Gregory's ServerI've also been able to de-stealth a "stealth startup" on linked in.
because this has commits from different users, and I can just look up on linkedin what stealth-startup all those people work/worked at and then look at the name on the IoT box I'm holding
|
Top-level
 137 comments
also, you punks are writing python 2 code in 2021? come on, who does that? I mean, I do all the time, but I'm a known retrocomputerist. I run Windows 95 and MS-DOS regularly. of course I'm using a wildly outdated programming language. I'm not making a product I sell to customers! oh cool you can pull the GPS history of a truck from azure without any login, you just need to know the device ID. also they're spamming 9 lines to syslog every minute. this is a microsd card in a raspi, guys! you are going to fry your fucking card by running out of write cycles. That's not a good idea in any raspi application, especially not an IoT one  oh sweet jesus they logged into slack from this machine('s image) I have their chrome profile, with history and cookies and shit!  @cadey nah. I didn't get this device legitimately, so I can't really report any security holes in it.  this is deeply embarrassing. I have lists of their duckduckgo and google searches for the programming problems they were having building this product. no programmer should ever have that personal shame shared with the world. let alone included on every microSD card your company ships!  oh sweet jesus they automatically scp up some logs to a server somewhere. Did they set up keys so that authorized devices could log in automatically without passwords? NOPE THEY USED SSHPASS I have a file here with multiple lines like: sudo sshpass -p PASSWORDHERE scp /path/system/network.log USERNAME@IPADDRESS:/home/manufacturing/  @foone this thread just slowly became worse and worse as I was reading it :blobcatsweat:
this is one of the many reasons I'm not a security researcher. it's a target rich environment.  Also I'm a reverse engineer. There's no reverse engineering here! That's not reverse engineering! That's just lookin' Also this isn't the only opsec failure they've made but if I say what the other one is, you might be able to figure out what company this is. And if you can do that, they can too, and they might get mad at me @foone Oh you are absolutely getting a follow after this firecracker of a thread! 💞
 @foone Okay, now to the important part: how much was the RPi in a fancy plastic box, and how much per month is it to have that box scp stuff to an Azure account? @foone #terrypratchett : it is not spying if you have to take few steps back in order not to turn deaf! @foone You know, I never get bored of your tech adventures. Stay awesome. 💜  @foone i don't really understand completely what is explained but i read the thread as an excellent investigation and thriller movue. Thank you.  @ciredutempsEsme @foone well, it's as much an investigation as visiting a flat and immediately discovering the remains of a meth-lab operation, with unattended unstable chemicals. I suspect the team for that was one dev that hacked it together and cut all the corners until they got a smooth circle.  @foone Kind of thing that is so bad I kind of wonder if it's a really weird attempt at an honeypot.
 @foone LOG IN TO THEIR EMAIL AND START SENDING TONS OF SPAM YOU PUSSY
  @foone it would have made very little difference if they shipped a key instead of a password, but these people clearly don't know what they are doing @panda could have individual keys per device and revoke them as the devices leave service. as it is, they can't do that without changing the passwords on every device @foone they totally could have and instead of ssh they could have used mqtt with some basic acls which would have prevent reading other people's location, but also save the overhead of the ssh handshake  @randagodron they've got the excuse that no one will be able to tell, because their shit will be hiding in orbit      @foone@digipres.club |
@foone i mean it's very bad from a security perspective, but it's very convenient from a hacking perspective.