5.6.5 Jailbreak (closed-kindle) -- released! - Page 12

Nausicaa · 10-22-2015, 02:33 PM

Just a quick question about the ad supported kindle. If I do not upgrade the firmware, and keep it in airplane mode, but later jailbreak disable automatic firmware upgrades, purchase the ad removal, do I need to upgrade my firmware in order to get rid of the ads?

joblack · 10-22-2015, 02:36 PM

Quote:

Originally Posted by Nausicaa

Just a quick question about the ad supported kindle. If I do not upgrade the firmware, and keep it in airplane mode, but later jailbreak disable automatic firmware upgrades, purchase the ad removal, do I need to upgrade my firmware in order to get rid of the ads?

Probably yes.

The Amazon support removed the adds on my Kindle for free.

eschwartz · 10-22-2015, 02:42 PM

No, I just needed to connect to WiFi to have the ads removed.

Firmware upgrades are generic and apply to every device out there. You don't need a firmware upgrade to disable ads.

It would be like needing a firmware upgrade to register your device.

Nausicaa · 10-22-2015, 03:04 PM

Ok, thanks. What do you mean you by

Quote:

just needed to connect to WiFi to have the ads removed.

Does firmware upgrades only apply through 3G or you just had to connect to wifi with a jailbroken kindle to remove the ads?

I wasn't sure if it was a firmware upgrade that made it ad free, or if was just a registration issue.

knc1 · 10-22-2015, 04:38 PM

Quote:

Originally Posted by Nausicaa

Ok, thanks. What do you mean you by
Does firmware upgrades only apply through 3G or you just had to connect to wifi with a jailbroken kindle to remove the ads?

I wasn't sure if it was a firmware upgrade that made it ad free, or if was just a registration issue.

The only firmware upgrades deleivered over 3G are for the "3G only" devices.
None of those are going to be getting an upgrade again in our lifetime.

Jailbroken Kindle is not required to remove ads, just pay the fee (if any) and connect to Amazon.

Your batting a perfect game - neither.

You don't need a firmware upgrade to remove the ads after opting out with Amazon.
S.O. program is just an entry in their database and a matching one in your Kindle.
But you do have to let the device connect with Amazon so that Amazon can record your opt-out on the device itself.

Removing ads is not (directly) related to device registration.
It is in-directly - -
It has to be registered so that the "manage my Kindle" page works at the Amazon site for that device.
It is that page that allows you to opt-out of the service.

charleski · 10-23-2015, 08:36 AM

Quote:

Originally Posted by knc1

Individuals threatening a billion dollar corporation is usually a poor strategy.
Your more likely to stay dry, pissing into the wind, than sway a large corporation with threats.

We are not waiting until they issue a fix,
we are waiting a "reasonable length of time" (in the author's judgement as to what is "reasonable").

There are industry standards for responsible disclosure of security bugs. The time allowed for a patch varies from 45 days to 3 months or more. It is irresponsible and inaccurate to label these as 'threats', and this mechanism does work in stimulating a response to the defects discovered.

knc1 · 10-23-2015, 09:43 AM

Quote:

Originally Posted by charleski

There are industry standards for responsible disclosure of security bugs. The time allowed for a patch varies from 45 days to 3 months or more. It is irresponsible and inaccurate to label these as 'threats', and this mechanism does work in stimulating a response to the defects discovered.

There are industry policies followed by established organizations, agreed.

But the context got lost (our comments on NoExpert's post).

A statement like:
"If not fixed by <deadline> then we will do <something>" is a threat.

I think that you will see that our rational in withholding publication while the vendor has time to evaluate the situation is exactly the same as the cert's description of their policy.
Both the first and second paragraphs of the page you linked to.

The only significant difference is the author has not published an exact time period.
The reasoning here is that a responsible vendor does not need to be pressured into correcting a potentially harmful software error.

If it needs fixing (in the vendor's opinion), then it will get fixed.
And just for the record, here is the last time our members found an exploitable error:
http://www.kb.cert.org/vuls/id/122656
https://web.nvd.nist.gov/view/vuln/d...=CVE-2012-4248
https://web.nvd.nist.gov/view/vuln/d...=CVE-2012-4249

If the vendor feels they need a specific amount of working time, then they will coordinate that with the author.
I can think of no reason that the author need publish any of those negotiations.

Also, keep in mind that Amazon/Lab126 actively follows the discussions on this site.
A thread that gathers an average of 1,000 views per day gets their attention.

operat0r · 10-23-2015, 12:42 PM

Keep up the great work ! let me know if you guys ever need anything

Branch Delay · 10-23-2015, 05:31 PM

Amazon security team isn't responding to my e-mails at this point. Will release Oct 31st.

induna · 10-23-2015, 05:43 PM

Quote:

Originally Posted by Branch Delay

Amazon security team isn't responding to my e-mails at this point. Will release Oct 31st.

That seems very fair.

knc1 · 10-23-2015, 05:55 PM

Quote:

Originally Posted by Branch Delay

Amazon security team isn't responding to my e-mails at this point. Will release Oct 31st.

At about the same time:
https://forms.cert.org/VulReport/

I think you have more than met the "... make a reasonable attempt to contact the affected vendor." requirement.

I have never used it myself, but it seems straight forward:
https://forms.cert.org/VulReport/sta...tructions.html

thatworkshop · 10-23-2015, 07:46 PM

Quote:

Originally Posted by Branch Delay

Amazon security team isn't responding to my e-mails at this point. Will release Oct 31st.

I didn't mention earlier, but TBH, I guessed Amazon won't respond.

Rizla · 10-23-2015, 08:54 PM

Out of interest, how does the hack represent a threat? Presumably the hack can only be used by a user on their own device. Would it possible for a hacker to access someone else's device?

knc1 · 10-23-2015, 09:50 PM

Quote:

Originally Posted by Rizla

Out of interest, how does the hack represent a threat? Presumably the hack can only be used by a user on their own device. Would it possible for a hacker to access someone else's device?

The full answer should be obvious in a week's time.

But consider what has to happen to install our developer's signature certificate; execution of arbitrary code with 'root' privileges. Never a nice thing on any computer system.

For instance, the 2012 vulnerability was not under the user's control, which is why it could represent a threat. (See links above for details of that one).

Rizla · 10-24-2015, 09:20 AM

Quote:

Originally Posted by knc1

The full answer should be obvious in a week's time.

But consider what has to happen to install our developer's signature certificate; execution of arbitrary code with 'root' privileges. Never a nice thing on any computer system.

For instance, the 2012 vulnerability was not under the user's control, which is why it could represent a threat. (See links above for details of that one).

Seeing as it's installed by a user on their device (presumably connected to their computer via a cable), and another user cannot access it remotely, I don't see any practical threat, but obviously you know a lot more about it than me, and I understand your reluctance to discuss the details.

Edit: Okay, I see that if the device is rooted, theoretically connecting to a malicious web page could be a threat.

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
KINDLE DEAL: Released: A Story of God’s Power Released in Pro Baseball ($	gospelebooks	Deals and Resources (No Self-Promotion or Affiliate Links)	0	07-14-2011 09:12 PM
iPad iPad jailbreak released	scottjl	Apple Devices	25	05-08-2010 02:20 PM

10-22-2015, 02:33 PM	#166
Nausicaa Connoisseur Posts: 92 Karma: 2222222 Join Date: Sep 2011 Device: Kindle	Just a quick question about the ad supported kindle. If I do not upgrade the firmware, and keep it in airplane mode, but later jailbreak disable automatic firmware upgrades, purchase the ad removal, do I need to upgrade my firmware in order to get rid of the ads?

10-22-2015, 02:42 PM	#168
eschwartz Ex-Helpdesk Junkie Posts: 19,421 Karma: 85400180 Join Date: Nov 2012 Location: The Beaten Path, USA, Roundworld, This Side of Infinity Device: Kindle Touch fw5.3.7 (Wifi only)	No, I just needed to connect to WiFi to have the ads removed. Firmware upgrades are generic and apply to every device out there. You don't need a firmware upgrade to disable ads. It would be like needing a firmware upgrade to register your device.

10-23-2015, 12:42 PM	#173
operat0r Junior Member Posts: 3 Karma: 10 Join Date: Oct 2015 Device: PW3	Keep up the great work ! let me know if you guys ever need anything

10-23-2015, 05:31 PM	#174
Branch Delay Connoisseur Posts: 95 Karma: 1699999 Join Date: Aug 2015 Device: Voyage	Amazon security team isn't responding to my e-mails at this point. Will release Oct 31st.

10-23-2015, 08:54 PM	#178
Rizla Member Retired Posts: 3,183 Karma: 11721895 Join Date: Nov 2010 Device: Nook STR (rooted) & Sony T2	Out of interest, how does the hack represent a threat? Presumably the hack can only be used by a user on their own device. Would it possible for a hacker to access someone else's device?