|
craisins posted:best part about it is always shifting the blame to whoever made it that's literally my job right now because the "10x engineer" quit and left me with a monstrosity
|
# ? Jan 29, 2016 00:07 |
|
|
667 neighbor of the beast
|
# ? Jan 29, 2016 00:07 |
|
Power Ambient posted:that's literally my job right now because the "10x engineer" quit and left me with a monstrosity
|
# ? Jan 29, 2016 00:42 |
|
computer toucher posted:lol probably not: this would be more efficient if you reverse-sorted a first, so that you could assume the best s was always the first element of a
|
# ? Jan 29, 2016 00:46 |
|
I'm working on an IoThing that comes up as a wifi AP on first boot. The user connects to the AP, then uses our app to send the SSID and password of their home network to the IoThing (as the IoThing doesn't have a display or keyboard of its own). The IoThing scans in-range wifi networks and presents a user with a list of SSIDs, to improve the ~user experience~. This whole thing is done using a small webserver running on the IoThing and HTTP GETs, PUT, etc. If you know the URL, you can connect to the AP and get JSON back with a list of nearby SSIDs. It turns out if there's an SSID named "*", you'll get the following in your JSON: code:
|
# ? Jan 29, 2016 00:49 |
meatpotato posted:I'm working on an IoThing that comes up as a wifi AP on first boot. The user connects to the AP, then uses our app to send the SSID and password of their home network to the IoThing (as the IoThing doesn't have a display or keyboard of its own). NICE!
|
|
# ? Jan 29, 2016 01:42 |
|
craisins posted:"sorry there's no good js framework"
|
# ? Jan 29, 2016 02:13 |
|
meatpotato posted:I'm working on an IoThing that comes up as a wifi AP on first boot. The user connects to the AP, then uses our app to send the SSID and password of their home network to the IoThing (as the IoThing doesn't have a display or keyboard of its own). what the literal gently caress what does an ssid like '"; rm -rf * #' do?
|
# ? Jan 29, 2016 02:44 |
|
meatpotato posted:I'm working on an IoThing that comes up as a wifi AP on first boot. The user connects to the AP, then uses our app to send the SSID and password of their home network to the IoThing (as the IoThing doesn't have a display or keyboard of its own). screenshot and send to @internetofshit pls
|
# ? Jan 29, 2016 02:49 |
|
Soricidus posted:what the literal gently caress probably happens pretty easily given that the tools are written in bash
|
# ? Jan 29, 2016 02:50 |
|
A recently-departed (quit, not dead) coworker wrote most of the IoThing code and I'm attempting to clean up some of the mess. Our IoThing hasn't shipped yet (and this will be fixed when it does), so I don't think it counts for InternetOfShit, as much as I wish it would. I'm sure I'll see our stuff there eventually because the product is ridiculous. We paid ten grand for a security audit and they didn't find this, so I'm sure there will be lots of other, better bugs uncovered soon. For those interested, the hole comes from using the shell builtin "read" to go line-by-line through the wifi site survey, I guess read globs the *. I don't think there's a remote-execution by a carefully-crafted SSID vulnerability but since I'm an idiot at shell-scripting I don't know for sure. I tried making an SSID named $(echo "owned" > /tmp/owned) but it did nothing. I'm fixing the problem with a C++ program that uses ioctl to get the nearby APs and output JSON directly instead of this shell script string manipulation garbage. Hunter2 Thompson fucked around with this message at 03:34 on Jan 29, 2016 |
# ? Jan 29, 2016 03:10 |
|
yeah i can totally see making some lovely bash scripts like that to get the project up and running when its in early development.
|
# ? Jan 29, 2016 03:21 |
|
meatpotato posted:A recently-departed (quit, not dead) coworker wrote most of the IoThing code and I'm attempting to clean up some of the mess. security audits are the most useless poo poo
|
# ? Jan 29, 2016 04:31 |
|
Shaggar posted:security audits are the most useless poo poo It's now my impression security audits like this exist only for CYA reasons, not to actually find or fix issues. One "critical" issue the audit uncovered was that you could get a root console on the device, if you had physical access, opened the case and soldered a serial cable to the right test pads. Give me a break. From all the crazy poo poo I read on the internet I've learned that if somebody really wants to reverse-engineer your lovely IoT product, a password on the serial console isn't going to stop them. They're going to unsolder your flash memory and dump it over SPI...
|
# ? Jan 29, 2016 05:16 |
|
Shaggar posted:security audits are the most useless poo poo security audits are a great way to convert an unforgivable process failure (no security audits) into an understandable human error (no one saw that vulnerability). the absence of an audit is far harder to explain away than its failure to find anything.
|
# ? Jan 29, 2016 06:01 |
|
i forgot IoT was still a thing that's so 2013-14
|
# ? Jan 29, 2016 08:01 |
|
meatpotato posted:They're going to unsolder your flash memory and dump it over SPI... And... and you didn't use an address-based hash to obscure the contents from such an attack.. *clucks and marks clipboard*
|
# ? Jan 29, 2016 08:50 |
|
meatpotato posted:I'm working on an IoThing that comes up as a wifi AP on first boot. The user connects to the AP, then uses our app to send the SSID and password of their home network to the IoThing (as the IoThing doesn't have a display or keyboard of its own). by catching this before deploy you are in the top 10%
|
# ? Jan 29, 2016 14:29 |
|
MeruFM posted:i forgot IoT was still a thing i was at an iot talk earlier this week and the speaker was excited about the possibility of his microwave tweeting at him when it was done cooking
|
# ? Jan 29, 2016 14:59 |
|
i want my drat dishwasher to tweet at me when it gets yet another d14 error and i have to restart the cycle until it works
|
# ? Jan 29, 2016 15:03 |
|
Maluco Marinero posted:security audits are a great way to convert an unforgivable process failure (no security audits) into an understandable human error (no one saw that vulnerability). my favorite security audit thing is explaining to them for the 100th time why they can't use the version numbers their network scanner found to determine centos patch levels
|
# ? Jan 29, 2016 15:29 |
|
ive updated my BLE stack. the old version smuggled functions around by hiding them behind #define's with \'s at endline to club a few of them together. that obfuscation wasn't good enough for the vendor, so now they're handling those callback inits with a 20 entry array passed in with mostly NULLs and I can't find the index definitions anywhere
|
# ? Jan 29, 2016 20:44 |
|
JawnV6 posted:ive updated my BLE stack Please name this vendor so I can avoid them tia
|
# ? Jan 29, 2016 21:20 |
|
meatpotato posted:I'm fixing the problem with a C++ program that uses ioctl to get the nearby APs and output JSON directly instead of this shell script string manipulation garbage. No I'm not. The ioctl returns the same column-formatted data that 'iwpriv iface scan' (or w/e) returns. Why try? I looked into the wifi driver source code, dug around until I found a 900-line struct and noped the gently caress out. Edit: I'm so amazed that operating systems don't crash more often due to terrible drivers. Does the kernel protect against drivers doing stupid poo poo? Hunter2 Thompson fucked around with this message at 21:41 on Jan 29, 2016 |
# ? Jan 29, 2016 21:27 |
|
Another great bug: Sometimes the system would get into a state where HTTP GETs to our CGI handler would instead return the handler executable (!!!) rather than executing the handler and replying with its output.
|
# ? Jan 29, 2016 22:16 |
|
meatpotato posted:No I'm not. you could at least parse the column-formatted data in a language that doesn't helpfully treat strings as filesystem globs?
|
# ? Jan 29, 2016 22:37 |
|
meatpotato posted:Please name this vendor so I can avoid them tia who out there is super happy with their BLE folks? nordic seems like a moving target, TI's great if you're big enough to get support, broadcom/csr/etc won't talk to you until you're in the millions. vendor's been great for everything else, but this one part smells like a recent acquisition. and i should've been dealing with this stuff a while ago, but I kept the tools frozen until the last release
|
# ? Jan 29, 2016 22:56 |
|
Soricidus posted:you could at least parse the column-formatted data in a language that doesn't helpfully treat strings as filesystem globs? Available tools: awk, sed, etc., C++ std lib. Which do I use? I'm proficient at none, gonna learn something though. Side note: Sorry people with leading or trailing spaces in your SSID, I guess we can't connect to you.
|
# ? Jan 29, 2016 22:57 |
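The glob hole meatpotato describes (an SSID of "*" turning into a directory listing) and the follow-up question of how to parse the column-formatted survey without the shell treating strings as globs, as an added example that is not code from the thread or from the poster's product: constructed survey lines, the unquoted expansion that triggers pathname expansion, the quoted form that does not, and a parser that emits the SSIDs as JSON. The survey layout (SSID, then channel and signal as the last two columns) is an assumption.

```shell
#!/bin/sh
# Constructed site-survey output in the column style the thread describes
# (assumed layout: SSID, channel, signal). The second line is the "*" case.
SURVEY='HomeNet        11   -52
*              6    -70
  Padded SSID  1    -80'

# Defective pattern: $ssid is expanded unquoted, so the shell performs
# pathname expansion on its value. "read" itself does not glob; the unquoted
# expansion afterwards does. (set -f would also switch globbing off.)
ssid_unquoted() {
    ssid=$1
    echo $ssid                      # "*" becomes the files in $PWD
}

# Fixed pattern: the expansion is double-quoted, so the value passes through.
ssid_quoted() {
    printf '%s' "$1"
}

# Run the defective function in a scratch directory holding two files so the
# difference is visible: it prints "a.txt b.txt" instead of "*".
glob_demo() {
    dir=$(mktemp -d)
    : > "$dir/a.txt"; : > "$dir/b.txt"
    ( cd "$dir" && ssid_unquoted '*' )
    rm "$dir/a.txt" "$dir/b.txt"; rmdir "$dir"
}

# Minimal JSON string escaping for backslash and double quote.
json_escape() {
    printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'
}

# Parse the survey into a JSON array of SSIDs. IFS= with read -r keeps leading
# spaces and backslashes; the SSID is whatever precedes the last two numeric
# columns. Trailing spaces in an SSID are ambiguous in column output and are
# lost, which is the limitation the thread mentions.
survey_to_json() {
    first=1
    printf '['
    printf '%s\n' "$SURVEY" | while IFS= read -r line; do
        ssid=$(printf '%s' "$line" |
            sed 's/[[:space:]][[:space:]]*[0-9][0-9]*[[:space:]][[:space:]]*-[0-9][0-9]*$//')
        [ "$first" -eq 1 ] || printf ','
        first=0
        printf '"%s"' "$(json_escape "$ssid")"
    done
    printf ']'
}
```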
|
meatpotato posted:Side note: Sorry people with leading or trailing spaces in your SSID, I guess we can't connect to you. wait until you have to deploy where this formatting is enforced by corp IT
|
# ? Jan 29, 2016 22:59 |
|
JawnV6 posted:who out there is super happy with their BLE folks? nordic seems like a moving target, TI's great if you're big enough to get support, broadcom/csr/etc won't talk to you until you're in the millions I was very happy with Nordic's nRF51822 when I did a project based on it. The SoftDevice was really easy to use and fit most of our non-exotic needs. We used CrossWorks' toolchain/IDE but if I had to go back I'd probably just make a GCC and CMake toolchain myself.
|
# ? Jan 29, 2016 23:00 |
|
fritz posted:i was at an iot talk earlier this week and the speaker was excited about the possibility of his microwave tweeting at him when it was done cooking like literally tweeting or just notifications because i would follow Bob's Microwave to see when his stuff finishes
|
# ? Jan 29, 2016 23:17 |
|
what possible use-case is there for a tweeting microwave other than "has a vested interest in selling IoT hardware, software, or support"
|
# ? Jan 29, 2016 23:30 |
|
Barnyard Protein posted:what possible use-case is there for a tweeting microwave other than "has a vested interest in selling IoT hardware, software, or support" deaf people who can't look up from their phones?
|
# ? Jan 29, 2016 23:33 |
|
Barnyard Protein posted:what possible use-case is there for a tweeting microwave other than "has a vested interest in selling IoT hardware, software, or support" people that have a vested interest in their hot pockets being hot
|
# ? Jan 29, 2016 23:34 |
|
what would you microwave that would be tedious enough, or possible to get far away from, in its cooking time to require that "Gotta live an optimized life, better refresh Twitter/LinkedIn/Facebook in these five minutes, but not in the food work zone, that's unoptimal"
|
# ? Jan 29, 2016 23:34 |
|
I'd really like it if these hot pockets were ready when i walked in the door rather than wait 4 minutes, let me schedule this over the internet
|
# ? Jan 29, 2016 23:34 |
|
yawn. wake me up when my microwave is paying the freezer in bitcoins for permission to cook its food.
|
# ? Jan 29, 2016 23:38 |
|
Ludwig van Halen posted:deaf people who can't look up from their phones? oh thats actually a good one
|
# ? Jan 29, 2016 23:41 |
|
Barnyard Protein posted:what possible use-case is there for a tweeting microwave other than "has a vested interest in selling IoT hardware, software, or support" yeah, make absolutely every call blocking and never take advantage of an ISR to determine when something's interesting
|
# ? Jan 30, 2016 01:06 |
|
|
out of the 6 wordpress sites this company made, 3 have been hacked. out of the 3 that haven't been hacked, 2 aren't in production yet. jfc
|
# ? Jan 30, 2016 16:56 |