Full Report
Artist Morry Kolman will be livestreaming feeds of the NBA champions’ ticker-tape parade from NYC’s traffic cameras—and this time, the city’s Department of Transportation isn’t demanding he stop.
Analysis Summary
# Morning News Roll-up June 18, 2026
## Overview
Today's report focuses on the intersection of public surveillance infrastructure and artistic exploitation. The primary narrative involves the redirection of municipal traffic camera feeds for unauthorized public broadcasting, highlighting potential vulnerabilities in the security and governance of city-wide Internet of Things (IoT) devices.
## Top Stories
### Exploitation of NYC Traffic Surveillance Infrastructure
- Summary: Artist Morry Kolman has bypassed traditional municipal control of New York City Department of Transportation (DOT) traffic cameras to livestream public events via a platform called "GardenCam." While the city has previously issued cease-and-desist orders for similar activities, the current campaign highlights a lack of technical enforcement to prevent the scraping and redistribution of these sensitive feeds.
- Source: hxxps://www[.]wired[.]com/story/how-to-watch-the-knicks-parade-on-nyc-traffic-surveillance-cameras/
### GardenCam: Unauthorized Aggregation of IoT Feeds
- Summary: The "GardenCam" project functions as a centralized hub for monitoring localized activities, originally focusing on Madison Square Garden. The project demonstrates how publicly accessible but restricted municipal data can be weaponized or repurposed to monitor police perimeters and "police state" impositions.
- Source: hxxps://gardencam[.]wttdotm[.]com/
### Traffic Cam Photobooth Historical Incident
- Summary: In a predecessor campaign, the actor utilized NYC’s surveillance network to create a "photobooth" application. This resulted in a formal legal challenge (Cease and Desist) from the NYC DOT, citing unauthorized use of government assets and safety hazards.
- Source: hxxps://www[.]trafficcamphotobooth[.]com/
---
# Unauthorized Redistribution of Municipal Surveillance Feeds
## Key Points
- **System Misuse:** Publicly accessible traffic camera streams are being scraped and re-streamed to third-party domains without municipal authorization.
- **Surveillance Reflexivity:** The tools are being used to monitor law enforcement movements, specifically the imposition of security perimeters around high-profile events.
- **Legal vs. Technical Controls:** Despite previous cease-and-desist actions, the actor continues to exploit the lack of robust authentication on the camera feed URLs.
- **Public Safety Risks:** Previous iterations encouraged users to enter roadways to interact with cameras, creating physical safety concerns.
## Threat Actors
- **Morry Kolman:** An independent actor/artist categorized as a "high-effort shitposter" who specializes in technical circumvention for public performance.
- **Motivations:** Artistic expression, social commentary, and challenging municipal data ownership.
## TTPs
- **Web Scraping:** Extracting direct video stream URLs from NYC DOT public-facing portals.
- **Data Aggregation:** Centralizing multiple geographic feeds into a single dashboard for real-time monitoring.
- **Bypassing Policy Controls:** Ignoring administrative legal notices (Cease and Desist) to continue operations under new domains.
- **Public Attribution:** Using social media and art exhibitions (e.g., Art Basel) to publicize the successful exploitation of government infrastructure.
## Affected Systems
- **NYC Department of Transportation (DOT) Traffic Cameras:** Network-connected cameras used for traffic management.
- **Municipal Web Servers:** Infrastructure hosting the "camera map" and live feed data.
- **Public Safety Perimeters:** Physical security zones around Madison Square Garden and City Hall.
## Mitigations
- **Access Control:** Implement robust authentication or token-based access for live camera feeds to prevent unauthorized third-party embedding.
- **Rate Limiting:** Apply strict rate limiting to prevent automated scraping of camera data.
- **Referrer Validation:** Restrict video stream playback to authorized government domains only via "Allow-lists."
- **Technical Disablement:** Following the precedent of the 2024 order, disabling the specific API endpoints or URLs identified in unauthorized projects like GardenCam.
## IoCs
- hxxps://gardencam[.]wttdotm[.]com/
- hxxps://www[.]trafficcamphotobooth[.]com/
- hxxps://www[.]trafficcamphotobooth[.]com/assets/CeaseAndDesist[.]pdf
## Conclusion
The redistribution of NYC traffic feeds by GardenCam represents a persistent exploitation of "open" municipal IoT infrastructure. While currently framed as an art project, the ability to monitor police perimeters in real-time poses a significant security risk during high-profile public events. Municipalities should move toward securing these feeds with modern web authentication standards to prevent unauthorized secondary use.