View Full Version : Restrict access to this section?
First of all: I am not a big fan of this idea. But it seems iRex is closely watching us and trying to make our lives miserable by fixing any potential security exploit on the iLiad. So what do you think if we made this forum sections "invite-only", and gave access to everyone who is actively involved in hacking the iLiad? It would give us more time to examine our options, and when we come up with better solutions, we could present them to everyone in the other iLiad section(s).
I really don't like this. But it seems it's our better chance to stand against current and future iRex efforts to sabotage our work.
I don't like it, because I would like to honor that...
* ...they dared to sell us the unsecured device
* ...they will provide an SDK for free
* ...they seem to follow a reasonable approach so far
But I would like to get them someone on this board and to broaden the "partnership". I really do not want them to perceive us as their enemies.
From a distanced point of view I would also not say that they sabotage our work. Because if you are honest: Wouldn't you have removed unprotected root access to a device now sold to "normal" users? I would have.
I would suggest, that we kindly ask them to share their visions about root access and SDK. Maybe Alexander could initiate that?
Alexander Turcic 07-26-2006, 03:07 PM
Here are my two cents:
We don't really want to restrict any parts of this forum. It's been a lot of fun so far, and I think we would only annoy our fellow readers if we'd do something like this. So that's really a no.
I've been in contact with a developer from iRex. Although I promised not to say anything about it, I can say so much that I think iRex is currently not interested in participating in our hacking efforts. The guy is actually quite nice; but I think it's his company who doesn't want him to join us (for now).
tribble 07-26-2006, 03:29 PM
Yap, no restrictions here.
Let's have fun trying to get back in. :)
But seriously, I could wait for the SDK.
But it seems iRex is closely watching us and trying to make our lives miserable by fixing any potential security exploit on the iLiad.
I would be surprised and quite a lot disappointed if the 2.5 fixes are based only on what has appeared in this forum: that would indicate that iRex itself has no sense of security, as well as none of its B2B customers.
I do expect that some B2B customers have made their own security assessments, and reported their findings to iRex. And I do very much expect iRex to have asked a third party to do a full independent assessment by now: it's just the thing to hand over to prospective customers concerned with security. It tends to be that way: a service is developed, prospective customers want assurance that the service is secure, and the developers call in independent experts to do that evaluation. If everyone is serious, vulnerability reporting is made -- and I have been looking very eagerly for the first Bugtraq or Secunia report about the iLiad. As none has appeared, I suspect that no one involved here has made any vulnerability reports to iRex. But I may be too hasty.
But it seems it's our better chance to stand against current and future iRex efforts to sabotage our work.
From iRex's point of view, and that of their customers (in which group I only include B2B customers), it probably appears the other way around. Personally, I can't help wondering if describing attempts to subvert a mobile device really is in the interest of mobile reading in general. That it may be interesting, I'm sure of ... but I would rather see that the results were handed over to iRex than published here (see http://www.oisafety.org/guidelines/Guidelines%20for%20Security%20Vulnerability%20Reporting%20and%20Response%20V2.0.pdf for some related information.)
arivero 07-27-2006, 02:31 AM
I really don't like this. But it seems it's our better chance to stand against current and future iRex efforts to sabotage our work.
There has been no sabotage as far as I can see. The root password was a real security problem to be fixed even in their architecture: most university networks (and other unsecure industries) are crowned of worms in the local network, randomly trying for trivial holes in any connected machine. Worse, it is unlikely that a worm rightly identifies an ARM machine, so a successful automated attack could install wrong binaries.
The second issue is the pdf. It is not actually a sabotage but a bug: if they do not react to hotlinks, they are not following the full pdf specifications; and there are a lot of pdfs having jumps to the footnotes and back and similar, such kind of pdf will be problematic in the iRex reader. Of course if they allow pdf-originated jumps, they have problems to control the page number. But a swift approach would be to patch the xpdf itself to output the current page number.
The 2.4 OS took control of user input over after some button was pressed; now the 2.5 takes control before, at visualisation time.
As for the question of this thread: the answer, if we are advocating for free software (with 'free' in the sense of freedom, the four freedoms and all that), the logical answer is a 'no'; the whole point is that the advantages of open development largely outweigh any potential disadvantage (furthermore in this particular case, where hardware patents protect iRex, one can not see how potential disadvantages apply, but that should be another history to discuss).
deadite66 07-27-2006, 04:18 AM
I wonder what iRex require to get the extended SDK?
* developers visit this web-site to register themselves as a developer;
* after registration, the iDS will send a file to your iLiad that will install the development environment automatically;
* by connecting the iLiad to your PC using the network connection you can logon to the developer environment;
* tools and an example of existing viewers can be downloaded from this web-site;
* all functions including communication, file access, touch screen input and display access are made available for the developer.
So anyone that follows that can become a developer or rather they will just entertain companies like mobipocket etc?
I wonder what iRex require to get the extended SDK?
So anyone that follows that can become a developer or rather they will just entertain companies like mobipocket etc?
Not sure but you could always try registering and giving them a good reason to entertain you...!
arivero 07-27-2006, 04:43 AM
I am happy with the unextended if the API is explained. Extended should include support, emulation and all that.