Register Guidelines E-Books Search Today's Posts Mark Forums Read

Go Back   MobileRead Forums > E-Book Readers > More E-Book Readers > iRex > iRex Developer's Corner

Notices

View Poll Results: Should we post everything we know even if iRex can circumvent us again?
Yes, the more we know, the stronger we get. 29 96.67%
No, keep it closed and use it to gain broader knowledge first. 1 3.33%
Voters: 30. You may not vote on this poll

Reply
 
Thread Tools Search this Thread
Old 08-23-2006, 10:04 AM   #1
TadW
Uebermensch
TadW ought to be getting tired of karma fortunes by now.TadW ought to be getting tired of karma fortunes by now.TadW ought to be getting tired of karma fortunes by now.TadW ought to be getting tired of karma fortunes by now.TadW ought to be getting tired of karma fortunes by now.TadW ought to be getting tired of karma fortunes by now.TadW ought to be getting tired of karma fortunes by now.TadW ought to be getting tired of karma fortunes by now.TadW ought to be getting tired of karma fortunes by now.TadW ought to be getting tired of karma fortunes by now.TadW ought to be getting tired of karma fortunes by now.
 
TadW's Avatar
 
Posts: 2,583
Karma: 1094606
Join Date: Jul 2003
Location: Italy
Device: Kindle
Should we post everything we know even if iRex can circumvent us again?

I want to report here how you can actually communicate with the iDS server without the iLiad.

My only worry: giving out this information might make iRex try everything possible again to sabotage our newly gained knowledge.

So what do you think we should do? --> It's a poll!
TadW is offline   Reply With Quote
Advert
Old 08-23-2006, 10:30 AM   #2
yvanleterrible
When books can fly!
yvanleterrible ought to be getting tired of karma fortunes by now.yvanleterrible ought to be getting tired of karma fortunes by now.yvanleterrible ought to be getting tired of karma fortunes by now.yvanleterrible ought to be getting tired of karma fortunes by now.yvanleterrible ought to be getting tired of karma fortunes by now.yvanleterrible ought to be getting tired of karma fortunes by now.yvanleterrible ought to be getting tired of karma fortunes by now.yvanleterrible ought to be getting tired of karma fortunes by now.yvanleterrible ought to be getting tired of karma fortunes by now.yvanleterrible ought to be getting tired of karma fortunes by now.yvanleterrible ought to be getting tired of karma fortunes by now.
 
yvanleterrible's Avatar
 
Posts: 8,569
Karma: 7565662
Join Date: May 2006
Location: Que Nada
Device: Kobo Mini, iPad Air
Please be responsible.

Advise Irex and leave it be...
yvanleterrible is offline   Reply With Quote
Old 08-23-2006, 10:39 AM   #3
Riocaz
Fulfilled but not by iRex
Riocaz ought to be getting tired of karma fortunes by now.Riocaz ought to be getting tired of karma fortunes by now.Riocaz ought to be getting tired of karma fortunes by now.Riocaz ought to be getting tired of karma fortunes by now.Riocaz ought to be getting tired of karma fortunes by now.Riocaz ought to be getting tired of karma fortunes by now.Riocaz ought to be getting tired of karma fortunes by now.Riocaz ought to be getting tired of karma fortunes by now.Riocaz ought to be getting tired of karma fortunes by now.Riocaz ought to be getting tired of karma fortunes by now.Riocaz ought to be getting tired of karma fortunes by now.
 
Posts: 932
Karma: 286846
Join Date: May 2006
Location: London
Device: Far too many
I agree with Yvanletterrible. I feel it's better that we are upfront in whats being done, than make it look like we are trying to hide things from them.
Riocaz is offline   Reply With Quote
Old 08-23-2006, 11:08 AM   #4
yvanleterrible
When books can fly!
yvanleterrible ought to be getting tired of karma fortunes by now.yvanleterrible ought to be getting tired of karma fortunes by now.yvanleterrible ought to be getting tired of karma fortunes by now.yvanleterrible ought to be getting tired of karma fortunes by now.yvanleterrible ought to be getting tired of karma fortunes by now.yvanleterrible ought to be getting tired of karma fortunes by now.yvanleterrible ought to be getting tired of karma fortunes by now.yvanleterrible ought to be getting tired of karma fortunes by now.yvanleterrible ought to be getting tired of karma fortunes by now.yvanleterrible ought to be getting tired of karma fortunes by now.yvanleterrible ought to be getting tired of karma fortunes by now.
 
yvanleterrible's Avatar
 
Posts: 8,569
Karma: 7565662
Join Date: May 2006
Location: Que Nada
Device: Kobo Mini, iPad Air
Better yet, find a way to secure the process and tell Irex.
You'll have a big place in our hearts !

Last edited by yvanleterrible; 08-23-2006 at 11:10 AM.
yvanleterrible is offline   Reply With Quote
Old 08-23-2006, 11:19 AM   #5
TadW
Uebermensch
TadW ought to be getting tired of karma fortunes by now.TadW ought to be getting tired of karma fortunes by now.TadW ought to be getting tired of karma fortunes by now.TadW ought to be getting tired of karma fortunes by now.TadW ought to be getting tired of karma fortunes by now.TadW ought to be getting tired of karma fortunes by now.TadW ought to be getting tired of karma fortunes by now.TadW ought to be getting tired of karma fortunes by now.TadW ought to be getting tired of karma fortunes by now.TadW ought to be getting tired of karma fortunes by now.TadW ought to be getting tired of karma fortunes by now.
 
TadW's Avatar
 
Posts: 2,583
Karma: 1094606
Join Date: Jul 2003
Location: Italy
Device: Kindle
It's not really insecure in the way that your data could be compromised, since you'd still need your username and password to access individual information. But one thing you could do with it is, for instance, to download firmware upgrades to your PC.
TadW is offline   Reply With Quote
Advert
Old 08-23-2006, 11:32 AM   #6
DHer
Addict
DHer doesn't litterDHer doesn't litter
 
Posts: 261
Karma: 156
Join Date: Jul 2006
Device: iliad
Well, i think full disclosure makes it a fair game. And, in the end, we don't want to work against them, we'd just like to do, well, whatever we feel like doing, on this really sweet piece of hardware. (and without paying 75€ for every mistake - even if this makes it way more exciting)

But, on the other hand, if iRex doesn't play by the GPL rules, i don't see a reason why we should.

What do you think about offering the non-disclosure against a reflash tool? Or a description how the engineers do it? Or just the information how you can boot it over ethernet?

Hacking iDS isn't really something we should be interested in.
DHer is offline   Reply With Quote
Old 08-23-2006, 11:35 AM   #7
TadW
Uebermensch
TadW ought to be getting tired of karma fortunes by now.TadW ought to be getting tired of karma fortunes by now.TadW ought to be getting tired of karma fortunes by now.TadW ought to be getting tired of karma fortunes by now.TadW ought to be getting tired of karma fortunes by now.TadW ought to be getting tired of karma fortunes by now.TadW ought to be getting tired of karma fortunes by now.TadW ought to be getting tired of karma fortunes by now.TadW ought to be getting tired of karma fortunes by now.TadW ought to be getting tired of karma fortunes by now.TadW ought to be getting tired of karma fortunes by now.
 
TadW's Avatar
 
Posts: 2,583
Karma: 1094606
Join Date: Jul 2003
Location: Italy
Device: Kindle
Quote:
Originally Posted by DHer
Hacking iDS isn't really something we should be interested in.
Yes, unless it's our only current option to flash update the iLiad with our own software (redirect ids server to our own dummy server comes to mind).

But if iDS is not interesting to us, I won't make the effort to describe further what I've discovered so far. And definitely no hard feelings I understand that it's our primary goal to get our own software on the iLiad.
TadW is offline   Reply With Quote
Old 08-23-2006, 12:02 PM   #8
ath
Addict
ath doesn't litterath doesn't litter
 
Posts: 222
Karma: 110
Join Date: Jun 2006
Location: Malmo, Sweden
Device: iLiad, Sony PRS-505, Kindle
Quote:
Originally Posted by TadW
So what do you think we should do? --> It's a poll!
Report it to *iRex* as a security problem -- follow the usual guidelines for
responsible vulnerability disclosure, which you can find on the net..
ath is offline   Reply With Quote
Old 08-23-2006, 12:28 PM   #9
verbosus
Unicoder
verbosus began at the beginning.
 
Posts: 15
Karma: 10
Join Date: Aug 2006
Location: Sassuolo, Modena, Italy
Device: iRex iLiad
I don’t think it’s a security problem at all, as long as the username and password are not sent in the clear via the wireless connection. The iLiad must be simply opening some kind of data connection (FTP, scp, rsync?) to the iRex servers with your username and password, and the address of that FTP server must be hardcoded somewhere in the flashed-system of the iLiad.

TadW: I’m for full disclosure in this case, it doesn’t look like a very secret thing to hide, anyway.

(BTW: hello, everyone, this is my first post on the MobileRead forum! I just got my iLiad yesterday and I love it!)
verbosus is offline   Reply With Quote
Old 08-24-2006, 03:25 AM   #10
Janus
Member
Janus began at the beginning.
 
Posts: 20
Karma: 35
Join Date: Jul 2006
Device: iRex iLiad
Quote:
Originally Posted by yvanleterrible
Please be responsible.

Advise Irex and leave it be...
I second that, communicate with them on the developers forum, it will create a trust relation, and this way we might be allowed more in time.

Last edited by Janus; 08-24-2006 at 03:32 AM.
Janus is offline   Reply With Quote
Old 08-24-2006, 03:33 AM   #11
ath
Addict
ath doesn't litterath doesn't litter
 
Posts: 222
Karma: 110
Join Date: Jun 2006
Location: Malmo, Sweden
Device: iLiad, Sony PRS-505, Kindle
Quote:
Originally Posted by verbosus
I don’t think it’s a security problem at all
The only parties I accept as having a say in the matter are iRex and their customers as a group.

If any of these parties would find that the information could be damaging in any way, it is a security problem, and disclosure should be kept to a minimum, at least until the problem has been verified to be imaginary, or, in other cases, corrected.

A IDS login method, may, for instance, make it possible to do user and password guessing attacks. A well designed system would handle such things but I've seen too many ill-designed systems to believe in miracles. Could such an attack lock me out from receiving updates? If so, it's a security problem.

There may also be protocol problems that may appear once a successful authentication has been done: publishing details may give greater exposure to such problems, and raise the risk for the data on the IDS system. If I wanted to prevent a security patch from reaching the iLiads out there, the IDS system is the system I would attack. Same thing if I wanted to send out my own content.

If, by use of the information, the iLiad can be fooled into logging into a fake IDS server, it's still a security problem: iLiads should not accept unauthorized contents from the net -- it's probably a signature and certificate that's not being verified correctly. Could I attack a router or a DNS server, and inject false information (either route requests to the wrong server, or translate a domain name to the wrong IP address), I can attack all iLiads using that DNS server. Again, a security problem that is not under iRex's control, and usually is regarded as one of the main reasons for verifying signatures of downloaded system software.

iRex is the primary interested part in this question: they should be told first, and in the form generally accepted as part of responsible disclosure. Anything else is simply irresponsible, as security ramifications seldom are obvious outside the main parties involved.
ath is offline   Reply With Quote
Old 08-24-2006, 03:47 AM   #12
TadW
Uebermensch
TadW ought to be getting tired of karma fortunes by now.TadW ought to be getting tired of karma fortunes by now.TadW ought to be getting tired of karma fortunes by now.TadW ought to be getting tired of karma fortunes by now.TadW ought to be getting tired of karma fortunes by now.TadW ought to be getting tired of karma fortunes by now.TadW ought to be getting tired of karma fortunes by now.TadW ought to be getting tired of karma fortunes by now.TadW ought to be getting tired of karma fortunes by now.TadW ought to be getting tired of karma fortunes by now.TadW ought to be getting tired of karma fortunes by now.
 
TadW's Avatar
 
Posts: 2,583
Karma: 1094606
Join Date: Jul 2003
Location: Italy
Device: Kindle
Please let me repeat: What I know is not a security problem, but it is the basic pattern how the iLiad communicates with the iDS server.

I would basically describe the protocol used. Think about all the Yahoo! IM chat clones out there. Are they a security threat to Yahoo? No. But they use the underlying Yahoo! IM protocol to establish connections through the Yahoo network.

As ath pointed out, some people might start digging around the protocol to find possible security holes and exploits. But this is always the case when information is revealed. As soon as iRex will release the iLiad SDK and the source files, new information is out, and likewise people will examine these files for possible exploits.

I don't see a reason to talk to the iRex guys, because it's nothing new to them - they should know best how the protocol works, and I have nothing else to add to it.

Last edited by TadW; 08-24-2006 at 04:06 AM.
TadW is offline   Reply With Quote
Old 08-24-2006, 04:48 AM   #13
Alexander Turcic
Fully Converged
Alexander Turcic ought to be getting tired of karma fortunes by now.Alexander Turcic ought to be getting tired of karma fortunes by now.Alexander Turcic ought to be getting tired of karma fortunes by now.Alexander Turcic ought to be getting tired of karma fortunes by now.Alexander Turcic ought to be getting tired of karma fortunes by now.Alexander Turcic ought to be getting tired of karma fortunes by now.Alexander Turcic ought to be getting tired of karma fortunes by now.Alexander Turcic ought to be getting tired of karma fortunes by now.Alexander Turcic ought to be getting tired of karma fortunes by now.Alexander Turcic ought to be getting tired of karma fortunes by now.Alexander Turcic ought to be getting tired of karma fortunes by now.
 
Alexander Turcic's Avatar
 
Posts: 18,143
Karma: 12896890
Join Date: Oct 2002
Location: Switzerland
Device: Too many to count here.
Also look at our recent announcement regarding iRex to open up the specs for iDS.
Alexander Turcic is offline   Reply With Quote
Old 08-24-2006, 05:31 AM   #14
ath
Addict
ath doesn't litterath doesn't litter
 
Posts: 222
Karma: 110
Join Date: Jun 2006
Location: Malmo, Sweden
Device: iLiad, Sony PRS-505, Kindle
Quote:
Originally Posted by TadW
As ath pointed out, some people might start digging around the protocol to find possible security holes and exploits. But this is always the case when information is revealed.
My worry was that there might be security issues involved, and if so, such information should be revealed in a manner that iRex could influence, particularly if there are time dependencies involved (such as 'fixed in the new release which will install next week so please wait until then').

I passed my general concern on to iRex, and learned that they have no problems sleeping at nights over this; that extra piece of information makes the question a non-issue for me. I learned, as Alexander just has pointed out, they will release the information themselves, along with the SDK, reasonably soon.

I underestimated iRex :-) -- I have no problems with that: then, I hate to learn that I overestimated anyone on a security matter.

Last edited by ath; 08-24-2006 at 05:37 AM.
ath is offline   Reply With Quote
Reply

Thread Tools Search this Thread
Search this Thread:

Advanced Search

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Sell iREX DR 1000S + iREX Flip book cover (and ZeroShock sleeve). Uthred Flea Market 7 05-23-2010 07:28 AM
IREX DR800SG 2.0 Beta feedback to IREX sordie iRex 25 04-12-2010 04:19 PM
do the softwares work on iRex Digital Reader as they do on iRex iLiad HiSoC8Y iRex 1 07-02-2009 10:03 AM
Easiest drm to circumvent echoleaf Workshop 23 02-08-2009 10:58 PM
iRex Digital Reader: Going to receive a review unit - post your questions Adam B. iRex 80 10-18-2008 02:28 AM


All times are GMT -4. The time now is 04:17 PM.


MobileRead.com is a privately owned, operated and funded community.