Email or username:

Password:

Forgot your password?
Top-level
Foone🏳️‍⚧️

assuming their S3 keys aren't just saved in this harddrive somewhere

61 comments
Foone🏳️‍⚧️

jesus christ this isn't the only time THIS MONTH I've found an IoT device and checked the filesystem contents and it's got their private git repos on it

Foone🏳️‍⚧️

and now I can email the lead developer.

or just commit to their git repo, I guess.

Foone🏳️‍⚧️ replied to Foone🏳️‍⚧️

okay so the good news is that they don't just have S3 keys laying around in plain text.
the other good news is that they have a secrets manager
the bad news is that they rolled their own secrets manager
the extra bad news is that I have the source for said secrets manager
and the extra extra bad news is that it has to decrypt those keys without external input, meaning I have all the parts here to pull out their s3 keys

Foone🏳️‍⚧️ replied to Foone🏳️‍⚧️

oh hey!

this thing authenticates to some of their servers (which are still up, even if the company might not be (this is unknown at the moment)) over SSH! using keys kept in the same home-rolled vault thing!

so I can SSH into their servers now!

Foone🏳️‍⚧️ replied to Foone🏳️‍⚧️

oh god this thing sends email from gmail

please tell me they didn't embed the google login into this device

Foone🏳️‍⚧️ replied to Foone🏳️‍⚧️

tempted to drive past their HQ with a megaphone "I'VE GOT YOUR MODELS, YOU AI HACKS!"

Foone🏳️‍⚧️ replied to Foone🏳️‍⚧️

wait. did they seriously stuff videos into their redis database?

Foone🏳️‍⚧️ replied to Foone🏳️‍⚧️

they sure did! I have a video of someone picking something up from outside a door.

Viss replied to Foone🏳️‍⚧️

@foone ffffffffffucking what? they stuffed entire videos INTO REDIS?

Graham Spookyland🎃/Polynomial replied to Viss

@Viss @foone this is more of a thing than you might expect. I've seen a few high-volume realtime media distribution backends that use Redis as a rolling video stream cache.

I'm particularly unsurprised to see it here because there are published tools for realtime ML media analytics using redis:

github.com/RedisGears/EdgeReal

Graham Spookyland🎃/Polynomial replied to Viss

@Viss @foone there is some method in the madness. if you've got a lot of transient video data, and you need access to a rolling window of it (either for buffering/stability purposes or for realtime analytics), storing it to disk ends up costing a fortune because you'll end up running headlong into DWPD limits on drives and having to swap them out constantly. but with RAM there's no such wear. for a few hundred concurrent clients you can do it on a single consumer desktop PC worth of RAM.

Graham Spookyland🎃/Polynomial replied to Graham

@Viss @foone Redis isn't required to flush to disk (the whole dataset is in-memory) and it supports blob storage, so it's not the worst option. my guess is someone ran the `save` command at some point (or they were doing periodic saves because they didn't separate out nonvolatile data into a separate redis instance) and foone's seeing that last snapshot.

mirabilos replied to Viss

@Viss @foone maybe the “AI” told them it’s “certainly fine, absolutely!”…

Foone🏳️‍⚧️ replied to Foone🏳️‍⚧️

okay found their S3 creds. they hardcoded them in a Jenkinsfile.

Foone🏳️‍⚧️ replied to Foone🏳️‍⚧️

not a good sign to see a bash case statement for environment, and prod sets the server to FOOBAR.EGG
and test sets the server to... FOOBAR.EGG

Foone🏳️‍⚧️ replied to Foone🏳️‍⚧️

anyway I'm gonna be near their HQ on thursday. Maybe I'll stop by and ask if they're still in business, and if they are, do they know where their NUCs are?

Foone🏳️‍⚧️ replied to Foone🏳️‍⚧️

and in case anyone is getting deja-vu:

This is a completely different company than the other one I found like 3 weeks ago:

digipres.club/@foone/112817523

Foone🏳️‍⚧️ replied to Foone🏳️‍⚧️

I'm really not the right person to work in computer security research, but it'd be nice to have a sort of consulting job with a local one where I can just point them at some really broken shit and they investigate it and maybe give me a commission

Foone🏳️‍⚧️ replied to Foone🏳️‍⚧️

Why the fuck is this on hacker news? ugh. I'm gonna need to run my own mastodon instance, aren't I?

If you found this on hacker news, you owe me 5$:

digipres.club/@foone/112929955

sleepy replied to Foone🏳️‍⚧️

@foone I run my own, it's not terrible but also is terrible.

vandys replied to Foone🏳️‍⚧️

@foone For single user (or small # of user) instances, you might want to look at the might lighter weight (and therefore cheaper to run):

https://docs.gotosocial.org/en/latest/getting_started/

JLab8 replied to Foone🏳️‍⚧️

@foone honestly, you should probably see if the California Privacy Protection Agency is hiring investigators.

SeanOMik replied to Foone🏳️‍⚧️

@foone where do you find these devices? eBay? A local recycling center?

Gabriel Pettier replied to Foone🏳️‍⚧️

@foone hm, are you *sure* they are bankrupt (i mean, not just technically 😆), if this was in production as of 2 months ago, maybe they just scaled away from this infra and sent everything to ewaste after migrating.

Foone🏳️‍⚧️ replied to Gabriel

@tshirtman yeah. they may have just moved everything to cloud-hosted and didn't need their wall of NUCs

Benjamin Reed replied to Foone🏳️‍⚧️

@foone Did they think the “P" in "PII" stood for “Public”?

Elfi, :verifiedtransbian: cute moth replied to Foone🏳️‍⚧️

@foone Better act fast, 'tis the season for Spirit Halloween to start inhabiting old husks

Σ(i³) = (Σi)² replied to Foone🏳️‍⚧️

@foone
I heard somewhere you were low on cash? I wonder how much what you have there might fetch on some shady website...

:flan_reaper: - On Hiatus replied to Foone🏳️‍⚧️

@foone

Wonder if someone over at like, 404Media, would enjoy writing up a hilariously embarrassing article about these bros.

4censord :neocat_flag_pan: replied to Foone🏳️‍⚧️

@foone@digipres.club didnt you have bascially that same thing happen just a few weeks/months ago? last time with a raspi like thing?

chort ↙️↙️↙️ replied to Foone🏳️‍⚧️

@foone this is exactly as bad as I believe most cloud startups are.

:blobpopcorn:

Wilfried Klaebe replied to Foone🏳️‍⚧️

@foone Can you push to their git server though?

Elfi, :verifiedtransbian: cute moth

@foone If there was a bounty for this kind of shit, you'd never have to work again. my god.

Foone🏳️‍⚧️ replied to Elfi, :verifiedtransbian: cute moth

@elfi yeah. the problem is I'd have to become a security researcher and I'm reasonably sure I'd rather die

Amber replied to Foone🏳️‍⚧️

@foone@digipres.club @elfi@social.pixie.town preliminary write up, post write up, how much writing lol? like you write a couple lines of code max in Python and about 2+ separate college essays

💞 eva 💞 replied to Adam

@voltagex @foone ??? Corporate failures with deficient security policies during hardware decommissioning processes... that has nothing to do with OSS or FOSS.

Most of the incidents like that which I've encountered (obtaining e-wasted/grey market used hardware on ebay or freebies) have been with orgs that definitely use MS, the data is right there to prove it when it's happening. It happens to all manner of orgs, but it's not an open source failure.

Adam ♿ replied to 💞 eva 💞

@winterschon it was a joke, playing off that this code had suddenly become open source.

Juliet Merida (she/they) 🚝🏳️‍⚧️🏹🎯

@foone@digipres.club Based on what you've described so far I'd be surprised if you *don't* find their keys.

Go Up