oooh, the redbox uses full AES encryption!
-
Asta [AMP]replied to Perish! 👻 (the thot) last edited by
@[email protected] @[email protected] (oh, I guess I was talking about builders instead of factories but whatever just instantiate your object already)
-
Asta [AMP]replied to Xandra Granade 🏳️⚧️ last edited by
@[email protected] @[email protected]
"During debate over his nomination, a list of videotapes Bork had rented was leaked to the press, which led to the enactment of the 1988 Video Privacy Protection Act as a response. The leak was inspired by Bork's opposition to privacy protections beyond those explicitly outlined in the constitution."
baaaaahahahaha, this fucking guy though. this is awesome. -
@foone I now really want the forbidden knowledge of wheel of fortune’s bespoke multitasking programming language
-
@perplexes I'm still writing a disassembler, it'll be documented someday
-
So, quick summary:
Redbox went bankrupt and the machines are getting in the hands of individuals. The disk image has been dumped. The software is being reverse engineered: they're not currently very useful, since they need to talk to a server that's gone.But progress is being made
-
the devices themselves are windows 7 machines talking to the disc library. It's a small group of services talking to each other, mainly over HTTP
-
it's primarily written in enterprise-as-fuck C#, with some lua scripting, and the "HS" scripting language which seems to be proprietary to redbox machines.
-
I'm currently trying to acquire one so I can do more hands-on reverse engineering, but for now I'm focusing on the software and how it all interacts
-
and I'm told Doom has already been run on them. It's windows 7, it can run many doom sourceports.
With a little extra work you could probably play native MS-DOS Doom on them
-
rk: not a typewriterreplied to Foone🏳️⚧️ last edited by
Ohhh I do love me an embedded scripting language. Do you know if there’s any info on the HS language, or if you have time would you mind posting a sample or two?
-
MORE FUN FACTS:
it turns out the device has a database on it which lists the location of every single other redbox machine. full addresses.
-
Foone🏳️⚧️replied to rk: not a typewriter last edited by
@rk there's no info, but there are some samples. I don't have access to the full ones right now, but here's a snippet from the discord:
GRIPPER STATUS
POP GRIPPER-STATUS
IF "FULL" == GRIPPER-STATUS
LOG "The gripper is full - please fix."
APPLOG "The gripper is obstructed - exiting."
RESULT CODE="ItemStuckInGripper" MESSAGE="There is a disc stuck in the picker."
EXIT "Gripper is obstructed."
ENDIF -
Howard Chu @ Symasreplied to Foone🏳️⚧️ last edited by
@foone Encryption at rest is always that way though, whatever software is accessing the data always has to have the encryption key(s) available.
-
Comrade elronxenureplied to Foone🏳️⚧️ last edited by
-
Foone🏳️⚧️replied to Comrade elronxenu last edited by
@elronxenu @rk I have no idea!
-
@foone PCI actually permits this. There's approx no entropy in the first 6 digits; they just identify your bank. There's a US federal law against this IIRC, but for those of us who work in card payments in Europe first6 + last4 is what we see all the time
-
@erincandescent ...Speaking of which. What confuses me is that while many sites show only the last 4 digits of my card number, there are some places that *do the exact opposite,* showing it as "1234 5678 9012 xxxx" and doing things like "Please provide the last 4 digits of your card number to confirm your identity", and I'm like, 〈(゜_゜) how does it even make sense
-
@grawity now anyone who is showing something other than first6 + last4 is grossly violating PCI-DSS and needs to be shot.
-
@foone oh god I wanna make a poster out of this toot
-
@sirmino go ahead!