Foone🏳️‍⚧️

also, you punks are writing python 2 code in 2021? come on, who does that?

I mean, I do all the time, but I'm a known retrocomputerist. I run Windows 95 and MS-DOS regularly. of course I'm using a wildly outdated programming language. I'm not making a product I sell to customers!

Foone🏳️‍⚧️

oh cool you can pull the GPS history of a truck from azure without any login, you just need to know the device ID.

Foone🏳️‍⚧️

this might be UPS trucks. I should probably not query any of these GPS histories

Foone🏳️‍⚧️

also they're spamming 9 lines to syslog every minute.

this is a microsd card in a raspi, guys! you are going to fry your fucking card by running out of write cycles. That's not a good idea in any raspi application, especially not an IoT one

Gerhard D.

@foone Please stop. It's too damn depressing. Or wait .... SHARE IT!

Foone🏳️‍⚧️

oh sweet jesus they logged into slack from this machine('s image)

I have their chrome profile, with history and cookies and shit!

Foone🏳️‍⚧️

@cadey nah. I didn't get this device legitimately, so I can't really report any security holes in it.

Arne Babenhauserheide replied to Foone🏳️‍⚧️

@foone that’s why we need protection for people who report this stuff.

You may want to talk to folks from @CCC to find the right process to get this off the road before it causes bodily harm.

@cadey

Foone🏳️‍⚧️

this is deeply embarrassing. I have lists of their duckduckgo and google searches for the programming problems they were having building this product.

no programmer should ever have that personal shame shared with the world. let alone included on every microSD card your company ships!

Foone🏳️‍⚧️

oh sweet jesus

they automatically scp up some logs to a server somewhere. Did they set up keys so that authorized devices could log in automatically without passwords?

NOPE THEY USED SSHPASS

Foone🏳️‍⚧️

I have a file here with multiple lines like:

sudo sshpass -p PASSWORDHERE scp /path/system/network.log USERNAME@IPADDRESS:/home/manufacturing/
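
An added example, not code from the thread or from the device's maker: a small Python scanner that finds the `sshpass -p` pattern quoted above in shell scripts pulled from an image and reports each hit with the secret redacted. The sample script and the password `hunter2` are constructed placeholders.

```python
"""Find the sshpass -p anti-pattern in shell scripts pulled from an image.

Added example, not the thread's or the vendor's code. Lines are tokenised
with shlex; `sshpass -p <secret>` and the attached form `-p<secret>` are
reported with the secret redacted so the report does not leak it again."""
import shlex

# Constructed sample in the shape of the line quoted in the thread;
# USERNAME@IPADDRESS and the password hunter2 are placeholders.
SAMPLE_SCRIPT = """\
#!/bin/sh
# nightly log upload (constructed sample)
sudo sshpass -p 'hunter2' scp /path/system/network.log USERNAME@IPADDRESS:/home/manufacturing/
sshpass -phunter2 ssh USERNAME@IPADDRESS 'tail -n 100 /var/log/syslog'
scp -i /etc/device/id_ed25519 /path/system/network.log uploader@logs.example.net:/incoming/
"""

def find_sshpass_password(argv):
    """Return the plaintext password given to sshpass in argv, or None."""
    if "sshpass" not in argv:
        return None
    args = argv[argv.index("sshpass") + 1:]
    for j, tok in enumerate(args):
        if tok == "-p" and j + 1 < len(args):
            return args[j + 1]
        if tok.startswith("-p") and len(tok) > 2:
            return tok[2:]          # attached form: -psecret
        if not tok.startswith("-"):
            break                   # reached the wrapped command (scp/ssh)
    return None

def scan_script(text):
    """Return one finding per line that passes a password to sshpass."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if "sshpass" not in line:
            continue
        try:
            argv = shlex.split(line, comments=True)
        except ValueError:          # unbalanced quotes; skip the line
            continue
        secret = find_sshpass_password(argv)
        if secret is None:
            continue
        # user@host the secret unlocks, without the remote path
        dest = next((t for t in argv if "@" in t), "?").split(":")[0]
        findings.append({"line": lineno, "target": dest,
                         "secret_length": len(secret),
                         "redacted": line.replace(secret, "***")})
    return findings
```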

Foone🏳️‍⚧️

well I'm putting this away so I don't accidentally hack them.

Polychrome :clockworkheart: replied to Foone🏳️‍⚧️

@foone this thread just slowly became worse and worse as I was reading it :blobcatsweat:

Foone🏳️‍⚧️ replied to Foone🏳️‍⚧️

this is one of the many reasons I'm not a security researcher.

it's a target rich environment.

Foone🏳️‍⚧️ replied to Foone🏳️‍⚧️

Also I'm a reverse engineer. There's no reverse engineering here!
I unscrewed the box, pulled out the raspi, pulled the SD card out, put it in my laptop, and it automounted. I then looked at some files while making a disgusted face.

That's not reverse engineering! That's just lookin'

Foone🏳️‍⚧️ replied to Foone🏳️‍⚧️

Also this isn't the only opsec failure they've made but if I say what the other one is, you might be able to figure out what company this is. And if you can do that, they can too, and they might get mad at me

Wouter Verhelst replied to Foone🏳️‍⚧️

@foone
Pretty sure they already can with the info you've just written down if they want.

Pretty sure they also don't want, because it would be embarrassing to the extreme for them to come forward after what you just wrote down 😂

Joseph replied to Foone🏳️‍⚧️

@foone Oh you are absolutely getting a follow after this firecracker of a thread! 💞

nsfw :donor: replied to Foone🏳️‍⚧️

@foone Okay, now to the important part: how much was the RPi in a fancy plastic box, and how much per month is it to have that box scp stuff to an Azure account?

Jürgen replied to Foone🏳️‍⚧️

@foone #terrypratchett : it is not spying if you have to take few steps back in order not to turn deaf!

Dasha Sierra replied to Foone🏳️‍⚧️

@foone You know, I never get bored of your tech adventures. Stay awesome. 💜

Esmé Ciredutemps replied to Foone🏳️‍⚧️

@foone i don't really understand completely what is explained but i read the thread as an excellent investigation and thriller movie. Thank you.
🍿

Gabriel Pettier replied to Esmé

@ciredutempsEsme @foone well, it's as much an investigation as visiting a flat and immediately discovering the remains of a meth-lab operation, with unattended unstable chemicals.

I suspect the team for that was one dev that hacked it together and cut all the corners until they got a smooth circle.

Haelwenn /элвэн/ :triskell: replied to Foone🏳️‍⚧️

@foone Kind of thing that is so bad I kind of wonder if it's a really weird attempt at a honeypot.

#wafuposting enjoyer replied to Foone🏳️‍⚧️

@foone LOG IN TO THEIR EMAIL AND START SENDING TONS OF SPAM YOU PUSSY

Glyph

@foone this is truly amazing. it's very unfortunate that you can't just post it all because the individual engineers will get blamed, rather than their incandescently irresponsible management

propapanda :verified:

@foone it would have made very little difference if they shipped a key instead of a password, but these people clearly don't know what they are doing

Foone🏳️‍⚧️ replied to propapanda

@panda could have individual keys per device and revoke them as the devices leave service. as it is, they can't do that without changing the passwords on every device

propapanda :verified: replied to Foone🏳️‍⚧️

@foone they totally could have, and instead of ssh they could have used mqtt with some basic acls, which would have prevented reading other people's location but also saved the overhead of the ssh handshake

Asta [AMP]

@foone@digipres.club ohhhhh no

no no no no

no to all of this but no to this

Randagodron

@foone lol better not talk about a company who sells embedded circuits for satellites, a friend checked two recently, boards were dirty as ***, covered in flux residue, lots of solder microballs hanging around (meaning they used too much solder paste and didn't follow their supplier's recommendations on solder masks) and bad solders making the board not functional without rework. Top space-grade shit, everything is fine 😅
If we find products this bad on aerospace devices, I am not surprised that it's even worse in IoT ...

Foone🏳️‍⚧️

@randagodron they've got the excuse that no one will be able to tell, because their shit will be hiding in orbit

Randagodron

@foone yeah, with the microballs floating around 😛 if only it was not bad enough that it did not work at all and the customer was forced to check the boards before launch ...

t3rminus

@foone holy dang that sounds… so bad. Just really, really bad. And Python 2??

Damn. Whatever you’re looking at I pray I don’t own one…

Sylvhem

@foone Hate it when my employer shares my Slack session with hundreds of customers.

embix

@foone "leave it so and mark the 'planned obsolescence' checkbox"

Foone🏳️‍⚧️

@elronxenu yeah me too, how do you think I know this? :)

Phyxis

@foone Sometimes you have an investment in that codebase, and escape costs haven't crossed viable yet.

truh

@foone had a coworker rewrite my python3 app in python2 so it runs on google app engine, in 2020 or so.

Had to port it back to python3 later of course.

o76923

@foone@digipres.club
Southwest Airlines avoided the Crowdstrike outage today because their systems still run on Windows 3.1. Clearly these devs had the same idea and use python 2.x for security reasons since nobody is trying to find new exploits in it.

xsspup :blobhaj_hearttrans:

@foone ok I was on your side for not revealing the company up until this

JLab8

@foone try 2024. 😭😭😭😭

Really is a combination fault of the language- WHY BREAK EXISTING CODE WITH A NEW VERSION? WHY?

And the team that decided that using a language that is happy to break your codebase for a massive engineering project with an expected long lifespan of active development.

ch2500

@foone maybe they are... not making a product to sell to customers? :)

Chris [list of emoji]

@foone

I use it out of spite. No, Mr. I'm-Gonna-Break-Your-Code-So-I-Can-Put-Brackets-On-Print, I'm not gonna upgrade to something you can't be bothered to fix correctly! Heck you!

kae 🔜 ANE

@foone this is somehow the worst part of it all

The Doctor

@foone I don't think you want the answer to that.

It's also too early for me to tell stories that end with me sobbing.

Cyber Yuki

@foone Blame the Python designer for that. He decided to cut all compatibility with Python 2 when developing Python 3, and now everyone has to deal with two different flavors of Python, simply because people aren't paid enough to migrate existing code.

Most stupid decision in language design, IMO.

Tom Isaacson

@foone are there any dates in there that reveal when it was developed? Not just 10 year old code.
