Hi Saurik, I'd love to hear your response to the substantive aspects of my email as opposed to an ad hominem attack. I didn't send it until this morning because I was sick and traveling for the holidays.
Look, claiming I made an ad hominem attack means that I said "X is bad because X was made by person Y and Y is bad". I did not do that: I stated first a concrete (yet highly summarized reason) why I felt that X was bad (specifically regarding incentive changing). I then also explained the reason behind the project (which is a property of X, not of Y), which I have multiple sources close to the project (including you) backing up (so it isn't like I'm lying or something: this isn't like someone claiming a study is flawed because the author is biased <- instead, I'm more like someone showing a study is flawed because the author actually stated they did the study for biased reasons). If you are going to throw around logical fallacies as weapons, as least know what they mean :(. (I will now provide more responses, but separately, as I felt the need to get this out more quickly as it was such a slap and people might not pay enough attention to realize it was wrong ;P.)
(Also, on the last point about when you sent the e-mail, which is the closest you can get in my comments to "ad hominem" and to me was a defense against why I wasn't more prepared for this: you were more than willing to get involved in a "synchronous conversation" with me at the time, which would have taken even longer and been even more difficult ;P.)
[Some context for others: when I first was responding to the idea of this bounty program, it was to someone else who had previously been considering working with Elizabeth; I was contacted in a kind of after-the-fact/"FYI" style. This was when the only real information was "bounty for iOS 7 jailbreak", without most of the extra restrictions that are now in place on the program, such as "open source". At the time, it for example seemed clear that evad3rs--the group that has been making the jailbreaks for the last two years--was going to get the bounty anyway. I already had started to bring up the incentive structure issues, and managed to get this other person to drop his involvement with the project. My original e-mail to Elizabeth thereby only talked about these issues, which is why this comment has to delve so deeply into the "final" point.]
So, your e-mail seems to make four points. The first point, taking up two paragraphs, is related to your career and your project. In these paragraphs, you did not address any of the specific example reasons I could come up with for why you were involved, and if anything simply raised a few more. These paragraphs, however, are largely ignorable.
The third point (setting off the second for a minute) was the argument made to attempt to address an incentive change on the side of the people building jailbreaks. This argument hinges on a specific example of a previous bounty, claiming that it did not cause the ramifications I am predicting.
> While I am sensitive to your concerns around community incentives, it’s unlikely that our approach will threaten them. For example, when Adafruit created a prize for open Kinect drivers, instead of devolving into a community of mercenaries, it enabled an ecosystem of Kinect hackers to flourish.[1]
The problem with this argument is that it is looking at entirely the wrong level: you are claiming that by having the driver for Kinect get constructed, people were able to start hacking on Kinect, causing an ecosystem on the other side of the driver to flourish. We already have that ecosystem on the other side of the jailbreak.
Instead, we are looking at the actual construction of the jailbreaks here; the correct analogy is to instead look at the market for construction of drivers for closed video game controllers. What you need to demonstrate is that a "success" for that crowd funding doesn't lead the people who were working on that driver to end up with different incentives, or cause other people watching to expect the same (again, in a "success" situation: I know people who work with Kinect, and I'd never heard the driver was crowd funded, so any community effects would be quite narrow due to the limited reach; likely as it was so little money).
FWIW, that people's incentives change in these situations is well documented: this isn't just my assertion, this is something you can read about in books like "Punished by Rewards". Given that a new jailbreak is needed at least once a year (and in a perfect world, would happen no less than twice a year), this is critical: you are playing an iterative game, and have to think about the ramifications on incentives not immediately, but a few steps ahead.
In reality, the community is already anticipating the release of an iOS 7 jailbreak (evad3rs has already publicly stated that they have all the pieces they need and are just working on implementing and finalizing). We (the community of people who use these jailbreaks: I do not build them myself) thereby are not in a position where this bounty is going to change anything: it is just going to change how funds are directed (5%, for example, will be given directly to your new company, rather than all of it to the people who build the tools) and the expectations people have related to them, it isn't going to incentive construction of a new community that otherwise wouldn't exist.
You then had a forth point, the goal of which was to assuage concerns that people leaving contributions would have different expectations. This argument was just "we state this clearly on the website"; <sarcasm>which, as we all know, works out wonderfully in the case of Kickstarter projects: it isn't like I've ever heard of people angry that they didn't get the thing they wanted, or that it didn't work well, as Kickstarter is very clear that they are not a way to preorder products</sarcasm>. You will need to come up with a much stronger argument here... if anything, I think you've just dug a deeper hole ;P.
[my comment is apparently too long for Hacker News; given that I often write very very long comments, I'm really surprised I've never run into this limitation before, and so wonder if it is new ;P. however, this comment is thereby split and I will reply with the rest]
"Finally" (in the aforementioned second point), your e-mail makes the argument for the jailbreak tool being open source. You feel like this "could open the doors to greater community contribution, encouraging larger groups of people to work together to solve the problems more quickly". The argument makes sense: if jailbreaking were secretive and closed (which is a bullet you dodged, btw: on Android, where bounties are common, jailbreak tools are not only often closed source but techniques are hoarded and under-described so as to win more bounties <- you actually need this open source clause to not fall into the obvious trap) people are not in a position to learn how all of the systems of Apple's device work in a way that would let them later build their own tools.
Would it surprise you to find out that most of the code in a jailbreak is already open source, and that the only parts that are not tend to be the GUI and the specific exploit technique for that one specific version of iOS?
- All of the libraries that are use to connect to the device in its normal mode are licensed under LGPL (they are part of a suite called libimobiledevice, which was primarily developed by members of the iPhone Dev Team, and now maintained by nikias from evad3rs).
- The libraries used to talk to the device in recovery and DFU mode are open source and licensed under GPL (developed by posixninja, who has been maintaining them recently under the openjailbreak project).
- The libraries used to decrypt and modify image files (kernels, devices trees, disks, and bootloaders) has been open source for years (developed and maintained by planetbeing from evad3rs). The same developer (planetbeing) has released a number of utility libraries like this, including ones to download portions of IPSW files from Apple's servers without having to download the whole file (this is why jailbreaks never need to distribute copyrighted content). All of this code is under GPL.
It is thereby not just useless but insulting that in your e-mail you make the point that "the jailbreaking teams
are not an island—they rely heavily on FOSS software in their work": the people who build these tools (which again, does not include myself) quite often release code for large or critical parts of their work, and almost exclusively do so under "free software" licenses.
In fact, many previous jailbreak tools have been or have become open source, and currently the tool to jailbreak the iPhone 4 on iOS 7 (opensn0w) is itself open source (under GPL). Now, one thing that is really interesting here: this project (which has now existed for years) actually tried to crowd fund itself (which, to be 100% clear, doesn't cause the same kinds of issues as a third-party bounty program) and failed. Out of its $3,000 it got $30.
This, of course, flies in the face of your comment that the goal is to set a precedent of jailbreaks being open source: and in case you think I'm playing up one example, the iOS 4 jailbreaks from comex were open source as well; the source code for both JailbreakMe 2.0 and JailbreakMe 3.0 were released (I believe fairly soon after the jailbreak, but clearly as this was all years ago "soon" is relative: there are tons of open source examples).
The team behind the tool greenpois0n (which includes the aforementioned posixninja) also open sourced much of their work as "syringe". The opensn0w tool in fact uses a lot of this code, as have been a number of third-party tools based on this older limera1n exploit (which, interestingly enough, was itself released to the community by geohot giving everyone a few lines of source code for how to implement it, as he wanted people to use that exploit instead of SHAtter).
The argument that people are somehow not able to learn how to jailbreak things because nothing is open source thereby doesn't make any sense even on the face of it; again: the only things that tend to be closed source are GUIs and transient one-off device-specific techniques. The main reason these things tend to be closed source is that our community has a serious problem with scams: people like to try to charge people for jailbreak tools or claim they have tools that work in places they don't; everyone wants to "build a jailbreak", but in practice people just want "to take someone's tool, change the GUI, claim it works better than it does, and then charge $20 for it".
In your mind, this seems to be related to the idea that "I don't want them making money when I'm not making money: I want to make the money, so that's why it is closed source", but that just demonstrates you are seeing this through the eyes of the wrong kinds of incentives. You say that "getting financial support up front reduces the perverse incentive to keep the source closed so that other groups cannot profit from it without having built it", but in fact that doesn't change that users will get scammed and lose money: the argument made by the jailbreak teams has never been "you should give money to us, not them", but instead "jailbreaks should be free". It is simply clear that you don't understand the incentive structures already in place in this community, even while you feel like you want to change them.
You might then argue that it is horrible that these techniques are hidden, but that itself could not be further from the case: the people who build these jailbreaks generally give talks about how the jailbreaks work at conferences around the world, and they are well documented in the security community through everything from articles on websites to entire books. (At JailbreakCon, Nikias from evad3rs gave an hour and a half long presentation on exactly how the iOS 6 jailbreak worked as part of a time slot that was only a half an hour long, a story which I continue to find absolutely hilarious ;P.)
Really, the only sentence I can come up with from your e-mail that has some weight behind it is the argument that "users of such a jailbreak will be able to audit the changes made to the firmware of one of their most important pieces of hardware". FWIW, this is a cause that I appreciate.
However, you are addressing an audience of people who are primarily getting software from Apple, none of which is itself audited by the community, and which the people you are attacking (and yes: an implication "you can't trust these people" is an attack) have demonstrated on numerous occasions is insecure or actively damaging (such as with the various logging and reporting daemons). The modifications made are also fairly easy for people in the community to pull apart: maybe not to you, but to 99.99% of users the source code isn't helpful anyway... that doesn't mean that results are not able to be "audited".
I feel like the best you could thereby hope for is some kind of "strife" that you want to cause: to pit people against one another, spiting one movement (open hardware) to help another (open software). Open hardware is a much more serious problem that very few people are really fighting for, and iOS jalbreaking is one of the few case examples that can be pointed to when lobbying (such as with Congress, or the Library of Congress) for why these freedoms are important and potentially obtaining laws to guarantee them. It would be an absolute shame to see one of the few weapons we have in that war be sacrificed because you felt that tens of millions of people had incorrectly allocated their trust.
You're missing the point here—we're grateful that people in the jailbreak community release things as FOSS, but the majority of jailbreaks as you yourself mention are not FOSS themselves, which is part of what motivated Chris, who proposed the prize, and myself.
It seems to me that that opensn0w campaign may have been fake (there are a lot of those on IndieGoGo).
And to be clear, in talking to friends in the security space, the auditing the code aspect was a huge concern, so I'm glad we can at least agree on something. :)
We're also planning on helping to fund many open hardware projects, and I'll actually be speaking at the SF Hardware Startup meetup tonight to solicit ideas from the community.
> You're missing the point here—we're grateful that people in the jailbreak community release things as FOSS, but the majority of jailbreaks as you yourself mention are not FOSS themselves, which is part of what motivated Chris, who proposed the prize, and myself.
In other places you've stated the reason he wanted this prize was to get software on his iPhone so he could help with some accessibility issues. This is an incentive that aligns with long-term open hardware, not short term open software. You can't have it both ways. If you are really dropping all of the incentive arguments I'm making and want to concentrate on open source, that's fine: but let's get our stories straight.
> It seems to me that that opensn0w campaign may have been fake (there are a lot of those on IndieGoGo).
I just contacted the developer of opensn0w: no, that was not fake, it just didn't take off. I personally can assert to you that opensn0w (which many people are using right now) is not itself a fake (and I'm one of the people who generally are asked to determine this ;P).
> And to be clear, in talking to friends in the security space, the auditing the code aspect was a huge concern, so I'm glad we can at least agree on something. :)
I talked about auditing changes, not auditing code, and I even explicitly stated that the code was not in any way a concern to someone who really knows what they are doing, so no: we don't really agree on this :/. I have on many occasions, in articles and talks, made the argument that open source is overrated, and that what really matters is open hardware: that in addition to the gap between source code and machine code decreasing over time due to better analysis tools and frameworks, that as long as hardware is capable of being closed off it doesn't matter how much of the code is open <- the iOS jailbreak community is at the front line of this particular battle.
> We're also planning on helping to fund many open hardware projects, and I'll actually be speaking at the SF Hardware Startup meetup tonight to solicit ideas from the community.
FWIW, having third-parties construct open hardware doesn't really help the cause of forcing large companies who make closed hardware to provide means of opening it; that said, I do appreciate that you have future goals, but it may have been more useful to start with them.
(Also, on the last point about when you sent the e-mail, which is the closest you can get in my comments to "ad hominem" and to me was a defense against why I wasn't more prepared for this: you were more than willing to get involved in a "synchronous conversation" with me at the time, which would have taken even longer and been even more difficult ;P.)