Calling the second one a bug is ridiculous. “If the file /tmp/moses/ exists on the file system then an unauthenticated remote attacker can list all of the non-admin users and change their passwords”. That functionality is way too intentional.
Ah, security cameras. Never-updated linux boxes, frequently with homegrown http servers, often with secret hardcoded credentials in clear text lying around in the firmware blob.<p><a href="https://www.youtube.com/watch?v=B8DjTcANBx0" rel="nofollow">https://www.youtube.com/watch?v=B8DjTcANBx0</a>
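Added example (not from the comment above or from any vendor's code): a small `strings`-style pass over a firmware image that flags the kinds of cleartext credentials the comment refers to. The firmware bytes below are constructed for the demo, and every pattern, threshold and name is an assumption chosen to illustrate the technique, not a description of any real product.

```python
"""Scan a firmware blob for hardcoded credential material.

Mimics `strings` (runs of printable ASCII), then matches each run against a
few credential-shaped patterns: /etc/passwd-style entries with a hash, bare
crypt hashes, key=value secrets, URLs embedding user:pass, private keys.
"""
import re
import sys
from dataclasses import dataclass

MIN_RUN = 6  # shortest printable run worth looking at (assumption)


@dataclass(frozen=True)
class Finding:
    offset: int   # byte offset of the run inside the blob
    kind: str     # which pattern fired
    text: str     # the printable run itself


_PRINTABLE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_RUN)

# Order matters: the first pattern that matches a run names the finding.
PATTERNS = {
    # user:<crypt hash>:uid:gid:  (a hash in /etc/passwd, not an 'x' placeholder)
    "passwd_entry": re.compile(
        r"^[a-z_][a-z0-9_-]*:(\$[0-9a-z]+\$[^:]+|[A-Za-z0-9./]{13}):\d+:\d+:"),
    # $1$ (md5), $5$/$6$ (sha), $2a$ (bcrypt), $apr1$ (htpasswd)
    "shadow_hash": re.compile(r"\$(1|5|6|2[aby]?|apr1)\$[^:\s]{2,}"),
    "key_value_secret": re.compile(
        r"(?i)\b(pass(word|wd)?|pwd|secret|token|api[_-]?key)\b\s*[=:]\s*\S+"),
    # scheme://user:pass@host
    "url_with_creds": re.compile(r"(?i)\b[a-z][a-z0-9+.-]*://[^/\s:@]+:[^/\s@]+@"),
    "private_key": re.compile(r"-----BEGIN (RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
}


def extract_strings(blob: bytes):
    """Yield (offset, text) for every printable run of at least MIN_RUN bytes."""
    for m in _PRINTABLE.finditer(blob):
        yield m.start(), m.group().decode("ascii")


def scan_firmware(blob: bytes) -> list[Finding]:
    """Return credential-shaped strings found in the blob, in offset order."""
    findings = []
    for offset, run in extract_strings(blob):
        for kind, pattern in PATTERNS.items():
            if pattern.search(run):
                findings.append(Finding(offset, kind, run))
                break
    return findings


# Constructed sample "firmware": an ELF-ish header, binary filler, and a few
# planted cleartext secrets. Nothing here comes from a real device image.
SAMPLE_FIRMWARE = (
    b"\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00\x02\x00\x28\x00\x01\x00\x00\x00"
    + b"root:$1$RYIwEiRA$GsaOPoRnfh2Gc6vtHDZSr.:0:0:root:/root:/bin/sh\n"
    + b"\x00\x00\xff\xfe"
    + b"nobody:x:99:99:nobody:/:/bin/false\n"   # benign: no hash in passwd
    + b"\x00" * 16
    + b"[cloud]\nuser=admin\npassword=abc123\n"
    + b"\x00\x90\x90"
    + b"rtsp://viewer:viewer@127.0.0.1/live\n"
    + b"\x00"
    + b"-----BEGIN RSA PRIVATE KEY-----\n"
    + b"GET /cgi-bin/snapshot.cgi HTTP/1.0\r\n"  # benign: ordinary request string
)


def main(argv: list[str]) -> int:
    blob = open(argv[1], "rb").read() if len(argv) > 1 else SAMPLE_FIRMWARE
    for f in scan_firmware(blob):
        print(f"0x{f.offset:08x}  {f.kind:18s} {f.text}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no arguments to scan the embedded sample, or pass a path to a real image dumped from flash; on the sample it reports the passwd entry with an md5crypt hash, the `password=` line, the RTSP URL with embedded credentials and the private-key header, and stays quiet on the `nobody:x:` line and the HTTP request string.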
Somewhat off-topic:<p>Recently I watched a news segment in Korea about CCTVs connected to the internet without proper security: so many were wide open, and some could even record sound and play it in real time, and their lists were plainly accessible on some websites. The reporter said that the government had responded by <i>blocking these websites from the Korean internet</i> but people still found ways to access them via VPN.<p>As if that's the crux of the problem.<p>The mind boggles.
My house security and automation systems are all behind a firewall and access to them is proxied, including the video feed concentrator for the security cameras. I've had folks call this overkill but I won't directly expose any IoT-like thing to the Internet these days.
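Added example, not the commenter's own setup: one way to realise "behind a firewall, access proxied" for a camera concentrator. Every address, hostname and path below is an assumption for illustration. The idea is that the NVR's own web server is never reachable from the Internet; the only exposed surface is a reverse proxy that terminates TLS and admits only clients holding a certificate from a private CA, so the camera's homegrown HTTP server and its hardcoded accounts sit behind something that does get updates.

```nginx
# Hypothetical reverse proxy in front of a camera/NVR concentrator.
# Assumed topology: NVR at 192.168.50.10:80 on an isolated camera VLAN whose
# only permitted flow is from this proxy host; proxy listens on the WAN side.
server {
    listen 443 ssl;
    server_name cams.example.net;

    ssl_certificate     /etc/nginx/tls/cams.example.net.crt;
    ssl_certificate_key /etc/nginx/tls/cams.example.net.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Mutual TLS: only clients with a cert issued by our own CA reach the NVR.
    # The NVR login page is therefore never exposed to anonymous scanners.
    ssl_client_certificate /etc/nginx/tls/home-ca.crt;
    ssl_verify_client      on;

    location / {
        proxy_pass         http://192.168.50.10:80;
        proxy_set_header   Host $host;
        proxy_set_header   X-Forwarded-For $remote_addr;
        proxy_set_header   X-Forwarded-Proto https;
        # Video streams can be long-lived; do not let the proxy cut them off.
        proxy_read_timeout 300s;
    }
}

# Plain HTTP is refused outright (444 closes the connection) rather than
# redirected, so a misconfigured client never sends anything in the clear.
server {
    listen 80 default_server;
    return 444;
}
```

The firewall half of this is a policy on the camera VLAN that allows only the proxy host to reach 192.168.50.10 on port 80 and gives the cameras no route to the Internet at all; the specific rules depend on the router, which is why they are not shown here.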
“It’s unfortunate, but each camera will need to be updated manually by users,”<p>So most people aren't going to bother unless they get an alarming email from the manufacturer (assuming they even have a list of customer email addresses). Although these appear to be DVR systems for commercial use so it's more likely that a business would have a service contract with someone to manage these things. The service vendor would probably be more inclined to patch the thing than the business owner would.
Any Internet-connected device is, in fact, a server, and must be seen and managed as one. This means strict control of installed services and, first and foremost, regular <i>updates</i> of all its software components (including firmware). If you acquire and install such a server which either can’t be updated or one which you know, realistically, won’t get any updates six months after installation, that’s asking to lose.
I look at mainstream security devices.<p>I look at cheap camera modules and Linux boards.<p>I look some more at the mainstream security devices.<p>I look again at the cheap cameras and Linux boards.<p>Sadly, security cameras are among the most hackable targets on the Internet, because You™ haven't released that competitive solution you've been thinking about that prioritizes security over unnecessary bells and whistles. When you do, you'll corner that vocal fraction of the community you've always been wanting to meet.<p>It doesn't have to be a bureaucratic, incoherent, legacy-burdened headache built from clipboard-remixed vendor samples. Linux, no blobs, a couple of lightweight services; and you're done. Remote access in the palm of your hand? Too easy. Anything is possible when you design without agendas.<p>--<p>Your plaintext passwords (which you were also using in two other places - argh) just leaked from a vendor's stolen cloud database.<p>An HTTP URL hack that dumps the root password into the browser window surfaced seven months ago.
As opposed to all other days, where simple misconfiguration allows hackers to access CCTV surveillance cameras.<p>(obligatory <a href="https://www.shodan.io/" rel="nofollow">https://www.shodan.io/</a> link ;) )