One Retina-X feature didn't make it into Family Orbit, as far as I can tell: the ability to hide itself on monitored devices.

This is less bad. It's explicitly designed for parents, which makes it a bit less likely to empower abusers.

It's still an awful idea to spy on your kids. If you trust RSPL to do it for you, that's a threat itself.

Screenshots from the Rackspace file containers show that RSPL focused on Family Orbit after Retina-X shut down their services. Here's Zeeshan working on it in April.

Family Orbit now has almost all the features that Retina-X's creepy services offered. And they're just as insecure.

Retina-X Studios co-founder Zeeshan Alam ran Retina Software Private Limited, their India office that built all RXS apps and Family Orbit too.

I don't know who owns AppOBit LLC, Family Orbit's publisher in the US. They claim to be separate from Retina-X Studios and their app wasn't as creepy, so I left it alone at the time.

While digging through the Retina-X breach data, I saw their developers were also building an app called Family Orbit, but not under the Retina name.

Here's an example from the second Retina-X breach. PhoneSheriff uploaded this photo, taken while someone was testing Family Orbit's photo upload function in 2015. The IDE shows they also worked on Teenshield.

I hacked a spyware company again.

Here's why: After Retina-X Studios shut down their operations, I said this: "maybe they'll just resurface under another name, in which case I'll be watching."

Family Orbit has a lot in common with the Retina-X products I breached (twice). It has the same design patterns and it's developed by the same people.

RXS: "Retina-X Studios is immediately and indefinitely halting its PhoneSheriff, TeenShield, SniperSpy and Mobile Spy products."

(2/2) These are just two examples of how you aren't capable of protecting personal data and don't deserve to hold it.

Morally: Everyone deserves privacy. You empowered domestic abusers and enabled dystopia, I put a stop to it.

RXS: "The perpetrators of these illegal acts have been motivated by their unfounded opposition to the private activities of parents and employers on devices they own and with the consent of users of the devices."

Your software is both technically and morally awful.

Technically: Your design choices left the intimate photos of thousands open to the entire internet. You had a password change API that would reset the password on any Net-Orbit account without checking the old one. (1/2)

RXS: "some photographic material of TeenShield and PhoneSheriff customers has been exposed"

I know you don't have any respect for this concept, but those photos are extremely personal too.

RXS: "No personal data was accessed"

You didn't even realize you'd been hacked. Twice. Want to bet that you're right this time?

RXS is probably going to say something like this again: "Our child and employee monitoring software shows up as an icon and in the Installed Apps list on devices. There are also notifications to let the user of the device know that activities are being monitored."

Here's their install guide explaining how to turn that off.

Just for fun, here's the PhoneSheriff database SQL schema from the 2017 breach, before the entire thing was wiped. And no, they had no backups. They had to build a new DB from scratch.

Jumping to the present, some things are just too vulnerable to leave online. Time to pull out the old wiping script.

Starting to scratch the surface of Retina-X Studios breach data. These are the wiped Rackspace Cloud Files containers that held 1TB of captured photos and screenshots.

One of the screenshots captured by Net-Orbit and stored on that Rackspace account exposed this file on a developer's desktop with credentials for Information found on that server was used to pivot to several other systems.

How the Retina-X breach started: Teenshield APK had plaintext credentials for Rackspace containers used to store surveillance images for Net-Orbit, PhoneSheriff, and Teenshield.
