Gregory's ServerI have a file here with multiple lines like:
sudo sshpass -p PASSWORDHERE scp /path/system/network.log USERNAME@IPADDRESS:/home/manufacturing/
|
70 comments
 @foone this thread just slowly became worse and worse as I was reading it :blobcatsweat:
 this is one of the many reasons I'm not a security researcher. it's a target rich environment.  Also I'm a reverse engineer. There's no reverse engineering here! That's not reverse engineering! That's just lookin' Also this isn't the only opsec failure they've made but if I say what the other one is, you might be able to figure out what company this is. And if you can do that, they can too, and they might get mad at me @foone
Pretty sure they already can with the info you've just written down if they want. Pretty sure they also don't want, because it would be embarrassing to the extreme for them to come forward after what you just wrote down 😂 @foone oh my god, this is the real life example of the old joke "it works on my machine" "ok box it up and send it to the data center" @foone sounds like a classic "hey guys, im done with the prototype/proof of concept, how is your prese- why is there a desk _between_ our chairs?" scenario  @foone     As always, you are my hero. This is jaw-dropping bad. Play some old Lode Runner on an Apple ][ emulator for brain bleach. Nice find. See if they have a bug bounty program. They won't, given these kinds of findings, but clearly they should.   @foone I'm imagining the dev said "hey, it works!" and five minutes later found himself laid off. Five minutes after that, they were cloning this card. 🤦♀️🙅♀️🙎♀️ I just noticed this is how they heatsinked that raspberry pi I yanked the SD card out of.  @foone@digipres.club i love that the left heatsink is also not the appropriate size at all @foone was it vertically mounted? I wonder if the adhesive started to fail and it tipped over  @foone well, I don't want to say it, but, if I read your posts, I might come to the conclusion that this device was not carefully designed nor built at all!  @foone the fact that it's stayed on is by itself kind of impressive  @foone Secretly terrified this is a former employer's handiwork @foone Oh you are absolutely getting a follow after this firecracker of a thread! 💞
 @foone Okay, now to the important part: how much was the RPi in a fancy plastic box, and how much per month is it to have that box scp stuff to an Azure account? @foone #terrypratchett : it is not spying if you have to take few steps back in order not to turn deaf!   @foone That depends a lot on the prosecutor's familiarity with technology and their desire to look tough on cyber crime. @foone half of reverse engineering is thinking to look though! 😄  @stibbons @foone My favourite bit of that is he then asked the room what he should type next. The entire crowd 'reverse engineered' Biitkeeper in minutes, the entire demo undercutting all the accusations that Tridge was doing something Uber-nefarious requiring 133t hacking skills. That was also the year of Stevens versus Sony, the High Court of Australia decision which allowed defeat of DRM and reverse engineering to achieve interoperability. @foone idk, *un*screwing boxes? that sounds like engineering in reverse to me,  @foone It's not breaking and entering when the house has no doors in the door frames. And no walls.
@foone You know, I never get bored of your tech adventures. Stay awesome. 💜  @foone i don't really understand completely what is explained but i read the thread as an excellent investigation and thriller movue. Thank you.  @ciredutempsEsme @foone well, it's as much an investigation as visiting a flat and immediately discovering the remains of a meth-lab operation, with unattended unstable chemicals. I suspect the team for that was one dev that hacked it together and cut all the corners until they got a smooth circle. @tshirtman @ciredutempsEsme @foone sounds like they laid off their one man dev team the minute they had a working prototype, no? @foone @ciredutempsEsme ask, and we shall try to answer. Any question you have, someone else has the same question but is afraid to ask. @BenAveling @foone  @foone Kind of thing that is so bad I kind of wonder if it's a really weird attempt at an honeypot.
 @foone LOG IN TO THEIR EMAIL AND START SENDING TONS OF SPAM YOU PUSSY
  @foone it would have made very little difference if they shipped a key instead of a password, but these people clearly don't know what they are doing @panda could have individual keys per device and revoke them as the devices leave service. as it is, they can't do that without changing the passwords on every device @foone they totally could have and instead of ssh they could have used mqtt with some basic acls which would have prevent reading other people's location, but also save the overhead of the ssh handshake     @foone lol, yep... here's another vector: I buy a decent amount of used enterprise hardware on ebay. guess how many former owner's ssh logins, smtp relays, bmc logins that I've come across? hahaha it's a lot. |
well I'm putting this away so I don't accidentally hack them.