Kindle Touch Gets World's Simplest Jailbreak

Nate the greatest writes "Can you play an MP3 file? Then you can jailbreak the new Kindle Touch. A new hack was posted this morning that roots the Kindle Touch/K5 and opens the way for future hacks. The hacker also reveals that the K5 runs on HTML5, which should make it a lot easier to come up with new apps. Epub, anyone?"

World's simplest?

[subreality]

By what metric?

For the user, rooting the iPhone was pretty easy with jailbreakme.com. Go there, click the button.

Or do you mean easy for the developer? On HTC phones you basically say "Jailbreak please" and it says "OK."

Re:World's simplest?

[Anonymous Coward]

It has the shortest name.

"Jail ... break .. me ... dot ... com ... this is really complicated."

"MP3 ?? ooh snazzy"

Re:World's simplest?

[ClioCJS]

That assumes you know jailbreakme is the right site with the right kind of jailbrake. I spent about 3-5 hours trying to figure out how to jailbrake my iPhone (given to me; I'd never buy one) and having gone through several different jailbrake methods before I got one that worked right. And I'm not somebody who doesn't know how to do things. I ultimately had to pop in an IRC channel and speak to actual people. There was a site - jailbrakematrix - which helped explain which jailbrakes work for which versions. Mine was a 2G/iPhone Original. And the jailbrake only worked with the latest firmware, which I had to update.

So uh, yeah. Playing an mp3 is easier than that.

Re:World's simplest?

[Anonymous Coward]

Maybe if you knew how to spell it you wouldn't have had to waste hours.

Re:

[Anonymous Coward]

Gaol-break.

Re:

[ClioCJS]

No. You did not read my comment. It's not just magically that easy. There are several different jailbrakes, and certain ones are only valid for certain versions of the phone. A cursory google gets you to a lot of help sites that redirect you to bullshit like megaupload to download a rar, where you fill a captcha and wait 30 seconds only to find out your time was wasted.

https://www.google.com/search?q=jailbrake+iphone+++++++ [google.com]

Hell -- even the first result there talks about how you may have to use one type

Re:World's simplest?

[Filip22012005]

iPhone fragmentation is becoming a real problem.

Re:

[tehcyder]

iPhone fragmentation is becoming a real problem.

Stop hitting the little bastards with hammers then.

Re:

[jones_supa]

It's jailbreak, not jailbrake, honey...

Re:

[ClioCJS]

I'm putting the brakes on apple's jailing! lol

Re:World's simplest?

[Atzanteol]

http://unrevoked.com/ [unrevoked.com]

Plug in phone. Run app. Make tea. Really the last part was the difficult step.

Re:

[sFurbo]

You don't say [spc.org] (pdf warning). 11 pages (to be fair, the actual manual is only 6 of those).

On the N900 there is no jail

[dbIII]

I think there should be more devices like that where you don't have to go through hoops to make changes to your own devices.

Re:

[tixxit]

More examples: To soft mod my Wii, I just viewed a JPEG. For my phone I installed an app then clicked the "root" button.

Re:

[Kozz]

On HTC phones you basically say "Jailbreak please" and it says "OK."

Actually if that's true, I'd like to know. It seems there are plenty of HTC phones mentioned in forums and there are dozens of jailbreak methods listed, and they don't all seem entirely "simple" (certainly far from a one-click).

Re:

[subreality]

It's not simple for the end user, but it's officially supported on their new phones: http://htcdev.com/bootloader/ [htcdev.com]

Most of the older ones can be easily rooted by the usual shenanigans; then once you install Cyanogenmod it's yours for life. It's much more pleasant than Apple's obsession with keeping you locked out.

Re:

[makomk]

jailbreakme.com was quite complicated behind the scenes; IIRC it had a very carefully implemented exploit for a kernel-mode vulnerability that had to be crafted so as not to crash anything.

Re:World's simplest?

[History's Coming To]

It seems to be part of a trend towards relatively obvious and open DRM. Lock out your everyday users, but set the DRM at a level where you tend to get good amateur developers crawling all over it and doing some free R&D for you. Hell, even Microsoft are up to it with the Kinect.

Re:World's simplest?

[sound+vision]

There's no way they did this intentionally. The execution of arbitrary scripts from an MP3 file has far-ranging implications for normal users. Someone's going to end up using this exploit to write malware. If that becomes widespread, you'll get "Kindles get viruses" into the mind of the consumer. They did not want this bug/security flaw. Coincidentally, it's a "happy accident" for people who want to jailbreak their devices (which are a miniscule minority with no impact on Amazon's bottom line). But there's no reason why Amazon would want this type of vulnerability in their device.

Re:World's simplest?

[Pharmboy]

I can't believe Amazon is shipping this crap.

So, a system that is designed to be 100% Amazon supported for everyone who wants it to be, but is designed intentionally to be easy to jailbreak for those that don't, is automatically crap? This is idiotic. The fact that it is easy to jailbreak isn't a bug, IT IS A FEATURE.

I own a Kindle Fire, and it kicks ass. I don't expect to jailbreak it for now, as that wouldn't help me do anything that I can't already do, except maybe install an ssh client. But it is great that Amazon is keeping it easy to jailbreak, ON PURPOSE, so when I do, I can quickly and easily. I hope they sell millions of them.

Re:World's simplest?

[gnapster]

Why the deuce is this rated higher than its parent?

I can't believe Amazon is shipping this crap.

So, a system that is designed to be 100% Amazon supported for everyone who wants it to be, but is designed intentionally to be easy to jailbreak for those that don't, is automatically crap? This is idiotic. The fact that it is easy to jailbreak isn't a bug, IT IS A FEATURE.

The reason the GP called it crap is that now I have to worry about MP3s running arbitrary code on my tablet. Not only can they execute code, but they can gain root access and then execute code! Until I know more about the security of this device, it is making me very nervous. I want jailbreaking to be easy, but I don't want it to be effected by the same kind of action that I use every day for non-jailbreaking activities.

Re:

[SomePgmr]

Jailbreaking the fire was really quick and easy, and allowed me to run the tablet like a regular android device. The greatest benefit of which is not having to deal with the annoying amazon launcher. Personal preference, I know.

Since cm7 is largely working for the fire and ICS is in progress, that'll be pretty important soon. Just not yet. :)

Re:

[yelvington]

You don't need to jailbreak a Kindle Fire to replace the launcher. You can sideload an alternative launcher and set it as the default without root access.

Re:

[R.Mo_Robert]

I own a Kindle Fire ... it is great that Amazon is keeping it easy to jailbreak, ON PURPOSE, so when I do, I can quickly and easily.

Unfortunately for you, the article (and TFS even mentions it) refers to the Kindle Touch, not the Kindle Fire. This is essentially the fifth-generation eInk Kindle.

Re:World's simplest?

[ceoyoyo]

"Here, go to this website" is pretty simple. Simpler than "here, download this mp3 and play it."

Both are bad. Neither visiting a website nor playing an mp3 should be able to root your device. I'm all for making jailbreaking easy, but it should absolutely require a wired connection to the device.

Re:World's simplest?

[subreality]

Yes, I actually did RTFA.

jailbreakme.com isn't "follow these instructions". If you go there on an iPhone it gives you a big friendly button labelled "Jailbreak Me". You click it. Done.

Yes, I know the Kindle one is really easy too, but the bar for "World's Simplest" is one click. That's a tough act to beat. :)

Re:

[subreality]

http://htcdev.com/bootloader/ [htcdev.com]

Doubleplusgood!

[PopeAlien]

Could this hack be used to protect your ebook purchases so they can't be revoked after the fact 1984 style?

Re:

[durrr]

I find it moderately unlikely that amazon would start revoking your/mine ebooks.
If you however absolutely need your books free then it shouldn't be all that hard to use the kindle-for-pc version and OCR software to pull them out of the proprietary format. See it as a coding challenge.

Re:Doubleplusgood!

[subreality]

When the GP said "1984 style", they were referring to the fact that Amazon actually revoked some copies of 1984 in a flash of brilliant irony.

Re:

[Professr3]

...it shouldn't be all that hard to use the kindle-for-pc version and OCR software to pull them out of the proprietary format...

Actually, that sounds kinda hard to me :P

Re:

[similar_name]

I find it moderately unlikely that amazon would start revoking your/mine ebooks.

They pulled/deleted 1984 [pocket-lint.com]

Re:

[Anonymous Coward]

True, but they had legally good grounds for doing so, and really bent over backwards to make it right. I don't like the idea that they can do it at all, but I don't see how they really did anything morally wrong.

http://news.softpedia.com/news/Amazon-Makes-Amends-for-039-1984-039-Incident-120948.shtml

If they removed paid for copies and refused to return the money, you'd have an excellent argument. But they didn't, so I'm not sure what the big deal is now.

Re:Doubleplusgood!

[causality]

True, but they had legally good grounds for doing so, and really bent over backwards to make it right. I don't like the idea that they can do it at all, but I don't see how they really did anything morally wrong.

What's morally wrong is they didn't even attempt to obtain consent. The entire notion of a marketplace is based on a willing buyer and a willing seller doing business without coercion of any kind. The initial sale of the book was done in this consentual, voluntary fashion. The revocation of the book and refunds etc. were done against the will of many customers. It was not a voluntary transaction.

If you don't want to sell something of yours to me, I don't have the right to simply take it against your will and leave you the money. If I did that but you didn't want to sell it then I just coerced you into a sale. I am certain you have some possession you are unwilling to part with and would be outraged if someone did this to you. Others feel the same way about other things they purchase.

That they sold a book they didn't have the right to sell is their problem, to be resolved between them and the rightsholder. It's not like Amazon is struggling to financially survive and couldn't have possibly worked out some kind of royalty. To make that your customers' problem is a shitty way to do business. A good business looks after their customers better than that and cleans up its own messes without involving unwilling third parties. Even if the only reason they do it is selfish, to avoid losing sales from pissed off former customers.

I'm sure it's not legally wrong since they almost definitely had the multiple pages of fine-print legalese in some kind of EULA to legally cover their asses. So no surprise the state isn't intervening here. The idea here is that coming up with a clever legal way to coerce someone into a bargain is still morally wrong. It makes some people not want to do business with you.

I don't understand this trend of making apologetics for large organizations. At all. It's as though they have to murder kittens or something before some of you will say "hey, that doesn't look right to me!". To make your problem into your customers' problem when the customers did nothing wrong (while you did) is simply unethical.

Re:

[fafaforza]

I'd like to see the argument you put up when a stolen car you buy gets taken away from you. Two consenting adults, right?

As said already, this was ONE frigging book in the existence of their ebook store, and people got full refunds to purchase the very same book, word from word, from a source that was legally able to sell it.

You decry the apologists. But quite the contrary, I think you just want to find fault in anything a "big evil corporation" does.

Re:Doubleplusgood!

[causality]

I'd like to see the argument you put up when a stolen car you buy gets taken away from you. Two consenting adults, right?

That scenario involves a quite unwilling third party. That's exactly the problem I have with Amazon's action -- the issue was between Amazon and the rightsholder. They chose to involve unwilling third parties (their own customers at that). You are only reinforcing my point here.

That isn't two consenting adults. That's two consenting adults, one of which is using fraud, and a third adult who's very much not consenting. It's a big difference.

As said already, this was ONE frigging book in the existence of their ebook store, and people got full refunds to purchase the very same book, word from word, from a source that was legally able to sell it.

That's a most amicable way to handle it. I appreciate you highlighting the goodwill that Amazon showed once the situation happened. That part is easy to underappreciate and was worth a reminder.

I still don't find it acceptable to make this your customers' problem. You didn't do your homework and vet the product you offered for sale, that's your fault, you get to sort it out on your own. There are records of how many copies were sold, so you remit payments to the actual rightsholder plus some negotiated fee for accidentally infringing on their copyright and you're done. To put it another way, if this happened with a physical paper book would you support them breaking into your home to take it back as long as they leave an envelope with the money on your kitchen table? After all, on page 37 of the EULA you clearly gave them that right...

Why is this so acceptable in the digital world? If it's intellectual _property_ let's treat it like property. If it's zeroes and ones, let's treat it like zeroes and ones. This is a desire to have one's cake and eat it too. It's not reasonable.

To make a more minor point ... instead of going through a refund process and all the transactions that involves... why not just overwrite the book on the device and replace it with the legal copy? Customers might not even notice it happened. Why inconvenience them if you're going to have such remote capabilities at all?

You decry the apologists. But quite the contrary, I think you just want to find fault in anything a "big evil corporation" does.

When they do things the hard way for no good reason, and cause problems that could have been prevented, then the fault is there whether I find it or not.

Re:

[LordLucless]

I'd like to see the argument you put up when a stolen car you buy gets taken away from you.

What, like for instance, if I woke up in the morning, and Ford's come and taken the car I bought from them because they didn't license a fuel-injection patent? But hey, they refunded me my money - I could go buy the car again from a source with a proper license.

Two consenting adults, right?

Yeah, because being stolen from is such an awesome example of consent.

Re:

[tehcyder]

What, like for instance, if I woke up in the morning, and Ford's come and taken the car I bought from them because they didn't license a fuel-injection patent? But hey, they refunded me my money - I could go buy the car again from a source with a proper license.

Amazon didn't take your Kindle away, though, they just removed one book. It's more like Ford remotely disabling one of the choice of notification sounds on your alarm/key fob

Re:

[tehcyder]

That they sold a book they didn't have the right to sell is their problem, to be resolved between them and the rightsholder

I'm sure it would have pleased everyone on slashdot if the rightsholder had decided to sue each customer of Amazon individually for copyright infringement.

Re:Doubleplusgood!

[causality]

I hate to say things like this but you're a fuckwit.

You hate to say such things because it's a sorry excuse for having your own point of view. I'd hate to be that way myself; that's why I'm not. I don't know if it's some kind of jealousy or what, but I see lots of posts like this written by people who clearly could not articulate their own position and why they believe it's better.

It reminds me of a post I made some weeks back about Mohandas Gandhi. I misremembered how the man's name was spelled and I wrote it as "Ghandi". So what does some useless little AC come along and do? He points this out and calls me a liar, saying obviously I never read the man's autobiography as I had said. This appeals to the bitchy base nature of a lot of people so he even got modded up. Of course, he didn't dispute anything I said about Gandhi's life, beliefs, or impact on the world. That would have required substance, something he obviously lacked. It would have also required me being wrong about the important part of the post and he knew I wasn't. His entire contribution was "you made a spelling error, therefore you're wrong and I'm right!" I guess to him that represented some kind of conquest or victory.

You're just like him.

It's that desperate need of nothing-human-beings to look down their nose at something and judge it less worthy than themselves. No power to uplift and edify, only to try to degrade in order to relieve the pain of their wretched, stressful, purposeless existence. Little do they understand it makes it worse. Enjoy your perverse, imaginary sense of superiority, if you can. I can see how my love of reason makes me an unusually tempting target. Meanwhile, my works speak for themselves and are open to constructive discourse.

Personally, I couldn't stand being like you. It would burden me with the kind of inner conflict I very much love being free from. That's why I bother to write this -- certainly not for you, as that would be pearls before swine. It's for people who see this going on everywhere and struggle with self-doubt, who might appreciate knowing they really are seeing it correctly.

Re:

[causality]

You responded to a troll, with a long, pompous, self-righteous rant. I thought the first post was preachy and a little misguided, but I didn't think you were a fuckwit. Now I do. You're a fuckwit.

It doesn't work twice in the same thread :-)

Re:Doubleplusgood!

[causality]

Wow, for the guy who thinks that in response to being offended, that one should suck it up and move on [slashdot.org], you are not very good at it.

I have to agree with the AC on this one: a pompous, self-righteous fuckwit. Try taking your own advice and grow a pair.

I did take my own advice. I argued why I think there's something wrong with that.

Those who cannot grow a pair? You know what they do? They look to the site admin, or a government agent, or some other authority figure to censor whatever it is they don't like. Is that what I did? No. I countered bad speech with more speech, not with censorship.

You fail to comprehend the point. Not because it is beyond your comprehension; it isn't. You fail because that way and only that way do you get to bitch about something and feel "right" even if only for the interval between that time and my setting you straight.

If by "pompous and self-righteous" you mean "I'll tell the truth and I won't make any apologies for it" then yes, that I am. What you want is for someone to kiss your ass and say things delicately to suit your tastes, to mince words and be diplomatic to avoid your ire. What you want is a people-pleaser who cares about your approval. Sorry, but fuck you, I won't play that game. Go ahead and hate me just as much as you like. Call me some more names if that fulfills your puerile needs. That's what is called having a pair. Not kow-towing to hyperemotional sensitives such as yourself who must make everything personal.

Re:

[tehcyder]

I really hate to say this, but you sound even more like a fuckwit than you did originally.

Re:

[tehcyder]

say thanks for the government creating and enforcing copyright (and patent) law, which is what allows the monopolists to maintain their monopolies.

It would have been much better without government, the would-be monopolists could have just gone around shooting those who stole/copied their work.

Re:Doubleplusgood!

[Culture20]

True, but they had legally good grounds for doing so

&@$^ their "legally good" grounds. If Star Trek Replicators ever become a reality, I don't want Amazon using a team of transporter technicians to dematerialize stuff from my house that was replicated with the wrong copyright license. They shouldn't have the *ability* to do this because it is likely to be abused (again).

Re:

[fafaforza]

Perhaps you should consider the fact that with the digital sales of books, mistakes are much more easily made. With printed books, it is a more arduous process and therefore likely harder for a simple mistake to take place, like poor editing, scanning, and spelling that you find in ebooks, and possibly like incorrectly uploading a 300kb ebook to the online store, whereas making the physical counterpart would involve a lot more bureaucracy and time between making the decision and the book showing up on shel

Re:

[LordLucless]

Perhaps you should consider the fact that with the digital sales of books, mistakes are much more easily made.

Perhaps you should consider the fact that if I own something, the creator has no right to take it back just to correct a "mistake". If they made a mistake, they need to pay for it.

a simple mistake to take place, like poor editing, scanning, and spelling that you find in ebooks

Because ebooks are produced entirely separately to physical books. They don't just edit it once and produce two separate formats, no, they go through the entire process twice.

Re:

[tehcyder]

Perhaps you should consider the fact that if I own something, the creator has no right to take it back just to correct a "mistake". If they made a mistake, they need to pay for it.

You don't own a book's contents, since you can't republish them without permission. you pay for the privlelege of copying it and the physical paper if it is a print book.

Re:

[tehcyder]

If you could replicate any object for free, it would hardly be worth Amazon or anyone else's while fucking around with your struff, as presumably by that stage we would have abandoned the ideas of copyright, patensts and indeed "property" altogether.

Re:

[hedwards]

No, they didn't have legally good grounds for doing it. They sold copies they weren't authorized to sell then took them back to avoid paying a big fine. It doesn't matter whether they returned the money or not, sales are an inherently no backsies situation.

I'm not sure this is fundamentally any different from them coming over and demanding that I give back any other item I got from them in exchange for my money back.

Re:

[fafaforza]

So you'd be against, for example, a vehicle recall? After all, that's the vehicle you bought. The dealing between you and the car company is over. And I'm sure you'd mention the warranty, but that likely only covers things that break. You bought that car with that faulty battery from the getgo. That's the vehicle you inspected and bought. Your problem now, no backsies.

Re:

[sixsixtysix]

in your situation, if there was a recall, the car seller would just come and take your vehicle, and leave a check and any personal items, whenever/wherever they wanted to. parent is saying that, once sold, the car seller should contact the buyers and let them know, and IF they wanted to, they can bring back the car with the faulty battery. you know, because of ownership and all.

Re:

[fafaforza]

But that's the thing people forget. You don't own the eBook you buy. You buy what's effectively a license. You can't lend it (the 2 week lending thing is a joke), you can't resell it, you can't donate it to a library or thrift store. If you have a problem with that, then stick with paper books.

Re:

[MLCT]

So you'd be against, for example, a vehicle recall?

A vehicle recall is voluntary - ultimately you don't have to take it back if you don't want to. What Amazon did was the equivalent of turning up at your house and using their own set of keys to get in to and drive away your car because it had a fault - all without telling you until they had left.

Re:

[hedwards]

Recalls are not generally mandatory even if the defect is potentially extremely dangerous. Plus, you don't give them back the car typically you drive it to a dealership and they provide the service. Good dealers will often even loan you a car while you're waiting for yours to get out of the shop.

Additionally, they're not obligated to take the car back except under very specific cases and the terms will indicate that they won't buy it back for the same price they sold it for and even then it's treated as a n

Re:

[damiangerous]

Really? If someone steals your car and sells it to an innocent third party, you would be fine with never getting your car back because "sales are an inherently no backsies situation"?

Re:

[hedwards]

That's a completely different situation. You're talking about somebody that's guilty of receiving stolen merchandise and having to look the other way over the issue of the title. Versus buying from a generally reputable place of business that's selling a digital copy.

Yeah, that's totally the same thing. The latter could be remedied simply by Amazon paying the owner for the rights and the former is a felony.

Re:

[damiangerous]

It's not "completely different". It's not identical, no, but it's similar. You were the one speaking in absolutes. There are plenty of situations where a sale does in fact have "backsies". Replace car with "Playstation 3" or any other consumer product without a title trail. The point is that someone was damaged by Amazon's actions and Amazon had the ability to correct the situation because it was a digital sale. Paying compensation is generally second best to remedying the actual damage,

Re:Doubleplusgood!

[Hotweed Music]

They were hosting illegal content. I know it's nice to get outraged about (especially because of the books banned), but you're picking a fight.

Re:

[Anonymous Coward]

On this you are wrong. Why is it all of a sudden "ok" when it is digital content? If they were selling physical books they could still have had no right to sell them, but they would not have had any means (nor would they have tried) to track down who had the illegal book and repossess it. Now, just because these books were digital, why is it OK? I posit that it is NOT OK. As more and more of "our" content goes digital - what makes it OK for folks to remotely decide we can't have it anymore?

Re:

[LordLucless]

So they should stop hosting it. Great.

What they shouldn't do is break into other peoples' property, and take their stuff.

Re:

[cellocgw]

Except that you are completely wrong. They were providing copyrighted (not illegal) content, and there is no provision in any copyright law that either allows the vendor (Amazon) to pull copies back from owners of Kindles, nor to require said owners to delete the copies they received.
More to the point: it should be flat out illegal for any content provider to be able to remove any content from a user's device. Cue the "own vs. license" flame war here...

Re:

[thePowerOfGrayskull]

Because surely nobody knew what ggp was talking about without the link.

Here's another spin: Out of hundreds of thosuands of titles sold, they only had to pull on and it was over two years ago. Based pn past performance I would say that it"s pretty unlikely indeed. I just can't say it's impossible, because clearly it is. (Also worth noting: purchasers got their money back. Without even having to fight or ask.)

And news flash: they hated as much as the purchasers did if not more - really bad pr when they're

Re:

[causality]

And news flash: they hated as much as the purchasers did if not more - really bad pr when they're trying to build a business around how safe and reliable it is to make electronic manuscript purchases. You think there wasn't some serious internal policy changes to ensure that chances of it happenin g again areas close to zero as possible?

How to make it absolutely zero: don't build devices with this kind of remote-deletion functionality. When negotiating with publishers, tell them up-front that any such option is off the table, that you (the business) will settle any copyright disputes with them, without dreaming of making this your customers' problem. It's not like Amazon doesn't have the resources. Imagine the great PR they could have had if they positioned themselves as protecting their customers from such errors.

I'm just not impres

Re:

[thePowerOfGrayskull]

That would be the ideal solution, but considering that it was a relatively new approach with no critical mass of support, it seems unlikely to me that they would have gotten any large-ish publisher to sign on without it.

Re:

[artor3]

First of all, it is highly unlikely that Amazon would ever make that mistake again. But if you're really worried, and not just pandering for karma, then simply copy the ebooks to your computer via USB. Ta-da! You've got a back up. For bonus points, use Calibre to break the (trivial) DRM and convert to your file format of choice.

Re:

[caseih]

Backing up your kindle purchases and storing them in a way that Amazon cannot control is easy I've been told, and doesn't depend on any particular Kindle.

XSS

[Anonymous Coward]

So the Kindle was jailbroken by a XSS vulnerability?
That's cool

Re:XSS

[hey!]

Pretty much. The hack was simply embedding javascript in an MP3 id3 tag.

While I'm in favor of jail breaking devices, this does NOT make me want to rush out and buy a Kindle Touch (although I was considering it before), because it reveals a flaw in the the device's basic use. Short of restricting myself to Amazon content, I'd have to check every file I use on it for malware.

Re:

[jones_supa]

thin_lizzy-jailbreak.mp3

Garden Picnic

[mugnyte]

The walled gardens are full of splendor, as we pay the entrance fee for a reason. Bringing your own picnic, despite the guards, will never be prevented.

Explanation (It's quite clever)

[mshenrick]

for the lazy, the title just contains HTML code to create a button, which runs DD to the MP3 (minus the title tag) to a script, as the author tag is the script source, which is then executed. If you open the properties of the MP3 (OS X's 'get info' works, or you could cat it) the source is pretty well commented

I would think that this was a major problem.

[geekprime]

It dosen't disturb anyone that an mp3 can be used to crash this thing and run arbitrary code on it?

It seems like the fact that everyone "knows" that mp3's are safe and can not give you a virus is not at all true for this device.

Re:I would think that this was a major problem.

[izomiac]

It disturbs me that Amazon would include a javascript command to execute arbitrary native code as root, and doesn't sanitize input. An ID3 tag should not be rendered, especially not with javascript, and especially not in the privileged mode the GUI is given. Making any one of those mistakes is amateurish and indicates that whoever designed this system knows absolutely nothing about security. Beyond that, obviously that person/team was given the autonomy to do this without any kind of oversight, so the device is surely riddled with such defects!

IMHO, most likely some web developer came up with that idea and is unused to even considering security issues. While you can write a GUI in DHTML and its ilk, it's not necessarily a good idea. When they ran into the easily predicted performance issues, this was their solution. Suddenly, they're no longer playing in the sandbox, but apparently they weren't quite cognizant of the implications.

Re:

[DeathFromSomewhere]

Urban dictionary says you're wrong. [urbandictionary.com]

Re:

[DeathFromSomewhere]

Except humble is listed first. Cool fail bro.

Re:

[Anachragnome]

I once downloaded some MP3 files (about 4 years ago) and one of the files puzzled me.

I had gotten into the habit of deleting all the metadata (and replacing it with my own in order to standardize all my MP3 files). When I deleted the metadata and replaced it with my own, this certain file went from roughly 25kb in size down to 15kb. Of the 14-15 or so files in that group, only one file acted in this manner. The rest in the group either registered no change or 1kb less in size. I actually downloaded the enti

Re:

[Anonymous Coward]

You can stick album art in the id3 tag if you want; that could easily be several kb in size. Nowadays people put the cover art in every track: the redundant data isn't half as annoying as trying to manage it separately.

Re:

[maeka]

Most likely you cleared album art (as the poster above mentioned) or your tagger was set to remove padding.

With ID3 tags residing at the start of the file it is common to pad the tags with blank space so that future (longer) edits don't necessitate the rewriting of the entire file. Too Many shitty taggers remove padding by default.

Re:

[Ethanol-fueled]

It doesen't disturb anyone that an mp3 can be used to crash this thing and run arbitrary code on it?

Not really. MP3's have been rooting Windows for years now. Ooh, gotta go. Just downloaded Pamela_Anderson_Naked_jpg.exe .

Re:

[Em Adespoton]

One of the first exploits for OS X back in the day was actually malware dressed up as an MP3 with the appropriate headers. It took advantage of a flaw in the header reading code of iTunes to buffer overflow and then use the iTunes memory space to escalate privilege.

Of course, the flaw in the library was patched pretty quickly, and nobody's tried it again since, but mp3s have been attack vectors for at least 10 years.

don't browse the web

[kervin]

...with your ebook reader.

Not because a browser is included means it's a good idea to do so.

Re:

[Nimey]

The newer e-Ink Kindles are limited to only visiting Amazon and Wikipedia, IIRC. Don't have that limitation with the old keyboard versions or the Fire.

Re:

[jones_supa]

genius programmers thought it was great to blindly map color to grayscale

Huh, what do you mean?

g = (r + g + b) / 3;

I dunno.

Re:

[jones_supa]

I see. Good information.

Re:I would think that this was a major problem.

[complete loony]

This isn't a buffer overflow, it's a XSS scripting attack. The mp3's meta data is inserted into a HTML document without cleansing it.

Re:

[zegota]

Absolutely they are. I use Calibre, and I have absolutely no trouble reading whatever I want.

Re:

[fafaforza]

Meh, calibre is fine, but it's so bloated, and resource hungry, and every week, there is a new version that requires you downloading the whole frigging 25-30mb binary. I try to avoid it, personally.

Re:

[Blue Stone]

Just don't update it unless there's a real need. Most of the updates are irrelevant. Turn off the auto-update option, and it tells you there's an update in the lower right, but it lets you ignore it. Once in a while check the change log and see it's worth the bother of updating.

But you're right about bloated. I'm not short of Ram these days, but Calibre seems unnecessarily weighty.

Re:

[ceoyoyo]

It does do rather a lot of conversions. 20 to 30 MB isn't that much. It also takes up a lot of memory, but it's written in Java, isn't it?

Re:

[Blue Stone]

Calibre is written in Python.

Re:

[ceoyoyo]

Is it? I like it better already. Makes sense that it's a little bigger than might be expected then - it has to have a copy of Qt.

Re:

[wygit]

Kindles read the epub format? Really? I haven't been able to find a reference to that on Amazon or anywhere else.

Re:

[Guspaz]

If it's not DRM encrypted, there's software like Calibre that will convert between all the different formats. DRM-free eBook formats haven't been an issue for years, I don't know why everybody is so obsessed with ePub on the kindle. As the OP, I've been reading non-Amazon DRM-free ePubs for ages.

There are a lot of stuff that's annoying about the kindle, the format support is not one of them. Not being able to set my own screensaver image on my non-advertising kindle is a bigger annoyance to me.

Re:

[fafaforza]

So it can read ePubs, as long as you convert them to Amazon's format? That's not quite reading ePubs.

Re:

[damiangerous]

The Kindle does not support the ePub format. Amazon does not sell ePubs and has never wrapped one in their own DRM.

Re:

[damiangerous]

But it does not support the ePub format, which was the point. I am well aware that ePub can be converted to another format, but that's not really relevant to the statement at hand, which was that "it reads ePubs".

Re:

[shutdown -p now]

Actually, format support is still annoying, because it means that you can't just download ePubs using Kindle's built-in web browser and immediately start reading them, as you can with Mobi files - you need a PC to convert them.

Re:

[damiangerous]

My wife's un-modded Kindle reads her non-Amazon epubs just fine.

No it doesn't.

Re:

[jones_supa]

And if we get the source, it's only the standard GNU parts of it...