Conversation

Notices

1. Foone🏳️‍⚧️ (foone@digipres.club)'s status on Wednesday, 16-Oct-2024 06:17:03 JST Foone🏳️‍⚧️

   oooh, the redbox uses full AES encryption!

   and they always use the same key which is embedded in the executable right next to the encrypt() and decrypt() functions. well done, guys

   • Foone🏳️‍⚧️ (foone@digipres.club)'s status on Wednesday, 16-Oct-2024 06:21:13 JST Foone🏳️‍⚧️

     in reply to

     correction: they hardcode two separate keys in the two separate places (that I've found so far) which use AES.

     Kuba Orlik repeated this.
   • Foone🏳️‍⚧️ (foone@digipres.club)'s status on Wednesday, 16-Oct-2024 06:32:32 JST Foone🏳️‍⚧️

     in reply to

     this code is enterprise as hell

     you need the url for the base client? well you use Redbox.Rental.Services.KioskClientService.KioskClientServiceBaseUrl which is a property that'll ask the ServiceLocator to find an instance of IConfiguration to get the KioskClientServiceBaseUrl object out of it

   • Foone🏳️‍⚧️ (foone@digipres.club)'s status on Wednesday, 16-Oct-2024 06:40:41 JST Foone🏳️‍⚧️

     in reply to

     they wrote their code as a fuckton of C# services that are always HTTP POSTing at each other

   • Foone🏳️‍⚧️ (foone@digipres.club)'s status on Wednesday, 16-Oct-2024 06:41:33 JST Foone🏳️‍⚧️

     in reply to

     HTTP is, as always, the poor man's IPC

   • Foone🏳️‍⚧️ (foone@digipres.club)'s status on Wednesday, 16-Oct-2024 06:41:59 JST Foone🏳️‍⚧️

     in reply to

     • Fangh

     @Fangh you shouldn't put it in the source at all! it should be stored elsewhere, and loaded at runtime. or it shouldn't be loaded at all, and is stored inside a TPM or similar

   • Fangh (fangh@shelter.moe)'s status on Wednesday, 16-Oct-2024 06:42:00 JST Fangh

     in reply to

     @foone real question : if your code contain a function that use AES to encrypt data, where do you put the key ? because the AES function will need the key as input, so you need to have it stored in your source code somewhere ? right ?

   • Foone🏳️‍⚧️ (foone@digipres.club)'s status on Wednesday, 16-Oct-2024 07:40:11 JST Foone🏳️‍⚧️

     in reply to

     they logged the first six digits and last 4 digits of every credit card transaction.

     HAVE YOU EVEN HEARD OF PCI?

   • Foone🏳️‍⚧️ (foone@digipres.club)'s status on Wednesday, 16-Oct-2024 07:41:55 JST Foone🏳️‍⚧️

     in reply to

     1234 56## #### 7890

     can I buy a vowel?

   • Foone🏳️‍⚧️ (foone@digipres.club)'s status on Wednesday, 16-Oct-2024 07:43:41 JST Foone🏳️‍⚧️

     in reply to

     I'm trying to tar up a redbox install and upload it, but each time the tar gets past 50% we find another file with PII in it

   • Foone🏳️‍⚧️ (foone@digipres.club)'s status on Wednesday, 16-Oct-2024 08:01:17 JST Foone🏳️‍⚧️

     in reply to

     You're telling me!

   • Foone🏳️‍⚧️ (foone@digipres.club)'s status on Wednesday, 16-Oct-2024 08:09:13 JST Foone🏳️‍⚧️

     in reply to

     OH HEY BAD NEWS:

     when someone opens up the hard drive of a redbox unit, they can pull a file which has a complete list of titles ever rented, and the email addresses of the people who rented them, and where and when

   • ~ (modulusshift@digipres.club)'s status on Wednesday, 16-Oct-2024 08:11:34 JST ~

     in reply to

     @foone huh. That feels like it should be illegal but somehow isn’t. The government *requesting* that data absolutely is…

   • Foone🏳️‍⚧️ (foone@digipres.club)'s status on Wednesday, 16-Oct-2024 08:12:36 JST Foone🏳️‍⚧️

     in reply to

     • Tachibana Kanade

     @h0m54r just from that unit.

   • Tachibana Kanade (h0m54r@mastodon.social)'s status on Wednesday, 16-Oct-2024 08:12:37 JST Tachibana Kanade

     in reply to

     @foone Rented from that unit or from any unit? Either way that doesn’t seem good

   • Foone🏳️‍⚧️ (foone@digipres.club)'s status on Wednesday, 16-Oct-2024 08:13:06 JST Foone🏳️‍⚧️

     in reply to

     the unit I've got an image for has records going back to at least 2015.

     I was able to easily match one of them to a real name

   • Foone🏳️‍⚧️ (foone@digipres.club)'s status on Wednesday, 16-Oct-2024 08:16:37 JST Foone🏳️‍⚧️

     in reply to

     I have 2471 transactions here.

   • Foone🏳️‍⚧️ (foone@digipres.club)'s status on Wednesday, 16-Oct-2024 08:25:47 JST Foone🏳️‍⚧️

     in reply to

     Somebody I'll call Dave Fakename rented The Giver and The Maze Runner in Morganton, NC on 2015-05-23 at 6:43pm

   • Foone🏳️‍⚧️ (foone@digipres.club)'s status on Wednesday, 16-Oct-2024 08:44:41 JST Foone🏳️‍⚧️

     in reply to

     found a THIRD set of encryption code.
     this one is 3des instead of AES, and YEP they still hardcode the passkeys

     Kuba Orlik repeated this.
   • Foone🏳️‍⚧️ (foone@digipres.club)'s status on Wednesday, 16-Oct-2024 08:49:24 JST Foone🏳️‍⚧️

     in reply to

     Redbox.HAL.Configuration
     .ConfigurationFileService implements IConfigurationFileService

     STOP MAKING SERVICES AND FACTORIES AND INTERFACES AND JUST READ THE FUCKING JSON FILE YOU ENTERPRISE FUCKERS

     Kuba Orlik repeated this.
   • Foone🏳️‍⚧️ (foone@digipres.club)'s status on Wednesday, 16-Oct-2024 08:50:32 JST Foone🏳️‍⚧️

     in reply to

     AND HEY YOU DON'T NEED A SEPARATE C# CLASS FOR EACH XML FILE YOU LOAD

     YOU CAN JUST HAVE AN XMLLOADER CLASS AND A GENERIC CONFIG FILE. PLEASE

   • Foone🏳️‍⚧️ (foone@digipres.club)'s status on Wednesday, 16-Oct-2024 08:52:29 JST Foone🏳️‍⚧️

     in reply to

     this is the kind of code you get when you hire 20 new grads who technically know C# but none of them has written any software before

   • Foone🏳️‍⚧️ (foone@digipres.club)'s status on Wednesday, 16-Oct-2024 09:03:58 JST Foone🏳️‍⚧️

     in reply to

     so these people wrote a mostly C# program, with some lua for glue scripting.

     and then they implemented their own language. it's some bastardized version of BASIC

   • Foone🏳️‍⚧️ (foone@digipres.club)'s status on Wednesday, 16-Oct-2024 09:06:29 JST Foone🏳️‍⚧️

     in reply to

     it's a compiled (to bytecode? I think?) cooperative-multitasking BASIC.

     and god I wish it was the only one of those I'd ever seen

   • Foone🏳️‍⚧️ (foone@digipres.club)'s status on Wednesday, 16-Oct-2024 09:08:49 JST Foone🏳️‍⚧️

     in reply to

     okay by "compiling" they mean "parsing". The output of the compiler is a list of tokens, the input is a text file

   • Foone🏳️‍⚧️ (foone@digipres.club)'s status on Wednesday, 16-Oct-2024 09:10:39 JST Foone🏳️‍⚧️

     in reply to

     example code:

     POP START-DECK
     POP START-SLOT
     POP END-DECK
     POP END-SLOT
     
     IF END-SLOT > MAX-SLOT-PER-DECK
     SET END-SLOT MAX-SLOT-PER-DECK
     ENDIF

     Kuba Orlik repeated this.
   • Foone🏳️‍⚧️ (foone@digipres.club)'s status on Wednesday, 16-Oct-2024 09:12:51 JST Foone🏳️‍⚧️

     in reply to

     Foone's official list of things they never expected to implement their own multitasking programming language, yet found one anyway:

     * Redbox vending machine motors
     * Wheel of Fortune (2011, Wii)

   • Foone🏳️‍⚧️ (foone@digipres.club)'s status on Wednesday, 16-Oct-2024 09:14:55 JST Foone🏳️‍⚧️

     in reply to

     • Taffer :godot: 🇨🇦

     @Taffer thankfully this device doesn't have any github repos in it. that I've seen, at least.

     this makes it a nice change from the last few things I've opened up

   • Taffer :godot: 🇨🇦 (taffer@mastodon.gamedev.place)'s status on Wednesday, 16-Oct-2024 09:14:56 JST Taffer :godot: 🇨🇦

     in reply to

     @foone it’s probably in their GitHub repo too

   • Foone🏳️‍⚧️ (foone@digipres.club)'s status on Wednesday, 16-Oct-2024 09:22:41 JST Foone🏳️‍⚧️

     in reply to

     Redbox.HAL.IPC.Framework.ClientSessionFactory

     PLEASE, NO MORE FACTORIES

     MY CHILDREN ARE STARVING

   • Medea Vanamonde🏳️‍⚧️ ♀ (mishavanmollusq@sfba.social)'s status on Wednesday, 16-Oct-2024 09:27:14 JST Medea Vanamonde🏳️‍⚧️ ♀

     in reply to

     @foone instead of fresh graduates could it be peeps from Poland ? Back at the Toxicology lab we had Serbian guy who was paying pennies on the dollar to Programmers in Poland to write fixes for systems he ran out of his own pay.

     And of course India

   • Foone🏳️‍⚧️ (foone@digipres.club)'s status on Wednesday, 16-Oct-2024 09:27:14 JST Foone🏳️‍⚧️

     in reply to

     • Medea Vanamonde🏳️‍⚧️ ♀

     @MishaVanMollusq possibly it was fresh graduates from poland?

   • Foone🏳️‍⚧️ (foone@digipres.club)'s status on Wednesday, 16-Oct-2024 09:28:36 JST Foone🏳️‍⚧️

     in reply to

     oh good they implemented both an internal C# dynamic plugin loading system, as well as the ability to craft arbitrary Invoke()s over TCP/HTTP.

     So you can call any C# function from anywhere on the machine, I think?

   • Medea Vanamonde🏳️‍⚧️ ♀ (mishavanmollusq@sfba.social)'s status on Wednesday, 16-Oct-2024 09:47:06 JST Medea Vanamonde🏳️‍⚧️ ♀

     in reply to

     @foone you got one?

   • Foone🏳️‍⚧️ (foone@digipres.club)'s status on Wednesday, 16-Oct-2024 09:47:06 JST Foone🏳️‍⚧️

     in reply to

     • Medea Vanamonde🏳️‍⚧️ ♀

     @MishaVanMollusq nope, disk image from one

   • Foone🏳️‍⚧️ (foone@digipres.club)'s status on Wednesday, 16-Oct-2024 10:31:54 JST Foone🏳️‍⚧️

     in reply to

     • gudenau

     @gudenau yeah we've talked about that in the discord. We've compiled a list of places it stores PII

   • gudenau (gudenau@fosstodon.org)'s status on Wednesday, 16-Oct-2024 10:31:55 JST gudenau

     in reply to

     @foone It would be amazing if you could figure out a way to create a program that empties the machine and secure wipes the drives...

   • Foone🏳️‍⚧️ (foone@digipres.club)'s status on Wednesday, 16-Oct-2024 13:23:02 JST Foone🏳️‍⚧️

     in reply to

     So, quick summary:
     Redbox went bankrupt and the machines are getting in the hands of individuals. The disk image has been dumped. The software is being reverse engineered: they're not currently very useful, since they need to talk to a server that's gone.

     But progress is being made

   • Foone🏳️‍⚧️ (foone@digipres.club)'s status on Wednesday, 16-Oct-2024 13:26:27 JST Foone🏳️‍⚧️

     in reply to

     the devices themselves are windows 7 machines talking to the disc library. It's a small group of services talking to each other, mainly over HTTP

   • Foone🏳️‍⚧️ (foone@digipres.club)'s status on Wednesday, 16-Oct-2024 13:27:43 JST Foone🏳️‍⚧️

     in reply to

     it's primarily written in enterprise-as-fuck C#, with some lua scripting, and the "HS" scripting language which seems to be proprietary to redbox machines.

   • Foone🏳️‍⚧️ (foone@digipres.club)'s status on Wednesday, 16-Oct-2024 13:28:22 JST Foone🏳️‍⚧️

     in reply to

     I'm currently trying to acquire one so I can do more hands-on reverse engineering, but for now I'm focusing on the software and how it all interacts

   • Foone🏳️‍⚧️ (foone@digipres.club)'s status on Wednesday, 16-Oct-2024 13:28:59 JST Foone🏳️‍⚧️

     in reply to

     and I'm told Doom has already been run on them. It's windows 7, it can run many doom sourceports.

     With a little extra work you could probably play native MS-DOS Doom on them

   • Foone🏳️‍⚧️ (foone@digipres.club)'s status on Wednesday, 16-Oct-2024 13:31:13 JST Foone🏳️‍⚧️

     in reply to

     MORE FUN FACTS:

     it turns out the device has a database on it which lists the location of every single other redbox machine. full addresses.

   • Foone🏳️‍⚧️ (foone@digipres.club)'s status on Wednesday, 16-Oct-2024 13:35:32 JST Foone🏳️‍⚧️

     in reply to

     • rk: not a typewriter

     @rk there's no info, but there are some samples. I don't have access to the full ones right now, but here's a snippet from the discord:

     GRIPPER STATUS
     POP GRIPPER-STATUS
     IF "FULL" == GRIPPER-STATUS
     LOG "The gripper is full - please fix."
     APPLOG "The gripper is obstructed - exiting."
     RESULT CODE="ItemStuckInGripper" MESSAGE="There is a disc stuck in the picker."
     EXIT "Gripper is obstructed."
     ENDIF

   • rk: not a typewriter (rk@mastodon.well.com)'s status on Wednesday, 16-Oct-2024 13:35:33 JST rk: not a typewriter

     in reply to

     @foone

     Ohhh I do love me an embedded scripting language. Do you know if there’s any info on the HS language, or if you have time would you mind posting a sample or two?

   • Foone🏳️‍⚧️ (foone@digipres.club)'s status on Wednesday, 16-Oct-2024 16:18:15 JST Foone🏳️‍⚧️

     in reply to

     • SirMino

     @sirmino go ahead!

   • SirMino (sirmino@mastodon.uno)'s status on Wednesday, 16-Oct-2024 16:18:16 JST SirMino

     in reply to

     @foone oh god I wanna make a poster out of this toot

   • Foone🏳️‍⚧️ (foone@digipres.club)'s status on Wednesday, 16-Oct-2024 17:36:11 JST Foone🏳️‍⚧️

     in reply to

     If you got here from hackernews, you can pay me here:

     https://ko-fi.com/fooneturing

     I mean, it'd be nice if anyone else gave me money, I could really use it. But it's not required, unless you found this on hackernews.