don't need scanned, all of that, but we've all been looking, all been looking into that in various ways. The redaction one is really, really funny. The second one was the TeleMessage hack. This is one I did. I worked with Micah Lee, the security researcher and journalist, on this as well. Basically, there was a photo where a Trump administration official was using something that looked like Signal. And of course, coming after Signalgate, where, you know, the Atlantic editor in chief was accidentally added to a group chat with Yemen strike plans. Signal was very hot at the moment then. So I zoom in onto the photo and find out, that's not Signal, that's something else. And I can't remember exactly what it was, but I think it was like, it was definitely something in the UI, say, that is not quite Signal. I look around and it's this Signal clone from a company called TeleMessage. And the idea is that it claims to be able to provide the protection of Signal, which it doesn't to be clear, but they say that while also archiving messages for compliance or regulatory reasons or legal issues or whatever. Lots of these products exist. I remember Wickr is sort of this. It was a consumer end to end messaging app. They shut down after it was being used by child abusers way too much. And NBC News reported on that. I think we did a little bit as well. But they had a product where Customs and Border Protection, for instance, could use that app and then also archive the messages for later. Anyway, TeleMessage is one of those. We've reported that, hey, look, you know, the government is using this particular tool, which I'd never heard of. You go on YouTube and at the time it had like a couple hundred views. It seemed like a very, very small shop and operation. I mean it was actually owned by a larger company, but the app itself didn't seem to be that well known.
Then very shortly after, it was hacked, sent a bunch of information, including data on CBP officials. To verify it, I'm just going through the phone numbers of these officials and calling them and asking, hey, is that blah blah blah from CBP? They say yes. I'm like, I'm a journalist and there's been a breach I'm trying to verify. And usually they hang up at that point. And one definitely did do that, but we verified the data, published that and then it was like 24 or 48 hours later. Very soon after, another hacker got in and apparently got more data. And NBC reported that. And obviously this was a massive security failure. The hackers managed to get a bunch more data about other government agencies. Senator Ron Wyden sent a letter to the DOJ about it. Honestly, I kind of almost forgot about the story because it has been such a crazy year. And I think people might sort of conflate it with Signalgate. I mean they are related, but I imagine people may even forget about this hack as well because I mean Signalgate was so significant when they were sharing those Yemen attack plans. But yeah, that went crazy.
A
And I mean what they have in common is that it just shows how like people in high up at the administration just like don't understand how Signal works. Like they, they don't like take, you know, it's only as secure as any of the endpoints and it's just like they're super reckless about it. Yeah, including up to the point that it's just like, they didn't vet this, you know, this offshoot, this. This fork of. Of Signal.
B
I remember while it was happening, I had a lot of sources. Well, not sources, I'll say tipsters reaching out. And they were, like, sending me alleged photos from, like, a security conference that was happening at the same time. And I didn't write this up in an article at the time, but it was pretty interesting that TeleMessage was being, or rather I think it was Smarsh, the parent company. They were at security conference displaying the product, and they had some sort of tagline about, oh, we're the most secure messaging product, or something along those lines. And then someone took a photo. Then the day later, that had actually been taken off the stall because then we broke news of the hack. So I don't know, I thought that was pretty funny. And I'm just, like, looking through contracts now which mention TeleMessage. There's one from September 22, 2025, with some agency, and then there's one September 11 with another intel, another agency there. So the government's still using this tool. They haven't got rid of it. So who knows? Maybe we'll see another hack in the future. Speaking of hacks, Emanuel, you wrote a lot about Tea. It started with a hack, then another hack, and then your broader story. Just walk us through that sort of. Well, what is Tea, first of all? And what was the first hack?
D
Yeah, so I would say that Tea's story begins in the media before we actually step into it. And that is back in July, I believe, sometime during the summer, Tea shot up in the App Store ranking. And Tea is an app where women could log in and share information about men that they dated or want to date. And other women would chime in and share what we call red flags or green flags, saying, oh, this man is someone you shouldn't date because he cheated, or sometimes more severe accusations like he was physically abusive, sometimes relatively benign things like he's rude, he ghosted, things like that. And that became very popular. It got some coverage in the news with the framing that this was a way for women to come together and fight back against men who are nasty that a lot of women run into on the dating apps. And I think this was on July 25th. I woke up in the morning and I got a frenzied call from basically a good Samaritan who said that all the data from the Tea app, namely the selfies and photos of IDs that women uploaded to the app in order to verify that they are actually women, which was like one of the selling points of the app, were being leaked on 4chan, and this person had tried reporting it to Tea, he tried reporting it to Google, which is where all this data was leaking from. There's this thing called Google Firebase, which is a platform where you can kind of deploy your mobile app. And that was misconfigured and allowed anyone to dig through its data. And I think, Joe, at that point I kind of got in touch with you and we started to write that up.
B
You sent me a frenzy text.
D
Yeah, I was like, oh, this seems actually like. Because we get a lot of tips about leaks and sometimes they're from cybersecurity companies, sometimes they're just from people who know this stuff. But it's like this one seemed like really bad. And I think we both recognize that because of the intimate nature of the data. Like a lot of the time it's text and addresses and emails and you have to sort through it. But we kind of took like one look and we were like, okay, well here's thousands of images of women's faces and their IDs. And we were like, okay, well this seems bad. Let's verify it. We had some.
B
But it was also the 4chan connection.
D
Right. And the 4chan, like, it wasn't just that the data leaked. It leaked with malicious intent. Right. Like these guys on 4chan, the framing in the media was this was a way for women to fight back against bad men. And then like the misogynist community on 4chan was like, fuck that, and we're gonna fight back against that and like really embarrass and make these women's life hell. We had some interesting, very quick methods for verifying that the hack was real. And we published about that. And that was a huge story. I think that was like the most clicked on thing that I published this year with the exception of there was like an Alibaba AI video model that was released and I noticed was immediately turned into a porn producing machine. And I wrote that in like five minutes. And I think that maybe got a little bit more.
B
But anyway, that's just how it is sometimes.
D
Yeah, but we, we brought that up and I think that was like a big enough story as is. But then things got much worse. Like amazingly, as bad as that was, the more we reported on it, the worse the story got. And there's two big beats there. One is we immediately find out that there was another vulnerability and we had good reason to believe that people took advantage of it. And this one was a leak of the direct messages that women were sending each other on the app and discussing, like, extremely personal, extremely volatile things about each other, about things that happened to them, about accusations, accusations about men that they've been with personal data. Personal data, phone numbers, addresses, like, really, really terrible hack. Just because of how specific the data is and also the context of the conversations there because of the subject of the app and what women are there to talk about is not the kind of thing you want leaked, especially since the app is advertising itself as like, this is a safe space for you to discuss these things. So we wrote about that, and then a lot of people came out of the woodwork to tell me about the origin of the Tea app, like how this whole thing got started and who was behind it. The short version there is that there's this practice online that is most popular on Facebook, but there's one group in particular called Are We Dating the Same Guy, that Sam had covered previously, which does basically the exact thing that the Tea app does, only it's on Facebook and it's free and it's like a grassroots, community managed thing.
B
And it came a long time before Tea.
D
Yeah, it came years before. And the person behind that, Paola Sanchez, would say, who I talked to for the story, would say this is currently like the biggest one. But she would admit that she's not the first person to do it. It's just one that was well organized and caught on. And basically the guy who founded Tea, Sean Cook, he essentially kind of stole that idea, tried to recruit Paola Sanchez, who is the founder of Are We Dating the Same Guy, to be the face of the app. And once she made it clear that she is not going to do that, he essentially just started poaching her audience and her community by false advertising and trying to blur the lines between what is the Are We Dating the Same Guy community on Facebook and what is the.
B
Tea app by making these fake groups is.
D
Fake, fair to say, fake Facebook profiles and just jumping into every conversation and telling women to join the Tea app because they'll find information about the man that they're asking about there, whether that was true or not. And just a lot of shady practices which I know now by, like, because I've continued to talk to people about this story and people are still reaching out about it. And I am working on like a longer term follow up to something about Tea. And I know for a fact now that this is something that worked. And it did confuse people in the Are We Dating the Same Guy community and caused them to join Tea. And then that resulted in their information being leaked. And I guess the other thing about this story that I think we will continue to report on in some fashion is that it touches on something that we've all written about at some point. Joe, the thing that always comes to mind is the story that you wrote about this account on TikTok that was doxing people randomly and using PimEyes, Pim Eyes or Pumice that we talked about on this podcast that is like a facial recognition thing that anyone can pay for and use online to find people. We're just in this point with surveillance tech and how accessible it is and how knowledgeable the average person is about how it works and how to use it and how to access it, that anyone can dox anyone and anyone can find anyone. And that's just created a new normal online that we, I don't think, fully adapted to yet. And that is just like, I think, a core component of this story. It's like you have these women coming together for good reason. They want to share information. In doing so, they're using all this surveillance tech online, and then that backfires and that's used against them, and it just like, it's really, really messy, I guess, in a new and upsetting way. And I'm sure that will come up next year also.
B
Yeah, I think that's a very, very good takeaway. We live in a very, very strange world when it comes to surveillance by ordinary people who think it's like a good thing to just unmask strangers for seemingly no reason and all that sort of stuff. Sam, to round us out, we touched on this, I think, a couple of episodes ago, but you've been doing a ton of. On the age verification laws which now cover half of the United States. I mean, also related to people uploading their IDs, or at least potentially in some cases. Right. What's sort of been your takeaway this year after doing that coverage for the past year?
C
Yeah, so the first story that I wrote on the first of the year last year was that Pornhub was now blocked in almost all of the US South. And that comprised 17 states at the time. And then, you know, when you look at a map, it's just like the entire south of the United States was not able to go to Pornhub without a VPN. Let me put it that way. I guess because Pornhub had blocked access in all these states that have age verification legislation in place. This all started. It started a long time ago, obviously, as these things do. But as far as legislation getting passed, it started about two years ago where Louisiana passed the first law to require platforms, specifically porn platforms and adult platforms that contained more than a third. God, what's the word they use? It's not. I don't even think that they say obscenity. They say harmful. It's material harmful to minors. I think in both, in most of the laws, but they do vary. It's like there is a different word for this depending on what state you're in a lot of times, but, you know, quote unquote, material harmful to minors. And then they define material harmful to minors as porn. And then in some states, material harmful to minors is also like queer content, content with trans people in it, stuff like that. So this has been something that I've been following since then and since a little bit before then with the passage of these laws. And this year, as of a couple weeks ago, we're now looking at about half of the United States, we just passed the halfway mark, is under age verification law. So that means that in most of these states, not every state, but in most of the states, Pornhub has decided to not service those states so you can't access them. You hit a wall. You see Cherie DeVille giving a very eloquent speech about why they're not... Cherie DeVille is a porn performer... about why they're not com... they're complying with the law by shutting down access to their site, because Pornhub has the stance that the laws are censorship. This is also our stance, just to be clear. Censorship, chilling effect on adult speech and is also privacy risky. There's implications for users' privacy when you're collecting something like licenses and IDs and passports in some cases and, you know, like biometric data and things like that that are required by the law. So most people have gone around this by using VPNs, and now VPNs are up for debate. There's pushes here and there by people in power to oppose or even make VPNs illegal. I mean, there's nothing like actually in the books about this yet, because it would be crazy, but obviously crazier things.
B
How on earth would they do that? I mean, maybe it's not clear yet, but is it like we're going to tell the app stores, you can't sell or deliver a VPN app in XYZ State? How's that even work?
C
I mean, it's like it wouldn't work. The only way that it would work would be to crush a lot of the actual good uses of VPNs that lots of people and companies use VPNs for. So I don't know. It's like, I'm not ruling that out, but it would be a big deal if that happened. There are places where I think the law is that. And I don't know if this is passed law yet or if it's just. It's still kind of in the stage of moving through toward being enacted legislation. But adult sites might not be able to recommend VPNs, which is something that is what some sites are getting around this with. They're saying, use a VPN to access our content. Yeah, it's something that I've been following for a long time. And it starts to feel very incremental and we're repeating ourselves over and over when we report on this stuff. But every time I write about something like this passing in a new state, we write a blog about how it passed in Mississippi, pass in Wyoming, pass in South Dakota separately every time it happens. And I'm like, God, I'm repeating myself over and over. But then someone will reply and say, I didn't know that my state was one of these states. I didn't know I was in a state where this was happening. Which I think is like a big deal. I think you should know what the law is in your state in order to decide whether or not you oppose it. So, yeah, it's something that we're going to keep covering. Obviously, it's a huge part of the Internet and being able to access it is being able to access it freely for adults. And now especially, we have increasing pressure on totally repealing and dismantling Section 230, which is definitely all related. So we're going to be following that into the New Year as well.
B
Yeah, I mean, I don't want to think about the new year just yet, but me neither.
A
Yes.
C
I just want to think about the.
B
Next two weeks we will be doing that. All right, we'll leave that there. If you're listening to the free version of the podcast, I'll now play us out. But if you are a paying 404 media subscriber, we're going to talk about a bunch of our fun recommendations. Well, mine is fun. I haven't actually looked at your others because I want to be surprised for the next segment, but I'm going to say they're fun. You can subscribe and gain access to that content at 404 Media co.
As a reminder, 404 Media is journalist founded and supported by subscribers. If you wish to subscribe to 404 Media and directly support our work, please go to 404 Media CO. You'll get unlimited access to our articles and an ad free version of this podcast. You also get to listen to the Subscribers only section where we talk about a bonus story each week. This podcast is made in partnership with Kaleidoscope. Another way to support us is by leaving a five star rating and review for the podcast. That stuff really helps us out. This has been 404 Media. We'll see you again next time. Maybe not next week.
Date: December 24, 2025
Hosts: Joseph, Sam Cole, Emmanuel Maiberg, Jason Koebler
In this episode, the 404 Media team dives into their recent investigation into Flock's AI-powered security cameras being unintentionally exposed to the public internet. They detail their hands-on experience tracking themselves via these exposed cameras, reveal alarming insights into modern surveillance networks, and reflect on some of the site’s most impactful stories from the year. The discussion is lively, deeply informative, and full of insider perspectives on digital security, surveillance capitalism, and the social consequences of tech mismanagement.
Tip-Off and Discovery (02:53)
The Danger of Misconfiguration (06:34)
Geolocation Sleuthing (09:17)
Watching the Watchers (12:41)
Testing the System on Themselves (15:15)
Flock’s Broader Surveillance Ambitions (18:10)
Security, Privacy, and Facial Recognition Risks (21:13)
On the public’s lack of awareness:
“Knowing that they’re everywhere and being intellectually aware you’re being watched is one thing… but being able to look at the view from the camera, from the point of view of the Flock camera, watching everyone… is such a different experience.” — Sam [14:13]
On the reality of surveillance states:
“You can just walk into a feed in Bakersfield, and someone on the other side of the country can see you in real-time on a police camera that’s supposed to be secure.” — Jason [17:09]
Summary:
Tea, a “women’s safety” app for flagging red flags about men (input by verified female users), suffered catastrophic data leaks—ID photos, chats, and more, much of it exploited by 4chan trolls. Further reporting exposed the founder’s attempts to co-opt grassroots “Are We Dating the Same Guy?” Facebook groups via deception.
Quote:
“...All the data from the app, namely the selfies and photos of IDs that women uploaded… were being leaked on 4chan… It wasn’t just that the data leaked. It leaked with malicious intent…” — Emmanuel [36:24, 38:44]
On the broader problem:
“We’re just in this point with surveillance tech… not only is anyone vulnerable, but anyone can dox anyone. And that’s just created a new normal online that we, I don’t think, fully adapted to yet.” — Emmanuel [44:45]
Summary:
Sam reviews her reporting on the proliferation of age verification laws in the US (now covering half the country), which require adult sites to verify age (sometimes with biometric info or IDs), chilling free expression and risking privacy.
Quote:
“Pornhub had blocked access in all these states… they’re complying with the law by shutting down access to their site, because Pornhub has the stance these laws are censorship. This is also our stance, just to be clear.” — Sam [47:45]
Increasing Pressure on VPNs:
Lawmakers are now making moves to restrict or ban VPNs, which undercuts attempts to get around these laws.
On the iterative coverage:
“Every time I write about this passing in a new state, someone replies, 'I didn’t know my state was one of these.' Which I think is a big deal… You should know what the law is in your state to decide whether you oppose it.” — Sam [50:14]
Note: Advertisement, subscription, and outro segments are omitted from this summary.