Quote:
Originally Posted by verbosus
I don’t think it’s a security problem at all
The only parties I accept as having a say in the matter are iRex and their customers as a group.
If any of these parties would find that the information could be damaging in any way, it is a security problem, and disclosure should be kept to a minimum, at least until the problem has been verified to be imaginary, or, in other cases, corrected.
An IDS login method may, for instance, make it possible to do user and password guessing attacks. A well-designed system would handle such things, but I've seen too many ill-designed systems to believe in miracles. Could such an attack lock me out from receiving updates? If so, it's a security problem.
There may also be protocol problems that may appear once a successful authentication has been done: publishing details may give greater exposure to such problems and raise the risk to the data on the IDS system. If I wanted to prevent a security patch from reaching the iLiads out there, the IDS system is the system I would attack. Same thing if I wanted to send out my own content.
If, by use of the information, the iLiad can be fooled into logging into a fake IDS server, it's still a security problem: iLiads should not accept unauthorized content from the net -- it's probably a signature and certificate that are not being verified correctly. If I could attack a router or a DNS server and inject false information (either routing requests to the wrong server or translating a domain name to the wrong IP address), I could attack all iLiads using that DNS server. Again, a security problem that is not under iRex's control, and one that is usually regarded as one of the main reasons for verifying signatures of downloaded system software.
iRex is the primary interested party in this question: they should be told first, and in the form generally accepted as part of responsible disclosure. Anything else is simply irresponsible, as security ramifications are seldom obvious outside the main parties involved.
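Added example (not part of the post above, and not iRex's code): the "fake IDS server" scenario the post describes, and why signature verification on the device is what defends against it. The update layout, field names and sample image bytes are assumptions made for this example; the real IDS protocol is not described here. The device trusts only a vendor public key it already holds, so a server reached through a hijacked route or a poisoned DNS answer can serve whatever it likes and still cannot get an image accepted.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Update is what the device fetches from the update server: the image bytes
// and a detached signature over their SHA-256 digest. This layout is an
// assumption for the example, not the real IDS format.
type Update struct {
	Image     []byte
	Signature []byte
}

// GenerateVendorKey makes the vendor's signing key pair. The private half
// stays on the vendor's signing host; only the public half ships in firmware.
func GenerateVendorKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignUpdate is the vendor-side step and never runs on the device.
func SignUpdate(vendorPriv ed25519.PrivateKey, image []byte) Update {
	digest := sha256.Sum256(image)
	return Update{Image: image, Signature: ed25519.Sign(vendorPriv, digest[:])}
}

// VerifyUpdate is the device-side gate. It trusts the public key baked into
// the firmware, not whichever server it happened to connect to, so neither a
// tampered image nor an attacker-signed one gets past it.
func VerifyUpdate(vendorPub ed25519.PublicKey, u Update) error {
	if len(vendorPub) != ed25519.PublicKeySize {
		return errors.New("vendor key has wrong length; refusing to verify")
	}
	if len(u.Signature) != ed25519.SignatureSize {
		return errors.New("update rejected: malformed signature")
	}
	digest := sha256.Sum256(u.Image)
	if !ed25519.Verify(vendorPub, digest[:], u.Signature) {
		return errors.New("update rejected: signature does not verify under the vendor key")
	}
	return nil
}

func main() {
	vendorPub, vendorPriv, err := GenerateVendorKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample image; a real one would be the firmware archive.
	image := []byte("iliad-system-image-v1")
	genuine := SignUpdate(vendorPriv, image)
	fmt.Println("genuine update:", VerifyUpdate(vendorPub, genuine))

	// Case 1: a fake server alters the image but replays the real signature.
	tampered := Update{Image: append([]byte("iliad-system-image-v1"), '!'), Signature: genuine.Signature}
	fmt.Println("tampered image:", VerifyUpdate(vendorPub, tampered))

	// Case 2: a fake server signs its own image with its own key.
	_, attackerPriv, _ := GenerateVendorKey()
	forged := SignUpdate(attackerPriv, []byte("attacker-image"))
	fmt.Println("attacker-signed image:", VerifyUpdate(vendorPub, forged))
}
```

The check is independent of transport: it holds whether the image arrived over TLS, plain HTTP or a USB stick, which is why it is the right place to stop DNS and routing attacks that are outside the vendor's control. It does not by itself stop an attacker from serving an old, genuinely signed image (a rollback), so a deployed verifier would also compare a version or monotonic counter carried inside the signed data.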
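A second added example (again mine, not from the post or from iRex): the post asks whether a password-guessing attack against the IDS login could lock a legitimate iLiad out of updates. That depends on what the server keys its lockout on. The gate below can run under two policies: locking the device account after a number of failures, which lets anyone who knows a device ID deny that device its updates, or throttling the offending client address instead. Device IDs, addresses, passwords and the failure threshold are all constructed for the example, and passwords are stored as plain SHA-256 digests only to keep it self-contained; a real service would use a slow, salted password hash.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// LockoutPolicy selects how repeated login failures are handled.
type LockoutPolicy int

const (
	// LockAccount refuses the device itself after MaxFail failures,
	// regardless of who caused them.
	LockAccount LockoutPolicy = iota
	// ThrottleSource refuses further attempts from the offending client
	// address instead, leaving the device's own address unaffected.
	ThrottleSource
)

// Gate is a minimal authentication front end for an update server.
type Gate struct {
	Policy   LockoutPolicy
	MaxFail  int
	creds    map[string][32]byte // device ID -> digest of its password (toy storage)
	failures map[string]int      // keyed by device ID or by source address, per Policy
}

func NewGate(policy LockoutPolicy, maxFail int) *Gate {
	return &Gate{Policy: policy, MaxFail: maxFail, creds: map[string][32]byte{}, failures: map[string]int{}}
}

func (g *Gate) Register(device, password string) {
	g.creds[device] = sha256.Sum256([]byte(password))
}

// Login returns true only for a correct password from a client that is not
// currently blocked; the string explains a refusal.
func (g *Gate) Login(source, device, password string) (bool, string) {
	key := device
	if g.Policy == ThrottleSource {
		key = source
	}
	if g.failures[key] >= g.MaxFail {
		return false, "blocked: too many failures for " + key
	}
	stored, known := g.creds[device]
	given := sha256.Sum256([]byte(password))
	// Same work whether or not the device exists, and a constant-time
	// comparison, so timing does not reveal which device IDs are valid.
	match := subtle.ConstantTimeCompare(stored[:], given[:]) == 1
	if known && match {
		delete(g.failures, key)
		return true, "ok"
	}
	g.failures[key]++
	return false, "bad credentials"
}

// Demo plays the post's scenario: an attacker at one address guesses against
// a known device ID, then the real device logs in from its own address.
// It returns whether the real device got in and what the attacker was told.
func Demo(policy LockoutPolicy) (legitOK bool, attackerMsg string) {
	g := NewGate(policy, 3)
	g.Register("ILIAD-0001", "correct horse battery staple") // constructed credentials
	for _, guess := range []string{"password", "123456", "iliad"} {
		g.Login("10.0.0.9", "ILIAD-0001", guess)
	}
	_, attackerMsg = g.Login("10.0.0.9", "ILIAD-0001", "letmein")
	legitOK, _ = g.Login("192.168.1.20", "ILIAD-0001", "correct horse battery staple")
	return legitOK, attackerMsg
}

func main() {
	for _, p := range []LockoutPolicy{LockAccount, ThrottleSource} {
		ok, msg := Demo(p)
		fmt.Printf("policy %d: real device accepted=%v, attacker told %q\n", p, ok, msg)
	}
}
```

Under LockAccount the real device is refused even with the right password: the attacker's failures were charged to the device, which is exactly the "locked out from receiving updates" outcome the post worries about. Under ThrottleSource the attacker is blocked and the device still gets in. Per-source throttling is not a complete answer (an attacker spread over many addresses sidesteps it, and a device behind the same NAT as the attacker is still affected); the point is only that a lockout keyed on the victim's identity hands any guesser a denial of service.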