good lord. I pulled a microSD card out of a Raspi inside an IoT product and it appears they had some developer use a raspi to develop/test some software, and then they just yanked the SD card out of that machine and duped it on to all of their deployed products.
it's got .bash_history of the development process! there's git checkouts of private repos! WHY WOULD YOU DO THIS?
also, you punks are writing python 2 code in 2021? come on, who does that?
I mean, I do all the time, but I'm a known retrocomputerist. I run Windows 95 and MS-DOS regularly. of course I'm using a wildly outdated programming language. I'm not making a product I sell to customers!
also they're spamming 9 lines to syslog every minute.
this is a microsd card in a raspi, guys! you are going to fry your fucking card by running out of write cycles. That's not a good idea in any raspi application, especially not an IoT one
oh sweet jesus they logged into slack from this machine('s image)
I have their chrome profile, with history and cookies and shit!
this is deeply embarrassing. I have lists of their duckduckgo and google searches for the programming problems they were having building this product.
no programmer should ever have that personal shame shared with the world. let alone included on every microSD card your company ships!
oh sweet jesus
they automatically scp up some logs to a server somewhere. Did they set up keys so that authorized devices could log in automatically without passwords?
NOPE THEY USED SSHPASS
I have a file here with multiple lines like:
sudo sshpass -p PASSWORDHERE scp /path/system/network.log USERNAME@IPADDRESS:/home/manufacturing/
this is one of the many reasons I'm not a security researcher.
it's a target rich environment.
Also I'm a reverse engineer. There's no reverse engineering here!
I unscrewed the box, pulled out the raspi, pulled the SD card out, put it in my laptop, and it automounted. I then looked at some files while making a disgusted face.
That's not reverse engineering! That's just lookin'
Yeah. Foone had great timing. Like watching a good stand up comedian, but for security sadness.
@ciredutempsEsme @foone well, it's as much an investigation as visiting a flat and immediately discovering the remains of a meth-lab operation, with unattended unstable chemicals.
I suspect the team for that was one dev that hacked it together and cut all the corners until they got a smooth circle.
@theothersimo @ciredutempsEsme @foone well, or features were always too high prio for quality to happen.
I've been a one man team shipping devices with custom software to places, and yeah, times was always too short to think about small things like security (though for that business that wasn't really a concern, the worst that could happen was people stealing our code and running with it).
Garva 🚀
Alice Averlong🏳️⚧️
Viss
Ian Littman
Riley S. Faelan
*Ada Freya ⋆.˚🦦⋆🦌 - Neptuwunium
Nephiel
Marcus Müller
Wouter Verhelst
Sparky
Billie Thompson 🦊
Fennix
Bhushan Shah 🤖🥸🦹
Json Doh
gkrnours
Pseudo Nym
BenBE
Deb has moved! (see profile) 🇨🇦
Ozzelot 
Polychrome 
Imran Nazar ~ عمران نزر
Thread Tree
Dasha Sierra
Esme Ciredutemps
Gabriel Pettier
arceuthobium
Ben Aveling
Ryan Castellucci (they/them) 
kira :3
Xe 
ArneBab
aardvark
Max Lee
hazelnot 
gaytabase
Marcin Cieślak