|
Top-level
 HEY FUN FACT: this was used as part of an Alexa/google home type thing! this is the "cloud" half, as in the part sitting in a warehouse somewhere. where it is still stored. and I now have eleven thousand wave files 89 comments
 @foone the people behind this need to be barred from operating a business ever again. I know this shit happens all the time with liquidated assets but it's fucking unacceptable.    @glyph oh, most likely. @glyph @foone sadly, no. at most it's *maybe* a GDPR violation depending on the content of the WAV files, but likely not, and I'm guessing that's going to be impossible to prosecute anyway because the assets are almost certainly a result of an insolvency liquidation. I see this shit all the damn time and right now there's very little recourse for those affected. @gsuberland @glyph @foone The entity that was the data controller at the time of the breach is responsible for reporting it. If the company has been liquidated, the liquidator or administrator may need to handle this obligation (GDPR wise) god the logs are full of errors about assorted video streams failing. now I don't think there's any video stored on this device, but keep in mind: the fools that made this thing fill up with WAV files? they also designed the video streaming part. Where are those videos stored, and how safe are they? or maybe the fools who dumped all the NUCs from their entire "AI remote healthcare" in the recycling without yanking any drives are just somehow REALLY GOOD at knowing how to secure their s3 buckets. jesus christ this isn't the only time THIS MONTH I've found an IoT device and checked the filesystem contents and it's got their private git repos on it okay so the good news is that they don't just have S3 keys laying around in plain text. oh hey! this thing authenticates to some of their servers (which are still up, even if the company might not be (this is unknown at the moment)) over SSH! using keys kept in the same home-rolled vault thing! so I can SSH into their servers now! oh god this thing sends email from gmail please tell me they didn't embed the google login into this device tempted to drive past their HQ with a megaphone "I'VE GOT YOUR MODELS, YOU AI HACKS!" they sure did! I have a video of someone picking something up from outside a door.  @Viss @foone there is some method in the madness. if you've got a lot of transient video data, and you need access to a rolling window of it (either for buffering/stability purposes or for realtime analytics), storing it to disk ends up costing a fortune because you'll end up running headlong into DWPD limits on drives and having to swap them out constantly. but with RAM there's no such wear. for a few hundred concurrent clients you can do it on a single consumer desktop PC worth of RAM. @gsuberland @Viss @foone I first learned of this when I read that FFMPEG supports AMQP. https://ffmpeg.org/ffmpeg-protocols.html#amqp @Viss @foone Redis isn't required to flush to disk (the whole dataset is in-memory) and it supports blob storage, so it's not the worst option. my guess is someone ran the `save` command at some point (or they were doing periodic saves because they didn't separate out nonvolatile data into a separate redis instance) and foone's seeing that last snapshot. not a good sign to see a bash case statement for environment, and prod sets the server to FOOBAR.EGG anyway I'm gonna be near their HQ on thursday. Maybe I'll stop by and ask if they're still in business, and if they are, do they know where their NUCs are? and in case anyone is getting deja-vu: This is a completely different company than the other one I found like 3 weeks ago: I'm really not the right person to work in computer security research, but it'd be nice to have a sort of consulting job with a local one where I can just point them at some really broken shit and they investigate it and maybe give me a commission   @foone hm, are you *sure* they are bankrupt (i mean, not just technically 😆), if this was in production as of 2 months ago, maybe they just scaled away from this infra and sent everything to ewaste after migrating. @tshirtman yeah. they may have just moved everything to cloud-hosted and didn't need their wall of NUCs   @foone Better act fast, 'tis the season for Spirit Halloween to start inhabiting old husks  @foone  Wonder if someone over at like, 404Media, would enjoy writing up a hilariously embarrassing article about these bros. @foone@digipres.club didnt you have bascially that same thing happen just a few weeks/months ago? last time with a raspi like thing?  @foone this is exactly as bad as I believe most cloud startups are. :blobpopcorn:  @foone If there was a bounty for this kind of shit, you'd never have to work again. my god. @elfi yeah. the problem is I'd have to become a security researcher and I'm reasonably sure I'd rather die  @foone@digipres.club @elfi@social.pixie.town preliminary write up, post write up, how much writing lol? like you write a couple lines of code max in Python and about 2+ separate college essays   @voltagex @foone ??? Corporate failures with deficient security policies during hardware decommissioning processes... that has nothing to do with OSS or FOSS. Most of the incidents like that which I've encountered (obtaining e-wasted/grey market used hardware on ebay or freebies) have been with orgs that definitely use MS, the data is right there to prove it when it's happening. It happens to all manner of orgs, but it's not an open source failure. @winterschon it was a joke, playing off that this code had suddenly become open source.  @foone@digipres.club Based on what you've described so far I'd be surprised if you *don't* find their keys.     @foone Uhm. This sounds like you can finance the rest of your life with a class action law suit.   @foone oh great @foone "HEY ALEXA!!! BUY MORE SHIT FROM THAT PLACE!!" "Buying more shit from that place." @foone and people are giving all access for convenience. I have Alexa, & a security camera. My camera constantly wants access to Alexa. Why? Um, no. 🙄 My camera constantly wants me to join some cloud service where all the videos live forever. The SD card’s plenty, thanks. Stop trying to make me go cloud service. I know there are tons of people using the cloud service just to make the prompts go away. 20 years ago we wouldn’t even talk about pot in front of our TVs! |
Gregory's Server
@foone wait WHAT???