locknitpicker 2 days ago

> Highlighting (repeatedly) the ease and breadth of access is a basic writing technique to illustrate the weakness of a security system.

It's a firmware distribution system. It's read-only access to a public storage account designed to provide open access to software deployment packages that the company wishes to broadcast to all products. Of course there is no auth requirement at all. The system is designed to allow everyone in the world to install updates. What compels anyone to believe the system would be designed to prevent public access?

lmz 2 days ago | parent

Maybe listing shouldn't be enabled even if all the files are public.

dns_snek 2 days ago | parent | next

Why not? It's just an annoyance step that is predicated on obfuscating information that has already been made publicly available.

locknitpicker 2 days ago | parent | prev

> Maybe listing shouldn't be enabled even if all the files are public.

I don't see why. Support for firmware upgrades literally involves querying available packages and downloading the latest ones (i.e., applying upgrades). Either you use something like the S3 interface, or you waste your time implementing a clone of what S3 already supports.

Sometimes simple is good, especially when critics can't even provide any concrete criticism.

lmz a day ago | parent

It's not a necessary interface. Do the clients actually use S3 listing to determine what the latest firmware is? Personally I would put a service in the middle that takes in the model number, region, etc. and then returns the most recent firmware URL. There's no reason to have historical versions be easily listable by curious people.

tyami94 18 hours ago | parent

Why not? The firmware was already public at one point. If people are analyzing your app to find an S3 bucket full of firmware, I'd assume they'd have a pretty good reason to go through the effort.
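The disagreement above (lmz's "listing shouldn't be enabled even if all the files are public" versus the replies defending the S3 interface) comes down to one bucket-policy distinction: granting anonymous `s3:GetObject` on objects lets devices download a package whose key they already know, while also granting `s3:ListBucket` on the bucket lets anyone enumerate every version ever published. The example below is added here and is not code from the thread or from any vendor; the bucket name, both policy documents and the small evaluator are constructed for illustration. It places the weak policy beside the hardened one and checks which of them exposes listing to anonymous principals, the review a defender would run over their own bucket policies before pointing a firmware updater at them.

```python
"""Compare a firmware-bucket policy that allows anonymous listing with one
that only allows object download.

Added example: the bucket name, the policies and the evaluator are constructed
for illustration and are not the policies of any real vendor.
"""
import json

BUCKET = "example-firmware-bucket"  # placeholder name, not a real bucket

# Weak: anyone can both list the bucket and fetch objects, so every
# historical package becomes discoverable with a single ListObjects call.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicListAndRead",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:ListBucket", "s3:GetObject"],
            "Resource": [
                f"arn:aws:s3:::{BUCKET}",
                f"arn:aws:s3:::{BUCKET}/*",
            ],
        }
    ],
}

# Hardened: anonymous clients may download a package whose key they already
# know (handed out by an updater service), but cannot enumerate the bucket.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicReadOnly",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{BUCKET}/*",
        }
    ],
}


def _as_list(value):
    """IAM allows scalar-or-list in several fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """True if a Principal element grants to everyone ("*" or {"AWS": "*"})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def anonymous_actions(policy):
    """Return the set of actions the policy grants to anonymous principals.

    Actions are lower-cased for comparison. Explicit Deny statements aimed at
    everyone are subtracted, mirroring IAM's deny-wins evaluation. Wildcard
    patterns such as "s3:Get*" are not expanded; they are reported as written.
    """
    allowed, denied = set(), set()
    for stmt in policy.get("Statement", []):
        if not _is_anonymous(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if stmt.get("Effect") == "Allow":
            allowed |= actions
        elif stmt.get("Effect") == "Deny":
            denied |= actions
    return allowed - denied


def allows_public_listing(policy):
    """True if anonymous callers may enumerate bucket contents."""
    acts = anonymous_actions(policy)
    return "s3:listbucket" in acts or "s3:*" in acts or "*" in acts


if __name__ == "__main__":
    for name, pol in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"{name}: public listing = {allows_public_listing(pol)}")
    print(json.dumps(HARDENED_POLICY, indent=2))
```

The hardened policy is the shape that pairs with lmz's "service in the middle": the service maps model number and region to the current object key and the device fetches only that key. Two caveats when applying the check to real buckets: the S3 Block Public Access account and bucket settings can override whatever the policy says, so the effective permission must be read from both, and a policy using action wildcards (`s3:*`, `s3:List*`) needs the pattern expanded before this simple set comparison is meaningful.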