I'm confused as to why some people in the community believe a party was "backstabbed". Each team/group operated with its own intentions and goals; there's no reason why there had to be cooperation amongst them.
I don't think this really helps evad3rs build credibility.
I think one point you are making is unfair. Many (most?) previous jailbreaks not named PwnageTool or redsn0w have had a single, non-configurable payload containing Cydia and various Unix tools, with the understanding that once it's installed, the user can use Cydia to do whatever they want. In the case of my jailbreaks (years ago), I don't remember anyone ever expressing a desire for an alternate payload, presumably for that reason.
Just to point out that evad3rs are basically the core group within the iPhone Dev Team. I wouldn't really trust future Dev Team jailbreaks anymore either.
Am I the only one who thinks this makes evad3rs look even more shady?
It's almost certainly a copyright violation in the US, but is it illegal in China for a Chinese company to pay developers to modify another company's software for commercial gain?
This is interesting. The jailbreak community is a weird place on the edge of free software- normally, "just open source it" is an easy answer to security concerns, but there are understandable reasons not to open-source exploits. However, the whole competition thing between evad3rs and saurik seems kind of strange. Honestly, I wish Apple would just get with the times and allow an appropriate degree of freedom on their devices; even if evad3rs are as innocent as they claim in this instance, forcing users to install potentially sketchy obfuscated third-party system-level code in order to do basic things like set default apps seems like a recipe for eventual disaster.
> Honestly, I wish Apple would just get with the times and allow an appropriate degree of freedom on their devices
An appropriate degree of freedom is different for you and eight year old children or grandparents. The majority of iOS users have no use for the freedom jailbreakers desire and Apple is creating software for the majority of its customers.
I'm still baffled as to why someone would want to buy a locked up device and be forced to use frequent / complicated measures to be somewhat freed...
I understand if you didn't get a choice at first, but people realizing they are really stuck in a jail anyway, without any jailbreaks, might do more good than having them.
(Though I encourage breaking things! ;)
There are hundreds of millions of happy iPhone users out there. For the overwhelming majority of people, the restrictions on the device are not burdensome.
Because sometimes it's simpler to get what you want by subtraction rather than by addition.
Sometimes you buy it because you like the hardware and know the software is coming down the line. I've done this twice.
- I bought an Android phone that had terrible reviews on Amazon.com, knowing that there was a cyanogenmod ROM that'd solve everything.
- I bought the new Kindle Fire HDX because I love the hardware design and knew a hack would show up for it eventually. Sure enough, the "put_user" kernel memory write exploit was found and now I have root on it. I'm sure cyanogenmod ROMs will be coming later on. Until then, I don't even use the HDX. Why didn't I just wait until the root showed up first before purchasing? Because updates to firmware might seal the exploit. So, just like I did with Sony PSP, it's best to get the hardware with early firmware and just never bring the device online for any updates. Just wait for the hack. My HDX still hasn't been exposed to the interwebz. That won't happen until Cyanogenmod is flashed on it. Until then, I'm still using my firstgen Kindle Fire.
I bet some people bought an iPhone fully expecting that one day a jailbreak would show up.
I do not believe that helping a Chinese company that is related to Qihoo360, which has a very bad ethical record, will in any way benefit the Chinese users. I also don't see how this is benefiting the jailbreak community, except for the compensation they took in.
One thing I don't understand... why do you think it is wrong for them to make money out of their work? I am not saying that what they did was good for the community but what if the alternative was not getting anything? They are still offering it for free...
Their own app store has lots of pirated apps and they have their own ad platform. E.g., one app publisher pays xM Chinese yuan for making their app to the top n in an app store.
Chrome (and Firefox for that matter) are doing what they should be. The default encoding for HTTP is ISO-8859-1 and the Content-Type header doesn't specify a charset, so that is what the browsers are displaying it as.
BTW, if anyone was going to post this to reddit, don't bother. I posted it to /r/technology and /r/apple but davidreiss666 removed both links with no explanation.
The justification of their actions, to remunerate developers for their work, is of course a sentiment of paramount importance. However, clearly, the way in which it was executed (bundling a questionable foreign App Store) wasn't the best, and in my opinion they should look to more interesting monetisation avenues than sponsorship.
Malware should be easy enough to detect by MiTMing the device, assuming the baseband is unmodified and cellular is shut down. (edit: no, it doesn't-- shouldn't post before I'm awake) I have just updated my phone and I have no traces of the Chinese app store mentioned here, for what it's worth.
saurik|12 years ago
So, yes: someone approached me with a potential jailbreak; the goal being to get a non-piracy-laden jailbreak out; this does not seem bad...
...in particular, I do not see how it is "backstabbing" @evad3rs (as some claim): it was unlikely to work, and was mostly just "having fun".
Also, I am not part of @evad3rs: they made that very clear to me. They never told me anything about their exploit. Should I not help others?
I guess now the argument is that if people come to me with a potential jailbreak, in order to not "backstab", I am not allowed to help them?
Regardless, I gave the iOS 7 Substrate build to evad3rs on September 30th, and all I needed to test was a new copy of redsn0w (not evasi0n).
I guess I don't understand "we really wanted TaiG's deal, so when we heard a rumor of an open jailbreak we were rushed: shame on saurik". :/
Goopplesoft|12 years ago
> SaurikIT had been in talks with Chinese companies regarding potential partnerships, made a counteroffer. We believe they share our views on how a relationship with companies in China currently utilizing jailbreaking might benefit everyone in the community. Unfortunately, the negotiations did not work out. A few days later, we received information that SaurikIT was working with another group to release a jailbreak ahead of us. We decided to release, knowing that Cydia, MobileSubstrate, and jailbreak tweaks would be updated after a few days, just as it always has in the course of jailbreaking.
Which seems honest and clear enough (financial incentives and potential loss of the contract motivated the release) without the whole "shame on saurik" thing.
gluxon|12 years ago
I feel like the reaction to this is more due to a general mistrust of Chinese software and a worship of MobileSubstrate.
bri3d|12 years ago
They put a giant, user-facing blob payload into their jailbreak with no transparency about how it got there or what it is. Reading between the lines they were paid for it, but they don't even manage to come out and say that outright in this "letter."
There's always some level of faith involved in installing an early iOS jailbreak, because exploits often aren't documented or open-sourced until long after their release (for a variety of reasons - vanity, ripoffs, weaponization, etc.). But at least most of the jailbreaks released in the past have been transparent and configurable.
In the Dev Team jailbreaks, all userland packages were optional and if a user wanted, they could uncheck the "Install Cydia" box in the payload configuration, configure their own Cydia (because the source is open, imagine that!), or install a completely different set of user-land applications. Plus a variety of parties with various interests in the development community were given previous jailbreaks early, which provides at least a cursory level of auditing and sign-off. This evad3rs release offers none of these reassurances.
I certainly wouldn't call any iOS jailbreak "trustworthy" in the truest sense but this one is definitely the worst so far.
comex|12 years ago
Of course there's a difference between Cydia and a closed source, less generally useful application that the jailbreakers were paid a large amount of money to include, but I wouldn't call it an issue of transparency/configurability as such.
Macha|12 years ago
minimalist|12 years ago
From @Hackl0us: "Taig also uploads users' private data to iphonespirit.com(belongs to Qihoo360 company). @iH8sn0w @pod2g @MuscleNerd @winocm"[0]
Other sources: [1][2]
[0]: https://twitter.com/Hackl0us/status/414835565524422656
[1]: https://twitter.com/JonathanSeals/status/414835993015894020
[2]: http://bbs.weiphone.com/read-htm-tid-7417919.html
rubbingalcohol|12 years ago
One example: they carefully avoid denying the presence of malware in their jailbreak. Instead,
"We are saddened by the accusations that we would ever do such a thing, or sell weaponized exploits. If anyone ever attempted to include malware in a jailbreak, we are confident that the many security experts combing through jailbreak software would find it."
The explanations about Saurik and piracy in their Chinese pals' app store come off as similarly evasive.
ChuckMcM|12 years ago
"Yes, we have benefitted financially from our work, just as many others in the jailbreak community have, including tweak developers, repo owners, etc. Any jailbreak from us will always be free to the users but we believe we have a right to be compensated in an ethical way, just as any other developer. "
In my world view people do work in exchange for money, there are two sets of people, people who make money through legal means, and people who make money through illegal means. On the border of those two realms are people who walk back and forth over the line between legal and illegal. If you're 'productizing' a jailbreak (nominally legal in some countries, illegal in others) the people you're going to get money from are the folks on the illegal side of the line.
Given that world view you want to be compensated in an 'ethical way' by people who threw ethics out the window? That is what I have trouble with.
nitrogen|12 years ago
Another relevant question, would developers in another country be breaking their country's laws by accepting such work?
Edit: note that I'm not intending to equate ethicality with legality.
schneidmaster|12 years ago
greenlakejake|12 years ago
An appropriate degree of freedom is different for you and eight year old children or grandparents. The majority of iOS users have no use for the freedom jailbreakers desire and Apple is creating software for the majority of its customers.
elboru|12 years ago
Legit question, what reasons could there be?
killahpriest|12 years ago
RRRA|12 years ago
UVB-76|12 years ago
noblethrasher|12 years ago
More formally, my ideal device is x. The iPhone (4s) is at x + δ and all the other smartphones are at x - δn (where δ > 0 and n is a really big number)†.
I like the App Store but I don't like the restriction against installing non-approved apps (including my own).
I love Safari/Webkit but I don't like the restriction against using other rendering engines.
I like the default apps (mail and maps are fine) but I don't like the restriction against changing those defaults.
I like tethering and don't even mind paying a little extra for the bandwidth, but I do not like the fact that my carrier can preempt that ability at the OS layer rather than the network layer.
On the other hand, I do acknowledge that buying and owning an iPhone basically supports an eco-system that I despise, and for that reason, my next phone will probably be a Nexus or MotoX.
stevewillows|12 years ago
Even my sister is on cm10.2.
I sold my iPhone when the GS3 came out because I was sick of waiting for an exploit that let me have more than nine icons on my home screen.
smtddr|12 years ago
- I bought an Android phone that had terrible reviews on Amazon.com, knowing that there was a cyanogenmod ROM that'd solve everything.
- I bought the new Kindle Fire HDX because I love the hardware design and knew a hack would show up for it eventually. Sure enough, the "put_user" kernel memory write exploit was found and now I have root on it. I'm sure cyanogenmod ROMs will be coming later on. Until then, I don't even use the HDX. Why didn't I just wait until the root showed up first before purchasing? Because updates to firmware might seal the exploit. So, just like I did with Sony PSP, it's best to get the hardware with early firmware and just never bring the device online for any updates. Just wait for the hack. My HDX still hasn't been exposed to the interwebz. That won't happen until Cyanogenmod is flashed on it. Until then, I'm still using my firstgen Kindle Fire.
I bet some people bought an iPhone fully expecting that one day a jailbreak would show up.
mikeash|12 years ago
Jailbroken iPhone > regular iPhone > Android phone
Jailbreaking is not a critical factor for me, but it's nice to have.
chengyinliu|12 years ago
duiker101|12 years ago
songco|12 years ago
rspeer|12 years ago
breser|12 years ago
schneidmaster|12 years ago
glasshead969|12 years ago
unknown|12 years ago
[deleted]
nilved|12 years ago
jrockway|12 years ago
sarreph|12 years ago
rolleiflex|12 years ago
nwh|12 years ago
How do you know the data will be sent when you are looking, how do you know what the encoding will be? Maybe it exports your AppleID password by using the unused bit ("evil bit") in IPv4 packets, maybe it encodes your keychain into every screenshot you take, maybe it's using high frequency audio (haha) to send out copies of your photos when you're not looking.
Treating the iPhone like a black box it would be impossible to deny the existence of malware, you can only confirm its existence. Given that the evad3rs didn't even know what the binary they included with their exploits contained, we can assume that there's possibly a backdoor or two in there as well.
zhufenggood|12 years ago
songco|12 years ago
Fire_30|12 years ago