 good lord. I pulled a microSD card out of a Raspi inside an IoT product and it appears they had some developer use a raspi to develop/test some software, and then they just yanked the SD card out of that machine and duped it on to all of their deployed products. it's got .bash_history of the development process! there's git checkouts of private repos! WHY WOULD YOU DO THIS? 219 comments
 I've also been able to de-stealth a "stealth startup" on linked in.  also, you punks are writing python 2 code in 2021? come on, who does that? I mean, I do all the time, but I'm a known retrocomputerist. I run Windows 95 and MS-DOS regularly. of course I'm using a wildly outdated programming language. I'm not making a product I sell to customers! oh cool you can pull the GPS history of a truck from azure without any login, you just need to know the device ID. also they're spamming 9 lines to syslog every minute. this is a microsd card in a raspi, guys! you are going to fry your fucking card by running out of write cycles. That's not a good idea in any raspi application, especially not an IoT one  oh sweet jesus they logged into slack from this machine('s image) I have their chrome profile, with history and cookies and shit!  @cadey nah. I didn't get this device legitimately, so I can't really report any security holes in it.  this is deeply embarrassing. I have lists of their duckduckgo and google searches for the programming problems they were having building this product. no programmer should ever have that personal shame shared with the world. let alone included on every microSD card your company ships!  oh sweet jesus they automatically scp up some logs to a server somewhere. Did they set up keys so that authorized devices could log in automatically without passwords? NOPE THEY USED SSHPASS I have a file here with multiple lines like: sudo sshpass -p PASSWORDHERE scp /path/system/network.log USERNAME@IPADDRESS:/home/manufacturing/  @foone this thread just slowly became worse and worse as I was reading it :blobcatsweat:
this is one of the many reasons I'm not a security researcher. it's a target rich environment.  Also I'm a reverse engineer. There's no reverse engineering here! That's not reverse engineering! That's just lookin' @foone You know, I never get bored of your tech adventures. Stay awesome. 💜  @foone i don't really understand completely what is explained but i read the thread as an excellent investigation and thriller movue. Thank you.  @foone Kind of thing that is so bad I kind of wonder if it's a really weird attempt at an honeypot.
 @foone LOG IN TO THEIR EMAIL AND START SENDING TONS OF SPAM YOU PUSSY
  @foone it would have made very little difference if they shipped a key instead of a password, but these people clearly don't know what they are doing @panda could have individual keys per device and revoke them as the devices leave service. as it is, they can't do that without changing the passwords on every device @foone they totally could have and instead of ssh they could have used mqtt with some basic acls which would have prevent reading other people's location, but also save the overhead of the ssh handshake  @randagodron they've got the excuse that no one will be able to tell, because their shit will be hiding in orbit     @foone@digipres.club @foone 😬 @foone One way to deal with “it works on my machine” is to make the developer write the code on the prod hardware, I suppose. @weargoggles @foone "it works on my machine", "then we will just ship your machine" @foone@digipres.club oh i've had this one happen before!!  @foone does it have a Bruno Mars mp3 on the filesystem? https://x.com/OverSoftNL/status/1357298938907353088  @foone I work in video games and the products we make at my studio are generally considered to be held together with tape, glue, and broken promises. And then I look at people who are working on things like appliances and cars and their software is SO MUCH WORSE than our bad software. @foone just an utter lack of people in the organization who knew what they were doing and I'm not even joking @foone like the proverbial project done by one precocious somebody's-relative or resourceful generalist grad student who doesn't know what they don't know and everyone else in the organization responsible for delivering the project as a product knows even less @foone Raspbian could and should be so much better imho. They should have build their distribution into something more of a Debian based read only firmware image building system, disable almost all logging to sd by default etc. and educate about best practices. @foone you botched a cool solution to a problem, Boss of course sells it and now you have to deliver something that an unwilling non Computer scientist can work with. NEXT WEEK. @foone Actually not that uncommon. I've found similar stuff at least twice. My dayjob is to maintain an in-house embedded Linux distro for our IoT devices. I regularly get to mess around with the newest pi compute module base white label hardware platforms. So I know what they look like and how to get the SD card out or dump the emmc, if I find one in the wild.  @thememesniper who needs a docker image? just clone the drive of the developer and ship that!  @foone @foone and a general rule of thumb is to NEVER EVER use a raspi in production. These boards are notoriously unreliable. I regularly hear about startups that have outage problems because their IoT devices have faulty raspis. These were designed for education purposes, nothing more.   @foone it worked on his machine, so they shipped his machine
 @foone Quite a wild ride reading this thread! This strikes me as a perfect example of “knowing enough to be dangerous”. Whoever put this product together was able to get it functioning and out the door, but clearly had no idea how to do so properly and adopt best practices. Unfortunately there is a lot of that in the IoT space. 
Because you don't have enough experience in this field to know any better. And your self-esteem prevents you from looking for advice from those who do. I suspect @foone is running a stealth marketing campaign here - I'm now wondering if I can buy one of whatever this is *just* to see how badly they've fucked up!  @foone This is rather common and annoying. RasPi actually did provide a tool to generate a fresh image with all of your changes too.    @foone Good thread, thanks. Have you, by any chance, advised the company in question, and offered your services for a decent fee? 😉   @foone Thank you for writing this up. Even in the more abstract, it’s still instructional on what not to do. @foone That's my kind of open source. Not 'provided as is' but 'provided with an extensive audit trail'. :D  @foone these are the same people who want to replace employees with auto complete. Checks out  @foone “look when we said it wanted to make this open source this wasn’t what we meant”  @foone it's the manager way around the "it works on MY machine " problem. Now everything is that developer's machine   @foone Wow - I already boosted this post but the thread just got worse and worse - read and learn dev people!     @foone Too bad you’re a nice person and won’t dd a disk image and share it via BitTorrent for, let’s say, distributed research purposes. This doesn’t sound like any IoT product I own, thankfully, but I hope this gets reported properly.  @foone Maybe they took this idea and decided to skip the part where you have to configure Docker.  |
Gregory's Server
@foone because they most probably don't know better. :neocat_googly_woozy: