It's probably regional targeting. I suspect Bing is a lot better in America. I'm in Spain, which explains the Spanish result and to some extent explains the German results (though they're terribly useless: even though English literacy levels are pretty mediocre around here, German is definitely worse off).
However, I did miss something: my Google settings were configured to an English UI, which I've noticed changes the targeting of the results (said targeting exists even if you're not using any of the "show me results in such and such language" options). The updated Google results for the default (Spanish) targeting are:
"Wii homebrew":
Spanish site about Wii homebrew
Homebrew channel subpage
Homebrew Channel at Wiibrew (former first result)
Main Page at Wiibrew (former second result)
Some Spanish tutorial on installing the Homebrew Channel
Another Spanish tutorial
Clearly more emphasis on Spanish results, but the good English results are still there and there are no random results in other languages that happen to be spoken in other parts of the continent. No scams either.
"Homebreware" results: two "did you mean 'homebrew'" results, followed by antiscam, spanish-antiscam, antiscam, video:[antiscam, scam, scam, scam (scammers love videos)], antiscam, unrelated, scam,...
Still primarily antiscam results (lots of scam videos because not many make videos about how these products are a scam).
I believe that at least for Google you can replicate these results by simply changing your UI language to Spanish (or adding hl=es to the URL), and maybe try using google.es. I don't know whether there's an equivalent for Bing.
I find that Bing falls for marketing scams and SEO much worse than Firefox. Random download sites and outright scams show up in Bing first with lots of searches, while Google is much more successful at ignoring marketingese and just giving you the site you want.
For example, searching for Wii homebrew gives:
Google:
Homebrew Channel page on Wiibrew (very relevant starting place)
Main Page of Wiibrew (probably THE best result)
Wii homebrew on Wikipedia (actually a pretty bad page, but understandably high result)
Homebrew Channel page on Wikipedia (decent)
Some random broken site that probably sucks, but has a good domain name
The Homebrew Channel's homepage
Bing:
Some random German wii homebrew site (not "official" in any way), but with a good domain
Wikipedia entry
Another random German homebrew site
A random Spanish homebrew site
An affiliate of a huge (and successful) scam getting people to pay for homebrew and warez tools
Another affiliate of the scam
Another affiliate
So basically, people looking for Wii homebrew and using Bing are at a much higher chance of getting scammed. Seriously, Wiibrew isn't even in the first page of results.
Going the other way, searching for the name of the scam (homebreware) yields (antiscam = site that explains that homebreware is a scam):
Google: antiscam, antiscam, antiscam, scam, scam, antiscam, scam,...
Bing: scam, scam, scam, scam, scam, scam, scam...
Someone using Bing and doublechecking on what they're about to buy isn't going to remotely realize they're being scammed.
Uh, no. Talking to a baseband chip is like talking to a 3G USB modem. Barring exploits and other ways to actually run code on the chip and mess with the radio, there's nothing you can do to break FCC rules.
On the iPhone it's still a separate chip. As far as I know, the interface isn't a serial line. Instead, it's a higher-bandwidth interface with a multiplexing protocol for several channels. Some of these virtual channels do emulate good old serial lines, and the AT command part is completely true.
A5/1 is initialised using a 64-bit key together with a publicly-known 22-bit frame number. In fielded GSM implementations 10 of the key bits are fixed at zero, resulting in an effective key length of 54 bits.
I'm pretty sure they routinely draw stuff in high-res anyway, for promotional material. However, the versions on the disc are always downsampled to more reasonable levels, to save disc space and RAM.
Ah, law, that sneaky confusing bastard. At least everyone seems to agree on the fundamental issue though, which is that copying non-software copyrighted works for private, non-profit use is legal.
Software gets a separate treatment, you can make backup copies but you can't share it around, even "privately" (this is something too many people fail to mention - lots of clueless people associate software/videogame/etc piracy with the SGAE and the levies, when they have little to do with each other). This is why I do discourage and do not support videogame piracy, for those who (formerly) know me from the Wii homebrew development community.
If something isn't illegal then it's legal. Some people call it the "right to a private copy", but this is questionable - there's no such "right" spelled out. Instead, the law simply sets up the illegality of copies sold for a profit. So it's not a right or guaranteed to be legal by the law, but it's legal.
A few notes for those not aware of how things have been going around here lately (I'm Spanish):
The current Spanish government is in bed with the local equivalent of the MAFIAA (the SGAE).
Downloading copyrighted audio/video works is legal in Spain, as long as no profit is made (this does not apply to software). Whether uploading is legal or not (or how illegal it is) is somewhat debated. There have been plenty of people "turning themselves" in for downloading, with no arrests made.
To offset the legal downloads, just about everything relevant to copying has a levy on it, including writable optical media (the levies there are ridiculous), but also the writers, hard drives, USB sticks, MP3 players, cellphones, printers, scanners, photocopiers, etc. For example, you're paying the SGAE €12 for each hard drive, except for those bundled as master drives on new systems. These profits are then theoretically distributed by the SGAE to artists in highly controversial ways.
Nonetheless, there is constant FUD claiming that "pirating" music and movies is illegal and will get you jailed (there are some pretty ridiculous advertising campaigns by the SGAE).
The SGAE is nothing new, they're the usual corrupt mafia-like organization that you'd expect. They're just trying to screw over both consumers and artists as much as they can. They'd love to have it both ways (making downloads illegal and keeping the levies).
Funny tidbit: the SGAE used to claim that Linux was a shareware version of UNIX on their glossary page. They later "fixed" it by lifting a paragraph from Wikipedia, in violation of the GFDL.
I'd say neither article is any good. TFA is very scarce on details and puts too much emphasis on "looking for ET", while yours has some pretty silly claims. The picture of the lack of cable management is rather unremarkable (sure, it could be improved, but it's hardly a huge mess: most of the wiring looks fine, it's just that large bundle to that one switch with lots of extra wire hanging down), and the "firewall" story is bull (SETI@home probably requires a hole out, not in, which already suggests that the network setup is paranoid if they default to blocking all unknown outgoing ports). They also make it sound like SETI@home is malware, with the "hard to uninstall" stuff. And the dollar estimates are clearly crap too: it doesn't take millions of dollars to clean out the same program out of all your computers. If your setup is any good, you can just reimage them. If it isn't, just make a script to do it for you and slap it onto a dozen USB drives that you can plug in and out.
Did he deserve to be fired? Probably. Should he have installed SETI@home on those computers? Nope. But all this crappy media spin and criminal charges stuff is way over the top. So he took some stuff home and downloaded some porn, fire him and move on.
Precisely. Even more important is that emulators do not themselves constitute copyright infringement (unless they contain a ripped BIOS or the like), nor do they bypass copy protection (that's the job of the game ripper, not the emulator), so Nintendo can do squat about the application itself. At most, Nintendo is pulling a PR move here. The only real claim they have relates to whether some employee at Nokia illegally downloaded games that he does not own for the purposes of this demonstration.
Not really. Compilers these days do a better job at optimizing most code than most assembly programmers (for well-supported CPUs anyway), mostly because instruction timing and dependency issues in modern complex CPUs are quite complicated, and compilers are able to take a lot more into account (just because the code 'looks' tighter doesn't mean it'll run faster). The only place where it really makes sense to use asm is for tight inner algorithm loops, especially when you can use SIMD instructions.
No program should install a backdoor on any system, and this is what openssh on the iPhone did by default!
But it doesn't. It does exactly the same thing installing OpenSSH on any other non-iPhone system does. The only difference is that on other systems you typically have set the passwords yourself, while on the iPhone Apple (not the jailbreak) set them for you.
Then to think that this is on the iPhone platform, where people are expecting to just download an app and look at it maybe later, this is a nightmare to happen.
This is a different debate, whether network services should be enabled by default on install. I believe Debian says yes and Fedora says no, for example. The reasoning for the iPhone is probably that since it's a graphical platform and there's no "service manager" by default, it makes sense to default to on when something is installed (enabling and disabling services involves a non-trivial launchctl command). Keep in mind that OpenSSH isn't in the "clueless user" section of Cydia.
Furthermore, even when in the process of jailbreaking, the openssh app itself is being promoted for install.
On PwnageTool at least, OpenSSH is hardly promoted; AFAIR it's hidden somewhere in the expert mode among tons of other oddly named packages. In fact, last time I used it, I ended up with a broken OpenSSH install because the PwnageTool installer didn't handle dependencies (cue weirdo hacks via the root AFC to copy in the missing libs without having to reinstall everything). Dunno about other jailbreak tools. It isn't exactly a flashing "installing this will make your iPhone cooler" icon. If there are jailbreak tools out there that actively promote OpenSSH on the default install and do not warn appropriately about the password issue (or better yet, prompt you for a new pair of passwords), then I agree that should be improved.
As for solving this, yes this is nontrivial but given the way the platform works (no shell by default), a necessity. The best approach is probably to bundle it with a terminal program like Mobile Terminal that you have to fire up to set the ssh password manually before you can log in remotely. That this would make openssh impossible to use for the real 'dumb user' is an additional benefit.
I'll break the abbreviation and throw in a new argument: if you're smart enough to get that SSH == Secure SHell and you know what a shell is, then you ought to be smart enough to change your password. If you're the kind of user that installs anything that sounds cool even though you don't really know what it does, then you should work on fixing that ;)
You can install MobileTerminal and change the password before enabling OpenSSH, which isn't rocket science. OpenSSH need not be enabled with an insecure password for any amount of time.
Anyway, this is a nontrivial issue to solve. There could be a GUI-based password change request, but that doesn't hook very well into the apt-based installer. OpenSSH could enable pubkey authentication by default, but that's incredibly inconvenient to get your public key into in the first place. A better solution might be to patch OpenSSH to disable login with the default passwords, but that's ugly (and it goes against letting the user use default passwords, if they really know they want that). Keep in mind that these aren't default OpenSSH passwords, they're default Apple passwords: iPhones are already login-insecure by default (non-jailbroken), it's just that there's no way to log in remotely.
Either way, my point still applies that this isn't a jailbreak issue, just an issue with a specific non-default package. Chances are it will be dumb-user-proofed some more in the future.
I love how everyone pretends that recent trojan targeted "jailbroken" iPhones.
It didn't. It targeted stupid users who happened to have a jailbroken iPhone. Specifically, it targeted users who install OpenSSH without changing the default password (ignoring warnings to the effect). There's no vulnerability here, and a stock jailbroken iPhone is not vulnerable. The same exact kind of malware can affect every poorly configured UNIX system out there - for example, that router-based botnet that infected routers with default SSH passwords running Linux. There are tons of Linux rootkits out there too, and servers with poor passwords are rooted all the time. Does that mean we urgently need craptacular AV software on all Linux boxes?
On the other hand, it is true that a non-jailbroken iPhone has an extra layer of protection in the form of compulsive executable signing. Apple ostensibly has superior security (in non-jailbroken devices), but that's just because they lock down the device tight. It's "good" old Trusted Computing, the kind that does not trust the user. By jailbreaking the device, you're freeing yourself from nanny Apple's oversight. If it turns out you were better off with it, well, that's your own fault.
Common, default admin passwords are present on all phones, jailbroken or not (it's just that they're basically useless with Apple's firmware). Jailbreaking it doesn't make you any more vulnerable, that only happens after you (manually) install OpenSSH. If anything, the OpenSSH package should force users to change their passwords (or refuse to work otherwise), but jailbreaking itself has nothing to do with this. People appear to be equating jailbreaking with having OpenSSH installed, which is entirely untrue.
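The "refuse to work otherwise" idea from the comment above, written as a pre-start check that an sshd package could run. This is an added example, not part of the original comments or of any real package; the passwd-style file layout (`user:hash:...`), the `root`/`mobile` account names and the placeholder hashes are assumptions.

```shell
#!/bin/sh
# Added example: guard that blocks sshd start-up while vendor-default or
# empty passwords remain. Assumes a passwd-style file ("user:hash:...") and
# a list file with one known default hash per line (placeholders here).

# Print one line per checked account that is unsafe for remote login:
#   "<user> default"  hash equals a known vendor default
#   "<user> empty"    no password set at all
# Locked accounts (hash "*" or "!") never match a real hash, so they pass.
# Returns 2 if either input file is unreadable.
risky_accounts() {
    passwd_file=$1; defaults_file=$2; shift 2
    [ -r "$passwd_file" ] && [ -r "$defaults_file" ] || return 2
    for user in "$@"; do
        awk -F: -v u="$user" -v dfile="$defaults_file" '
            BEGIN { while ((getline h < dfile) > 0) if (h != "") known[h] = 1 }
            /^#/ { next }
            $1 == u {
                if ($2 == "") { print u, "empty" }
                else if ($2 in known) { print u, "default" }
            }' "$passwd_file"
    done
    return 0
}

# Exit status 0: safe to start sshd. 1: risky account found.
# 2: inputs unreadable, so fail closed and do not start.
sshd_start_allowed() {
    out=$(risky_accounts "$@") || return 2
    [ -z "$out" ]
}

# Demonstration on constructed data (placeholder strings, not real hashes).
demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' 'PLACEHOLDER_DEFAULT_HASH_A' > "$dir/defaults"
    printf '%s\n' \
        '# constructed sample' \
        'nobody:*:-2:-2::0:0:Unprivileged User:/var/empty:/usr/bin/false' \
        'root:PLACEHOLDER_DEFAULT_HASH_A:0:0::0:0:Admin:/var/root:/bin/sh' \
        'mobile:CONSTRUCTED_USER_CHOSEN_HASH:501:501::0:0:User:/var/mobile:/bin/sh' \
        > "$dir/master.passwd"
    if sshd_start_allowed "$dir/master.passwd" "$dir/defaults" root mobile; then
        echo "ok to start sshd"
    else
        echo "refusing to start sshd; change these passwords first:"
        risky_accounts "$dir/master.passwd" "$dir/defaults" root mobile
    fi
    rm -rf "$dir"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run with the argument `demo` to see the refusal path on the constructed sample.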
The former. These days, jailbreaking is a prerequisite to sim-unlock (because you need to access the software to talk dirty to the GSM chipset, a.k.a. baseband). You may or may not be able to unlock the phone once you're jailbroken, especially if you've applied an Apple update that updates the GSM chipset to close holes. For example, AFAIR, the iPhone 3GS can be thoroughly pwned as far as software goes after any update (ROM bootloader bugs), but updating the baseband will lock you out of unlocks until new exploits come out (and no, downgrading is not possible).
LyX is your friend. It's a wonderful WYSIWYM(ean) editor for LaTeX.
Here's a screenshot for the paranoid.
And by Firefox I meant Google of course. That'll teach me to actually read my preview text, not just look for formatting screwups.
Try reading the first page of the "de-redacted" file. It has the URL to the original.
From Wikipedia:
Way to make an already weak cipher even weaker.
Just wait until some console maker decides that Australia needs to be a separate region-locking region.
This is 1.18TeV each way, so if they start colliding the total energy will be 2x1.18 TeV.
Something like that would be reasonable, yes.
You could have installed MobileTerminal and changed the password locally on the device.
[citation needed]