oooh, the redbox uses full AES encryption!
-
it's primarily written in enterprise-as-fuck C#, with some lua scripting, and the "HS" scripting language which seems to be proprietary to redbox machines.
-
I'm currently trying to acquire one so I can do more hands-on reverse engineering, but for now I'm focusing on the software and how it all interacts
-
and I'm told Doom has already been run on them. It's windows 7, it can run many doom sourceports.
With a little extra work you could probably play native MS-DOS Doom on them
-
rk: not a typewriter replied to Foone🏳️⚧️
Ohhh I do love me an embedded scripting language. Do you know if there’s any info on the HS language, or if you have time would you mind posting a sample or two?
-
MORE FUN FACTS:
it turns out the device has a database on it which lists the location of every single other redbox machine. full addresses.
-
Foone🏳️⚧️ replied to rk: not a typewriter
@rk there's no info, but there are some samples. I don't have access to the full ones right now, but here's a snippet from the discord:
GRIPPER STATUS
POP GRIPPER-STATUS
IF "FULL" == GRIPPER-STATUS
    LOG "The gripper is full - please fix."
    APPLOG "The gripper is obstructed - exiting."
    RESULT CODE="ItemStuckInGripper" MESSAGE="There is a disc stuck in the picker."
    EXIT "Gripper is obstructed."
ENDIF
-
Howard Chu @ Symas replied to Foone🏳️⚧️
@foone Encryption at rest is always that way though, whatever software is accessing the data always has to have the encryption key(s) available.
-
Comrade elronxenu replied to Foone🏳️⚧️
-
Foone🏳️⚧️ replied to Comrade elronxenu
@elronxenu @rk I have no idea!
-
@foone PCI actually permits this. There's approx no entropy in the first 6 digits; they just identify your bank. There's a US federal law against this IIRC, but for those of us who work in card payments in Europe first6 + last4 is what we see all the time
-
@erincandescent ...Speaking of which. What confuses me is that while many sites show only the last 4 digits of my card number, there are some places that *do the exact opposite,* showing it as "1234 5678 9012 xxxx" and doing things like "Please provide the last 4 digits of your card number to confirm your identity", and I'm like, 〈(゜_゜) how does it even make sense
-
@grawity now anyone who is showing something other than first6 + last4 is grossly violating PCI-DSS and needs to be shot.
-
@foone oh god I wanna make a poster out of this toot
-
@sirmino go ahead!
-
@foone Oh God yes. I was reading some code in a graphics project last night to try to find an algorithm, and I *couldn't find the algorithm* because 90% of the code was code about code.
STOP WRITING CODE ABOUT CODE. JUST WRITE CODE.
-
@grawity …apparently “first 6, any 4” is permitted but only with justification. See this article
-
If you got here from hackernews, you can pay me here:
I mean, it'd be nice if anyone else gave me money, I could really use it. But it's not required, unless you found this on hackernews.
-
Asta [AMP] replied to Simon Cozens
but what if one day someone sees our code and goes "oh my god! This is amazing! This should be a library!" and it becomes a big project we're in charge of and our boss is like "you've saved the company with your use of factories!" and we go yachting together and : (
(this is genuinely the only reason I can think of why projects that are for highly specific niches end up being overarchitected. hope, basically?)
-
GunChleoc replied to DJ Sundog - from the toot-lab
-
@gunchleoc @djsundog @foone this. This is the one!