Monday, May 4, 2009

Apple needs to play cat and mouse with pirates, not jailbreakers

Apple spends considerable engineering resources attempting to defeat jailbreakers, but historically, we have always been able to defeat anything they throw at us. In trying to defeat jailbreakers, Apple is fighting against a body of skilled volunteers who feel morally, ethically and legally justified in defeating such efforts, and would go so far as to feel a moral and ethical obligation to continue to do so. It's not only fun to try to work around such puzzles, but basic ethical common sense tells us that it is only right to be able to do whatever we want to devices we purchased as long as we're not hurting anyone else.

None of the people who work to defeat Apple's jailbreaking protections believe that pirating App Store applications is EVER justified. Nor do they believe that Apple should have a support burden for modified devices.

Yet Apple and many developers continue to equate jailbreaking with piracy, which is both unjust and unproductive toward their own interests. Piracy doesn't require jailbreaking. The one modification that jailbreaking makes to the iPhone, to allow applications to run unsigned code, is unnecessary for piracy because pirated apps are already signed!

Third-party app stores have successfully deployed copy protection for the applications they carry. These app stores run on jailbroken iPhones and their DRM remains uncracked. In contrast, official App Store applications carry no significant DRM. They are encrypted, but the encryption can be side-stepped with a method that has worked, and continues to work, completely unmodified, since day 1 of the App Store.

Whereas several new hurdles have cropped up against jailbreakers during this time, Apple has developed none for pirates. Developers concerned with piracy need to ask Apple why they have not spent any time protecting them against piracy, instead focusing on playing cat and mouse games with skilled and motivated jailbreakers. A cat and mouse game that would not guarantee developers protection even if Apple succeeded.

A similar cat and mouse game with pirates is likely to be much easier for Apple to win. Instead of fighting against people with the most knowledge and the most motivation, Apple would instead be contending against a group of people who are accustomed to using automated scripts (*cough* script kiddies *cough*), and for more complicated jobs using gdb (a debugger). Lord knows what they would do if Apple, say, disabled debugger attachment for encrypted applications, or obfuscated MobileInstallation, or put protections into the kernel. After all, you can't use gdb to attach to the iPhone kernel, can you?

Please, Apple. These suggestions are free. The first one, honestly, is TRIVIAL. Please for goodness' sake, use one of them! You've had a year to do SOMETHING. ANYTHING. I would have made my own anti-piracy patches, but building in DRM by machine language patching an operating system kernel is not fun, and it'd take me twenty times as long to make the same change as you.

Developers: Don't hate on jailbreaking because you think it "enables" App Store piracy. App Store piracy simply wouldn't exist if Apple actually did anything about it instead of being too busy losing games with jailbreakers.

Saturday, November 8, 2008

Does anyone know about the T-Mobile G-1?

My friend has one, but he's only getting started on app development using it. I'm wondering how locked down it is and whether it is as open as the hype says it is.

My understanding of Google's statements with regards to Android is that the initiative is meant to be "open" to carriers and manufacturers. The license is permissive and allows them to add in whatever they want and take away whatever they want. I remember someone from Google saying that they're allowed to completely strip away everything and lock it down completely if they wanted to.

Here is what I understand about the G1:

1. The Android OS is open source. That is, you can read the source, you can modify it and redistribute the modified source code.

2. The T-Mobile G1 requires the OS to be signed before updating it. That means if you modify the Android OS source yourself, you can't install it onto the device.

3. Applications are not allowed root. Getting root is considered an exploit.

4. Applications don't need to be signed by any authority to run on the phone.

Are these facts correct? If they are, the clear advantage over the iPhone seems to be #4, but as for #2 and #3... That's pretty much the same as it is for the iPhone. People seem to want to characterize Google's fixing of the Android jailbreak as security, while the very same people want to characterize Apple's fixing of iPhone jailbreaks as control freak-ness. Guys, it's pretty much the same thing. Google doesn't necessarily care about people modifying their platform, but T-Mobile does and Google is helping them achieve that.

As for #1, the advantage is pretty much entirely negated by the fact that it's Tivoization. After all, many components of the iPhone OS are also open source: XNU, WebKit. Most stuff except for the platform specific things that no one could possibly be interested in (sarcasm). Lots of the iPhone specific frameworks are also closed source, but for the most part, I don't really care about the details of how they manage to read PNG images. It may be interesting to read about the inner workings of SpringBoard (and the analogous Android UI), but if you can't modify those workings, then the knowledge becomes much less useful.

Android may be an open OS, but the T-Mobile G1 is not an entirely open platform. While the situation is much better, since while Google can blacklist apps, they don't have to whitelist them, so individuals are free to do most things on their phone... But in my opinion, it's disingenuous to call it an open platform. An open platform, in my opinion, is one you can modify, not just freely put stuff on.

It's a lot better situation than the Apple iPhone, certainly, but please people stop going up to me and going neener neener my platform is open while the one you choose to hack on isn't. Please. To do the stuff I'm doing with the iPhone on the T-Mobile G1, I'd have to use just as many exploits (or maybe not, since Android's security in that regard is apparently currently a bit swiss cheese, as can be expected on a new platform).

Thursday, September 4, 2008

Hurray, new blog!

And I actually paid some of my own moneyz for the domain name too, even though I didn't think I would ever do something like that. I really wanted this name for my blog, and I was rather pissed when I found out "" and "" were taken by two basically empty ones. Grr.

Anyway, I wanted a blog like this for a while, just to write random bits about all sorts of different "complicated stuff", not just restricted to iPhone Linux stuff. Also, it gives me a freer hand to participate in the epic troll/gang war that is all our interactions with Zibri nowadays. =P I didn't want to fill up the Linux blog with any more of that garbage, but it will amuse me to respond to his response, I suppose.

With all due respect to Zibri (even if telling me to "STFU" wasn't really nice, or even helpful to his own cause), I really can't believe him.

They say:
"QuickPwn contains all-original code and features a very tiny bootstrapper that allows it to use libraries and code that's already on the iPhone."

Now just know this:
without "bl39.bin" and "bl46.bin" their BOOTNEUTER would NEVER work.

Oh, for Pete's sake. The first word of the quotation he cited is "QuickPwn" and he's objecting to some files that "BOOTNEUTER" needs. They are obviously two separate things. One is a jailbreak and the other is an unlock. Newcomers to the scene can be forgiven for conflating the two, but he's been around long enough. The best part is that we didn't even start packaging BootNeuter with QuickPwn until RC2 or RC3 or something. Actually, no, the best part is that Mac QuickPwn doesn't even include BootNeuter even now.

Addressing his complaint against BootNeuter is easy enough too (and important to do, since it is also our product), but I and several other people have already done it before. In fact, I already had typed something up for this post, but I know I have a problem with being over-loquacious, and there's no point in belaboring it, so I just deleted it all.

Anyway, please, no more "lol stop fighting", "get back to the unlock", "I don't care", "are you 12?", "you should join forces" comments. (I think that covers about all the possible responses we get.) We know: you are very mature and a big man for being able to rise above the fray. You are the paragon of maturity and impartiality. Now leave us alone, and spare the world your banal sentiments. ;)

You guys have to realize that the point of the post is not to persuade anyone of anything; thus I don't care if you don't care. It was intended to provide information (which I try very hard to make truthful and unbiased) so people have an alternative to the version of reality publishes. Instead, people took it as a "Why you should hate Zibri" post or "Why you should use Dev Team products instead of Zibri's products" post.

To be perfectly honest, I don't really care that much. We don't really get anything out of people using dev team stuff. We don't get any donations. We don't get any notoriety, since we do everything as a group. (Admit it, that post was the first time you've heard of my name, or knew I was even remotely involved in QuickPwn. =P) The only thing I get out of people using our products are complaints and bug reports. All of it just adds up to a lot of stress, since a lot of people are depending on us. The one thing I do get out of it is to be able to hang out with some really smart people and share knowledge with them. The way I earn their respect is to do good work, but good work is good work even if no one uses it and bad work is still bad work even if it's the most popular thing in the world.

What we want to do is help people. And personally, I wouldn't have a problem recommending ZiPhone or anything else if I think it would help. I think shortly after ZiPhone was released, I've said either on a forum or in IRC (or in private while helping someone or something) that the exploit used in ZiPhone was the best one we know of and to go ahead and use it. This was, of course, before I investigated his exact implementation.

I applaud the individuals who don't care and use the best tool available. People should use the best tool available; to hell with brand loyalty.

However, there's no point in patting yourself on the back too hard about it. Use the best tool, but be respectful of the ones who do the work. I feel it is completely disrespectful when people accuse us of being immature, or bickering when all that was posted was a list of trivially verifiable facts (which Zibri himself did not bother to refute), and especially when I was careful to avoid even saying anything that could be CONSTRUED as a personal attack against Zibri. I feel that my post, my response to his "About QuickPwn..." post, was restrained and appropriate. If you disagree, please follow my example and do so in a respectful manner and without ad hominem attacks.

Anyway, I'm currently trying to get back in the rhythm of going to school. Still haven't got Internet in my new apartment yet, so I'm personally not going to be doing much. We're planning a big QuickPwn update that should wrap things up. You can help out by offering to be a beta tester. Be aware that being a beta tester is NOT FUN and requires a lot of time testing, PROMPT RESPONSE TIMES, and possibly filling out LARGE AMOUNTS OF PAPERWORK to our satisfaction.

It is pretty much impossible for us to get good testers. The QuickPwn releases were supposed to be a beta, but people don't seem to realize you're supposed to submit FEEDBACK for betas, hahaha. *sighs*