Reeftronics Question


orcus
03/03/2012, 05:36 PM
I recently learned about reeftronics. It looks like a really nice service, but I'm wondering about security.

I'm really not trying to criticize what looks like a cool service, and apologize if this question causes any offense.

From what I can gather, the reeftronics site will poll the Apex at regular intervals. What I'm wondering about is whether someone could alter the configuration of an Apex if they were able to hack into the Reeftronics site. If so, it seems like a bad guy could try to crash the tanks of everyone using the service.

To some extent, it probably depends on the protocol Apex uses. If there's a way to limit a remote connection to only read information, then that lowers, if not eliminates, this risk. Anyone familiar enough with the protocol to know whether this is the case?

A nice enhancement to the Apex might be to have an option so that settings can only be changed on the local subnet, but data could still be read from outside.

Meslo
03/03/2012, 05:53 PM
If you have recent updates then it just takes its info from the read-only part. You do not need to give login info to them.

I am not a network person by any means so I can't talk about how secure it really is.

Xcali1985
03/03/2012, 06:10 PM
If you enable Open XML Access in the Network settings you should be able to use some of their services.

RussM
03/04/2012, 12:26 AM
I operate Reeftronics.

I take no offense - I understand the concern, being an IT guy with a background in information security.

I strongly encourage the use of the Open XML access option by Reeftronics members and Reeftronics Tools users. When you enable this feature, it permits anonymous read-only access only to the RSS and XML data (what you see in the Apex web pages under XML); everything else still requires login with username and password. It was added by Neptune at the request of myself and a few others, so that third-party sources do not need to have credentials to retrieve status data from people's controllers.

For Reeftronics members with older models of controllers (like the AC3) and those who have older firmware on their Apex, Reeftronics still needs to be provided with the username and password. I have taken great pains to ensure that that information is secure to the best of my ability. In the interest of security, I won't go into detail about how that is done. ;)

The various Apex tools available to anyone (not just members) work fine without username and password if you have Open XML access enabled. If not enabled, and you do enter your username and password, they are not stored.... just held in memory for a brief moment.

If you have additional questions, please contact me directly via Reeftronics (http://www.reeftronics.net/comments).

aquamanic
03/04/2012, 08:03 AM
I wouldn't worry about Reeftronics. Russ is a security Nazi! You probably have a dozen other areas in your home network that could be exploited easier than Russ's site.