ugh.
-
@glyph oh, most likely.
but I probably have all this shit because they are gone and bankrupt
-
or maybe the fools who dumped all the NUCs from their entire "AI remote healthcare" in the recycling without yanking any drives are just somehow REALLY GOOD at knowing how to secure their s3 buckets.
-
assuming their S3 keys aren't just saved on this hard drive somewhere
-
jesus christ this isn't the only time THIS MONTH I've found an IoT device and checked the filesystem contents and it's got their private git repos on it
-
and now I can email the lead developer.
or just commit to their git repo, I guess.
-
okay so the good news is that they don't just have S3 keys laying around in plain text.
the other good news is that they have a secrets manager
the bad news is that they rolled their own secrets manager
the extra bad news is that I have the source for said secrets manager
and the extra extra bad news is that it has to decrypt those keys without external input, meaning I have all the parts here to pull out their s3 keys
-
oh hey!
this thing authenticates to some of their servers (which are still up, even if the company might not be (this is unknown at the moment)) over SSH! using keys kept in the same home-rolled vault thing!
so I can SSH into their servers now!
-
Elfififififififi... replied to Foone🏳️⚧️
@foone If there was a bounty for this kind of shit, you'd never have to work again. my god.
-
oh god this thing sends email from gmail
please tell me they didn't embed the google login into this device
-
Foone🏳️⚧️ replied to Elfififififififi...
@elfi yeah. the problem is I'd have to become a security researcher and I'm reasonably sure I'd rather die
-
tempted to drive past their HQ with a megaphone "I'VE GOT YOUR MODELS, YOU AI HACKS!"
-
wait. did they seriously stuff videos into their redis database?
-
they sure did! I have a video of someone picking something up from outside a door.
-
okay found their S3 creds. they hardcoded them in a Jenkinsfile.
-
not a good sign to see a bash case statement for environment, and prod sets the server to FOOBAR.EGG
and test sets the server to... FOOBAR.EGG
-
Gabriel Pettier replied to Foone🏳️⚧️
@foone hm, are you *sure* they are bankrupt (I mean, not just technically)? if this was in production as of 2 months ago, maybe they just scaled away from this infra and sent everything to ewaste after migrating.
-
Foone🏳️⚧️ replied to Gabriel Pettier
@tshirtman yeah. they may have just moved everything to cloud-hosted and didn't need their wall of NUCs
-
anyway I'm gonna be near their HQ on thursday. Maybe I'll stop by and ask if they're still in business, and if they are, do they know where their NUCs are?
-
4censord :neocat_flag_pan: replied to Foone🏳️⚧️
@[email protected] didn't you have basically that same thing happen just a few weeks/months ago? last time with a raspi-like thing?
-
Foone🏳️⚧️ replied to 4censord :neocat_flag_pan:
@4censord yeah! with a completely different company!