Post An2jIgLUHSIfKuxlBo by foone@digipres.club
(DIR) Post #An2huvCRImnIV8pxOy by foone@digipres.club
2024-10-15T21:16:47Z
2 likes, 0 repeats
oooh, the redbox uses full AES encryption! and they always use the same key which is embedded in the executable right next to the encrypt() and decrypt() functions. well done, guys
(DIR) Post #An2iHvSMVsppxTFoCO by foone@digipres.club
2024-10-15T21:20:58Z
0 likes, 0 repeats
correction: they hardcode two separate keys in the two separate places (that I've found so far) which use AES.
(DIR) Post #An2iLsObpmPLcmNlrc by capeta@ursal.zone
2024-10-15T21:21:35Z
0 likes, 0 repeats
@foone lol
(DIR) Post #An2jIgLUHSIfKuxlBo by foone@digipres.club
2024-10-15T21:32:18Z
2 likes, 0 repeats
this code is enterprise as hell
you need the url for the base client? well you use Redbox.Rental.Services.KioskClientService.KioskClientServiceBaseUrl which is a property that'll ask the ServiceLocator to find an instance of IConfiguration to get the KioskClientServiceBaseUrl object out of it
(DIR) Post #An2jnuNY9gHrpwokBk by foone@digipres.club
2024-10-15T21:37:52Z
0 likes, 0 repeats
@cinebox it's not java! it's C#
(DIR) Post #An2k1WteG5S93uKIOe by foone@digipres.club
2024-10-15T21:40:26Z
0 likes, 0 repeats
they wrote their code as a fuckton of C# services that are always HTTP POSTing at each other
(DIR) Post #An2k42XNacKfm16iLQ by Fangh@shelter.moe
2024-10-15T21:40:31Z
0 likes, 0 repeats
@foone real question: if your code contains a function that uses AES to encrypt data, where do you put the key? because the AES function will need the key as input, so you need to have it stored in your source code somewhere? right?
(DIR) Post #An2k6DQe4CA08Dzk5g by foone@digipres.club
2024-10-15T21:40:38Z
1 likes, 0 repeats
HTTP is, as always, the poor man's IPC
(DIR) Post #An2k8gXgnHhl0NT1oO by foone@digipres.club
2024-10-15T21:41:08Z
0 likes, 0 repeats
@Fangh you shouldn't put it in the source at all! it should be stored elsewhere, and loaded at runtime. or it shouldn't be loaded at all, and is stored inside a TPM or similar
(DIR) Post #An2kKkJ0d0PW9SLrmK by gudenau@fosstodon.org
2024-10-15T21:43:54Z
0 likes, 0 repeats
@foone Considering my dad's work stuff I've heard and seen, it's still like this in enterprise code.
(DIR) Post #An2kTURwwtbpa8hexk by gabe@mendeddrum.org
2024-10-15T21:45:28Z
0 likes, 0 repeats
@foone cowards.
SMTP is the superior choice.
(DIR) Post #An2lVknfEKCYpBVFvU by mls@techhub.social
2024-10-15T21:57:05Z
0 likes, 0 repeats
@foone boutta ssh into google and find grep a search query
(DIR) Post #An2n0nGUDQV9OtLieO by DrewNaylor@mastodon.online
2024-10-15T22:13:52Z
0 likes, 0 repeats
@foone This is like leaving keys on a shelf beside the door.
(DIR) Post #An2nUOPTBt0p08fIum by piofthings@mastodon.social
2024-10-15T22:18:16Z
0 likes, 0 repeats
@petrillic @foone WSDL is just round the corner!
(DIR) Post #An2nUPGI1VGNdxNUFE by foone@digipres.club
2024-10-15T22:19:12Z
0 likes, 0 repeats
@piofthings @petrillic oh god I used to do WSDL stuff when I was doing soap for the US government all in java.
it was so fucking enterprise
(DIR) Post #An2nbu184cQn3arRfk by Fangh@shelter.moe
2024-10-15T22:20:34Z
0 likes, 0 repeats
@foone what is a TPM?
(DIR) Post #An2oVWlRiMDn9j37ZI by njsg@social.sdf.org
2024-10-15T22:30:38Z
0 likes, 0 repeats
@foone @cinebox What is the C# equivalent of AbstractSingletonProxyFactoryBean, and does that code have it?
(DIR) Post #An2p3VRR8f9stotOPA by piofthings@mastodon.social
2024-10-15T22:36:46Z
0 likes, 0 repeats
@foone @petrillic at least it wasn’t JSONx https://github.com/danharper/jsonx
(DIR) Post #An2pKrjjV18My9jCJE by foone@digipres.club
2024-10-15T22:39:55Z
1 likes, 0 repeats
they logged the first six digits and last 4 digits of every credit card transaction.
HAVE YOU EVEN HEARD OF PCI?
(DIR) Post #An2pOYmptegTM5wPRI by rk@mastodon.well.com
2024-10-15T22:40:37Z
0 likes, 0 repeats
@foone MCA was better but IBM kept it proprietary…
(DIR) Post #An2pUJnuVyfOcoBoB6 by foone@digipres.club
2024-10-15T22:41:41Z
1 likes, 0 repeats
1234 56## #### 7890
can I buy a vowel?
(DIR) Post #An2peFiYYwOsqaQEM4 by foone@digipres.club
2024-10-15T22:43:27Z
1 likes, 0 repeats
I'm trying to tar up a redbox install and upload it, but each time the tar gets past 50% we find another file with PII in it
(DIR) Post #An2ph13jWDweFme3bU by gsuberland@chaos.social
2024-10-15T22:43:51Z
0 likes, 0 repeats
@foone slip Carol twenty quid and she'll sort you out
(DIR) Post #An2prREj2ya0KwkxQO by tomw@mastodon.social
2024-10-15T22:45:49Z
0 likes, 0 repeats
@foone Is that enough to solve it, since you have the check digit?
(DIR) Post #An2pvxAUGfYoWsvWgy by foone@digipres.club
2024-10-15T22:46:33Z
0 likes, 0 repeats
@lyncia as in those former movie kiosks, yes.
(DIR) Post #An2qtiAx8eNZPEdiIi by apzpins@mstdn.games
2024-10-15T22:57:24Z
0 likes, 0 repeats
@foone Yes, you got Ä.
(DIR) Post #An2r6S9W1WdLTY2ijw by ellenor2000@mastodon.top
2024-10-15T22:59:41Z
0 likes, 0 repeats
@foone AE IOUY
(DIR) Post #An2rDXXoNJukE1mp3g by foone@digipres.club
2024-10-15T23:01:01Z
0 likes, 0 repeats
You're telling me!
(DIR) Post #An2rS3226PG5w5q9Tc by gothpanda@pandapla.net
2024-10-15T23:03:37Z
0 likes, 0 repeats
@foone to be fair, per the pci compliance rules I had to learn a while back, those are within compliance. The first six and last four of a number are fair game, as long as the rest is removed.
(DIR) Post #An2rnZq9JhzDlpY0nY by MishaVanMollusq@sfba.social
2024-10-15T23:07:32Z
0 likes, 0 repeats
@foone you got one?
(DIR) Post #An2rqBC1PY96CI1Fk8 by ocdtrekkie@mastodon.social
2024-10-15T23:07:51Z
0 likes, 0 repeats
@foone These units are not faring well around here. They're discolored, rusty, etc. but apparently they're annoyingly hard for the host stores to get rid of.
(DIR) Post #An2rvS6JyUsq5Iroky by foone@digipres.club
2024-10-15T23:08:59Z
1 likes, 0 repeats
OH HEY BAD NEWS:
when someone opens up the hard drive of a redbox unit, they can pull a file which has a complete list of titles ever rented, and the email addresses of the people who rented them, and where and when
(DIR) Post #An2s2nhy2QLl7oyo6a by avarisclari@mastodon.social
2024-10-15T23:10:17Z
0 likes, 0 repeats
@foone Ewww
(DIR) Post #An2s5n8GdSJMCxhvHc by djsundog@toot-lab.reclaim.technology
2024-10-15T23:10:38Z
0 likes, 0 repeats
@foone there's probably a german word for the combination of "big oof" and "as could be expected" but damned if I know what it is, but that, that's the vibe
(DIR) Post #An2s8bEfK8oiBC2UPg by modulusshift@digipres.club
2024-10-15T23:10:48Z
0 likes, 0 repeats
@foone huh. That feels like it should be illegal but somehow isn’t. The government *requesting* that data absolutely is…
(DIR) Post #An2sBlEQcB5S3DR4Fs by h0m54r@mastodon.social
2024-10-15T23:11:12Z
0 likes, 0 repeats
@foone Rented from that unit or from any unit? Either way that doesn’t seem good
(DIR) Post #An2sE93D1k3GVHKCJc by foone@digipres.club
2024-10-15T23:11:44Z
0 likes, 0 repeats
@h0m54r just from that unit.
(DIR) Post #An2sHfLVPYDdX9Yt6G by foone@digipres.club
2024-10-15T23:12:11Z
0 likes, 0 repeats
the unit I've got an image for has records going back to at least 2015. I was able to easily match one of them to a real name
(DIR) Post #An2sJBBqV6LSaPlV5s by Novyx@mastodon.social
2024-10-15T23:12:18Z
0 likes, 0 repeats
@foone Well that’s lovely.
(DIR) Post #An2sMKjbTGDJ3a3iHg by foone@digipres.club
2024-10-15T23:13:11Z
0 likes, 0 repeats
@rgegriff against who?
Redbox inc is gone
(DIR) Post #An2saPFfTNzP7XldKK by foone@digipres.club
2024-10-15T23:16:22Z
0 likes, 0 repeats
I have 2471 transactions here.
(DIR) Post #An2suUWjZMOjH0KLHE by n1vux@mastodon.radio
2024-10-15T23:19:50Z
0 likes, 0 repeats
@foone that you have so _few_ transactions for nearly 10 years on that one drive may explain why redbox has ceased to be, has joined the parrot eternal. (one rental per day is par for an AirBNB, but unless their costs were really really low that's very bad retail.)
(DIR) Post #An2swoon68P6mhsnPk by acp@sdf.land
2024-10-15T23:20:05Z
0 likes, 0 repeats
@foone Isn't video rental history... one of the few things we have actual privacy laws on the books for? Is the corpse of Redbox on the hook for at least 2471 VPPA violations now?
(DIR) Post #An2szV7IntqUYBovJY by n1vux@mastodon.radio
2024-10-15T23:20:48Z
0 likes, 0 repeats
@foone @rgegriff the CTO at the time this code was frozen?
(DIR) Post #An2t6lR2Wz13BiW2YS by Crazypedia@pagan.plus
2024-10-15T23:22:11Z
0 likes, 0 repeats
@foone that's as bad as grabbing data off a printer HDD :ACNH_Sighing:
(DIR) Post #An2tP5XMWz44kID87s by foone@digipres.club
2024-10-15T23:25:33Z
0 likes, 0 repeats
Somebody I'll call Dave Fakename rented The Giver and The Maze Runner in Morganton, NC on 2015-05-23 at 6:43pm
(DIR) Post #An2tVkrrmFrafTypvM by ieure@retro.social
2024-10-15T23:26:42Z
0 likes, 0 repeats
@foone The first six are the Issuer Identification Number (IIN) and are shared between thousands of customers.
They still shouldn't be logged, but, they're the least sensitive part of the number.
(DIR) Post #An2tYwrhczNekJQV9s by foone@digipres.club
2024-10-15T23:27:12Z
0 likes, 0 repeats
@Cloudscout yes
(DIR) Post #An2tcgnTJLqY4NEOm0 by foone@digipres.club
2024-10-15T23:28:00Z
0 likes, 0 repeats
@bosh all of those things would require competence that redbox inc has famously never shown
(DIR) Post #An2uF9mXzfESyA8pxA by martin_piper@mastodon.social
2024-10-15T23:34:53Z
0 likes, 0 repeats
@foone I wrote a tool that takes a binary and sequentially tries all data as decryption keys in there against another file. It doesn't take long to find a decryption key in 2GB.
(DIR) Post #An2uIfMB3XfdlVTr7I by Crazypedia@pagan.plus
2024-10-15T23:35:30Z
0 likes, 0 repeats
@foone lmao oh shit :angry_laugh:
(DIR) Post #An2uLHvubKVpzFRgJ6 by ATLeagle@mastodon.online
2024-10-15T23:35:57Z
0 likes, 0 repeats
@foone hahahahah
(DIR) Post #An2uon4fthHWy4c0OW by targetdrone@mastodon.social
2024-10-15T23:41:20Z
0 likes, 0 repeats
@foone Sounds about right. It was probably written in the late 2000s or so, during the rise of the "microservices" age, from the era when Enterprise Architects were going to save the world.
Have pity on those who lived through that particular hell.
(DIR) Post #An2v5iwUVscx4krIPo by foone@digipres.club
2024-10-15T23:44:26Z
0 likes, 0 repeats
found a THIRD set of encryption code. this one is 3des instead of AES, and YEP they still hardcode the passkeys
(DIR) Post #An2vGHVspnX7BuRnNY by foone@digipres.club
2024-10-15T23:45:50Z
0 likes, 0 repeats
@todb the company is gone. who are we suing?
(DIR) Post #An2vVkxLeGK6qnflpY by foone@digipres.club
2024-10-15T23:49:09Z
2 likes, 0 repeats
Redbox.HAL.Configuration.ConfigurationFileService implements IConfigurationFileService
STOP MAKING SERVICES AND FACTORIES AND INTERFACES AND JUST READ THE FUCKING JSON FILE YOU ENTERPRISE FUCKERS
(DIR) Post #An2vc8coYrC7zn6xns by foone@digipres.club
2024-10-15T23:50:18Z
0 likes, 0 repeats
AND HEY YOU DON'T NEED A SEPARATE C# CLASS FOR EACH XML FILE YOU LOAD
YOU CAN JUST HAVE AN XMLLOADER CLASS AND A GENERIC CONFIG FILE. PLEASE
(DIR) Post #An2vf08Ua0hiXIIGFk by foone@digipres.club
2024-10-15T23:50:37Z
0 likes, 0 repeats
@emily @aburka it kinda does that too
(DIR) Post #An2vmsm3poJg1KYkgC by foone@digipres.club
2024-10-15T23:52:15Z
0 likes, 0 repeats
this is the kind of code you get when you hire 20 new grads who technically know C# but none of them has written any software before
(DIR) Post #An2wB2PVeuMYrBWtVI by andrewt@mathstodon.xyz
2024-10-15T23:56:35Z
0 likes, 0 repeats
@foone the important thing is that they can write in a document somewhere that the database is encrypted
(DIR) Post #An2wOcOZBBuUE5Z1vs by donw@mastodon.coffee
2024-10-15T23:59:01Z
0 likes, 0 repeats
@foone Given the checksum that’s probably not a huge number of valid numbers.
(DIR) Post #An2wjDqNejviA9Om4u by ZiggyTheHamster@ruby.social
2024-10-16T00:02:47Z
0 likes, 0 repeats
@foone I saw this with people that had been doing it for 20 years but clearly not very well.
They were smart enough to use PBKDF… but the output of this was always a constant because they seeded the RNG with the same value and used a random number as the password.
I tried to explain why that’s stupid and they argued that they have no way for the server to know the correct key if they did it differently. Yes, but … this is not a hard problem to solve?
(DIR) Post #An2woSqdIaF093145o by foone@digipres.club
2024-10-16T00:03:46Z
0 likes, 0 repeats
so these people wrote a mostly C# program, with some lua for glue scripting.
and then they implemented their own language. it's some bastardized version of BASIC
(DIR) Post #An2wwKTSJff8UTvRia by A_C_McGregor@topspicy.social
2024-10-16T00:05:05Z
0 likes, 0 repeats
@foone Oh No.
(DIR) Post #An2wytTd9DHFd4EKZ6 by gsuberland@chaos.social
2024-10-16T00:05:36Z
0 likes, 0 repeats
@foone this sounds like they're using XmlSerializer to deserialise into classes?
if so, ehehehehe probably RCE if any of that stuff is something a user can touch
(DIR) Post #An2x2NYjl5hnnSHSVs by foone@digipres.club
2024-10-16T00:06:16Z
0 likes, 0 repeats
it's a compiled (to bytecode? I think?) cooperative-multitasking BASIC.
and god I wish it was the only one of those I'd ever seen
(DIR) Post #An2x8Cs2Pae0Nr5TDU by bloognoo@retro.pizza
2024-10-16T00:07:16Z
0 likes, 0 repeats
@foone and Lua was just there, holding its little arms to the sky, waiting for someone to tell the grad with Big Not Invented Here Energy to sit down and shut up
(DIR) Post #An2xApqaT7KrqYf75M by Taffer@mastodon.gamedev.place
2024-10-16T00:07:34Z
0 likes, 0 repeats
@foone it’s probably in their GitHub repo too
(DIR) Post #An2xFDpFG9sbNA7sky by foone@digipres.club
2024-10-16T00:08:36Z
0 likes, 0 repeats
okay by "compiling" they mean "parsing". The output of the compiler is a list of tokens, the input is a text file
(DIR) Post #An2xPJUf2bN9qbJHaC by foone@digipres.club
2024-10-16T00:10:25Z
0 likes, 0 repeats
example code:
POP START-DECK
POP START-SLOT
POP END-DECK
POP END-SLOT
IF END-SLOT > MAX-SLOT-PER-DECK
  SET END-SLOT MAX-SLOT-PER-DECK
ENDIF
(DIR) Post #An2xWkgIM9b4CBIaDg by foone@digipres.club
2024-10-16T00:11:46Z
0 likes, 0 repeats
@jbaggs they were not good at programming things
(DIR) Post #An2xbgv5lhFjygZilc by foone@digipres.club
2024-10-16T00:12:39Z
1 likes, 0 repeats
Foone's official list of things they never expected to implement their own multitasking programming language, yet found one anyway:
* Redbox vending machine motors
* Wheel of Fortune (2011, Wii)
(DIR) Post #An2xkOPXx8sVBDy9ZI by MishaVanMollusq@sfba.social
2024-10-16T00:14:10Z
0 likes, 0 repeats
@foone sloppy
(DIR) Post #An2xmvlysx6tEGfmpk by foone@digipres.club
2024-10-16T00:14:38Z
0 likes, 0 repeats
@Taffer thankfully this device doesn't have any github repos in it. that I've seen, at least.
this makes it a nice change from the last few things I've opened up
(DIR) Post #An2xpO1qnk7VRVGbfk by MishaVanMollusq@sfba.social
2024-10-16T00:14:46Z
0 likes, 0 repeats
@foone oh lord
(DIR) Post #An2xsEeE8VOTDUZjvM by MishaVanMollusq@sfba.social
2024-10-16T00:15:19Z
0 likes, 0 repeats
@foone infinite face palm
(DIR) Post #An2xucmVNZxEe1aRNI by engarneering@floss.social
2024-10-16T00:15:27Z
0 likes, 0 repeats
@foone that's the bank part to start, weird.
(DIR) Post #An2yKPxnes5SQ6AXTc by MishaVanMollusq@sfba.social
2024-10-16T00:20:42Z
0 likes, 0 repeats
@foone instead of fresh graduates could it be peeps from Poland? Back at the Toxicology lab we had a Serbian guy who was paying pennies on the dollar to programmers in Poland to write fixes for systems he ran out of his own pay.
And of course India
(DIR) Post #An2yTwDT73Bj3Y2NoO by foone@digipres.club
2024-10-16T00:22:26Z
0 likes, 0 repeats
Redbox.HAL.IPC.Framework.ClientSessionFactory
PLEASE, NO MORE FACTORIES
MY CHILDREN ARE STARVING
(DIR) Post #An2yt7TOOgRdCyUdqy by foone@digipres.club
2024-10-16T00:27:00Z
0 likes, 0 repeats
@MishaVanMollusq possibly it was fresh graduates from poland?
(DIR) Post #An2z0dlajFtJOMakuu by foone@digipres.club
2024-10-16T00:28:22Z
1 likes, 0 repeats
oh good they implemented both an internal C# dynamic plugin loading system, as well as the ability to craft arbitrary Invoke()s over TCP/HTTP.
So you can call any C# function from anywhere on the machine, I think?
(DIR) Post #An2zFX6llcGJ5KbCZU by jotak@framapiaf.org
2024-10-16T00:31:01Z
0 likes, 0 repeats
@foone WHAT this is a heresy against the mighty DESIGN PATTERNS cult
(DIR) Post #An2zQ2qgbwnuQG5Z1U by bamfic@autonomous.zone
2024-10-16T00:32:55Z
0 likes, 0 repeats
@foone https://github.com/EnterpriseQualityCoding/FizzBuzzEnterpriseEdition
(DIR) Post #An30JIWy0WhQzDDBw0 by gudenau@fosstodon.org
2024-10-16T00:42:54Z
0 likes, 0 repeats
@foone Honestly making a bad threading enabled compiled BASIC is on my list of "awful weekend programming projects."
(DIR) Post #An30MyHbELsfLZm8dU by gbraad@mastodon.social
2024-10-16T00:43:35Z
0 likes, 0 repeats
microservices and DDD was the rage
(DIR) Post #An30ciCMndcK5ypjyy by gudenau@fosstodon.org
2024-10-16T00:46:26Z
0 likes, 0 repeats
@foone It would be amazing if you could figure out a way to create a program that empties the machine and secure wipes the drives...
(DIR) Post #An30ez1bD7merPsdH6 by foone@digipres.club
2024-10-16T00:46:50Z
0 likes, 0 repeats
@MishaVanMollusq nope, disk image from one
(DIR) Post #An31aZwQd0TPrTvQUi by jugglingscarves@mstdn.party
2024-10-16T00:57:13Z
0 likes, 0 repeats
@foone Suddenly very glad I was never tempted to use Redbox.
(DIR) Post #An31xMs1ONWnyzjMIa by mmu_man@m.g3l.org
2024-10-16T01:01:11Z
0 likes, 0 repeats
@foone "hey let's use patterns like in school!"
(DIR) Post #An33m9QrDLux1nnuKW by MishaVanMollusq@sfba.social
2024-10-16T01:21:44Z
0 likes, 0 repeats
@foone score!
(DIR) Post #An34f9coCPdjYLcbNw by foone@digipres.club
2024-10-16T01:31:41Z
0 likes, 0 repeats
@gudenau yeah we've talked about that in the discord. We've compiled a list of places it stores PII
(DIR) Post #An377E7HIFxtV2O3oO by foone@digipres.club
2024-10-16T01:59:08Z
0 likes, 0 repeats
@perplexes I'm still writing a disassembler, it'll be documented someday
(DIR) Post #An39YXuvywiAdclg7U by ali1234@mastodon.social
2024-10-16T02:26:27Z
0 likes, 0 repeats
@foone Reminds me of the time I asked #java what their equivalent of Python's json.loads was and the entire channel couldn't even comprehend the idea of loading a JSON file without knowing the schema in advance.
(DIR) Post #An3CCwfnYk6euP51Ae by jared@mathstodon.xyz
2024-10-16T02:56:12Z
0 likes, 0 repeats
@foone AFAIRC that was their hiring strategy. I recall a conversation with the former CTO sometime around 2015. The word “microservices” was used excessively
(DIR) Post #An3DabflOGmWgGuTy4 by madopal@mastodon.social
2024-10-16T03:11:42Z
0 likes, 0 repeats
@foone AmateurNewGradsAsAService
(DIR) Post #An3E3RNqiuqnAUHQHY by StumpyTheMutt@social.linux.pizza
2024-10-16T03:16:54Z
0 likes, 0 repeats
@foone or maintained somebody else's code
(DIR) Post #An3F7jvdobyFnThRZ2 by dpnash@c.im
2024-10-16T03:28:54Z
0 likes, 0 repeats
@foone About the only way this whole shitshow could be worse would be “use AES” turns out to be “use AES in ECB mode”. Given the number of times I’ve seen developers who were “using AES” do precisely that, I wouldn’t be at all surprised to see that here as well.
(DIR) Post #An3J8d5R8fdWgPxegy by foone@digipres.club
2024-10-16T04:13:44Z
0 likes, 0 repeats
@froge I don't, but there is a dump of a drive of one in the discord. https://discord.gg/tZThmJ7X
(DIR) Post #An3JplHGYrwWXS3rNI by nelhage@mastodon.social
2024-10-16T04:21:38Z
0 likes, 0 repeats
@foone … I regret to inform you that PCI is actually just fine with that. The first 6 are the BIN/IIN (identify the issuer) and not considered sensitive, and the last4 of course are usually displayed to identify cards in cardholder UI, etc.
(DIR) Post #An3JvpYzXVXBZJFKCm by foone@digipres.club
2024-10-16T04:22:48Z
0 likes, 0 repeats
So, quick summary:
Redbox went bankrupt and the machines are getting in the hands of individuals. The disk image has been dumped. The software is being reverse engineered: they're not currently very useful, since they need to talk to a server that's gone. But progress is being made
(DIR) Post #An3KAa4TQBndrd0NAe by foone@digipres.club
2024-10-16T04:25:22Z
0 likes, 0 repeats
@pawv it's been done! they're just windows machines so they can run doom easily
(DIR) Post #An3KEkjrhYCy6iM4VU by foone@digipres.club
2024-10-16T04:26:14Z
0 likes, 0 repeats
the devices themselves are windows 7 machines talking to the disc library. It's a small group of services talking to each other, mainly over HTTP
(DIR) Post #An3KLkeYPzpprvCxU0 by foone@digipres.club
2024-10-16T04:27:30Z
0 likes, 0 repeats
it's primarily written in enterprise-as-fuck C#, with some lua scripting, and the "HS" scripting language which seems to be proprietary to redbox machines.
(DIR) Post #An3KPMSaJFMDzfKYvQ by foone@digipres.club
2024-10-16T04:28:08Z
0 likes, 0 repeats
I'm currently trying to acquire one so I can do more hands-on reverse engineering, but for now I'm focusing on the software and how it all interacts
(DIR) Post #An3KSkYXB4tXavjHM0 by foone@digipres.club
2024-10-16T04:28:46Z
0 likes, 0 repeats
and I'm told Doom has already been run on them. It's windows 7, it can run many doom sourceports.
With a little extra work you could probably play native MS-DOS Doom on them
(DIR) Post #An3KVJqmvOyHdaUbNg by rk@mastodon.well.com
2024-10-16T04:29:04Z
0 likes, 0 repeats
@foone Ohhh I do love me an embedded scripting language. Do you know if there’s any info on the HS language, or if you have time would you mind posting a sample or two?
(DIR) Post #An3Kf99HZIcdLIpTG4 by foone@digipres.club
2024-10-16T04:30:58Z
0 likes, 0 repeats
MORE FUN FACTS: it turns out the device has a database on it which lists the location of every single other redbox machine. full addresses.
(DIR) Post #An3L364Kfe1WjyvzDE by foone@digipres.club
2024-10-16T04:35:19Z
0 likes, 0 repeats
@rk there's no info, but there are some samples. I don't have access to the full ones right now, but here's a snippet from the discord:
GRIPPER STATUS
POP GRIPPER-STATUS
IF "FULL" == GRIPPER-STATUS
  LOG "The gripper is full - please fix."
  APPLOG "The gripper is obstructed - exiting."
  RESULT CODE="ItemStuckInGripper" MESSAGE="There is a disc stuck in the picker."
  EXIT "Gripper is obstructed."
ENDIF
(DIR) Post #An3L5WESMpFWSopBom by rk@mastodon.well.com
2024-10-16T04:35:42Z
0 likes, 0 repeats
@foone Beautiful, thank you!
(DIR) Post #An3LVq5LB1fBZ96xBg by hyc@mastodon.social
2024-10-16T04:40:27Z
0 likes, 0 repeats
@foone Encryption at rest is always that way though, whatever software is accessing the data always has to have the encryption key(s) available.
(DIR) Post #An3MmCyxughFASUyLg by elronxenu@mastodon.cloud
2024-10-16T04:54:38Z
0 likes, 0 repeats
@foone @rk Why the fuck would you need a domain specific language for that boring code?
(DIR) Post #An3N5kcB5ocMyl9t68 by foone@digipres.club
2024-10-16T04:58:12Z
0 likes, 0 repeats
@elronxenu @rk I have no idea!
(DIR) Post #An3QUn2TW5w9bE5dbM by Red_Shirt_no2@c.im
2024-10-16T05:36:17Z
0 likes, 0 repeats
@foone I’m just joining a C# project and SO MUCH THIS
(DIR) Post #An3RJc3U760uIpnR8y by b_rawr@furry.engineer
2024-10-16T05:45:28Z
0 likes, 0 repeats
@foone so why did that error ask you to dial a number then??
(DIR) Post #An3SHRwKqoiCJ0z74q by tim_lavoie@cosocial.ca
2024-10-16T05:56:03Z
0 likes, 0 repeats
@foone Well... that's actually permitted, you can store no more than the first six and last four digits, without having to be in scope for the rest of PCI.
As someone else mentioned, the Luhn formula lets you throw away 90% of the rest.
I did a demo some time back, to show why this, _combined_ with storing a hash of the full PAN, was a bad idea. Basically, iterate the middle digits, hash those that pass Luhn, compare until you get a hash that matches the stored one. Couple seconds on a laptop
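An added illustration of the masking and Luhn points in the post above (example code written for this page, not from the thread or from Redbox; the sample PAN 4111111111111111 is a constructed test number, not a real card): it truncates a PAN to the first6+last4 form and then counts how many full PANs are consistent with that mask once the check digit is taken into account, which is the candidate set any hash stored beside the mask would have to withstand.

```python
import itertools

# Luhn value of a digit in a "doubled" position: 2*d, with 10..18 folded back
# to 1..9. This map is a permutation of 0..9, which is why fixing the check
# digit removes exactly one decimal digit of freedom from the hidden part.
_DOUBLED = [0, 2, 4, 6, 8, 1, 3, 5, 7, 9]


def _contrib(d: int, idx_from_right: int) -> int:
    """Luhn contribution of digit d at a position counted from the right (0 = check digit)."""
    return _DOUBLED[d] if idx_from_right % 2 == 1 else d


def luhn_valid(pan: str) -> bool:
    """True if the digit string passes the Luhn check (ISO/IEC 7812-1 Annex B)."""
    if not pan.isdigit():
        return False
    total = sum(_contrib(int(c), i) for i, c in enumerate(reversed(pan)))
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Truncate a PAN to the PCI DSS 'first six, last four' display form."""
    if not pan.isdigit() or len(pan) < 13:
        raise ValueError("PAN must be a string of at least 13 digits")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def count_luhn_completions(masked: str) -> int:
    """Count full PANs that match the mask ('*' = hidden digit) and pass Luhn.

    Enumerates every assignment of the hidden digits; for a 16-digit PAN that
    is 10**6 naive candidates, of which exactly one tenth survive the check
    digit, so masking plus an unsalted hash of the full PAN protects very little.
    """
    n = len(masked)
    hidden = [p for p, c in enumerate(masked) if c == "*"]
    # The visible digits contribute the same amount to every candidate.
    fixed = sum(_contrib(int(c), n - 1 - p) for p, c in enumerate(masked) if c != "*")
    # One lookup table per hidden position, so the loop does no parity maths.
    tables = [[_contrib(d, n - 1 - p) for d in range(10)] for p in hidden]
    count = 0
    for digits in itertools.product(range(10), repeat=len(hidden)):
        total = fixed
        for table, d in zip(tables, digits):
            total += table[d]
        if total % 10 == 0:
            count += 1
    return count


if __name__ == "__main__":
    sample = "4111111111111111"  # constructed test number
    masked = mask_pan(sample)
    print(masked)                          # 411111******1111
    print(10 ** masked.count("*"))         # 1000000 candidates ignoring Luhn
    print(count_luhn_completions(masked))  # 100000 once the check digit is applied
```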
(DIR) Post #An3UsTqAwm6Qp6tAbQ by manu@freiburg.social
2024-10-16T06:25:26Z
0 likes, 0 repeats
@foone https://botsin.space/@scream/113311204063728990
(DIR) Post #An3ZI9rGGP3mC7td2m by lritter@mastodon.gamedev.place
2024-10-16T07:14:52Z
0 likes, 0 repeats
@foone the java vibe is strong
(DIR) Post #An3ZQbhobur6sZVU4O by sirmino@mastodon.uno
2024-10-16T07:16:23Z
0 likes, 0 repeats
@foone oh god I wanna make a poster out of this toot
(DIR) Post #An3ZZKAXBIgd6162nw by foone@digipres.club
2024-10-16T07:18:01Z
0 likes, 0 repeats
@sirmino go ahead!
(DIR) Post #An3docCOpNc7AxW23E by simoncozens@typo.social
2024-10-16T08:05:32Z
1 likes, 0 repeats
@foone Oh God yes. I was reading some code in a graphics project last night to try to find an algorithm, and I *couldn't find the algorithm* because 90% of the code was code about code.
STOP WRITING CODE ABOUT CODE. JUST WRITE CODE.
(DIR) Post #An3drS5OsqaigDavZo by wilbr@glitch.social
2024-10-16T08:05:32Z
0 likes, 0 repeats
@foone @rk I wonder if there's an item stuck in the gripper
(DIR) Post #An3ffyhXzk7eGf5tY0 by mart_w@chaos.social
2024-10-16T08:26:19Z
0 likes, 0 repeats
@foone That's called masking and is actually perfectly allowed by PCI-DSS. Although it being technically legal obviously still doesn't necessarily make it a good choice
(DIR) Post #An3gWhccE7Yme0vcDA by foone@digipres.club
2024-10-16T08:35:57Z
0 likes, 0 repeats
If you got here from hackernews, you can pay me here: https://ko-fi.com/fooneturing
I mean, it'd be nice if anyone else gave me money, I could really use it. But it's not required, unless you found this on hackernews.
(DIR) Post #An3jWVaTGqpLBMWZFI by eniko@peoplemaking.games
2024-10-16T09:09:15Z
0 likes, 0 repeats
@foone OK but this is objectively awesome
(DIR) Post #An3rpZ9L37kPMlQoVM by pascoe@sfba.social
2024-10-16T10:42:32Z
0 likes, 0 repeats
@foone Storing first 6 plus last four is common. https://d30000001huxdea4.my.salesforce-sites.com/faq/articles/Frequently_Asked_Question/Are-truncated-Primary-Account-Numbers-PAN-required-to-be-protected-in-accordance-with-PCI-DSS
(DIR) Post #An47ja6wA2z9sPTbeK by eppie@furries.club
2024-10-16T13:40:47Z
0 likes, 0 repeats
@foone WHY does every company just store that data so insecurely?
(DIR) Post #An4FU9i0q9JHHWyQWO by foo@fosstodon.org
2024-10-16T15:07:34Z
0 likes, 0 repeats
@foone An old random personal project of mine was recently at the top of the orange site, and my mentions were an even mix of "wow, what an honor!" and "I'm sorry for your loss."
(DIR) Post #An4GNnInKp4G0Ni0C8 by rrcook@mastodon.social
2024-10-16T15:17:34Z
0 likes, 0 repeats
@foone Please write about the wheel of fortune language, and why you think they did it.
(DIR) Post #An4HIn80ecHVyJqI1g by rrcook@mastodon.social
2024-10-16T15:28:00Z
0 likes, 0 repeats
@foone @elronxenu @rk And why they needed a new one when they already had Lua in their stack.
(DIR) Post #An4N09WHmJ3Bdnh1SS by yesterzine@topspicy.social
2024-10-16T16:31:46Z
0 likes, 0 repeats
@foone The big surprise there is apparently 250 rentals a year is a viable machine.
(DIR) Post #An4QYsMtq1viRdYGHY by rbanffy@mastodon.social
2024-10-16T17:11:41Z
0 likes, 0 repeats
@foone The Giver and The Maze Runner? I feel sorry for them already.
(DIR) Post #An4R68WmmL2g7Q2Gy8 by ajroach42@retro.social
2024-10-16T17:17:44Z
0 likes, 0 repeats
@foone Jesus.
(DIR) Post #An4XVFNt1UI6LeEJqi by gyro@chitter.xyz
2024-10-16T18:29:27Z
0 likes, 0 repeats
@foone evil. evil evil evil
(DIR) Post #An4Y55jgNC00qhW6JU by Boorango@floofy.tech
2024-10-16T18:35:58Z
0 likes, 0 repeats
@foone@digipres.club what ze hell
(DIR) Post #An4hxAEclEms1lqe2q by jspath55@chaos.social
2024-10-16T20:26:30Z
0 likes, 0 repeats
@foone @rk "Win one for the Gripper."--Knute Rockne, tangentially https://archives.nd.edu/research/texts/rocknespeech.htm
(DIR) Post #An4k4KQVT0BTZVwxZQ by foone@digipres.club
2024-10-16T20:50:13Z
0 likes, 0 repeats
@wyatt8740 it wouldn't have stopped anything: the machine has to boot without a human there to enter a password, so it has to get it from somewhere in the machine. The person I got the image from has the whole machine, not just the disk.
(DIR) Post #An4k9CKazatnudVVHk by foone@digipres.club
2024-10-16T20:51:14Z
0 likes, 0 repeats
@kasperd good lord!
(DIR) Post #An4tciVNLhDJgQhSHg by foone@digipres.club
2024-10-16T22:37:20Z
0 likes, 0 repeats
@wyatt8740 no, it's not. I'm just saying that the way we got the data, encrypting it would solve nothing.
(DIR) Post #An5B5IjdwE9jNVab7A by SoLSec@mastodon.social
2024-10-17T01:52:53Z
0 likes, 0 repeats
@foone That fossil got Dox yo!
(DIR) Post #An6NQyyjSzaJ5CiCcS by puppygirlhornypost2@transfem.social
2024-10-15T21:50:03.936Z
0 likes, 0 repeats
@foone@digipres.club would you take them using a shared memory map https://learn.microsoft.com/en-us/windows/win32/memory/creating-named-shared-memory :puniko_giggle:
(DIR) Post #An6NR08h9R9EgONfmq by puppygirlhornypost2@transfem.social
2024-10-15T21:50:33.452Z
1 likes, 0 repeats
@foone@digipres.club is it really enterprise C# if you’re not marshaling everything
(DIR) Post #An6ZGojHutLVqlPJFg by foone@digipres.club
2024-10-17T17:58:38Z
0 likes, 0 repeats
@highvizghilliesuit you have a point
(DIR) Post #An6tPSaVbdYWruhQbQ by foone@digipres.club
2024-10-17T21:44:17Z
0 likes, 0 repeats
@SiteRelEnby it clearly does, and they'd be fined millions per unit (billions across the active units out there, assuming they all have this much data) if there was anyone still left to fine
(DIR) Post #An73iKXujF36yG7enw by foone@digipres.club
2024-10-17T23:39:47Z
0 likes, 0 repeats
@the5thColumnist that article links back to this thread!
(DIR) Post #An85qUY1ouCPNG9goa by mighty_orbot@retro.pizza
2024-10-18T11:38:22Z
0 likes, 0 repeats
@foone New grads? Probably offshore contractors, they produce the same kind of code in my experience.
(DIR) Post #An8YzH4WBqVmr8tNjM by erincandescent@akko.erincandescent.net
2024-10-16T05:03:55.445364Z
1 likes, 0 repeats
@foone PCI actually permits this. There's approx no entropy in the first 6 digits; they just identify your bank. There's a US federal law against this IIRC, but for those of us who work in card payments in Europe first6 + last4 is what we see all the time
(DIR) Post #An8Z24CeUaoNoT1ovY by erincandescent@akko.erincandescent.net
2024-10-16T06:44:27.487097Z
1 likes, 0 repeats
@grawity now anyone who is showing something other than first6 + last4 is grossly violating PCI-DSS and needs to be shot.
(DIR) Post #An8Z265zSKffgNvWoy by erincandescent@akko.erincandescent.net
2024-10-16T08:28:28.734855Z
0 likes, 0 repeats
@grawity …apparently “first 6, any 4” is permitted but only with justification. See this article
(DIR) Post #AnBrGRxLMCEYBXkup6 by jdrch@mastodon.social
2024-10-20T07:13:55Z
0 likes, 0 repeats
@foone Appreciate your research, but I'm not worried about someone discovering my disc rentals (#redbox never rented adult content) or my address (available on county parcel lookup website)
(DIR) Post #AnDtar4aGtOa6Ev62K by foone@digipres.club
2024-10-21T06:49:24Z
0 likes, 0 repeats
@montar @gabe I made a game that did that once.
You moved around a maze and threw fireballs at the other users, but it was actually handled by connecting to an IRC server and having the game yelling I MOVED TO (25,46)! at each other