Hacker News | starkness's comments

He has a company: http://comma.ai.



I mean http://comma.ai is the self-driving car company. (Reactions was a hackathon project, not a real co.)


Sure, but a lot of the people taking classes at the Extension School don't want a degree. For example, I had students whose employers were paying for them to take a single course to give them some background knowledge or insight into their jobs. They're not looking to graduate; just to take a class or two that will help them with their careers.


That is a good point and the numbers aren't measuring the exact same thing (on the flip side of your example is the number of applicants to Harvard College who might not attend even if accepted). I didn't intend to reference them as some justification that the two schools are in any way equal. The only reason to really compare the two rates is because they have similar values and highlight the differences between the two schools. The toughest part of the College is getting in, the toughest part of the Extension School is getting out.


As a grad student at Harvard I was involved in teaching several courses at Harvard Extension School. While the students were generally motivated and enthusiastic about the course material, it was a very different academic environment, one that was not as intellectually rigorous.

You are right about grade inflation, but the difference in the level of rigor between the two schools means that not all As are equal.


And one of the key questions is, does this make sense for, say 1000 abandoned dogecoin (current value $0.24) on tipdoge.info? This is why we proposed de minimis exceptions.


Absolutely, 100% it does. Because it helps to prevent a business from building its profit model around 100,000 people abandoning $1 each.


Policy is always about tradeoffs. Is it your stance that the creator of Reddit tip bots should have to register fingerprints with the FBI, hand over personal financial info, send quarterly reports to the Superintendent with audited financial statements, collect the real identities and physical addresses of all senders and recipients, assign a compliance officer, hire an outside firm to do pentesting, get permission before releasing a new product, service, or features, and have an undisclosed amount of USD funds bonded to NY State along with an undisclosed amount on hand just to operate a simple app? What about open source projects that are not corporations?


Yes, that is exactly my stance. Find another hobby outside of playing with people's money.


... or do it somewhere else than in New York State, I guess?


We're in the process right now of writing up a more in-depth policy proposal, but you're spot on in terms of different levels of risk management. And we're not at all against security testing, which is also one of the great benefits of FOSS. ("Given enough eyeballs, all bugs are shallow.")

And the audits comprise financial audits as well, which surely make sense for bitcoin exchanges and companies holding funds, but not so much for open source projects or technologies that are built around bitcoin but where no funds are held.

That said, the actual regulatory proposal has many more requirements than even mentioned in the article (including quarterly reports to the NY State Superintendent, collecting of user data, and the possibility of being denied a license without a system for due process in place), and things that the creator of a Reddit tip bot surely couldn't comply with.


This is great to hear. The best way for software to keep itself relatively unburdened by (poorly implemented) regulation is for industry to hold itself to high standards. And why wouldn't we? We're proud of what we build.

I'll be very curious to see how companies built up around client software but not directly handling money are treated in your proposal. I think safety-critical industries cover these in various different ways, normally under the assumption that the companies are producing either a) "components" for use in safety-critical systems; or b) tools which will be used for QA processes. I'm not sure either applies well, especially in the case of OSS. And I don't know of anything similar in finance.


> Given enough eyeballs, all bugs are shallow.

Tell that to OpenSSL.


Or tell that to Linus Torvalds, as it's his law.


Indeed he's attempting to apply an existing regulatory framework to new technology, which rarely works well.

The point of the article was not to focus on the consumer protection issues, but instead to point out how it could kill startups in the name of consumer protection. We are both in favor of avoiding another Mt. Gox, and the numerous other cases where user funds were lost, which includes escrow of the funds held for users. I'd be curious to get your thoughts as to what you consider the most pressing consumer protection issues, as we're working on another piece that will focus more on these.


Given the way that some Bitcoin startups have crashed and burned with people's money, I don't think that it's unreasonable to raise the bar significantly in the name of consumer protection.

If that eliminates small startups in the space from directly offering services to consumers, so be it.


Part of the problem is that the regulations aren't just seeking to cover companies that hold people's funds (aka private keys), but instead any technology touching the ecosystem. New York doesn't have to and shouldn't conflate the two.

It makes sense to regulate and, for example, require escrow for companies that are holding user funds in order to avoid the exact situation you point out. It doesn't make sense for a web wallet where the user is storing her own keys client-side.


> Indeed he's attempting to apply an existing regulatory framework to new technology, which rarely works well.

I think this sounds more true than it actually is. "Works" is a fairly ambiguous word, but new technology is released into existing regulatory frameworks every day.


I've written up my thoughts in a comment letter to CFPB. See http://www.thinkcomputer.com/20140214.cfpbcomment.pdf.

And if you were aware of the existing regulatory framework, how is any of this different or surprising?


It certainly is an "ask for the moon" type proposal, which is how regulators often like to start. Part of the problem, though, is that it's so far skewed to one side that getting it back to even somewhat reasonable is going to take a lot of work.


To our knowledge, no one was working on an open source jailbreak, and given that the site I'm building is designed to incentivize things like free and open source software, this was a huge component. I've also been told there are a good number of people that have jailbreaks, and it's possible that they might be motivated to release it as FOSS if enough funds are raised.

And it's not like anything is keeping evad3rs from getting donations if they release a closed source jailbreak, or even if they or anyone else releases a FOSS one and claims the prize (in fact with other related campaigns, lots of donations came in after the fact).


> To our knowledge, no one was working on an open source jailbreak...

(responded to elsewhere, maybe with more emphasis on openjailbreak.org)

> ...and given that the site I'm building is designed to incentivize things like free and open source software, this was a huge component. I've also been told there are a good number of people that have jailbreaks, and it's possible that they might be motivated to release it as FOSS if enough funds are raised.

I believe my response to this notion (when it was brought up by the other person who contacted me about your bounty a few weeks ago) was that you would be better off then attempting to do this for a later version of iOS, as the kinds of numbers that had been thrown around as "the magic number" to make that happen was hundreds of thousands of dollars... it will take a lot of time and a lot of really hungry users that don't see jailbreaks (open or closed) on the horizon, to generate that kind of money. Releasing this now kind of calls that goal into question: that goal incentivizes waiting.


Hi Saurik, I'd love to hear your response to the substantive aspects of my email as opposed to an ad hominem attack. I didn't send it until this morning because I was sick and traveling for the holidays.


Look, claiming I made an ad hominem attack means that I said "X is bad because X was made by person Y and Y is bad". I did not do that: I stated first a concrete (yet highly summarized reason) why I felt that X was bad (specifically regarding incentive changing). I then also explained the reason behind the project (which is a property of X, not of Y), which I have multiple sources close to the project (including you) backing up (so it isn't like I'm lying or something: this isn't like someone claiming a study is flawed because the author is biased <- instead, I'm more like someone showing a study is flawed because the author actually stated they did the study for biased reasons). If you are going to throw around logical fallacies as weapons, at least know what they mean :(. (I will now provide more responses, but separately, as I felt the need to get this out more quickly as it was such a slap and people might not pay enough attention to realize it was wrong ;P.)

(Also, on the last point about when you sent the e-mail, which is the closest you can get in my comments to "ad hominem" and to me was a defense against why I wasn't more prepared for this: you were more than willing to get involved in a "synchronous conversation" with me at the time, which would have taken even longer and been even more difficult ;P.)


[Some context for others: when I first was responding to the idea of this bounty program, it was to someone else who had previously been considering working with Elizabeth; I was contacted in a kind of after-the-fact/"FYI" style. This was when the only real information was "bounty for iOS 7 jailbreak", without most of the extra restrictions that are now in place on the program, such as "open source". At the time, it for example seemed clear that evad3rs--the group that has been making the jailbreaks for the last two years--was going to get the bounty anyway. I already had started to bring up the incentive structure issues, and managed to get this other person to drop his involvement with the project. My original e-mail to Elizabeth thereby only talked about these issues, which is why this comment has to delve so deeply into the "final" point.]

So, your e-mail seems to make four points. The first point, taking up two paragraphs, is related to your career and your project. In these paragraphs, you did not address any of the specific example reasons I could come up with for why you were involved, and if anything simply raised a few more. These paragraphs, however, are largely ignorable.

The third point (setting off the second for a minute) was the argument made to attempt to address an incentive change on the side of the people building jailbreaks. This argument hinges on a specific example of a previous bounty, claiming that it did not cause the ramifications I am predicting.

> While I am sensitive to your concerns around community incentives, it’s unlikely that our approach will threaten them. For example, when Adafruit created a prize for open Kinect drivers, instead of devolving into a community of mercenaries, it enabled an ecosystem of Kinect hackers to flourish.[1]

[1]: https://www.adafruit.com/blog/2010/11/04/the-open-kinect-pro...

The problem with this argument is that it is looking at entirely the wrong level: you are claiming that by having the driver for Kinect get constructed, people were able to start hacking on Kinect, causing an ecosystem on the other side of the driver to flourish. We already have that ecosystem on the other side of the jailbreak.

Instead, we are looking at the actual construction of the jailbreaks here; the correct analogy is to instead look at the market for construction of drivers for closed video game controllers. What you need to demonstrate is that a "success" for that crowd funding doesn't lead the people who were working on that driver to end up with different incentives, or cause other people watching to expect the same (again, in a "success" situation: I know people who work with Kinect, and I'd never heard the driver was crowd funded, so any community effects would be quite narrow due to the limited reach; likely as it was so little money).

FWIW, that people's incentives change in these situations is well documented: this isn't just my assertion, this is something you can read about in books like "Punished by Rewards". Given that a new jailbreak is needed at least once a year (and in a perfect world, would happen no less than twice a year), this is critical: you are playing an iterative game, and have to think about the ramifications on incentives not immediately, but a few steps ahead.

In reality, the community is already anticipating the release of an iOS 7 jailbreak (evad3rs has already publicly stated that they have all the pieces they need and are just working on implementing and finalizing). We (the community of people who use these jailbreaks: I do not build them myself) thereby are not in a position where this bounty is going to change anything: it is just going to change how funds are directed (5%, for example, will be given directly to your new company, rather than all of it to the people who build the tools) and the expectations people have related to them, it isn't going to incentivize construction of a new community that otherwise wouldn't exist.

You then had a fourth point, the goal of which was to assuage concerns that people leaving contributions would have different expectations. This argument was just "we state this clearly on the website"; <sarcasm>which, as we all know, works out wonderfully in the case of Kickstarter projects: it isn't like I've ever heard of people angry that they didn't get the thing they wanted, or that it didn't work well, as Kickstarter is very clear that they are not a way to preorder products</sarcasm>. You will need to come up with a much stronger argument here... if anything, I think you've just dug a deeper hole ;P.

[my comment is apparently too long for Hacker News; given that I often write very very long comments, I'm really surprised I've never run into this limitation before, and so wonder if it is new ;P. however, this comment is thereby split and I will reply with the rest]


[continuing this comment from the earlier part]

"Finally" (in the aforementioned second point), your e-mail makes the argument for the jailbreak tool being open source. You feel like this "could open the doors to greater community contribution, encouraging larger groups of people to work together to solve the problems more quickly". The argument makes sense: if jailbreaking were secretive and closed (which is a bullet you dodged, btw: on Android, where bounties are common, jailbreak tools are not only often closed source but techniques are hoarded and under-described so as to win more bounties <- you actually need this open source clause to not fall into the obvious trap) people are not in a position to learn how all of the systems of Apple's device work in a way that would let them later build their own tools.

Would it surprise you to find out that most of the code in a jailbreak is already open source, and that the only parts that are not tend to be the GUI and the specific exploit technique for that one specific version of iOS?

- All of the libraries that are used to connect to the device in its normal mode are licensed under LGPL (they are part of a suite called libimobiledevice, which was primarily developed by members of the iPhone Dev Team, and now maintained by nikias from evad3rs).

- The libraries used to talk to the device in recovery and DFU mode are open source and licensed under GPL (developed by posixninja, who has been maintaining them recently under the openjailbreak project).

- The libraries used to decrypt and modify image files (kernels, device trees, disks, and bootloaders) have been open source for years (developed and maintained by planetbeing from evad3rs). The same developer (planetbeing) has released a number of utility libraries like this, including ones to download portions of IPSW files from Apple's servers without having to download the whole file (this is why jailbreaks never need to distribute copyrighted content). All of this code is under GPL.

It is thereby not just useless but insulting that in your e-mail you make the point that "the jailbreaking teams are not an island—they rely heavily on FOSS software in their work": the people who build these tools (which again, does not include myself) quite often release code for large or critical parts of their work, and almost exclusively do so under "free software" licenses.

In fact, many previous jailbreak tools have been or have become open source, and currently the tool to jailbreak the iPhone 4 on iOS 7 (opensn0w) is itself open source (under GPL). Now, one thing that is really interesting here: this project (which has now existed for years) actually tried to crowd fund itself (which, to be 100% clear, doesn't cause the same kinds of issues as a third-party bounty program) and failed. Out of its $3,000 it got $30.

http://www.indiegogo.com/opensn0w

This, of course, flies in the face of your comment that the goal is to set a precedent of jailbreaks being open source: and in case you think I'm playing up one example, the iOS 4 jailbreaks from comex were open source as well; the source code for both JailbreakMe 2.0 and JailbreakMe 3.0 were released (I believe fairly soon after the jailbreak, but clearly as this was all years ago "soon" is relative: there are tons of open source examples).

http://www.idownloadblog.com/2011/07/19/jailbreakme-now-open...

The team behind the tool greenpois0n (which includes the aforementioned posixninja) also open sourced much of their work as "syringe". The opensn0w tool in fact uses a lot of this code, as have been a number of third-party tools based on this older limera1n exploit (which, interestingly enough, was itself released to the community by geohot giving everyone a few lines of source code for how to implement it, as he wanted people to use that exploit instead of SHAtter).

http://www.ijailbreak.com/applications/greenpois0n-jailbreak...

The argument that people are somehow not able to learn how to jailbreak things because nothing is open source thereby doesn't make any sense even on the face of it; again: the only things that tend to be closed source are GUIs and transient one-off device-specific techniques. The main reason these things tend to be closed source is that our community has a serious problem with scams: people like to try to charge people for jailbreak tools or claim they have tools that work in places they don't; everyone wants to "build a jailbreak", but in practice people just want "to take someone's tool, change the GUI, claim it works better than it does, and then charge $20 for it".

In your mind, this seems to be related to the idea that "I don't want them making money when I'm not making money: I want to make the money, so that's why it is closed source", but that just demonstrates you are seeing this through the eyes of the wrong kinds of incentives. You say that "getting financial support up front reduces the perverse incentive to keep the source closed so that other groups cannot profit from it without having built it", but in fact that doesn't change that users will get scammed and lose money: the argument made by the jailbreak teams has never been "you should give money to us, not them", but instead "jailbreaks should be free". It is simply clear that you don't understand the incentive structures already in place in this community, even while you feel like you want to change them.

You might then argue that it is horrible that these techniques are hidden, but that itself could not be further from the case: the people who build these jailbreaks generally give talks about how the jailbreaks work at conferences around the world, and they are well documented in the security community through everything from articles on websites to entire books. (At JailbreakCon, Nikias from evad3rs gave an hour and a half long presentation on exactly how the iOS 6 jailbreak worked as part of a time slot that was only a half an hour long, a story which I continue to find absolutely hilarious ;P.)

Really, the only sentence I can come up with from your e-mail that has some weight behind it is the argument that "users of such a jailbreak will be able to audit the changes made to the firmware of one of their most important pieces of hardware". FWIW, this is a cause that I appreciate.

However, you are addressing an audience of people who are primarily getting software from Apple, none of which is itself audited by the community, and which the people you are attacking (and yes: an implication "you can't trust these people" is an attack) have demonstrated on numerous occasions is insecure or actively damaging (such as with the various logging and reporting daemons). The modifications made are also fairly easy for people in the community to pull apart: maybe not to you, but to 99.99% of users the source code isn't helpful anyway... that doesn't mean that results are not able to be "audited".

I feel like the best you could thereby hope for is some kind of "strife" that you want to cause: to pit people against one another, spiting one movement (open hardware) to help another (open software). Open hardware is a much more serious problem that very few people are really fighting for, and iOS jailbreaking is one of the few case examples that can be pointed to when lobbying (such as with Congress, or the Library of Congress) for why these freedoms are important and potentially obtaining laws to guarantee them. It would be an absolute shame to see one of the few weapons we have in that war be sacrificed because you felt that tens of millions of people had incorrectly allocated their trust.


You're missing the point here—we're grateful that people in the jailbreak community release things as FOSS, but the majority of jailbreaks as you yourself mention are not FOSS themselves, which is part of what motivated Chris, who proposed the prize, and myself.

It seems to me that that opensn0w campaign may have been fake (there are a lot of those on IndieGoGo).

And to be clear, in talking to friends in the security space, the auditing the code aspect was a huge concern, so I'm glad we can at least agree on something. :)

We're also planning on helping to fund many open hardware projects, and I'll actually be speaking at the SF Hardware Startup meetup tonight to solicit ideas from the community.


> You're missing the point here—we're grateful that people in the jailbreak community release things as FOSS, but the majority of jailbreaks as you yourself mention are not FOSS themselves, which is part of what motivated Chris, who proposed the prize, and myself.

In other places you've stated the reason he wanted this prize was to get software on his iPhone so he could help with some accessibility issues. This is an incentive that aligns with long-term open hardware, not short term open software. You can't have it both ways. If you are really dropping all of the incentive arguments I'm making and want to concentrate on open source, that's fine: but let's get our stories straight.

> It seems to me that that opensn0w campaign may have been fake (there are a lot of those on IndieGoGo).

I just contacted the developer of opensn0w: no, that was not fake, it just didn't take off. I personally can assert to you that opensn0w (which many people are using right now) is not itself a fake (and I'm one of the people who generally are asked to determine this ;P).

> And to be clear, in talking to friends in the security space, the auditing the code aspect was a huge concern, so I'm glad we can at least agree on something. :)

I talked about auditing changes, not auditing code, and I even explicitly stated that the code was not in any way a concern to someone who really knows what they are doing, so no: we don't really agree on this :/. I have on many occasions, in articles and talks, made the argument that open source is overrated, and that what really matters is open hardware: that in addition to the gap between source code and machine code decreasing over time due to better analysis tools and frameworks, that as long as hardware is capable of being closed off it doesn't matter how much of the code is open <- the iOS jailbreak community is at the front line of this particular battle.

> We're also planning on helping to fund many open hardware projects, and I'll actually be speaking at the SF Hardware Startup meetup tonight to solicit ideas from the community.

FWIW, having third-parties construct open hardware doesn't really help the cause of forcing large companies who make closed hardware to provide means of opening it; that said, I do appreciate that you have future goals, but it may have been more useful to start with them.


That text is referring to section 512(f) of the DMCA, which states that any person that knowingly misrepresents a claim of infringement is liable for any damages including costs and attorneys' fees of the alleged infringer.

Basically it's just restating what's already in the law.

