iLiad Should we post everything we know even if iRex can circumvent us again?

[TadW]

I want to report here how you can actually communicate with the iDS server without the iLiad.

My only worry: giving out this information might make iRex try everything possible again to sabotage our newly gained knowledge.

So what do you think we should do? --> It's a poll!

[yvanleterrible]

Please be responsible.

Advise Irex and leave it be...

[Riocaz]

I agree with Yvanletterrible. I feel it's better that we are upfront in whats being done, than make it look like we are trying to hide things from them.

[yvanleterrible]

Better yet, find a way to secure the process and tell Irex.
You'll have a big place in our hearts !

[TadW]

It's not really insecure in the way that your data could be compromised, since you'd still need your username and password to access individual information. But one thing you could do with it is, for instance, to download firmware upgrades to your PC.

[DHer]

Well, i think full disclosure makes it a fair game. And, in the end, we don't want to work against them, we'd just like to do, well, whatever we feel like doing, on this really sweet piece of hardware. (and without paying 75€ for every mistake - even if this makes it way more exciting)

But, on the other hand, if iRex doesn't play by the GPL rules, i don't see a reason why we should.

What do you think about offering the non-disclosure against a reflash tool? Or a description how the engineers do it? Or just the information how you can boot it over ethernet?

Hacking iDS isn't really something we should be interested in.

[TadW]

Quote:

Originally Posted by DHer

Hacking iDS isn't really something we should be interested in.

Yes, unless it's our only current option to flash update the iLiad with our own software (redirect ids server to our own dummy server comes to mind).

But if iDS is not interesting to us, I won't make the effort to describe further what I've discovered so far. And definitely no hard feelings I understand that it's our primary goal to get our own software on the iLiad.

[ath]

Quote:

Originally Posted by TadW

So what do you think we should do? --> It's a poll!

Report it to *iRex* as a security problem -- follow the usual guidelines for
responsible vulnerability disclosure, which you can find on the net..

[verbosus]

I don’t think it’s a security problem at all, as long as the username and password are not sent in the clear via the wireless connection. The iLiad must be simply opening some kind of data connection (FTP, scp, rsync?) to the iRex servers with your username and password, and the address of that FTP server must be hardcoded somewhere in the flashed-system of the iLiad.

TadW: I’m for full disclosure in this case, it doesn’t look like a very secret thing to hide, anyway.

(BTW: hello, everyone, this is my first post on the MobileRead forum! I just got my iLiad yesterday and I love it!)

[Janus]

Quote:

Originally Posted by yvanleterrible

Please be responsible.

Advise Irex and leave it be...

I second that, communicate with them on the developers forum, it will create a trust relation, and this way we might be allowed more in time.

[ath]

Quote:

Originally Posted by verbosus

I don’t think it’s a security problem at all

The only parties I accept as having a say in the matter are iRex and their customers as a group.

If any of these parties would find that the information could be damaging in any way, it is a security problem, and disclosure should be kept to a minimum, at least until the problem has been verified to be imaginary, or, in other cases, corrected.

A IDS login method, may, for instance, make it possible to do user and password guessing attacks. A well designed system would handle such things but I've seen too many ill-designed systems to believe in miracles. Could such an attack lock me out from receiving updates? If so, it's a security problem.

There may also be protocol problems that may appear once a successful authentication has been done: publishing details may give greater exposure to such problems, and raise the risk for the data on the IDS system. If I wanted to prevent a security patch from reaching the iLiads out there, the IDS system is the system I would attack. Same thing if I wanted to send out my own content.

If, by use of the information, the iLiad can be fooled into logging into a fake IDS server, it's still a security problem: iLiads should not accept unauthorized contents from the net -- it's probably a signature and certificate that's not being verified correctly. Could I attack a router or a DNS server, and inject false information (either route requests to the wrong server, or translate a domain name to the wrong IP address), I can attack all iLiads using that DNS server. Again, a security problem that is not under iRex's control, and usually is regarded as one of the main reasons for verifying signatures of downloaded system software.

iRex is the primary interested part in this question: they should be told first, and in the form generally accepted as part of responsible disclosure. Anything else is simply irresponsible, as security ramifications seldom are obvious outside the main parties involved.

[TadW]

Please let me repeat: What I know is not a security problem, but it is the basic pattern how the iLiad communicates with the iDS server.

I would basically describe the protocol used. Think about all the Yahoo! IM chat clones out there. Are they a security threat to Yahoo? No. But they use the underlying Yahoo! IM protocol to establish connections through the Yahoo network.

As ath pointed out, some people might start digging around the protocol to find possible security holes and exploits. But this is always the case when information is revealed. As soon as iRex will release the iLiad SDK and the source files, new information is out, and likewise people will examine these files for possible exploits.

I don't see a reason to talk to the iRex guys, because it's nothing new to them - they should know best how the protocol works, and I have nothing else to add to it.

[Alexander Turcic]

Also look at our recent announcement regarding iRex to open up the specs for iDS.

[ath]

Quote:

Originally Posted by TadW

As ath pointed out, some people might start digging around the protocol to find possible security holes and exploits. But this is always the case when information is revealed.

My worry was that there might be security issues involved, and if so, such information should be revealed in a manner that iRex could influence, particularly if there are time dependencies involved (such as 'fixed in the new release which will install next week so please wait until then').

I passed my general concern on to iRex, and learned that they have no problems sleeping at nights over this; that extra piece of information makes the question a non-issue for me. I learned, as Alexander just has pointed out, they will release the information themselves, along with the SDK, reasonably soon.

I underestimated iRex :-) -- I have no problems with that: then, I hate to learn that I overestimated anyone on a security matter.