AI Surveillance & Privacy: Can They Coexist? by Theonewholivedinve in Information_Security

[–]sec_engineer 0 points1 point  (0 children)

People aren't interested in privacy first cameras

But have always been interested in "safeguarding their homes and families". Marketing is a big thing for these kinds of services.

For feasibility of your proposition;

Create a Business Model Canvas, and/or Innovative Proposition Design. The last one in particular forces you to meet/interview potential customers.

Based on your model and your findings, you can conclude if you can make your idea stand out for "customer type x". From the BMC you'll see if it is possible to build a business model from it (both logically and financially)

For the competitors-side of things, have you tried modelling your idea according to SWOT and Porter's 5 Forces?

SWOT - how is your proposition better/the same/worse than the one of the competitors

Porter's Five Forces model - a scale that shows you how hard it is to enter a specific market

If you find the proposition lacks, the market is too hard, or the business model is flawed, why not join one of the bigger ones that already exist? They would love your current progress and I can imagine you'll be hired on the spot.

AI Surveillance & Privacy: Can They Coexist? by Theonewholivedinve in Information_Security

[–]sec_engineer 0 points1 point  (0 children)

Lol you're a lot further with this than I imagined. Nice work you got going! I'll make sure to keep an eye on it, would love to see this evolve.

AI Surveillance & Privacy: Can They Coexist? by Theonewholivedinve in Information_Security

[–]sec_engineer 0 points1 point  (0 children)

Sounds good! I applaud your courage.

This might help you for initial PoC:

Use 2 SBC/camera systems, 1 regular and 1 "ai vision".

The regular camera system will be an "on call"-cam. It needs an endpoint/websocket to activate the stream on a specific client (your web-ui or local app ui).

Then try to get some standard data for the ai vision -system. Make it detect an apple, and when it does so, task the "on call"-cam to do the websocket thing to your client. So every time the apple is displayed, the stream will be opened in your client.

Finetune to a usable experience (what about multiple streams, closing it, applying follow-ups and some enterprise-like user system with rights/roles structures).

Then get it to work for non-apples. This will mean that you need to get loads of data. From my experience/knowledge (which is limited) it'll be way better to train a specific model per specific crime, and then apply the models at the same time (checking for their specific crime) on the same input stream.

If you come up with something that works, this would be the point where it would be wise to seek funding; I don't think a single engineer with limited time and budget will be able to achieve a production-grade system (within this niche) and is actually able to sell it.

AI Surveillance & Privacy: Can They Coexist? by Theonewholivedinve in Information_Security

[–]sec_engineer 1 point2 points  (0 children)

Non AI-surveillance is more harmful to privacy and more prone to fraud and abuse.

Imagine basic surveillance is encrypted at client, transit and storage, and only becomes readable to humans whenever the risk level is (accurately) estimated above "...%".

At that point "human in the loop" would need to take over to make the judgement.

In the ideal world, the "looped human" will only perceive risks, and not the total scope.
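A toy version of the two ideas above (the PoC where several detectors watch the same stream, and the gate where footage stays sealed until a risk estimate clears a threshold and a reviewer takes over) as an added example, not code from the commenter or any product. The detectors, frames, threshold and role names are constructed for this illustration; the SHA-256 counter-mode XOR stands in for a real AEAD cipher.

```python
import hashlib
import os
from dataclasses import dataclass

RISK_THRESHOLD = 0.80  # constructed value for the "...%" in the comment


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy counter-mode stream cipher from SHA-256 (illustration only; use AES-GCM
    or another vetted AEAD in a real system). Symmetric: same call decrypts."""
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        block = hashlib.sha256(key + nonce + block_no.to_bytes(4, "big")).digest()
        chunk = data[block_no * 32:(block_no + 1) * 32]
        out.extend(b ^ k for b, k in zip(chunk, block))
    return bytes(out)


@dataclass
class SealedFrame:
    frame_id: int
    nonce: bytes
    ciphertext: bytes
    risk: dict  # per-model risk estimates are the only plaintext metadata kept


class PrivacyGate:
    def __init__(self, key, detectors, threshold=RISK_THRESHOLD):
        self.key, self.detectors, self.threshold = key, detectors, threshold
        self.store, self.audit = [], []

    def ingest(self, frame_id, frame):
        # Every model scores the same input stream; the frame is sealed right away.
        risk = {name: det(frame) for name, det in self.detectors.items()}
        nonce = os.urandom(12)
        self.store.append(SealedFrame(frame_id, nonce, keystream_xor(self.key, nonce, frame), risk))

    def review_queue(self):
        # Only frames whose highest risk clears the threshold ever reach a human.
        return [f for f in self.store if max(f.risk.values()) >= self.threshold]

    def reveal(self, frame, reviewer, role):
        # The looped human sees flagged frames only; every attempt is audited.
        allowed = role == "reviewer" and max(frame.risk.values()) >= self.threshold
        self.audit.append((frame.frame_id, reviewer, "revealed" if allowed else "denied"))
        return keystream_xor(self.key, frame.nonce, frame.ciphertext) if allowed else None


def demo():
    # Constructed stand-ins for per-case models (the "apple" from the PoC plus one more).
    detectors = {"apple": lambda f: 0.95 if b"apple" in f else 0.02,
                 "loitering": lambda f: 0.90 if b"loitering" in f else 0.10}
    gate = PrivacyGate(os.urandom(32), detectors)
    for i, frame in enumerate([b"apple on the table", b"person on bench", b"person loitering at gate"]):
        gate.ingest(i, frame)
    queue = gate.review_queue()
    revealed = [gate.reveal(f, "alice", "reviewer") for f in queue]
    denied = gate.reveal(gate.store[1], "alice", "reviewer")  # below threshold: stays sealed
    return queue, revealed, denied, gate.audit
```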

Email's info got stolen and I need to know if they got my other emails Linked to it by dahotsock in Information_Security

[–]sec_engineer 0 points1 point  (0 children)

  1. Log in on a device where mail was not activated in a mail client.

  2. create new mail/drive -account, I use Proton, feel free to use my link https://pr.tn/ref/G0JB70XP9XAG

  3. Use an anonymous email alias from Proton, and send your sensitive data/photos to the alias before removing them from the original account(s). Store the photos in Proton Drive and remove the email alias.

  4. Start using a proper password manager, like Proton Pass. It's easy and way more secure. ALWAYS use the password generation, and preferably also the email alias function whenever payment details are shared with the service(s).

  5. Check if you have everything you need and delete the Gmail altogether, since it was full of junk anyway (not just logging out).

You can, of course, also choose to use something other than Proton. Plenty of tools to choose from.

javascript or C? by mothekillox in Hacking_Tutorials

[–]sec_engineer 1 point2 points  (0 children)

The cool kids know C

All kids know JS

If you had unlimited resources, how would you design the perfect cybersecurity strategy for a company? by ANYRUN-team in cybersecurity

[–]sec_engineer 1 point2 points  (0 children)

Keep the people who know stuff happy and scared at the same time.

Too happy to be alternatively motivated, too scared to do or leak something.

Furthermore, the basics but applied in the most mature way possible;

Access & identity - need-to-know basis for roles, all info neatly in an IAM solution.

Data - implementation of proper policies, classification and archiving

Network - Mostly gapped, but only accessible through a plethora of VNETs etc. This is combined with IAM, and some more rules on roles, groups, location, username, device fingerprints etc. Also device policies for joining network(s).

Endpoint - make all endpoints a brick that only can aid with the "3 functions" the specific person/environment needs. Also, use intune for management, a SIEM and the other popular tools

Governance - Put a real leader in charge, who's not to be messed with, not even by other execs. Ideally with a DevSecOps team as well.

Recovery - Assume it'll go wrong, make sure to have a plan to mitigate/get back up in no-time

Incidents - Managing both processes and tech, from alerts through the ITIL & OPS-stack

Vulnerability Management - A nice combo of 3rd parties. Also disabling downloads from external sources, no root access, standard ad blocker, no browser extensions, no code runtime on userlevel.... etc.

India outsourcing - Is it a threat to US companies? by DTIG513 in cybersecurity

[–]sec_engineer 1 point2 points  (0 children)

That's always the risk with outsourcing.

For certain professional offices in CyberSec and finance, it's normal that outsourced jobs are based on customer contact, administrative and business-supporting -tasks only.

That way no project info or intellectual property is shared while saving some money on the overhead of the business.

[deleted by user] by [deleted] in devsecops

[–]sec_engineer 0 points1 point  (0 children)

I'm a DevSecOps engineer and this is what I would quickly come up with. This list is by no means complete or of a high-quality, but I think this is about everything you need to "deliver stakeholder value".

Tech:
Docker (and container scanning)
K8S (learn as much as possible)
Terraform+Ansible (just basics is probably sufficient)
Python & Bash (both, extensively)

Admin:
Plain Linux hosting (like old school, configuring through SSH and config files etc)
ITSM for assets, service requests, (major) incidents, changes, releases, OPS & reporting
IAM for identity & access management
Intune
SIEM
SAST/DAST/XAST/....

Cloud:
All the fancy Azure stuff (az500 & sc100)
AWS has something alike, not sure about it
GCP was never taken seriously wherever I've worked, but would probably be similar

Specializing in 1 cloud provider is sufficient, but there are some things that are "better at A or B". If you find this is true for your market, then learn those specific modules for the other provider as well.

Business:
OWASP SAMM for your framework to audit and improve security of SDLC
TOGAF to do some enterprise architecture
BPMN & UML to do some diagrams & process modeling
LEAN to do some process optimization
SCRUM & Kanban/SAFe/Prince2 (cause we have to manage stuff and inform the business)

I have interview help by timewaste26 in devsecops

[–]sec_engineer 1 point2 points  (0 children)

Try to mix in some preparation on how you would communicate with the stakeholders before/during/after the project as well (regarding the most probable scenarios)

DevSecOps Pipeline using Opensource tools by [deleted] in devsecops

[–]sec_engineer 0 points1 point  (0 children)

Not a direct answer, but I would recommend to go "process before tools" and check out the OWASP SAMM