> City officials said ransomware left police cameras unable to record between Jan. 12 and Jan. 15. The cyberattack affected 123 of 187 network video recorders in a closed-circuit TV system for public spaces across the city, the officials said late Friday.
> Sercet Service spokesman Brian Ebert said the safety of the public or protectees was never jeopardized.
Which implies that we're perfectly safe without these systems.
And here we thought that "public safety" was about keeping the public safe, while actually they were talking about keeping themselves safe from the public.
> On Jan. 12 D.C. police noticed four camera sites were not functioning properly and told OCTO. The technology office found two forms of ransomware in the four recording devices and launched a citywide sweep of the network where they found more infected sites, said Vemulapalli.
This is interesting, because it suggests (to me) that the systems were note specifically targeted because they were part of the CCTV system but were instead caught up in a broader wholesale ransomware attack on whatever system the attackers could get their hands on?
I'm not sure if an un-targeted attack is more or less concerning than a targeted attack. One could of course make a "they should take more care with purportedly critical systems" statement. But the un-targeted scenario implies that a targeted attack on the system could be much more devastating.
If cities want to protect their citizens from authoritarian oppression of their residents, they should start dismantling the mass surveillance systems.
Who knows what the next Executive Order will suddenly implement.
Is it safe to assume all these networks have been pwned by, at a minimum, the Russians, Chinese and Israelis as well as, in all likelihood, a not-insignificant number of tech-savvy criminal syndicates.
It sounds pretty plausible. But, I'm not sure what benefit that gives them? The article says the cameras are trained on public spaces. So in principle they (China, Russia, etc.) could get the same information by having an agent just hang out there (yeah, I know, the same can be said for the DC Police). So pwning the CCTV cameras probably doesn't give them access to any sensitive or novel information.
If you have access you can probably disrupt or modify things when the need arises (making this kind of system even more pointless for their declared purpose than they already are).
Probably not. There really isn't much upside in being able to monitor all those cameras all the time... how would you be able to make money with it? That said, I know some of the pole mounted systems are running a WiFi AP so that an officer doesn't need to get a cherry picker in order to pull video.
A state actor could probably own them one at a time through the AP, but its unlikely that is what happened here.
for the past ten years, no one has cared that virtually any hacking group is roughly as powerful as J. Edgar Hoover, and more dangerous. At least he wasn't anonymous.
> An investigation into the source of the hack continues, said Vemulapalli, who said the intrusion was confined to the police CCTV cameras that monitor public areas and did not extend deeper into D.C. computer networks.
I'm skeptical of this. These types of cameras typically have a cell/LTE internet connection that should be dropping all inbound requests and connect to some sort of a back end via VPN. Its possible that they weren't set up to drop inbound connections from the internet, but it seems much more likely that they were hacked from deeper in the network.
But then they never would've been able to detect the ransomware! How can we make sure our systems are secure if we can't audit them, and how can we audit our systems if we can't SSH in, and how can we meaningfully SSH in if we can only do it from the office and not from employee computers at home? /sarcasm
You can read more about the CCTV cameras on the MPDC website. It does a decent job explaining why the cameras are useful, which was informative for me and I believe would be informative for other commenters as well.
> Sercet Service spokesman Brian Ebert said the safety of the public or protectees was never jeopardized.
Which implies that we're perfectly safe without these systems.