There's also a difference between your neighbor not closing her blinds and you using a telescope to look inside her apartment, which is what sites like this are.
I doubt that the instructions for a cheap camera have enough information to walk a non-technical user through the process of setting up port forwarding on their specific router.
I could believe that it’s automatic port forwarding via UPnP for some of these cameras.
However a lot of them are from contractors who install the cameras for people as a service and this is the only way they know how to get them remote access. It’s the same reason different industrial controls and other machines keep getting exposed to the internet. Some installer with a git-er-done attitude knows their customer wants a solution to something (remote access) and they use the first technique they can find to accomplish that without any concern about what it means. They accomplish the thing the customer wants, collect payment, and disappear.
If the customer calls back with a complaint about it, the contractor will happily come visit the site and try to “fix” it for another fee.
If you’re thinking that this is a liability issue you’re not wrong, but in much of the world there is no realistic recourse. Most things like this are pure caveat emptor.
Most network security experts would quit before ever entering a hot attic.
So Cletus the CCTV guy who just spent 8 hours crawling through drop ceilings with a mask on, does a super-clean install, and sets it up as well as he knows how. Which is "good enough" — it works and he's off to the next job. The customer's happy and he gets paid.
Now which one of you network security guys is going to give up his cushy WFH job to go make house calls for CCTV wages?
Cletus is free to get a bank loan and mortgage his house to give it a try as well, though he doesn't have a decade of FAANG employment money to lean on, what he does have is experience with customers and crawling around houses.
Yes, the people setting up these cameras are not following security best practices. But are you sure that you will not make the same mistakes? Are you sure you have never exposed anything you should not have on the Internet, and never will, even as you age?
Let anyone among you who is without fumbling security be the first to throw a stone.
That said, I'm not 100% convinced I could set up a webcam streaming online without accidentally exposing it to the wider internet. Maybe 95% sure? But if even I couldn't guarantee it, what chance does your average joe who mostly only uses his computer for netflix have?
How do so many people end up exposing these cameras to the public internet? Are their ISPs not using NAT by default? Are the users jumping through hoops in order to open it up?
This is an example of everything working as intended. The cameras are supposed to be accessable when you're not at home. Of course the cameras ought to ship with randomized default auth on a sticker attached to the unit the same way any half decent router does these days but they don't.
If your door is unlocked, either through ignorance or negligence, it's still not right for someone else to just walk into your home and look through stuff you thought was private.
Sure, they can do it, but just being able to easily do something doesn't make it right.
It is also funny, and depressing that many of the same people who think might makes right on the internet ends up lamenting how fucked up life is in their low trust societies, when their mindset is exactly what makes a high trust society — you know, the ones where people don't lock doors — impossible.
This isn’t a passive “walked by the window” thing that you might have unwittingly viewed. To actively search for open cameras by crawling every IP then creating a tool to see them, then choosing to watch the footage is a very active, deliberate choice. No one is viewing this footage without making a multi-step choice to view it.
I'm surprised this is still a thing though. I remember being shocked when I came across an extensive feed of these inadvertently pubic CCTV feeds ~15 years ago. I had assumed it was no longer a problem.
We evolved for small tribes, e.g. Dunbar's number is ~150. Roughly 1/129 of the people on the internet are software developers, so in the days of everyone living in villages your in-group would include roughly one person who thinks like we think.
"Inadvertently live-streaming to the 1/129 of the world who consider searches like this to be trivial, with zero feedback unless you found your home accidentally went viral" is not like anything we otherwise experience.
If anything, projecting onto a nearby sidewalk as you describe is more like "I was bathing after my day's work scribing for the king and wouldn't you know it, that 𒈗𒍠𒄀𒋛 living by the temple decided to walk right in and say hi! Doesn't even think to knock, just opened my front door and walked right in.", while the closest thing you can find to accidental live webcams in old writing is gods spying on mortals for fun, making us the Anansi, the Loki, the Eshu. And for the furries, the Coyote.
In other news I'm considering developing a new app and was wondering about VC funding. It's for mapping out ladders adjacent to windows down back alleys. I think it would dovetail well with nipalert.
How else are things supposed to change. Hopefully this will embarrass some oligarch enough to force companies to close their loopholes.
It takes active effort to expose a camera publicly
Sharing on the internet should be one of the hardest things to do in your product. You need to make enough friction that the user can never do it by accident or by default. And the user should be warned at every step.
All with informed consent of course.
Edit: Come to think of it, video chat apps (WhatsApp, Signal, etc.) seem to do this, at least sometimes.
“Electrical Network Frequency (ENF) analysis”.
I’m going to dig more and will leave some links when I get back to a computer.
While right, there are multiple definitions of "private" and for others OP's point still stands.
No. No. No. No. No. No. No. No. No.
So if I put an IP camera inside your bedroom without your notice or consent, and hook that up to the Internet, you'd be okay with that? Because it's public!
A lot of these are probably from default or misconfigurations. A lot of these people with IP cam feeds visible to the Internet probably do not know they are open.
The intent was to say "You cannot call a space private if it has a networked camera in it." Not "only a public space can host a camera".
> "Many of these cameras are in private spaces"
To which the gp answered
> It's not private if it has a ip cam in it
So what? Either he meant to contradict the op (and then it's correct to push back), or this is an entirely superfluous comment given they both understand what the problem is.
They are not contradictory statements.
This:
> If the room has an IP camera in it, it is by definition not private.
Does not necessarily mean this:
> Since cheap cameras have begun to appear everywhere I treat them all as if they were publicly viewable.
The implication is that if someone misconfigured or otherwise didn't know their camera was broadcasting to the world, anyone is morally and legally correct in doing whatever they want with it, and it is their fault because it is "public". That is wrong.
I think it's more so similar to that if you leave something shiny and expensive in a visible position in a car in a neighborhood known for high rate of thievery there are good odds of your stuff being stolen. They are not claiming that the thieves are morally or legally correct.
That said, there are many people for whom "blaming the victim" is forbidden at all costs, and thus don't seem to have the facility to understand not making oneself a target. I suspect that you are replying to somebody possibly like that.
I'm not sure you do. Or at least you're replying to a very uncharitable interpretation.
From my perspective, this read as: the moment you put one of these IP cameras in a room, you should assume you're now in public, no matter what assurances you might have from the manufacturer or what safeguards you might have put in place. So if you intend for a particular space to remain private, don't put one of these cameras there.
> it is their fault because it is "public"
From my reading at least it didn't seem to imply that "it's the camera owner's fault", or that they should know better or that they deserve what they get, etc.
a] they may be exhibitionists
b] they dont realise they are misconfigured
c] someone hacked them to whatever end
d] they are doing nothing wrong thus believe they have nothing to hide.
> As a rule of thumb, if you believe that "nobody would connect that to the Internet, really nobody", there are at least 1000 people who did.
https://hackaday.com/2026/06/27/requiem-for-long-wave-as-the...
> Baiting deer is illegal!
> This corn pile is intended for squirrels, chipmunks, and other such critters.
> Any deer found eating this corn will be shot!
Then everyone could get what they want: voyeurs can watch exhibitionists like God intended.
(Not sure how much metadata there is on the site since it’s currently suffering the hug of death so I can’t see anything at the moment.)
The point is valuable, and the mission is important, but the ends do not justify the means. If this must be shared, at least use static pictures and don’t stream the content for viewers.
Should Shodan be taken down because it can search for these devices? What about Google because it can find admin consoles?
> What about Google because it can find admin consoles?
Intention and proportion matters. Google is overwhelmingly not used for discovering unsecured endpoints and that is what makes it OK. If you build a search engine that only serves admin consoles and markets itself as the search engine for admin consoles then you have a problem. There is a reason why DDOS for hire services market themselves as selling "stress testing for your own servers," because they are smart enough to know the consequences of knowingly breaking the law.
And standing out in the street staring through with binoculars is still wrong and creepy.
> Should Shodan be taken down because it can search for these devices? What about Google because it can find admin consoles?
It’s not a new idea, nor that controversial, that we restrict things specifically aimed at doing something rather than ones just capable of it.
These things are open server ports on the wild internet. Anyone with a "for" loop can find them easily. If they care about privacy they shouldn't have them public.
I get it if you think this is a legal gray area (it's not), but it's surprising to see how many people seem to think this is plain justified. Makes me think that there's some users that gravitate towards this site because the hacker in hackernews refers to hacking as in accessing systems without permission.
If you think hosting a website like this is ok, I encourage you to talk to a criminal lawyer and consider if you are a criminal. At least do it knowingly, do not pretend shit like this is fine.
If you roll your eyes at the thought of having to manage credentials or refuse to learn how the internet works on a basic level, you're not fit to set up devices connected to the internet.
Secure your shit or don't play with technology you can't handle.
Being able to do something, even if you can do it without the police showing up, is not the same as it being right to do something.
I think it’s wrong to cheat in a relationship but it’s probably legal.
I recall most of them were in Asia.. street cameras, supermarkets.. then I suddenly found myself looking into someone's bedroom.
Fortunately it was empty, but I promptly shat myself and turned off my computer.
https://images.shodan.io/?query=port%3A554+country%3A%22GB%2...
Edit: they're literally the same image
2fc4ad21cfce564f7aa65942eae7d4529c8af3d7ffb6287aa1fd79ebb78eb648 ipcrawl.jpg
2fc4ad21cfce564f7aa65942eae7d4529c8af3d7ffb6287aa1fd79ebb78eb648 shodan.jpg
I’m not even convinced these are all real, or at least are staged:
https://ipcrawl.com/?page=6&cam=63f7feaf5042d223
That’s the invisible man hanging out at a tennis match…
I also question whether this site really fits with HN's values. By being so highly ranked here, a great number of eyeballs are being directed at cameras that are clearly not supposed to be publicly accessible. At a minimum that doesn't seem especially kind.
Feeding faked looped security camera footage is a classic plot device in many films, and could make some good comedy!
These days you could do with AI. Godzilla over Tokyo anyone?
If you look at it, all "feeds" that are without any moving part or human are "live", and when there is anything that could have movements, then it is a "snapshot" that doesn't move.
And then there is this very funny one that I'm quite sure is AI generated: https://ipcrawl.com/?page=2&cam=63f7feaf5042d223 The picture: blob:https://ipcrawl.com/939da98f-dfbf-4019-8518-8bfbdfbcb8df
Without realizing that the entire world can see what the owners are doing when they are at home. Without using any special app at all.
What is the goal?
And they've created a reddit page specifically for this!
Adults too, if you had a pool like this wouldn't everybody want to share their "sex pool party cam"?
I don't really understand this b/c it's trivial to say "write me a letter in the style of <famous letter writer A> mixed with the style of "<famous letter writer B>"
Or
"Here are some examples websites, make a new website that is a remix of all of the example sites".
You would be surprised at the results.