So, yes: someone approached me with a potential jailbreak; the goal being to get a non-piracy-laden jailbreak out; this does not seem bad...
...in particular, I do not see how it is "backstabbing" @evad3rs (as some claim): it was unlikely to work, and was mostly just "having fun".
Also, I am not part of @evad3rs: they made that very clear to me. They never told me anything about their exploit. Should I not help others?
I guess now the argument is that if people come to me with a potential jailbreak, in order to not "backstab", I am not allowed to help them?
Regardless, I gave the iOS 7 Substrate build to evad3rs on September 30th, and all I needed to test was a new copy of redsn0w (not evasi0n).
I guess I don't understand "we really wanted TaiG's deal, so when we heard a rumor of an open jailbreak we were rushed: shame on saurik". :/
> SaurikIT had been in talks with Chinese companies regarding potential partnerships, made a counteroffer. We believe they share our views on how a relationship with companies in China currently utilizing jailbreaking might benefit everyone in the community. Unfortunately, the negotiations did not work out. A few days later, we received information that SaurikIT was working with another group to release a jailbreak ahead of us. We decided to release, knowing that Cydia, MobileSubstrate, and jailbreak tweaks would be updated after a few days, just as it always has in the course of jailbreaking.
Which seems honest and clear enough (financial incentives and potential loss of the contract motivated the release) without the whole "shame on saurik" thing.
> LOL now the @evad3rs say that @saurik backstabbed them and tried to release JB with other people. http://evasi0n.com/l.html
I feel like the reaction to this is more due to a general mistrust of Chinese software and a worship of MobileSubstrate.
They put a giant, user-facing blob payload into their jailbreak with no transparency about how it got there or what it is. Reading between the lines they were paid for it, but they don't even manage to come out and say that outright in this "letter."
There's always some level of faith involved in installing an early iOS jailbreak, because exploits often aren't documented or open-sourced until long after their release (for a variety of reasons - vanity, ripoffs, weaponization, etc.). But at least most of the jailbreaks released in the past have been transparent and configurable.
In the Dev Team jailbreaks, all userland packages were optional and if a user wanted, they could uncheck the "Install Cydia" box in the payload configuration, configure their own Cydia (because the source is open, imagine that!), or install a completely different set of user-land applications. Plus a variety of parties with various interests in the development community were given previous jailbreaks early, which provides at least a cursory level of auditing and sign-off. This evad3rs release offers none of these reassurances.
I certainly wouldn't call any iOS jailbreak "trustworthy" in the truest sense but this one is definitely the worst so far.
Of course there's a difference between Cydia and a closed source, less generally useful application that the jailbreakers were paid a large amount of money to include, but I wouldn't call it an issue of transparency/configurability as such.
I think the important distinction in the evad3rs release is indeed the one you make in the second paragraph of your post.
I do still think there's an issue of transparency, though: this letter carefully dances around the actual exchange of money for an unaudited blob in exchange for a lot of "we wanted to beat Saurik to a release" fluff.
From @Hackl0us: "Taig also uploads users' private data to iphonespirit.com(belongs to Qihoo360 company). @iH8sn0w @pod2g @MuscleNerd @winocm"[0]
Other sources: [1][2]
[0]: https://twitter.com/Hackl0us/status/414835565524422656
[1]: https://twitter.com/JonathanSeals/status/414835993015894020
One example: they carefully avoid denying the presence of malware in their jailbreak. Instead,
"We are saddened by the accusations that we would ever do such a thing, or sell weaponized exploits. If anyone ever attempted to include malware in a jailbreak, we are confident that the many security experts combing through jailbreak software would find it."
The explanations about Saurik and piracy in their Chinese pals' app store come off as similarly evasive.
"Yes, we have benefitted financially from our work, just as many others in the jailbreak community have, including tweak developers, repo owners, etc. Any jailbreak from us will always be free to the users but we believe we have a right to be compensated in an ethical way, just as any other developer. "
In my world view, people do work in exchange for money. There are two sets of people: people who make money through legal means, and people who make money through illegal means. On the border of those two realms are people who walk back and forth over the line between legal and illegal. If you're 'productizing' a jailbreak (nominally legal in some countries, illegal in others) the people you're going to get money from are the folks on the illegal side of the line.
Given that world view you want to be compensated in an 'ethical way' by people who threw ethics out the window? That is what I have trouble with.
Another relevant question: would developers in another country be breaking their country's laws by accepting such work?
Edit: note that I'm not intending to equate ethicality with legality.
An appropriate degree of freedom is different for you and eight-year-old children or grandparents. The majority of iOS users have no use for the freedom jailbreakers desire and Apple is creating software for the majority of its customers.
That's not quite true.
There's a bunch of minor tweaks that many people would really like that they can only get if they jailbreak. Since most people are scared of jailbreaking they don't do it.
It's hard to understand how different keyboards[1] is an inappropriate degree of software freedom.
[1] to pick one example of a simple, minor, tweak that many people want.
Legit question: what reasons could there be?
* They don't want the exploit "stolen" or reused by another party (for good or evil)
* They don't want to make it too easy for Apple to patch it.
More formally, my ideal device is x. The iPhone (4s) is at x + δ and all the other smartphones are at x - δn (where δ > 0 and n is a really big number)†.
I like the App Store but I don't like the restriction against installing non-approved apps (including my own).
I love Safari/Webkit but I don't like the restriction against using other rendering engines.
I like the default apps (mail and maps are fine) but I don't like the restriction against changing those defaults.
I like tethering and don't even mind paying a little extra for the bandwidth, but I do not like the fact that my carrier can preempt that ability at the OS layer rather than the network layer.
On the other hand, I do acknowledge that buying and owning an iPhone basically supports an ecosystem that I despise, and for that reason, my next phone will probably be a Nexus or MotoX.
Even my sister is on cm10.2.
I sold my iPhone when the GS3 came out because I was sick of waiting for an exploit that let me have more than nine icons on my home screen.
- I bought an Android phone that had terrible reviews on Amazon.com, knowing that there was a cyanogenmod ROM that'd solve everything.
- I bought the new Kindle Fire HDX because I love the hardware design and knew a hack would show up for it eventually. Sure enough, the "put_user" kernel memory write exploit was found and now I have root on it. I'm sure cyanogenmod ROMs will be coming later on. Until then, I don't even use the HDX. Why didn't I just wait until the root showed up first before purchasing? Because updates to firmware might seal the exploit. So, just like I did with Sony PSP, it's best to get the hardware with early firmware and just never bring the device online for any updates. Just wait for the hack. My HDX still hasn't been exposed to the interwebz. That won't happen until Cyanogenmod is flashed on it. Until then, I'm still using my firstgen Kindle Fire.
I bet some people bought an iPhone fully expecting that one day a jailbreak would show up.
Sigh. While I'm at it, I'd also like a sack full of hundreds and a unicorn.
Jailbroken iPhone > regular iPhone > Android phone
Jailbreaking is not a critical factor for me, but it's nice to have.
Look at "We don’t believe it’s right". There's no Euro sign in ISO-8859-1. The Euro symbol was not even dreamed up when ISO-8859-1 was standardized.
But there's a Euro sign -- retroactively -- in Windows-1252, and it's been a long-standing tradition among Web browsers to pretend ISO-8859-1 and Windows-1252 are equivalent even though in Unicode they clearly aren't. It's why you can write … and usually get the same ellipsis as ….
So you can forgive me for expecting another long-standing tradition, which is to auto-detect encodings that aren't specified. Maybe browsers have stopped doing that. It's a bit of a loss when it comes to UTF-8, a clear choice for an encoding to try by default in 2013.
Of course the page should ideally be written better, but that's a push and pull between HTML writers and browser developers that will never be over.
<meta charset=utf-8>
How do you know the data will be sent when you are looking, how do you know what the encoding will be? Maybe it exports your AppleID password by using the unused bit ("evil bit") in IPv4 packets, maybe it encodes your keychain into every screenshot you take, maybe it's using high frequency audio (haha) to send out copies of your photos when you're not looking.
Treating the iPhone like a black box, it would be impossible to deny the existence of malware; you can only confirm its existence. Given that the evad3rs didn't even know what the binary they included with their exploits contained, we can assume that there's possibly a backdoor or two in there as well.