So I've just learned that it is standard practice for police departments to obfuscate dashcams and other recordings by using proprietary formats, like QBX (that is supposed to be a QuickBooks file, but there is a screen recording format for that too). To make this functional, they burn the QBX file to an ISO image (or maybe an actual CD / DVD) and on the disk include an AutoRun configuration with a set of instructions to open the file, and an application to view the file.
So importantly, this process is used to make things difficult, but protects nothing. Anyone with physical access to the ISO (copy or whatever) can view the file; there's no security whatsoever. Anyone can open the AutoRun text file and see the necessary parameters (or alter them). There's no encryption, no chain of custody stuff, no MD checksums to verify if things have been tampered with. Nothing here is for security. The only function seems to be to attempt to make it as difficult as possible for the public to obtain and use public records (which can then also make things difficult for the police departments, too, of course).
But here are the real issues. Using a completely proprietary format (a format not even designed for this use case, it should be noted) causes a few key problems:
- It forces people to download loads of data instead of just the video. It's an unnecessary waste of both police and public resources.
- It forces everyone to view files only on Windows devices, the least secure option. You can secure Windows, but this is a situation where that would rarely happen.
- It requires a relatively large number of files, plus configuration and compatibility, all of which is very easy to break and can extremely easily become legacy and unreadable over time. What works today doesn't necessarily work tomorrow.
- It requires anyone who is going to use the video to run an unverified and absolutely untrustworthy application that cannot be tested or patched (which breaks many security rules).
This means that by the use of this system both the police and the public (who have no choice) are forced into buying Windows systems just for this purpose and into running untrustworthy software on that Windows machine. This should break any number of fundamental security processes. No police officer should ever fall for a social engineering trick like this. This would be a very simple way to inject a rootkit or trojan into the police department because they are running a completely unverified application. You could provide a download, or just hand out a DVD. The police (and the public) have been trained to blindly run the application on the DVD. They have to do it every day, so the fundamental security that we trust to exist in any government office is totally bypassed.
This is so blatantly impractical, serves no legitimate purpose, undermines basic security to a point that no one, technical or not, has a real excuse to fall for it, is a clear violation of public trust, and pushes the agenda of private companies at the expense of the public good and police efficiency, that it is hard to see the use case as anything less than social engineering on a grand scale. How many police departments have been conditioned to accept something that is literally the textbook example of social engineering for installing a rootkit? The police are promoting the very thing they are tasked with protecting us against.
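The two gaps described above, the readable AutoRun file and the absence of any checksums, can be covered by the recipient before anything on the disc is run. The following is an added example, not part of the original post: it lists what `autorun.inf` asks Windows to launch and records a SHA-256 manifest that later copies can be compared against. The disc contents and the file names `viewer.exe` and `video.qbx` are constructed for illustration.

```python
import configparser
import hashlib
from pathlib import Path

EXEC_KEYS = ("open", "shellexecute")  # autorun.inf keys that start a program

def read_autorun(disc_root):
    """Return the [autorun] keys from autorun.inf as a dict (empty if absent)."""
    root = Path(disc_root)
    # Names on ISO 9660 discs are often upper-case, so match case-insensitively.
    inf = next((p for p in root.iterdir() if p.name.lower() == "autorun.inf"), None)
    if inf is None:
        return {}
    parser = configparser.RawConfigParser(strict=False)
    parser.read_string(inf.read_text(encoding="utf-8-sig", errors="replace"))
    for section in parser.sections():
        if section.lower() == "autorun":
            return dict(parser.items(section))  # keys are lower-cased by the parser
    return {}

def launch_targets(autorun):
    """Programs the disc asks to start (first token of each exec key)."""
    # Simplification: assumes the program path itself contains no spaces.
    return [autorun[k].split()[0] for k in EXEC_KEYS if autorun.get(k)]

def manifest(disc_root):
    """Map each file's relative path to its SHA-256 digest."""
    root = Path(disc_root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def changed(recorded, current):
    """Paths added, removed or modified since the manifest was recorded."""
    return sorted(k for k in recorded.keys() | current.keys()
                  if recorded.get(k) != current.get(k))

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:  # constructed stand-in for a mounted disc
        Path(d, "AUTORUN.INF").write_text("[AutoRun]\nopen=viewer.exe video.qbx\n")
        Path(d, "viewer.exe").write_bytes(b"MZ constructed viewer")
        Path(d, "video.qbx").write_bytes(b"constructed recording")
        before = manifest(d)
        print("would launch:", launch_targets(read_autorun(d)))
        Path(d, "viewer.exe").write_bytes(b"MZ swapped viewer")
        print("changed since manifest:", changed(before, manifest(d)))
```

A manifest only proves anything if it is recorded at the time the disc is produced and kept apart from the disc itself.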