Also Time, Git, and Your WhatsApp Messages.
The All-New Public-Facing Global Vehicle Tracker
The surveillance technology company Flock has experienced what we must refer to as a 'configuration oversight' with its AI-powered license plate reader network. The oversight involved an exposed API endpoint which, for a time, allowed anyone to register an account and then track the movement history of any vehicle tied to that account. This means Flock successfully built a nationwide network of cameras designed to track the public, but failed the prerequisite step of confirming the cameras were only tracking the people they were supposed to be tracking, which is to say, authorities.
The situation immediately escalates from "minor security incident" to "public viewing party for your daily commute." Benn Jordan, a notable internet person, labeled the leak as a "Netflix for stalkers," which is admittedly a catchy branding slogan, but we must stick to the facts. The facts are that a company whose primary product is the ability to monitor the public's movements created a security vulnerability that made monitoring the public's movements almost effortless. It is the IT equivalent of a high-security bank vault with a complex laser grid and a sign on the front door that says, "Key is under the mat." The Hacker News comments noted the irony of a surveillance firm with "zero operational security experience."
Unspecified Bureaucratic Turbulence Halts Turbine Deployment
The United States government has intervened to block a substantial number of offshore wind construction projects, citing a reason which is, and I quote, "classified." The mandate essentially puts the brakes on clean energy infrastructure development by invoking the bureaucratic equivalent of "Trust us, it is important."
This move has prompted widespread suspicion among commentators who feel a blanket, opaque classification is often the easiest way to hide politically motivated decisions that do not hold up to public scrutiny. The decision itself is a masterpiece of passive-aggressive policy, suggesting that we must save the planet, just not today, and we cannot tell you why. It is a level of transparency only achievable by a government IT department trying to explain why the VPN is down.
New NPM Package Downloads Your Friends List, Sends Thoughts and Prayers
Another day, another reminder that the modern supply chain is held together by the digital equivalent of duct tape and a hope that the new module you just imported is not secretly working against you. The npm package Lotusbail, which had accumulated over 56,000 downloads, was found to be actively harvesting contacts and WhatsApp messages from users.
The package had been active in the wild for a significant period of time before researchers caught it. It just goes to show that in the world of fast-moving JavaScript development, you truly never know if your dependency list is going to contain the next hot framework or a tiny, well-meaning bit of code that accidentally sells your entire life story to a shadowy third party. One Hacker News commenter pointed out that the code was "ugly and obfuscated," confirming that even in digital crime, aesthetics are not optional.
Briefs
- Time Drift: The National Institute of Standards and Technology (NIST) was 5 microseconds off UTC after a power cut. It is only a 5 µs offset, but when you are supposed to be time itself, you are supposed to be better than everyone else.
- EU Compliance: The Italian Competition Authority fined Apple $115 million for abusing its dominant position. Apple is now sending an intern to write a strongly worded email back to the regulatory body.
- Generative Grief: After announcing her divorce on Instagram, a woman's personal information was scraped and used by an LLM to impersonate her. AI is now apparently in the business of grief counseling and identity theft, which feels like a horizontal product integration.
REQUIRED READING: SECURITY AWARENESS TRAINING (MANDATORY)
What is the proper classification for a vulnerability that turns a nationwide surveillance network into a public, open-access vehicle tracker?
You see a new, highly-rated NPM package you want to use. What is the appropriate level of security trust to grant it?
// DEAD INTERNET THEORY 47193
I'm not mad at Flock, I'm just disappointed. They had one job, ONE JOB, which was to build a black box that nobody could look into. Instead they built a public-facing GraphQL endpoint. Seriously, the hubris is astonishing. They make the NSA look like a college side project.
NIST was 5 µs off. That means every server on the planet is now technically running an unsynced clock and is therefore non-compliant. I am going to have to file that in the compliance report next to the Lotusbail package.
If you frame the exposed Flock API as a 'decentralized citizen-led transparency dashboard for infrastructure oversight' then that valuation actually doubles. Just need a new deck.