I don't think this really helps evad3rs build credibility.
They put a giant, user-facing blob payload into their jailbreak with no transparency about how it got there or what it is. Reading between the lines they were paid for it, but they don't even manage to come out and say that outright in this "letter."
There's always some level of faith involved in installing an early iOS jailbreak, because exploits often aren't documented or open-sourced until long after their release (for a variety of reasons - vanity, ripoffs, weaponization, etc.). But at least most of the jailbreaks released in the past have been transparent and configurable.
In the Dev Team jailbreaks, all userland packages were optional and if a user wanted, they could uncheck the "Install Cydia" box in the payload configuration, configure their own Cydia (because the source is open, imagine that!), or install a completely different set of user-land applications. Plus a variety of parties with various interests in the development community were given previous jailbreaks early, which provides at least a cursory level of auditing and sign-off. This evad3rs release offers none of these reassurances.
I certainly wouldn't call any iOS jailbreak "trustworthy" in the truest sense but this one is definitely the worst so far.
I think one point you are making is unfair. Many (most?) previous jailbreaks not named PwnageTool or redsn0w have had a single, non-configurable payload containing Cydia and various Unix tools, with the understanding that once it's installed, the user can use Cydia to do whatever they want. In the case of my jailbreaks (years ago), I don't remember anyone ever expressing a desire for an alternate payload, presumably for that reason.
Of course there's a difference between Cydia and a closed source, less generally useful application that the jailbreakers were paid a large amount of money to include, but I wouldn't call it an issue of transparency/configurability as such.
Good point. I am unfairly using a subset of jailbreaks (PwnageTool and redsn0w) as an example of the community norm when that's really not the case.
I think the important distinction in the evad3rs release is indeed the one you make in the second paragraph of your post.
I do still think there's an issue of transparency, though: this letter carefully dances around the actual exchange of money for an unaudited blob in exchange for a lot of "we wanted to beat Saurik to a release" fluff.
Just to point out that evad3rs are basically the core group within the iPhone Dev Team. I wouldn't really trust future Dev Team jailbreaks anymore either.
> SaurikIT had been in talks with Chinese companies regarding potential partnerships, made a counteroffer. We believe they share our views on how a relationship with companies in China currently utilizing jailbreaking might benefit everyone in the community. Unfortunately, the negotiations did not work out. A few days later, we received information that SaurikIT was working with another group to release a jailbreak ahead of us. We decided to release, knowing that Cydia, MobileSubstrate, and jailbreak tweaks would be updated after a few days, just as it always has in the course of jailbreaking.
Which seems honest and clear enough (financial incentives and potential loss of the contract motivated the release) without the whole "shame on saurik" thing.
Read the paragraph you accurately summarized again: you managed to make the inference, but what they actually wrote was akin to "we decided to release because we didn't want Saurik to be first," not "we decided to release because we could lose our contract and money."
Payment was conditional on being first and being exclusive. You do not pay 1 million dollars to be second out the gate, particularly because you can simply copy the first guy's work.
Unless the evad3rs released first, they would not get paid. Or, more accurately, they would have to return money. I don't think they were excited by that prospect.
This evad3rs letter is, to use a Clapper-ism, "the least untruthful statement."
I'm confused as to why some people in the community believe a party was "backstabbed". Each team/group operated with its own intentions and goals; there's no reason why there had to be cooperation amongst them.
I feel like the reaction to this is more due to a general mistrust of Chinese software and a worship of MobileSubstrate.
Am I the only one who thinks this makes evad3rs look even more shady?
One example: they carefully avoid denying the presence of malware in their jailbreak. Instead,
"We are saddened by the accusations that we would ever do such a thing, or sell weaponized exploits. If anyone ever attempted to include malware in a jailbreak, we are confident that the many security experts combing through jailbreak software would find it."
The explanations about Saurik and piracy in their Chinese pals' app store come off as similarly evasive.
"Yes, we have benefitted financially from our work, just as many others in the jailbreak community have, including tweak developers, repo owners, etc. Any jailbreak from us will always be free to the users but we believe we have a right to be compensated in an ethical way, just as any other developer. "
In my world view people do work in exchange for money, there are two sets of people, people who make money through legal means, and people who make money through illegal means. On the border of those two realms are people who walk back and forth over the line between legal and illegal. If you're 'productizing' a jailbreak (nominally legal in some countries, illegal in others) the people you're going to get money from are the folks on the illegal side of the line.
Given that world view you want to be compensated in an 'ethical way' by people who threw ethics out the window? That is what I have trouble with.
It's almost certainly a copyright violation in the US, but is it illegal in China for a Chinese company to pay developers to modify another company's software for commercial gain?
Another relevant question, would developers in another country be breaking their country's laws by accepting such work?
Edit: note that I'm not intending to equate ethicality with legality.
Nitrogen is correct, the fuzziness in the US is around whether or not jailbreaking your own phone is a violation of the DMCA or not (ruled "no", then ruled "yes", not sure where it is at the moment), and then the contractual (civil vs non-civil) issues with running software on your phone without Apple's permission. It is that "grey" area, where folks can give themselves a credible story about how it is "perfectly legal" and so take the money. My point was that they are dealing with people who don't care if it's legal or not. (Remember they don't "charge" the end users, they charge the app store bundle guy.) That guy (or gal) doesn't care about what is or is not legal, they care about money any way they can get it so that the person they got it from can't get it back. Period.
AIUI, jailbreaking (or any modification of software) creates a derivative work, which is a right protected by copyright. In other areas of copyright law, it seems commercial uses are more stringently restricted than personal uses.
This is interesting. The jailbreak community is a weird place on the edge of free software- normally, "just open source it" is an easy answer to security concerns, but there are understandable reasons not to open-source exploits. However, the whole competition thing between evad3rs and saurik seems kind of strange. Honestly, I wish Apple would just get with the times and allow an appropriate degree of freedom on their devices; even if evad3rs are as innocent as they claim in this instance, forcing users to install potentially sketchy obfuscated third-party system-level code in order to do basic things like set default apps seems like a recipe for eventual disaster.
> Honestly, I wish Apple would just get with the times and allow an appropriate degree of freedom on their devices
An appropriate degree of freedom is different for you and eight year old children or grandparents. The majority of iOS users have no use for the freedom jailbreakers desire and Apple is creating software for the majority of its customers.
> The majority of iOS users have no use for the freedom jailbreakers desire and Apple is creating software for the majority of its customers.
That's not quite true.
There's a bunch of minor tweaks that many people would really like that they can only get if they jail break. Since most people are scared of jailbreaking they don't do it.
It's hard to understand how different keyboards[1] is inappropriate degree of software freedom.
[1] to pick one example of a simple, minor, tweak that many people want.
"It's hard to understand how different keyboards[1] is inappropriate..."
"[1] to pick one example of a simple, minor, tweak that many people want."
Agree with your point except calling it a "minor tweak". From personal experience, the difference between the stock iOS keyboard and something like Swype on Android is huge. This third party keyboard on Android was so popular and influential that Google finally added swype like functionality in the base OS (I think starting with JB). This is one of the biggest frustrations I have with the iOS experience (whenever I do use iOS, e.g. on my iPad).
I like the developer options in android. Just go to about phone and click the build number a large number of times. You basically have to know this exists to seek out the how online and then do it. Almost no one is going to enable this by accident.
The non-technical iOS users I know would never change a setting in Settings they do not understand (unless someone they trust, namely me, tells them to do it).
If that is not enough, the unlocking process can be as complicated as needed to discourage careless unlocking. Most people, when asked, e.g., to convert a decimal to a hexadecimal or to engage their frontal lobes in some other way, stop being careless.
Remember that the only point I'm trying to make is that it is not strictly necessary for Apple to do their best to keep motivated technical users from escaping their "jail" to prevent kids and grandmothers from harming themselves.
And does anyone actually believe that protecting naive users is the only reason Apple makes it as hard as possible to jailbreak iOS?
> The non-technical iOS users I know would never change a setting in Settings they do not understand
I wish I had your circle of non-technical folks. I've been called (from other people's phones, no less) numerous times asking why data doesn't work (they deleted all the APNs from an Android phone), why their picture messages don't go through (they changed the MMSC URL to their homepage), why voicemails stopped (they set the voicemail service number to their own number), and several more. Changeable settings are like mountains; they're messed with because they are there.
I understand this, but there should at least be a way to access that freedom. I'm a developer; I'm going to hack and tweak my phone. That's not going to change. What can change is whether Apple makes me install a 3rd-party exploit or lets me flip a switch somewhere deep in my settings.
Yeah, what voltagex said. Same reason you shouldn't open-source a zero day exploit on any website without responsibly disclosing it to the company and giving them a reasonable amount of time to patch it.
They've basically made it open to the world, Apple has worked out closed sourced jailbreaks before with no help. Jailbreaks like Star (jailbreak.me) were just a PDF binary with absolutely no clue as to the contents or method of exploitation.
This is true, but making an exploit open source, as opposed to merely available, makes it significantly easier to weaponize for people who might not already be experts in exploiting iOS.
I'm still baffled as to why someone would want to buy a locked up device and be forced to use frequent / complicated measures to be somewhat freed...
I understand if you didn't get a choice at first, but people realizing they are really stuck in a jail anyway, without any jailbreaks, might do more good than having them.
(Though I encourage breaking things! ;)
Sometimes you buy it because you like the hardware and know the software is coming down the line. I've done this twice.
- I bought an Android phone that had terrible reviews on Amazon come, knowing that there was a cyanogenmod ROM that'd solve everything.
- I bought the new Kindle Fire HDX because I love the hardware design and knew a hack would show up for it eventually. Sure enough, the "put_user" kernel memory write exploit was found and now I have root on it. I'm sure cyanogenmod ROMs will be coming later on. Until then, I don't even use the HDX. Why didn't I just wait until the root showed up first before purchasing? Because updates to firmware might seal the exploit. So, just like I did with Sony PSP, it's best to get the hardware with early firmware and just never bring the device online for any updates. Just wait for the hack. My HDX still hasn't been exposed to the interwebz. That won't happen until Cyanogenmod is flashed on it. Until then, I'm still using my firstgen Kindle Fire.
I bet some people bought an iPhone fully expecting that one day a jailbreak would show up.
I wish we'd collectively only buy things where the root exploit was like ticking an "I want root" checkbox. If buyers collectivized their buying power we wouldn't need to worry about "down the line"; companies would release it with root or the product would fail.
Sigh. While I'm at it, I'd also like a sack full of hundreds and a unicorn.
I look at it this way: if enough people wanted that checkbox to move the needle in the market, then my skillset that a lot of employers find extremely valuable would probably be a lot more common and hence less valuable.
There are hundreds of millions of happy iPhone users out there. For the overwhelming majority of people, the restrictions on the device are not burdensome.
For many people the restrictions protect them from installing malware, and is a huge benefit. For the majority of us reading, I think we know enough to not install weird applications and the restrictions are incredibly burdensome.
Because sometimes it's simpler to get what you want by subtraction rather than by addition.
More formally, my ideal device is x. The iPhone (4s) is at x + δ and all the other smartphones are at x - δn (where δ > 0 and n is a really big number)†.
I like the App Store but I don't like the restriction against installing non-approved apps (including my own).
I love Safari/Webkit but I don't like the restriction against using other rendering engines.
I like the default apps (mail and maps are fine) but I don't like the restriction against changing those defaults.
I like tethering and don't even mind paying a little extra for the bandwidth, but I do not like the fact that my carrier can preempt that ability at the OS layer rather than the network layer.
On the other hand, I do acknowledge that buying and owning an iPhone basically supports an ecosystem that I despise, and for that reason, my next phone will probably be a Nexus or MotoX.
I just wanted to write that I like the iOS platform and devices when jailbroken, but I am also sick of their walled garden bullshit. So, cheers for standing up for your principles over your convenience, it takes a strong person to do so.
I do not believe that helping a Chinese company that is related to Qihoo360, which has a very bad ethical record, will in any way benefit the Chinese users. I also don't see how this is benefiting the jailbreak community, except for the compensation they took in.
One thing I don't understand... why do you think it is wrong for them to make money out of their work? I am not saying that what they did was good for the community but what if the alternative was not getting anything? They are still offering it for free...
I don't think I said that it is wrong for them to take the money. It is more about who to take it from and what are they asked to do. They claimed including TaiG is good for the Chinese user and a positive thing for the jailbreak community. I personally don't think that's the case.
Their own app store has lots of pirated apps and they have their own ad platform. E.g., one app publisher pays xM Chinese yuan for making their app to the top n in an app store.
Chrome (and Firefox for that matter) are doing what they should be. The default encoding for HTTP is ISO-8859-1 and the Content-Type header doesn't specify a charset, so that is what the browsers are displaying it as.
Well, like most things on the Web, they're not doing what the HTTP standard says, they're doing something related to what the standards say they should do but with some concessions to reality.
Look at "We don’t believe it’s right". There's no Euro sign in ISO-8859-1. The Euro symbol was not even dreamed up when ISO-8859-1 was standardized.
But there's a Euro sign -- retroactively -- in Windows-1252, and it's been a long-standing tradition among Web browsers to pretend ISO-8859-1 and Windows-1252 are equivalent even though in Unicode they clearly aren't. It's why you can write … and usually get the same ellipsis as ….
So you can forgive me for expecting another long-standing tradition, which is to auto-detect encodings that aren't specified. Maybe browsers have stopped doing that. It's a bit of a loss when it comes to UTF-8, a clear choice for an encoding to try by default in 2013.
Of course the page should ideally be written better, but that's a push and pull between HTML writers and browser developers that will never be over.
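The ISO-8859-1 versus Windows-1252 point above can be checked directly. This is an added example, not part of the thread; the byte string is constructed from the sentence quoted in the comment, assuming the page was served as UTF-8 without a declared charset.

```python
# Constructed sample: the quoted sentence as UTF-8 bytes on the wire.
ORIGINAL = "We don\u2019t believe it\u2019s right"
RAW = ORIGINAL.encode("utf-8")


def decode_as(raw, charset):
    """Decode bytes the way a client that assumed `charset` would."""
    return raw.decode(charset)


def which_legacy_charset(observed):
    """Return (charset, recovered_text) for each legacy single-byte charset
    whose misreading of UTF-8 bytes would produce the text `observed`."""
    matches = []
    for charset in ("iso-8859-1", "windows-1252"):
        try:
            # Undo the wrong decode, then apply the right one.
            recovered = observed.encode(charset).decode("utf-8")
        except (UnicodeEncodeError, UnicodeDecodeError):
            continue  # this charset cannot have produced `observed`
        matches.append((charset, recovered))
    return matches


if __name__ == "__main__":
    strict = decode_as(RAW, "iso-8859-1")
    lenient = decode_as(RAW, "windows-1252")
    # True ISO-8859-1 maps 0x80 and 0x99 to invisible C1 control characters.
    print("ISO-8859-1  :", ascii(strict))
    # Windows-1252 maps the same bytes to the Euro and trademark signs.
    print("Windows-1252:", lenient)
    print("Explained by:", which_legacy_charset(lenient))
```

The Euro sign in the rendered text can only come from the Windows-1252 table, so its presence shows the browser did not apply ISO-8859-1 literally.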
BTW, if anyone was going to post this to reddit, don't bother. I posted it to /r/technology and /r/apple but davidreiss666 removed both links with no explanation.
The justification of their actions, to remunerate developers for their work, is of course a sentiment of paramount importance. However, clearly, the way in which it was executed (bundling a questionable foreign App Store) wasn't the best, and in my opinion they should look to more interesting monetisation avenues than sponsorship.
Malware should be easy enough to detect by MiTMing the device, assuming the baseband is unmodified and cellular is shut down. (edit: no, it doesn't-- shouldn't post before I'm awake) I have just updated my phone and I have no traces of the Chinese app store mentioned here, for what it's worth.
How do you know the data will be sent when you are looking, how do you know what the encoding will be? Maybe it exports your AppleID password by using the unused bit ("evil bit") in IPv4 packets, maybe it encodes your keychain into every screenshot you take, maybe it's using high frequency audio (haha) to send out copies of your photos when you're not looking.
Treating the iPhone like a black box, it would be impossible to deny the existence of malware; you can only confirm its existence. Given that the evad3rs didn't even know what the binary they included with their exploits contained, we can assume that there's possibly a backdoor or two in there as well.
Fair point, I didn't think it through very much. Jailbreak is inherently risky and the risk increases as the effort required to achieve becomes unsustainable without financial help.