    Singapore urges need for international organisations to 'reform' in digital age

    Singapore has called on global organisations such as the United Nations (UN) and World Trade Organisation (WTO) to reform, so international rules are in line with cybersecurity and other key digital developments. The Asian nation also underscores the need for unified cooperation against COVID-19, which it notes has accelerated “self-defeating” sentiments worldwide including protectionism and xenophobia. 
    Continued international cooperation was key to overcoming the impact of the pandemic as well as to rebuilding, and nations needed to build greater trust and learn from each other, said Singapore’s Minister for Foreign Affairs Vivian Balakrishnan, in the country’s national statement at the UN General Assembly’s General Debate of the 75th session held Saturday. 
    Delivered via video message, Balakrishnan said in his speech: “The world is facing a period of prolonged turmoil. The multilateral system is confronted by nationalism, xenophobia, the rejection of free trade and global economic integration, and the bifurcation of technology and supply chains. 

    “But, these threats are not new. COVID-19 has, in fact, accelerated and intensified these pre-existing trends. Protectionism and unilateral action will ultimately be self-defeating,” the minister said.
    He noted that modern supply chains were complex, where it was difficult to locally produce all key items since materials and expertise from elsewhere always would be needed at various steps of the process. This was reflected in the disruptions many countries experienced in the flow of essential goods during lockdowns.
    Bifurcation also reduced the global pool of knowledge as well as opportunities for the sharing of benefits from research and innovation. Because countries had been open to sharing scientific knowledge, Balakrishnan noted, test kits could be produced quickly during the early phase of the current pandemic. The same global cooperation now was essential in the development of a vaccine to ensure equitable and universal access, he said. 
    He added that global trust would be eroded if contractual obligations for the export of critical goods and movement of people were breached. 
    He further underscored the need for the rules-based multilateral system to be reformed, so it was “fit for purpose” and able to adapt to the changing realities of today. 
    Apart from the need to work together towards a COVID-19 vaccine and to rebuild communities, Balakrishnan urged continued efforts to address challenges posed by the digital revolution, cybersecurity threats, climate change, and transboundary pollution.
    “We must harness new digital technology for the benefit of all our societies whilst mitigating the possible negative impact,” he said. “COVID-19 has accelerated the deployment of artificial intelligence, robotics, digital payments, e-government services, and remote work.”
    Globally, governments, businesses, and individuals needed to be able to transact and transfer data securely across borders. This stressed the need for the world to develop a “trusted, open, and inclusive cyberspace” underpinned by international law and norms of responsible state behaviour, the minister said. In this aspect, he noted, Singapore supported the UN Secretary-General’s Roadmap for Digital Cooperation. 
    He further urged international institutions to remain inclusive and transparent.
    The UN’s role, for instance, was critical, but the 75-year-old organisation itself needed to “adapt and reform” so it could respond effectively to current and future challenges, and remain relevant for the next 75 years.
    The same was true for the WTO, he added. Noting that the international trade organisation’s rules were designed for an agricultural and manufacturing-based world economy, he said WTO today was in urgent need of reform. 
    Balakrishnan said: “The world needs appropriate rules for services, especially digital services and intellectual property, in preparation for this digital age that is unfolding in front of us.”
    He stressed that an open, rules-based multilateral trading system was a foundation for sustainable global recovery and had enabled countries to trade in goods and services in mutually beneficial ways. Post-pandemic, nations must look to further strengthen this system so it could work better for the future. 
    “International governance, now more than ever before, needs to be more representative, more inclusive, and more open. We need to take into account a wide spectrum of views and do more to acknowledge the rich diversity of our global community,” the Singapore minister said. 

    Google removes 17 Android apps doing WAP billing fraud from the Play Store

    Google this week removed 17 Android applications from the official Play Store. The 17 apps, spotted by security researchers from Zscaler, were infected with the Joker (aka Bread) malware.
    “This spyware is designed to steal SMS messages, contact lists, and device information, along with silently signing up the victim for premium wireless application protocol (WAP) services,” Zscaler security researcher Viral Gandhi said this week.
    The 17 malicious apps were uploaded on the Play Store this month and didn’t get a chance to gain a following, having been downloaded more than 120,000 times before being detected.
    The names of the 17 apps were:
    All Good PDF Scanner
    Mint Leaf Message-Your Private Message
    Unique Keyboard – Fancy Fonts & Free Emoticons
    Tangram App Lock
    Direct Messenger
    Private SMS
    One Sentence Translator – Multifunctional Translator
    Style Photo Collage
    Meticulous Scanner
    Desire Translate
    Talent Photo Editor – Blur focus
    Care Message
    Part Message
    Paper Doc Scanner
    Blue Scanner
    Hummingbird PDF Converter – Photo to PDF
    All Good PDF Scanner
    Following its internal procedures, Google removed the apps from the Play Store and used the Play Protect service to disable them on infected devices, but users still need to manually intervene and remove the apps from their devices.
    Joker is the Play Store’s bane
    But this recent takedown also marks the third such action from Google’s security team against a batch of Joker-infected apps over the past few months.
    Google removed six such apps at the start of the month after they were spotted and reported by security researchers from Pradeo.
    Before that, in July, Google removed another batch of Joker-infected apps discovered by security researchers from Anquanke. This batch had been active since March and had managed to infect millions of devices.
    The way these infected apps usually manage to sneak their way past Google’s defenses and reach the Play Store is through a technique called “droppers,” where the victim’s device is infected in a multi-stage process.
    The technique is quite simple, but hard to defend against, from Google’s perspective.
    Malware authors begin by cloning the functionality of a legitimate app and uploading it on the Play Store. This app is fully functional and requests access to dangerous permissions, but doesn’t perform any malicious actions when it’s first run.
    Because the malicious actions are usually delayed by hours or days, Google’s security scans don’t pick up the malicious code, and Google usually allows the app to be listed on the Play Store.
    But once on a user’s device, the app eventually downloads and “drops” (hence the name droppers, or loaders) other components or apps on the device that contain the Joker malware or other malware strains.
    The Joker family, which Google tracks internally as Bread, has been one of the most ardent users of the dropper technique. This, in turn, has allowed Joker to make it on the Play Store —the Holy Grail of most malware operations— more than many other malware groups.
    In January, Google published a blog post where it described Joker as one of the most persistent and advanced threats it has dealt with in the past years. Google said that its security teams had removed more than 1,700 apps from the Play Store since 2017.
    But Joker is far more widespread than that, as it is also found in apps uploaded on third-party Android app stores.
    All in all, Anquanke said it detected more than 13,000 Joker samples since the malware was first discovered in December 2016.
    Protecting against Joker is hard, but if users show some caution when installing apps with broad permissions, they can avoid getting infected.
    In other Android security news
    Bitdefender reported a batch of malicious apps to Google’s security team. Some of these apps are still available on the Play Store. Bitdefender didn’t reveal the name of the apps, but only the names of the developer accounts from which they were uploaded. Users who have installed apps from these developers should remove them right away.
    Nouvette
    Piastos 
    Progster 
    imirova91 
    StokeGroove 
    VolkavStune 
    ThreatFabric also published a report about the demise of the Cerberus malware and the rise of the Alien malware, which contains features to steal credentials for 226 applications.

    KuCoin cryptocurrency exchange hacked for $150 million

    Singapore-based cryptocurrency exchange KuCoin disclosed today a mega hack. In a statement posted on its website, the company confirmed that a threat actor breached its systems and emptied its hot wallets of all funds.
    Hot wallets are cryptocurrency management apps that are connected to the internet. Cold wallets are stored offline.
    Cryptocurrency exchanges like KuCoin use hot wallets as their temporary storage systems for assets that are currently being exchanged on the platform, and they are used to power conversion operations and funds transfers.
    KuCoin said it detected the hack after observing “some large withdrawals” from its hot wallets on September 26.
    The company said it started a security audit and discovered the missing funds. KuCoin said the hacker managed to steal Bitcoin assets, ERC-20-based tokens, along with other types of tokens.
    Currently, the loss is estimated at a minimum of $150 million, based on an Ethereum address where users tracked some of the stolen funds.
    KuCoin has not returned an additional request for comment.
    However, KuCoin CEO Johnny Lyu is scheduled to provide additional details about the security breach in a live stream at 12:30 (UTC+8), September 26, 2020.
    KuCoin also promised to reimburse users who lost funds in the hack using its cold wallets. Deposits and withdrawals have been temporarily suspended while the company’s security team investigates the incident.

    Pastebin adds 'Burn After Read' and 'Password Protected Pastes' to the dismay of the infosec community

    Pastebin, the most popular website where users can share small snippets of text, has added two new features today that cyber-security researchers believe are going to be widely and wildly abused by malware operators.
    Named “Burn After Read” and “Password Protected Pastes,” the two new features allow Pastebin users to create pastes (pieces of text) that expire after a single read or pastes that are protected by a password.
    Neither of the two features is original, as they have been present on many paste sites for years.
    However, they are new to Pastebin, which is, by far, today’s most popular pastes portal, being ranked in the Alexa Top 2,000 most popular sites on the internet.
    Pastebin has been abused in malware operations
    As with anything popular, this has also attracted a lot of bad content that has been hosted on the platform. While some people use it to host pieces of code or text they want to share with a colleague, over the past decade, Pastebin has also turned into a de-facto hosting service for malicious code.
    Across the years, malware authors have used Pastebin to store malicious commands that they retrieve and run on infected hosts, hacked data, IP addresses for malware command and control servers, and many other operational details.
    Ted Samuels, an incident response (IR) consultant, told ZDNet today that it’s hard to put a number or percentage on Pastebin’s presence in malware operations, but described it as “not uncommon.”
    “Pastebin is by far the most prolific ‘paste site’ and fairly popular staging ground for fileless attacks using PowerShell. For example, a threat actor’s initial payload may use PowerShell to download additional (and often obfuscated) content from pastebin.com for further execution via PowerShell. The prolific CobaltStrike framework can be loaded this way.”
    To counteract Pastebin’s rising popularity among malware devs, throughout the years, cyber-security companies have created tools that scrape new Pastebin entries to search for malicious or sensitive-looking content as soon as it’s uploaded on the site. These malicious pastes are indexed in private threat intel databases that are later used for incident response, and are also reported to Pastebin to have them taken down.
    But now, security researchers argue that by adding the two new features today, Pastebin is blocking their good-will efforts to detect malware operations and is catering more to the malware crowd rather than actual users and the good guys.
    “Unless they’re taking measures that aren’t immediately apparent to prevent the use of Burn After Reading and Password Protection for C2 and malware staging, those would seem to be pretty helpful new features for attackers who use PasteBin for those ends,” Brian, a security researcher from Pittsburgh, told ZDNet.

    I can already see how this is going to be abused by threat actors. Going to make tracking these threats 100x harder. Who is pastebin working for? Security or threat actors? https://t.co/wX088qpX7Z
    — Jake (@JCyberSec_) September 25, 2020

    But the impact of the new features goes beyond detecting what was uploaded on the site in real time. It also affects post-infection IR investigations.
    “This new change will now make it harder for incident responders to quickly evaluate what may have been downloaded and executed in some environments,” Samuels told ZDNet.
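On the defender's side, the staging pattern Samuels describes can be caught at the endpoint, where the fetched URL is recorded even if the paste can no longer be read afterwards. The following is an added example, not code from the article or from any vendor: the log layout, computer names, paste IDs and the `example.org` domains are constructed, and the host list holds only the two paste sites named in the article.

```python
import re
from urllib.parse import urlsplit

# Paste hosts named in the article; a real deployment would maintain its own list.
PASTE_HOSTS = {"pastebin.com", "postb.in"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}
URL_RE = re.compile(r"https?://[^\s'\"()<>|]+", re.IGNORECASE)

# Constructed process-creation records: timestamp|computer|image|command line.
# Computer names, paste IDs and domains are placeholders, not real indicators.
SAMPLE_LOG = r"""
2020-09-25T10:02:11Z|WS-014|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -c "Invoke-WebRequest -Uri 'https://pastebin.com/raw/EXAMPLE01' -OutFile t.txt"
2020-09-25T10:05:40Z|WS-022|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -c "Invoke-WebRequest https://intranet.example.org/pastebin.com/notes"
2020-09-25T10:07:03Z|WS-031|C:\Program Files\Google\Chrome\Application\chrome.exe|chrome.exe https://pastebin.com/EXAMPLE03
2020-09-25T10:09:30Z|WS-040|C:\Program Files\PowerShell\7\pwsh.exe|pwsh -Command "Invoke-RestMethod http://WWW.PASTEBIN.COM/raw/EXAMPLE02"
2020-09-25T10:11:52Z|WS-051|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -c "Invoke-WebRequest https://postb.in/EXAMPLE04"
2020-09-25T10:13:18Z|WS-060|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -c "Invoke-WebRequest https://pastebin.com.example.org/x"
"""


def is_paste_host(hostname):
    """True for a listed paste host or one of its subdomains, never for look-alikes."""
    host = (hostname or "").lower().rstrip(".")
    return any(host == p or host.endswith("." + p) for p in PASTE_HOSTS)


def find_paste_fetches(log_text):
    """Return one record per paste-site URL seen on a PowerShell command line."""
    hits = []
    for line in log_text.strip().splitlines():
        fields = line.split("|", 3)          # the command line itself may contain '|'
        if len(fields) != 4:
            continue                         # skip malformed records
        timestamp, computer, image, cmdline = fields
        if image.rsplit("\\", 1)[-1].lower() not in POWERSHELL_IMAGES:
            continue                         # only PowerShell processes are in scope
        for url in URL_RE.findall(cmdline):
            try:
                parts = urlsplit(url)
            except ValueError:
                continue                     # unparsable URL text
            # Match on the parsed host, not a substring of the command line.
            if is_paste_host(parts.hostname):
                hits.append({
                    "time": timestamp,
                    "computer": computer,
                    "paste_host": parts.hostname,
                    "path": parts.path,
                    "url": url,
                })
    return hits


if __name__ == "__main__":
    for hit in find_paste_fetches(SAMPLE_LOG):
        print(hit["time"], hit["computer"], hit["url"])
```

Matching on the parsed host name rather than on the string `pastebin.com` is what keeps the intranet URL and the look-alike domain in the sample out of the results.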
    Long-time bad blood
    But the acidic reaction towards Pastebin’s two new features today is also because of the cyber-security community’s rocky relationship with the site.
    Across the years, security researchers have often accused its admins of dragging their feet when needing to take down malicious pastes. Things got very heated earlier this year in April when Pastebin wanted to discontinue the Scraping API, a tool cyber-security researchers were using to detect new content being uploaded on Pastebin.
    Pastebin backtracked on the change after massive backlash and media coverage.
    It is unclear what Pastebin thinks of the cyber-security community’s latest reaction to its newest features, but in an email, the company said it added “Burn After Read” and “Password Protected Pastes” at the request of its users.
    “Pastebin stores important data for our users starting from calculations and engineering data, such as algorithms, logs from various services, robots, network devices and ending with proprietary software code,” the company said.
    “We have received many requests from our users to implement these features because of their privacy rights, and to help our users protect their work.”
    “Pastebin was created by developers for developers, and is used globally by millions. Of course, every platform has bad actors that try to take advantage, including Github, Twitter, Facebook, Dropbox, Privnotes & Sendspace to name a few,” Pastebin said.
    As Pastebin pointed out, cyber-security researchers may also be overreacting, as there are dozens of other paste sites like Pastebin around, some of which are even more lenient towards allowing abuse on their platforms when compared to Pastebin.
    “Of course there is some overreaction from infosec Twitter, and it’s not just Pastebin. There are many paste sites with similar functionality, postb.in for example,” Samuels said.
    Keeping sites like Pastebin accountable for the features they support is necessary, but the two new features also have legitimate uses. If Pastebin is truly so bad, then other actions should have been taken years ago.
    “Pastebin and other paste websites should be blocked inside company networks,” SwitHak, a security researcher from France, told ZDNet.
    “We know that it is used by bad guys. We need to act in consequence.
    “We know the vector, let’s burn it and force attackers to use their own servers. If they host the malware configuration on their own servers, we can burn the attackers’ infrastructure. It’s about making the attack more complicated for the attackers, forcing them to play in our field and imposing cost,” SwitHak added.

    However, Pastebin says that while the two new features might be abused, the company also has features to help the good guys.
    Earlier this year, we introduced the new Enterprise API subscription to provide better data subscription for our business customers.
    Partnered with global cyber security companies for the protection of our site as well as enriching the data of their products and services.
    Partnered with global CERTs (Computer Incident Response Center Luxembourg, Canadian Centre for Cyber Security, Austrian Energy CERT) and law enforcement agencies.
    Internally, as it relates to malicious content, in partnership with the organizations mentioned above, we take proper actions in mitigating these data.
    For researchers, academia and industry organizations approved by us, we grant this access at no cost.
    Lastly, implementation of Abuse Management and Threat Analysis teams who work closely with law enforcement and industry partners.
    Updated with comments from Pastebin, as they arrived post publication.

    Twitter warns of possible API keys leak

    Twitter is notifying developers today about a possible security incident that may have impacted their accounts.
    The incident was caused by incorrect instructions that the developer.twitter.com website sent to users’ browsers.
    The developer.twitter.com website is the portal where developers manage their Twitter apps and attached API keys, but also the access token and secret key for their Twitter account.
    In an email sent to developers today, Twitter said that its developer.twitter.com website told browsers to create and store copies of the API keys, account access token, and account secret inside their cache, a section of the browser where data is saved to speed up the process of loading the page when the user accessed the same site again.
    This might not be a problem for developers using their own browsers, but Twitter is warning developers who may have used public or shared computers to access the developer.twitter.com website — in which case, their API keys are now most likely stored in those browsers.
    “If someone who used the same computer after you in that temporary timeframe knew how to access a browser’s cache, and knew what to look for, it is possible they could have accessed the keys and tokens that you viewed,” Twitter said.
    “Depending on what pages you visited and what information you looked at, this could have included your app’s consumer API keys, as well as the user access token and secret for your own Twitter account,” Twitter said.
    Twitter said it fixed the issue by changing what content gets cached when users access the developer.twitter.com portal.
    The social network also said it has no indication that any API keys have leaked this way, as an attacker must have (1) known about the bug, and (2) had access to a developer’s browser to extract the keys and tokens.
    Nonetheless, Twitter decided to notify developers, just to be on the safe side.
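The article does not say which instructions were sent to the browser. As an added illustration (not Twitter's code), the check below assumes the standard `Cache-Control` response header and shows which directives still let a browser write a page to its cache; the paths and header values in the sample are constructed.

```python
from dataclasses import dataclass


def parse_cache_control(value):
    """Return {directive: argument or None} with lower-cased directive names."""
    parts, current, in_quotes = [], "", False
    for ch in value:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == "," and not in_quotes:   # commas inside "..." belong to the argument
            parts.append(current)
            current = ""
        else:
            current += ch
    parts.append(current)
    directives = {}
    for item in parts:
        name, _, arg = item.strip().partition("=")
        if name:
            directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives


@dataclass
class Verdict:
    browser_may_store: bool
    reason: str


def audit_sensitive_response(headers):
    """Decide whether a browser is allowed to keep a copy of this response."""
    normalized = {k.lower(): v for k, v in headers.items()}  # names are case-insensitive
    cc = parse_cache_control(normalized.get("cache-control", ""))
    if "no-store" in cc:
        return Verdict(False, "no-store: caches must not keep a copy")
    if not cc:
        return Verdict(True, "no Cache-Control: nothing forbids storing the page")
    if "no-cache" in cc:
        return Verdict(True, "no-cache forces revalidation but a copy is still stored")
    if "private" in cc:
        return Verdict(True, "private excludes shared caches, not the user's browser")
    return Verdict(True, "no directive forbids storage")


# Constructed responses for pages that would render keys or tokens.
SAMPLE_RESPONSES = [
    ("/portal/keys (weak)", {"Cache-Control": "private, max-age=3600"}),
    ("/portal/tokens (weak)", {"cache-control": "no-cache, must-revalidate",
                               "Pragma": "no-cache"}),
    ("/portal/app (weak)", {"Content-Type": "text/html"}),
    ("/portal/keys (corrected)", {"Cache-Control": "no-store"}),
]


def pages_left_in_cache(responses):
    """Labels of the responses a browser on a shared computer may retain."""
    return [label for label, headers in responses
            if audit_sensitive_response(headers).browser_may_store]


if __name__ == "__main__":
    for label, headers in SAMPLE_RESPONSES:
        verdict = audit_sensitive_response(headers)
        print(f"{label}: store={verdict.browser_may_store} ({verdict.reason})")
```

Of the directives shown, only `no-store` keeps the response out of the browser's cache; `private` and `no-cache` are the usual near-misses.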

    “I believe that Twitter did the right thing by notifying the Developers,” John Jackson, an Application Security Engineer at Shutterstock, told ZDNet today.
    “While I’m sure they will face scrutiny, transparency about security issues is a commendable community practice,” he added.
    “Generally, caching sensitive information such as API keys on the client-side is an extremely bad practice and an obvious misconfiguration. The overall risk of this vulnerability is one that should undoubtedly be taken seriously, but the probability of day to day exploitation is low,” Jackson said.
    “I am curious to know what other sensitive information Twitter is caching, as this is not the first situation in which Twitter has done this, seen before when it was discovered that messages were being cached,” Jackson said, referring to a similar incident the social network disclosed in April when it said that some private files sent via direct messages might have remained in the browser cache of Firefox browsers.

    You can bypass TikTok's MFA by logging in via a browser

    A month after TikTok rolled out multi-factor authentication (MFA) for its users, a ZDNet reader discovered that the company’s new security feature was only enabled for the mobile app but not its website.
    This lapse in TikTok’s MFA implementation opens the door for scenarios where a malicious threat actor could bypass MFA by logging into an account with compromised credentials via its website, rather than the mobile app.
    Reached out for comment on the ZDNet reader’s findings, a TikTok spokesperson said the company plans to expand MFA to cover its official website in the coming future.
    In the meantime, users who have enabled MFA for their TikTok account for security reasons should not lower their guard and reuse passwords from other accounts, thinking MFA blocks all attackers. These users should continue to use complex and hard-to-guess passwords.
    TikTok web dashboard has limited features
    However, while this is technically an “MFA bypass,” the issue is also not as dangerous as it sounds due to the limited options available to TikTok users in the web dashboard.
    For example, even if an attacker manages to guess or phish a TikTok user to obtain their account credentials, the attacker can’t change the user’s password via the web dashboard to fully hijack an account.
    The only meaningful option they have at their disposal is to upload & post a video to deface the user’s account or promote scams.
    However, just because they can’t hijack the account, this doesn’t mean the account is useless. For example, attackers could mount a mass-defacement campaign to promote various topics, from scams to political propaganda.
    One such incident happened on Facebook and Instagram earlier this year, security researcher Zach Edwards told ZDNet in an email interview this week. A mysterious hacker broke into Facebook and Instagram accounts, changed the users’ avatars to an image of an ISIS flag, and the accounts were suspended and locked after being flagged by Facebook’s image recognition algorithms, making account recovery a painful and long process for the hacked users.
    Moreover, Edwards raises additional questions.
    “If TikTok doesn’t actually turn on 2-factor security for an account when a user sets that up, it raises questions about whether the cell phone numbers are being used for a different purpose,” Edwards said.
    “It’s a well-known fact that Facebook and other companies have abused 2-factor SMS signups, and a clear indicator that TikTok has done something similar is the reality that the TikTok 2-factor is an illusion, and totally optional when using the website login features.”
    The “Active Sessions” page will need to be fixed as well
    The good news is that TikTok does intend to fix this issue. However, several other issues will also have to be addressed.
    The ZDNet reader who brought this issue to our attention also pointed out that the TikTok mobile app doesn’t show sessions taking place in real-time from the web dashboard. In its current form, this means that TikTok doesn’t warn users when someone used their credentials to access their TikTok account via a browser.

    Nonetheless, even if there’s a loophole in TikTok’s current MFA implementation, this doesn’t mean users shouldn’t use it. In fact, they should most definitely use it.
    MFA is a security measure that forces users who are accessing an account to provide a second “factor” after providing their username and password. This factor can usually take the form of a one-time code sent via SMS or email, a biometric solution, or a cryptographic token provided by a security key.
    Many online companies provide MFA as a second layer of authentication in order to protect accounts against situations where the owner’s credentials have been leaked or acquired by a third-party.
    TikTok rolled out SMS and email-based MFA to its 800 million userbase last month in August. The feature is called two-step verification (2SV) in the app’s settings page, and users can enable it by following the steps laid out here.
    The company also requires users by default to use complex passwords and also “encourage users to update passwords regularly and avoid using the same passwords across platforms,” a spokesperson said.
    In addition, the web login page is also protected by a CAPTCHA field, which seriously increases the threshold for successful credential-stuffing or other forms of automated attacks.
    But to be clear, other social media apps like Facebook, Twitter, Instagram, and others, support MFA on their web dashboards and this security feature should apply to all of a service’s realty, and not just the mobile app.

    Of course I want an Amazon drone flying inside my house. Don't you?

    A friend that hovers and never leaves.
    I always know a new product is excellent when its makers describe it as “next-level.”

    “Next-level of what? Insanity?,” I hear you moan, on seeing the new, wondrous Ring Always Home Cam.
    Oh, how can you be such a killjoy?
    When Amazon’s Ring describes it as “Next-Level Compact, Lightweight, Autonomously Flying Indoor Security Camera,” surely you leap toward your ceiling and exclaim: “Finally, something from Amazon I actually want! A drone that flies around my living room!”
    For this really is an indoor drone that flies around the room, taking pictures the minute you want. Who can wait, moreover, for the minute your dog leaps up at it and tries to take it out with a nosebutt?
    The possibilities with the Always Home Cam are as plentiful as they are delicious.
    This drone can tell you when you’ve left the oven on. Because, of course, that rancid burning smell won’t have told you to raise your backside from its customary prostrate slumber before your house catches fire.
    You can also use it to constantly harass your dog, your kids, or even your long-suffering spouse.
    Just imagine how much more your little Jocasta will love you when you send the Always Home Cam into her bedroom to make sure she’s doing her homework.
    Ring isn’t, of course, selling it like that.
    Instead, it offers: “Ever feel like you left the door unlocked, or forgot to turn off the stove? Do you receive a Ring Alarm alert and immediately want to see what’s happening? The Ring Always Home Cam is here to help. This compact, lightweight, autonomously flying indoor camera gives even greater visibility when you’re not home.”
    If there’s anything that I want when I’m not home, it’s even greater visibility of my home. Because how can I relax outside my home if I don’t have even greater visibility of what’s going on inside it?
    After all, paranoia is one of technology’s most fertile feeding grounds. It’s likely in second place after self-aggrandizement.

    Naturally, one or two fearful thoughts enter my mind.
    What if hackers — or, perish the concept — the police begin to fly this thing around your house? (‘Just a routine search, sir.’)
    What if it flies into the bathroom at an extremely inappropriate moment?
    What if it mistakes your Roomba for a female Always Home Cam?
    If you’re scared of this magical new device, you’d be astonished how much it scares intruders. As Amazon’s ad shows, just the mere sight of an Always Home Cam will send a burglar scurrying out of your house and straight to his psychotherapist.
    Please, I’d no more allow a Ring product near my house than I’d allow Jeff Bezos to tug at my individual leg hairs. The company’s security snafus are legendary. But I can see so very many people wanting one of these to impress friends and depress family members.
    Naturally, Amazon insists this thing has privacy built into its core, just like the company’s altruism. It only films when it’s high above the level of your dining table.
    Equally naturally, this device won’t be available until next year.
    Perhaps this is because, on Amazon’s own website, images of the Always Home Cam are adorned with a disclaimer: “Ring Always Home Cam has not been authorized as required by the rules of the Federal Communications Commission. Ring Always Home Cam is not, and may not be, offered for sale or lease, or sold or leased until authorization is obtained.”
    I can never remember an Amazon product that has excited me more. And to think it makes a buzzing noise while it flies around the house, too.

    Always Home Cam: Amazon's robot drone flying inside our homes seems like a bad idea

    I actually had to double-check my calendar to make sure today wasn’t April Fool’s. Because watching the intro video of an indoor surveillance drone operated by Amazon seemed like just the sort of geeky joke you’d expect on April 1.

    But it isn’t April Fools, and besides, Google has always been the one with the twisted sense of humor. Amazon has always been the one with the twisted sense of world domination.
    This was a serious press briefing. None of the Amazon execs presenting even went so far as to crack a pun. Other than Bezos’ maniacal laugh, you rarely ever see an Amazon exec even chuckle.
    So the $249 autonomous Always Home Cam announcement wasn’t a joke. It’s an upcoming product expected in 2021. And, as much as it scares me and is likely to scare my wife (and it’s probably going to scare the dog), I think I have to have one.
    So let’s take a moment to recap the absurdity of what we’re talking about.
    Let’s welcome Skynet into our homes
    We don’t have a lot of details, but the video below will give you a quick view of its basic capabilities.
    [embedded content]
    This is similar in some ways to the highly autonomous Skydio, but designed for indoor flying. The device is roughly the size of a 9-inch square baking pan (but a little thinner, perhaps). It lives in its charging dock (which also blocks the camera’s view when docked). Once you launch the device from your Ring app (and, presumably, via Alexa), the little device goes airborne.
    And it flies. Through your house.
    Amazon says you can specify a flight path, map your house, locate points of interest, and generally instruct the eye of Skynet where to fly. Cyberdyne, uh, Amazon also says the device has built-in obstacle avoidance.
    Let’s think about that for a minute. Will the device be able to avoid hanging lamps or plants? What about objects high up on shelves? Will it be able to stand back when a sleep-addled adult gets up in the middle of the night to do middle-of-the-night business? Why would it be out and about at that time anyway?
    And what about the downdraft? How close can it fly to bookshelves and knickknacks without air-blasting them to the ground?
    How much will it freak out your pets? My spouse? Your spouse? Just how creepy would it be for it to hover over the kids’ beds because you’re too lazy to get off the couch to see if they’re asleep?
    Every rational fiber of my being tells me this is wrong on every level. But as you all know, I don’t have that many rational fibers left. I’m the guy with an Alexa in every room, now including the bathrooms.

    What could you do with this thing?
    If we weren’t living in a pandemic, I’d definitely use this to freak out my friends. Invite them over and then, suddenly, have a drone follow them. I know two or three buddies who that, alone, would push over the edge. But we can’t have friends over now, and besides, they read my column. So now they know and the surprise factor is gone. Bummer.
    The Always Home Cam is primarily meant as a remote security cam. If you’re out and you get an alert from a Ring doorbell or other security device (I wonder if this will work with other trigger devices), you can virtually fly around your house and see what’s happening.
    Back in the day, when I worked 12-16 hour days in an office, I would have loved to have this routinely check on my cat (I had a sweet longhair named Samantha back then). After about five or six hours at work, I always started to worry about whether she’d climbed up a drapery and gotten stuck there. This drone would have let me check.
    I do see this as a laziness enabler. Let’s say you’re not sure if you locked the back door or turned off the stove. From the comfort of the couch, you could send the Always Home Cam (can we agree right now that this thing needs an anthropomorphized name?) to check for you.
    I’m actually intrigued about using this to check on my 3D printers. I do have cams on many of the printers, but it would be great to be able to send it to each and see whether or not there are problems or jams.
    Of course, I usually operate the printers behind closed doors to reduce the sound, so either I’d have to leave the doors open or teach Flying Alexa how to open the door.
    I’d love to be able to use this as a cam for filming YouTube videos, especially if it can run a specific path and station keep. It’s not clear how much flight time a battery charge holds, but if it’s anything like the drones I fly now, we’re looking at about 10-20 minutes, which would be enough to film any one process for a video.
    My guess is that the capabilities (and especially the extended use options) will be very limited on launch. But as we’ve seen with Alexa, it’s quite likely that new features will be added over time.
    David’s final thoughts
    I don’t know. The more I think about this, the more I want one…bad. But the more I think about it, the more I think it has to be a bad idea. The potential hacking threat is disturbing. The idea that someone could decide to launch a drone inside my house and watch me remotely is unsettling.
    Also: Chris Matyszczyk most decidedly does NOT want one in his home
    Personally, I’m not too concerned because my home life is already almost fully documented online, the aspects of my life you don’t see are boring, and no one wants to watch a middle-aged man walk around the house.

    But the implications of abuse by law enforcement and possible stalkers are troubling. If someone has one of these Always Home Cams, can a court order compel Amazon to allow law enforcement to conduct an airborne search of a suspect’s home? Can a hacker or a stalker gain access to the video feed (remember, all it takes is a user name, password, and possibly an authentication code) and watch a victim from the comfort of his or her evil lair?
    Amazon does say the device emits an obvious and clearly identifiable sound while flying, so you can hear the machine coming. But what about those who are hard of hearing?
    On the other hand, the possibilities for elder care are interesting. If an aging or infirm parent doesn’t answer a call, it might be possible to launch a drone to make sure the elder hasn’t fallen on the floor away from any way to call for help. On the other hand, how much would something like this freak out an elder, especially one that might be cognitively impaired?
    Again, I have to say “I don’t know.” If this thing works, it’ll be a game changer and we’ll have to do a lot of thinking about implications and appropriate use.
    One thing’s for sure. Amazon doesn’t just want to hear you at home. It wants to be a full-fledged housemate. Whether that’s good or bad, only time will tell.
    What about you? Is this something you desperately want or something you’re desperate to avoid? Let us know in the comments below.
    You can follow my day-to-day project updates on social media. Be sure to follow me on Twitter at @DavidGewirtz, on Facebook at Facebook.com/DavidGewirtz, on Instagram at Instagram.com/DavidGewirtz, and on YouTube at YouTube.com/DavidGewirtzTV.
