
[continuing this comment from the earlier part]

"Finally" (in the aforementioned second point), your e-mail makes the argument for the jailbreak tool being open source. You feel like this "could open the doors to greater community contribution, encouraging larger groups of people to work together to solve the problems more quickly". The argument makes sense: if jailbreaking were secretive and closed (which is a bullet you dodged, btw: on Android, where bounties are common, jailbreak tools are not only often closed source but techniques are hoarded and under-described so as to win more bounties <- you actually need this open source clause to not fall into the obvious trap) people are not in a position to learn how all of the systems of Apple's device work in a way that would let them later build their own tools.

Would it surprise you to find out that most of the code in a jailbreak is already open source, and that the only parts that are not tend to be the GUI and the specific exploit technique for that one specific version of iOS?

- All of the libraries that are used to connect to the device in its normal mode are licensed under LGPL (they are part of a suite called libimobiledevice, which was primarily developed by members of the iPhone Dev Team, and now maintained by nikias from evad3rs).

- The libraries used to talk to the device in recovery and DFU mode are open source and licensed under GPL (developed by posixninja, who has been maintaining them recently under the openjailbreak project).

- The libraries used to decrypt and modify image files (kernels, device trees, disks, and bootloaders) have been open source for years (developed and maintained by planetbeing from evad3rs). The same developer (planetbeing) has released a number of utility libraries like this, including ones to download portions of IPSW files from Apple's servers without having to download the whole file (this is why jailbreaks never need to distribute copyrighted content). All of this code is under GPL.

It is thereby not just useless but insulting that in your e-mail you make the point that "the jailbreaking teams are not an island—they rely heavily on FOSS software in their work": the people who build these tools (which again, does not include myself) quite often release code for large or critical parts of their work, and almost exclusively do so under "free software" licenses.

In fact, many previous jailbreak tools have been or have become open source, and currently the tool to jailbreak the iPhone 4 on iOS 7 (opensn0w) is itself open source (under GPL). Now, one thing that is really interesting here: this project (which has now existed for years) actually tried to crowd fund itself (which, to be 100% clear, doesn't cause the same kinds of issues as a third-party bounty program) and failed. Out of its $3,000 it got $30.

http://www.indiegogo.com/opensn0w

This, of course, flies in the face of your comment that the goal is to set a precedent of jailbreaks being open source: and in case you think I'm playing up one example, the iOS 4 jailbreaks from comex were open source as well; the source code for both JailbreakMe 2.0 and JailbreakMe 3.0 was released (I believe fairly soon after the jailbreak, but clearly as this was all years ago "soon" is relative: there are tons of open source examples).

http://www.idownloadblog.com/2011/07/19/jailbreakme-now-open...

The team behind the tool greenpois0n (which includes the aforementioned posixninja) also open sourced much of their work as "syringe". The opensn0w tool in fact uses a lot of this code, as have a number of third-party tools based on this older limera1n exploit (which, interestingly enough, was itself released to the community by geohot giving everyone a few lines of source code for how to implement it, as he wanted people to use that exploit instead of SHAtter).

http://www.ijailbreak.com/applications/greenpois0n-jailbreak...

The argument that people are somehow not able to learn how to jailbreak things because nothing is open source thereby doesn't make any sense even on the face of it; again: the only things that tend to be closed source are GUIs and transient one-off device-specific techniques. The main reason these things tend to be closed source is that our community has a serious problem with scams: people like to try to charge people for jailbreak tools or claim they have tools that work in places they don't; everyone wants to "build a jailbreak", but in practice people just want "to take someone's tool, change the GUI, claim it works better than it does, and then charge $20 for it".

In your mind, this seems to be related to the idea that "I don't want them making money when I'm not making money: I want to make the money, so that's why it is closed source", but that just demonstrates you are seeing this through the eyes of the wrong kinds of incentives. You say that "getting financial support up front reduces the perverse incentive to keep the source closed so that other groups cannot profit from it without having built it", but in fact that doesn't change that users will get scammed and lose money: the argument made by the jailbreak teams has never been "you should give money to us, not them", but instead "jailbreaks should be free". It is simply clear that you don't understand the incentive structures already in place in this community, even while you feel like you want to change them.

You might then argue that it is horrible that these techniques are hidden, but that itself could not be further from the case: the people who build these jailbreaks generally give talks about how the jailbreaks work at conferences around the world, and they are well documented in the security community through everything from articles on websites to entire books. (At JailbreakCon, Nikias from evad3rs gave an hour and a half long presentation on exactly how the iOS 6 jailbreak worked as part of a time slot that was only a half an hour long, a story which I continue to find absolutely hilarious ;P.)

Really, the only sentence I can come up with from your e-mail that has some weight behind it is the argument that "users of such a jailbreak will be able to audit the changes made to the firmware of one of their most important pieces of hardware". FWIW, this is a cause that I appreciate.

However, you are addressing an audience of people who are primarily getting software from Apple, none of which is itself audited by the community, and which the people you are attacking (and yes: an implication "you can't trust these people" is an attack) have demonstrated on numerous occasions is insecure or actively damaging (such as with the various logging and reporting daemons). The modifications made are also fairly easy for people in the community to pull apart: maybe not to you, but to 99.99% of users the source code isn't helpful anyway... that doesn't mean that results are not able to be "audited".

I feel like the best you could thereby hope for is some kind of "strife" that you want to cause: to pit people against one another, spiting one movement (open hardware) to help another (open software). Open hardware is a much more serious problem that very few people are really fighting for, and iOS jailbreaking is one of the few case examples that can be pointed to when lobbying (such as with Congress, or the Library of Congress) for why these freedoms are important and potentially obtaining laws to guarantee them. It would be an absolute shame to see one of the few weapons we have in that war be sacrificed because you felt that tens of millions of people had incorrectly allocated their trust.



You're missing the point here—we're grateful that people in the jailbreak community release things as FOSS, but the majority of jailbreaks as you yourself mention are not FOSS themselves, which is part of what motivated Chris, who proposed the prize, and myself.

It seems to me that that opensn0w campaign may have been fake (there are a lot of those on IndieGoGo).

And to be clear, in talking to friends in the security space, the auditing the code aspect was a huge concern, so I'm glad we can at least agree on something. :)

We're also planning on helping to fund many open hardware projects, and I'll actually be speaking at the SF Hardware Startup meetup tonight to solicit ideas from the community.


> You're missing the point here—we're grateful that people in the jailbreak community release things as FOSS, but the majority of jailbreaks as you yourself mention are not FOSS themselves, which is part of what motivated Chris, who proposed the prize, and myself.

In other places you've stated the reason he wanted this prize was to get software on his iPhone so he could help with some accessibility issues. This is an incentive that aligns with long-term open hardware, not short term open software. You can't have it both ways. If you are really dropping all of the incentive arguments I'm making and want to concentrate on open source, that's fine: but let's get our stories straight.

> It seems to me that that opensn0w campaign may have been fake (there are a lot of those on IndieGoGo).

I just contacted the developer of opensn0w: no, that was not fake, it just didn't take off. I personally can assert to you that opensn0w (which many people are using right now) is not itself a fake (and I'm one of the people who generally are asked to determine this ;P).

> And to be clear, in talking to friends in the security space, the auditing the code aspect was a huge concern, so I'm glad we can at least agree on something. :)

I talked about auditing changes, not auditing code, and I even explicitly stated that the code was not in any way a concern to someone who really knows what they are doing, so no: we don't really agree on this :/. I have on many occasions, in articles and talks, made the argument that open source is overrated, and that what really matters is open hardware: that in addition to the gap between source code and machine code decreasing over time due to better analysis tools and frameworks, that as long as hardware is capable of being closed off it doesn't matter how much of the code is open <- the iOS jailbreak community is at the front line of this particular battle.

> We're also planning on helping to fund many open hardware projects, and I'll actually be speaking at the SF Hardware Startup meetup tonight to solicit ideas from the community.

FWIW, having third-parties construct open hardware doesn't really help the cause of forcing large companies who make closed hardware to provide means of opening it; that said, I do appreciate that you have future goals, but it may have been more useful to start with them.



