back to article Apple's top-secret iBoot firmware source code spills onto GitHub for some insane reason

The confidential source code to Apple's iBoot firmware in iPhones, iPads and other iOS devices has leaked into a public GitHub repo. The closed-source code is top-secret, proprietary, copyright Apple, and yet has been quietly doing the rounds between security researchers and device jailbreakers on Reddit for four or so months …

  1. Anonymous Coward
    Anonymous Coward

    It's not that hard to find.

    Link

    1. wolfetone Silver badge

      Who knew the actual code for iBoot were song lyrics?

    2. The Man Who Fell To Earth Silver badge
      FAIL

      Yet another example

      Of why any government mandated backdoors will make everyone insecure in short order. The NSA's tools eventually got exposed, Microsoft's Windows code eventually got exposed, Apple's code eventually got exposed, ...

      1. Anonymous Coward
        Anonymous Coward

        Re: Yet another example

        "Microsoft's Windows code eventually got exposed"

        Microsoft source code to nearly anything is available for inspection on request anyway.

        1. Anonymous Coward
          Anonymous Coward

          Re: Yet another example

          >>>Microsoft source code to nearly anything is available for inspection on request anyway.

          Gonna take them up on that... have a few beers and sit there laughing.

      2. Anonymous Coward
        Anonymous Coward

        Re: Yet another example

        Windows and now iOS, Linux is next.

        1. bombastic bob Silver badge
          Pint

          Re: Yet another example

          "Windows and now iOS, Linux is next."

          subtle. nice! beer for you!

    3. boltar Silver badge

      "It's not that hard to find."

      I'm not sure whats more startling - that this source code escaped from cupertino or that some people still think rick rolling is still amusing in 2018.

      Google "github iboot" for a proper link.

      1. Hollerithevo Silver badge

        what?

        @Boltar, rick rolling is always amusing. It will always be amusing. After nuclear armageedon, the cockroaches will be rick-rolling. It is forever.

      2. disgustedoftunbridgewells Silver badge

        Of all the things he could have linked to, Rick Rolling is pretty courteous.

        1. phuzz Silver badge

          I was expecting it to be a link to "These iBoots Are Made for Walking" by Dolly Parton

          1. JimmyPage Silver badge

            "These iBoots Are Made for Walking" by Dolly Parton

            Nancy Sinatra, surely ?

            1. Gio Ciampa

              Re: "These iBoots Are Made for Walking" by Dolly Parton

              I prefer the Megadeth version...

          2. Mark 56

            Nancy Sinatra - FTW!

          3. Aaron Kulkis

            Optional Title Here

            "I was expecting it to be a link to "These iBoots Are Made for Walking" by Dolly Parton"

            Dolly Parton?

            Don't be a cretin. Nancy Sinatra did it quite well, and there was no need for covers by Tennessee floozies.

        2. Anonymous Coward
          Anonymous Coward

          Yep rick rolling infinitely more preferable to a Lemon party.

      3. Anonymous Coward
        Anonymous Coward

        @boltar

        Oh Boltar, life is full of depressing things all around us so sometimes it's nice to do something silly that even if only a few see the funny side then it's worth it. If people didn't do that we would live in a world devoid of humour. and humour is one of the best escapes from the drudgery that can be life.

        1. VinceH Silver badge

          " if only a few see the funny side then it's worth it"

          Sometimes, if only a few see the funny side, that makes it funnier.

        2. boltar Silver badge

          "If people didn't do that we would live in a world devoid of humour. and humour is one of the best escapes from the drudgery that can be life."

          I thought it was a link to some code but it was a naff 80s pop song instead! Ha ha ha! Hilarious!! OMG is there a doctor in the house, my sides have split!!!

          It was amusing for about 5 minutes the first time around 10 years ago, but hey, if thats your level of humour then good on you. You probably also enjoy Mrs Browns Boys and piss yourself laughing at crazy frog videos too, However some of us have more sophisticated tastes. HTH.

          1. Anonymous Coward
            Anonymous Coward

            So your more of a high brow humour man, eh?

            How about this?

            A programmers wife tells him: "Run to the store and pick up a loaf of bread. If they have eggs, get a dozen." The programmer comes home with 12 loaves of bread.

            or we could go for this?

            Did you hear about the jurisprudence fetishist? He got off on a technicality.

            Lighten up please, I also can't stand Mrs Browns Boys or crazy frog.

          2. Throatwarbler Mangrove Silver badge
            Trollface

            @boltar

            At first, I thought, "This is almost certainly a rickroll. How droll." Reading the comments proved me right, but then I read your replies and now I'm genuinely amused. Who knew that a simple YouTube video could cause such aggravation?

          3. bombastic bob Silver badge
            Trollface

            "You probably also enjoy Mrs Browns Boys and piss yourself laughing at crazy frog videos"

            Ring, ding-ding-ding, ding, ding,

            Ring, ding-ding-ding, bim-bim-bim

            ...

          4. Mat

            @Boltar - you're a knob!

          5. Wayland Bronze badge

            @boltar,

            It's even more amusing that you got Rick Rolled and are annoyed by it.

        3. Someone Else Silver badge
          Coat

          Oh Boltar, life is full of depressing things all around us so sometimes it's nice to do something silly that even if only a few see the funny side then it's worth it. If people didn't do that we would live in a world devoid of humour. and humour is one of the best escapes from the drudgery that can be life.

          And, it is currently the only antidote to Herr Lügenführer Trump.

        4. Serg

          Oh..

          Oh no it's not!

      4. Spacedinvader
        Stop

        Own fault

        Not our fault if you clicked a shortened URL without checking the source...

        1. David Nash Silver badge
          Facepalm

          Re: Own fault

          It was obvious that was what it was going to be. Or worse, I guess. Whatever it was, I wasn't going to click it.

        2. boltar Silver badge

          Re: Own fault

          "Not our fault if you clicked a shortened URL without checking the source..."

          I naively assumed this place was populated by adults, not adolescents.

          1. disgustedoftunbridgewells Silver badge

            Re: Own fault

            I think that makes it even better. It never happens here, it'll hopefully never happen again, but I appreciate it as a one off.

            1. Anonymous Coward
              Anonymous Coward

              Re: Own fault

              I won't be doing it ever again, the delete and re-enable by our esteemed moderators tell me it was a bit naughty but they do have a sense of humour.

          2. BRYN

            Re: Own fault

            and therein was your first mistake

          3. JoshOvki

            Re: Own fault

            "I naively assumed this place was populated by adults, not adolescents."

            What in the world have you that impression?! You have a silver badge and should know better.

        3. JohnFen Silver badge

          Re: Own fault

          How can you check the contents without clicking the link? Personally, I never click on shortened URLs, in part because there's no way of knowing where they'll take you.

          1. Anonymous Coward
            Anonymous Coward

            Re: Own fault

            There are sites that will give info about them, i.e.

            http://www.checkshorturl.com

            1. JohnFen Silver badge

              Re: Own fault

              "http://www.checkshorturl.com"

              Hey, thanks! Good to know. It's still much easier to simply not click them, but I'll keep this in my back pocket in just in case.

      5. Anonymous Coward
        Anonymous Coward

        Perhaps it's a callback to the 2004 MS leak.

      6. jelabarre59 Silver badge

        I'm not sure whats more startling - that this source code escaped from cupertino or that some people still think rick rolling is still amusing in 2018.

        Ah, but this one is so much better (the teal-haired one, obviously).

        https://www.youtube.com/watch?v=orbjuMHZ4k4

    4. Anonymous Coward
      Anonymous Coward

      @AC

      git.

    5. Anonymous Coward
      Anonymous Coward

      I din't click on the Link but it's good to see Rick Rolling is still a thing

    6. tim 13

      That was really annoying, it interrupted me listening to Rick Astley

    7. Lord_Beavis

      RE: It's not that hard to find

      "Anonymous Coward

      It's not that hard to find.

      Link"

      Damn you sir. Damn you to Hell.

    8. Dave Walker 1

      just waiting to be rickrolled...

      (and I hadn't read the rest of the comments...)

    9. Oh Homer Silver badge
      Pint

      Re: "It's not that hard to find."

      "The uploader has not made this video available in your country."

      Ironically the same technology that allows me to anonymously download content from GitHub, whilst pretending to live in Ghana, also prevents me from being Rickrolled.

  2. alain williams Silver badge

    My device - I'll jail break it if I want to ...

    or that should be what happens. I accept that if I jail break it that I loose any guarantee that the software works as Apple/whoever intended - although that is part of the point.

    1. seven of five

      Re: My device - I'll jail break it if I want to ...

      Yes, if you break it, you get to keep the pieces. Or something along these lines.

    2. Anonymous Coward
      Anonymous Coward

      Re: My device - I'll jail break it if I want to ...

      And Apple have the right to prevent your access to the store.

      1. lglethal Silver badge
        Go

        Re: My device - I'll jail break it if I want to ...

        @Lost all faith

        I'm kinda interest why you think that should be the case. A store by its definition is there to sell things. Mostly third party programs. If Apple said you cant buy official Apple things after jailbreaking, thats fine thats a company decision. But saying you cant buy a third party's products because you did something they dont like seems unwarranted and excessive.

        Not an apple user but just curious...

        1. peter_dtm
          FAIL

          Re: My device - I'll jail break it if I want to ...

          Um; no.

          Apple’s AppStore - Apple’s rules.

          Nothing to stop you (or anyone else) writing Apple Hardware based Apps and offering them for sale/giveaway. Just Apple won’t let you do it through their Apple AppStore

          Of course you may have non disclosure issues if you write for the real Apple AppStore; so you may have to make a decision to either play in APPLE’s AppStore under their T&C - or play in some one else’s AppStore. You may have problems getting any ‘Footfall’ though & you may find no one wants to play in your AppStore - especially if you can not/will not warrant your apps as malicious code free

          Your device - jail break it; run it over; feed it to a great white shark - whatever floats your boat. But don’t claim Apple stops you - or prevents you from downloading any old piece of dodgy code if you leave their rather safer walled garden. You just won’t be allowed to use APPLE utilities/web sites/AppStores to do so. But then that is the point you appear to be missing - Apple OWN the infrastructure; you can play - or not - if you want to. See what happens if you get any piece of equipment modified by no approved ‘fixers’ if you then complain to the OEM that it is bust

          1. teknopaul Bronze badge

            Re: My device - I'll jail break it if I want to ...

            Your right, we dont need fair use rules, let the corps make up what ever rules they like as long as they get rich, we consumers dont matter.

            We all have the the right to stop using the Internet if we dont want to be guided by megacorp round their walled garden.

            Apple got away with loads of stuff by being niche provider for those willing to pay the idiot-tax. Not sure that applies any more.

          2. Wayland Bronze badge

            Re: My device - I'll jail break it if I want to ...

            Peter DTM, getting apps outside of the Apple Store is so discouraged there is practically no market except for very determined people wanting very useful tools. So yes there is something stopping you.

            Compare that with Windows where you can download anything from anywhere and install it.

      2. Oh Homer Silver badge
        Headmaster

        Re: "the right to prevent your access to the store"

        Bollocks.

        If you buy a broom from the hardware store, then replace the head with a better one, would you expect to be banned from the store as a result? Do you believe any such ban would be lawful and upheld by the courts?

        No, what actually needs to be banned is using the pretext of "IP" to deny customers full access to their own legally purchased property. It's just another monopolisation device, and in every other context outside of "IP" la-la land, monopolisation is a criminal offence.

        Section 2. Monopolizing trade a felony; penalty

        Every person who shall monopolize, or attempt to monopolize, or combine or conspire with any other person or persons, to monopolize any part of the trade or commerce among the several States, or with foreign nations, shall be deemed guilty of a felony, and, on conviction thereof, shall be punished by fine not exceeding $10,000,000 if a corporation, or, if any other person, $350,000, or by imprisonment not exceeding three years, or by both said punishments, in the discretion of the court.

        1. Glenturret Single Malt

          Re: "the right to prevent your access to the store"

          Apple may be using some kind of restrictive practice but it is not "monopolizing" because you have the option of using other operating systems.

          1. lglethal Silver badge
            Go

            Re: "the right to prevent your access to the store"

            Just as an aside - should Apple have to compensate the sellers on the App Store for potential lost sales when they ban jailbroken phones? Since Apple are the ones preventing access to the third party's apps through the official App Store, and there are no legitimate alternative stores for iphones app sellers to use, it seems reasonable to me that if Apple takes the unilateral decision to ban a portion of iphone users from their store they should have to compensate sellers for lost revenue.

            Thoughts?

  3. Steve Davies 3 Silver badge

    Is it Legit?

    Quote

    Fun thing about the DMCA: it required Apple to state, under penalty of perjury, that the iBoot source code was legit:

    All it needs is for the code to have been written by Apple. The Copyright statements are enough to get it taken down. It does not have to be the real boot code... but probably is.

    We may never know. Apple is probably changing the boot code as we comment (or may have done already) and as the majority of Fanbois update their Apple toys I would not expect their to be much of a risk of mass hacking but it is interesting none the less.

    1. Naselus Silver badge

      Re: Is it Legit?

      Yeah, I wouldn't consider it a global IT security issue. But it may be indicative of some insiders at Apple resisting the fruity firm's notorious internal police-state-style setup. Apple's team structure and corporate culture is more secretive, compartmentalized and restrictive than most intelligence agencies, and many of the engineers have only really put up with it as long as the tech remained exciting to work with.

      Endlessly iterating the same 4-5 basic product lines gets dull quickly, and I wouldn't be surprised if some of the rank-and-file techies are getting fed up with the relatively poor pay and relatively bad working conditions compared to the other tech giants (while still being markedly better than 99% of the world's population have to put up with). And Tim Cook ain't Steve Jobs; people will put up with more shit to work with one of the really big names in technology from the late 20th century (even if he was an asshole) than they will working for an identikit corporate type.

      1. Brewster's Angle Grinder Silver badge

        Re: Is it Legit?

        "...working for an identikit corporate type."

        I think that's a bit unfair. His For The Love of Dogs show is quite good

      2. Wayland Bronze badge

        Re: Is it Legit?

        Secrecy at Apple? Funny how Apple and GCHQ both have the same type of round building.

        Funny how Android comes from an Alphabet agency.

    2. Anonymous Coward
      Anonymous Coward

      Re: Is it Legit?

      Having now glanced at the code, it does appear to be legit and intact. Includes pretty much everything you need to make a working build.

      Heck, even has documentation for fuzzing!

      I'd say with almost complete certainty that this is a real leak, and is complete without missing anything.

      Anon because, well yeah can't let Apple know I have it!

      1. MrDamage

        Re: Is it Legit?

        > "Anon because, well yeah can't let Apple know I have it!"

        I'm not going anon, and I'm going to say I have it.

        Let Apple spend money on lawyers working out if I'm trolling them or not.

        1. Anonymous Coward
          Anonymous Coward

          Re: Is it Legit?

          @MrDamage "I'm not going anon ...... "

          Really? Mr Damage?????

          1. Alister Silver badge

            Re: Is it Legit?

            Really? Mr Damage?????

            His middle name is Heavy.

            Or is it Danger? I forget.

      2. heyrick Silver badge

        Re: Is it Legit?

        "Heck, even has documentation for fuzzing!"

        The amusing thing about all the freaking out and takedowns...

        ...the cat's truly out of the bag.

    3. Steve the Cynic Silver badge

      Re: Is it Legit?

      All it needs is for the code to have been written by Apple. The Copyright statements are enough to get it taken down. It does not have to be the real boot code... but probably is.

      I agree. This was my first thought when I read the statement by "Karl". But as you say, it probably is.

      I'd also be willing to suspect that most of it(1) is still in any new iPhone/iPad you could buy today - bootloader code tends, in my experience, to be much more stable (in the sense of frequency of changes) than OS core and especially application code.

      (1) Except the 32-bit assembler parts on an iPhone X - its processor can't run 32-bit code, they say.

    4. Dan 55 Silver badge

      Re: Is it Legit?

      Apple is probably changing the boot code as we comment (or may have done already)

      Why would they introduce new bugs? Far better to keep it as it is and let a whitehat report something or watch the blackhat marketplaces.

  4. Naselus Silver badge

    Meanwhile, inside Apple HQ

    "Damn it, James, I thought you said the source code file was highly secured!"

    "It was, I set up the file to only open if the user entered the Mac OS root passwo- oh. Shit."

  5. JakeMS Silver badge
    Thumb Up

    Got my copy!

    Downloaded my copy! I'm an Android user, but I've grabbed the code out of educational interest. I like to see how things work.

    If you want it, go get it while you can!

    Anon because of admitting that.

    1. PhilipN Silver badge

      Re: Got my copy!

      Way to go, Jake. Oops - I mean Anon.

      P.S. You may want to consider deleting your post.

      1. Hans 1 Silver badge
        Facepalm

        Re: Got my copy!

        @ PhilipN

        And you yours, for mentionning his name ;-)

        1. PhilipN Silver badge

          Re: Got my copy!

          Agreed, “Hans” - when he does (means he got the hint) so will I.

      2. Hollerithevo Silver badge

        Re: Got my copy!

        Don't tell him, Pike!

    2. gerdesj Silver badge

      Re: Got my copy!

      "Anon because of admitting that."

      Bloody browsers and their convenient auto login features or is the post anon tick box broken?

      1. caffeine addict Silver badge

        Re: Got my copy!

        Someone released ElReg's aNon code on github...

    3. el kabong

      Re: Got my copy!

      I just did that too, thanks for the savvy advice Jake. It is always clever to do these things anonymously as you very opportunely mentioned. God knows what could happen if those bastards found out our real identities.

    4. JakeMS Silver badge
      Facepalm

      Re: Got my copy!

      Oops.

    5. JohnFen Silver badge

      Re: Got my copy!

      "If you want it, go get it while you can!"

      There's no rush. Once it's out, it can't really be taken back.

  6. scrubber

    Leak?

    That's one way to get the FBI off your back.

    1. bombastic bob Silver badge
      Devil

      Re: Leak?

      or, to get the open source community involved in scrutinizing your stuff for vulnerabilities...

  7. Joe Harrison Silver badge

    why

    Seriously, why do people pay (what I consider to be) a ridiculous amount of money for a computing device when the manufacturer openly admits how hard they work to lock you out of it. Security is supposed to keep hostiles out, not to keep you out after you just paid getting on for a thousand quid.

    I can see some benefits of a trusted platform for some people using some applications, but it's just wrong that you can't turn it off.

    1. oldrusty
      Thumb Up

      Re: why

      That because they haven't quite figured it all out yet, they're still trying to understand all the chinks and kinks and when your talking about a load of guys all sitting there trying to watch the population from a Windows desktop, then there's bound to be a few minor issues.

      Democratic law makers are still befuddled and confused - bless!

      Let's clear the AIR and dispel there confusion, firstly the whole issue of lawful intercepts. It's truly the case that you should be very careful what you wish for, because those powers that they crave and covert do not translate into powers they can use against the population they directly translate into powers the population may use against the State.

      If you take the time to do the actual research you gain a better grasp of what's really going on and what it's really all about. The whole issue of the C Library and the issue of Objective C is far better understood when you realize why some people might Object or Objectify the C source code.

      You see in foreign states that are controlled by the iron grip of the "Communist" block, the party itself is not all powerful, you have to remember they are elected into office by the people on behalf of the people and therefore it's those people who placed them in power that hold them to account for there actions.

      1> The issue of illegal wiretaps, yes it's illegal but it never stopped them wanting to do it in the first place, regardless of the fact, that the people who begged for it will find themselves being the ones so deeply watched by the very electorate that placed them in power. This is what is meant by Political stupidity, the very anti-thesis of control. After all just ask yourself one simple question "how do these capabilities, translate into something that you yourself can control when they are capabilities that where never designed for you in the first place?"

      Do you believe these Agencies have any iota or idea? Of course they don't, all they care about is preening about catching bad guys, yet here we see the bad guys, being the very elected representatives, put in place by the People acting against the very will of the People, preening about Special Source collections. There truly is nothing special about where the source of those capabilities came from. They come from the "Communist" block offered out as a special service to the "Democratic" block to spy on the population in a most abusive pattern of abuse that has been going for decades.

      And they are still clueless, going on about needing a Capability which is not a Capability designed with them in mind, it was designed for the people to hold the very political authority to account for its actions and when they finally realize that, they're actually terrified that it's not there Secret Service or there Secret Police that will be listening to there private conversations but the very People who placed them in Office and that very idea is what terrifies them. Because when your making a private phone call and you offer or you accept a Bribe would you feel comfortable knowing that the People who put you in Office know all about what you just did?

      The answer is of course not, they have the illusion of control, the illusion that it's intended for them and when they find out it's not, they become deeply fearful of what will be uncovered and dragged into the light of day and laid bare for the entire world to look at.

      1. Pascal Monett Silver badge

        Re: "in [..] the "Communist" block, the party itself is not all powerful"

        I think you have a rather nebulous grasp of what the Communist block is, and of how elections are held in those kinds of countries.

        You might want to research that, for educational purposes, of course.

        For example, are you going to maintain that Putin got elected for the people ? Did you actually follow his political career ?

        I think not.

        1. oldrusty

          Re: "in [..] the "Communist" block, the party itself is not all powerful"

          Actually yes, I did follow his political career with avid interest, when he say's "I didn't do this!" he is correct, he didn't do it, he's not the one securing multi-million dollar loans and then refusing to pay them back. He's the one sitting there listening to people prattle on about the evils of the Russian population and evil Russian hackers when in fact Russia is blameless and a lot of Russian hackers contribute to Open Source all the time, it has far more to do with the Ukraine and people should instead direct there query to the CEO of Wall-Street and Citibank and the former owner of the Observer newspaper.

          Media tycoons, that probably made the vast majority of there money via blackmail and grand larceny pointing there finger at everybody else going "they did it" praying we'll not look to closely at there own finances and higher interest rates in off-shore banking.

          However you have to laugh, that although the bank lent them loads, the chances are they'll never lend them a penny again.

          1. Hollerithevo Silver badge

            Re: "in [..] the "Communist" block, the party itself is not all powerful"

            @oldtrusty, do you know how much Putin is worth? Go ahead, roun it down to the cloest million of dollars.

            1. oldrusty
              Coffee/keyboard

              Re: "in [..] the "Communist" block, the party itself is not all powerful"

              Million try 2.4 Billion

            2. Voyna i Mor Silver badge

              Re: "in [..] the "Communist" block, the party itself is not all powerful"

              First Corollary of Godwin's Law: In the 21st century any comment thread that lasts long enough will eventually start discussing Vladimir Vladimirovich Putin.

          2. Mooseman Bronze badge

            Re: "in [..] the "Communist" block, the party itself is not all powerful"

            "their"

          3. Pascal Monett Silver badge

            @oldrusty

            You had to drag Ukraine into this discussion, didn't you ? I see, Russia is pure as driven snow, it is the rest of them that are evil.

            Of course.

            Go tell that to Anna Politkovskaya. Or would you prefer some of her friends instead ?

        2. oldrusty
          Devil

          Re: "in [..] the "Communist" block, the party itself is not all powerful"

          Is Cambridge Analytic located in Russia?

          Is Bell-Laboratories located in Russia?

          Good old - Oblast Ukraine and the Spirit of Jewish Israeli Socialism & Communism!

          1. Mooseman Bronze badge

            Re: "in [..] the "Communist" block, the party itself is not all powerful"

            "the Spirit of Jewish Israeli Socialism & Communism!"

            Or, as we call it, the spirit of gold old fashioned anti Semitism and falling for Soviet style propaganda.

      2. JohnFen Silver badge

        Re: why

        What does any of that have to do with Joe's criticism about Apple locking users out of their own devices?

      3. Someone Else Silver badge
        Coat

        Re: why

        @oldrusty:

        I served with amanfrommars1. I knew amanfrommars1. amanfrommars1 was a friend of mine. oldrusty, you're no amanfrommars1.

    2. Anonymous Coward
      Anonymous Coward

      Re: why

      Because having tried 3 generations of android phone and been sick of the lack of updates I tried to avoid Apple. I then bough a windows 10 phone, great device at first but ended up with less and less apps I wanted and did become less reliable over time. I've finally joined the rest of the family with an iphone and guess what - it just works.

      Don't even talk to me about using developer builds, several of the apps I want to use will detect that a droid has been rooted and will then refuse to execute.

      Mi wife was happily using her IPhone 3GS until last year, during the time she owned it I've changed phones 4 times, It looks like her iPhone 6 will last at least another 2-3 years and I'll use the iPhone 7 I bought until it stops receiving IO|S updates. All this and it actually works well with the google play apps and devices, something which was never available on the windows phone.

      1. JohnFen Silver badge

        Re: why

        "Because having tried 3 generations of android phone and been sick of the lack of updates"

        I consider that a feature, not a bug. But then, I run a third-party ROM in part to ensure that I can control when updates happen.

    3. JohnFen Silver badge

      Re: why

      "Seriously, why do people pay (what I consider to be) a ridiculous amount of money for a computing device when the manufacturer openly admits how hard they work to lock you out of it."

      This is the primary reason why an iPhone is a nonstarter for me.

  8. Hans 1 Silver badge
    Thumb Up

    And wonder what else has leaked from Cupertino's highly secretive idiot-tax operations.

    Apple could not be reached for immediate comment. ®

    Cupertino's highly secretive idiot-tax operations.

    Apple could not be reached for immediate comment.

    So, some poor El'Reg scribe calls Apple's operations idiot-tax and wonders why Cupertino fails to respond in time ...

    Note, I think idiot-tax is both quite suitable and funny in this context, but to expect them to get back to you ? Hmmmm ... you could have at least tried to bury that in the article somewhere! Sad, just as you managed to break the ice, last few papers I read here about Apple they had actually gotten back with a comment ... now you are all back to square 1 ...

    Keep Biting the hand that feeds IT!

    1. Frank Gerlach #2

      Yeah

      Why buy a Mercedes if a FIAT drives, too ?

      1. wolfetone Silver badge

        Re: Yeah

        Because with a Mercedes, you don't "Fix It Again Tomorrow" like you do with a FIAT.

        1. tiggity Silver badge

          Re: Yeah

          But its normally total ******* (insert expletive of choice) drive Mercs... so by not driving a Merc someone can hide their ****** features (at least until they spin a few sentences together and reveal what they are like)

          1. Mooseman Bronze badge

            Re: Yeah

            "its normally total ******* (insert expletive of choice) drive Mercs"

            Ah, no. You're thinking of Beemers and Audis. I had a 20 year old S500 W12, it was lovverly. Went like a rocket when I needed it to (mainly to annoy boy racers) but the rest of the time it wafted me along in silent luxury. Just don't look at the eye-watering fuel consumption.

        2. Anonymous Coward
          Anonymous Coward

          Re: Yeah

          Just, FIAT is still alive and saved Chrysler from bankruptcy as well. But I no longer see many British brands, but those sold abroad and rebooted after they utterly failed to deliver modern cars...

          Marchionne anyway steered FIAT away from some old habits inherited by Agnelli family bad management, including the idea that other brands they bough to hinder competition should not shade their family one.

          1. wolfetone Silver badge

            Re: Yeah

            "FIAT is still alive "

            So is Peugeot, doesn't mean the cars are any good.

            1. Hans 1 Silver badge
              Happy

              Re: Yeah

              Honestly, the 2001 Peugeot 106 I have, 1.1L petrol, is indestructible ... I did 200km on three spark plugs, changed the lot and it was back to normal ... I have had the car for 11 years, now, bought it second hand at the time (with a new timing belt), and have changed the timing belt once ... ok, I change oil/filters /tires regularly ... now, after eleven years, the first universal joint went south... apart from that, it just keeps going ... and you still see 205's on the roads ... The Renault I bought at the same time and which was younger, broke its fanbelt on the motorway, which displaced the timing belt less than two years after acquisition and, finally. blew its engine 5 years later ... The MG F my sister had blew its engine, after 3 attempts to change the timing belt ...my other sister had a Rover 200 and my dad was very upset when she asked him to change the spark plugs, not easy to get at, WTF ????? I have a 22 yo Z3 in the garage, still going strong, the wife managed the rip the exhaust off three times, OK, Marseille roads have deep holes and the wife, out of exasperation (her claim) just drove into the holes ... the car is "lowered" , so not a good idea ... no way I can get that into her head and I bought that one for her (so my fault, I know) ... My dad had a W123 Lang, eight seats, that thing went on for decades on end ....British cars suck, always have, I am a Brit and it saddens me ... Italian cars are the worst crap on the roads, Volvo's are driven by idiots who need military-grade armor to survive car crashes THEY cause ... BMW drivers are usually as arrogant arseholes as Audi drivers, except for BMW Z'ers ... Mercedes drivers are usually pretty civilized ... if you ask me, you don't and that is Ok ... I am an old fart, as you can guess from this comment ...

      2. Hans 1 Silver badge
        Coat

        Re: Yeah

        And, FIAT's have Fehler In Allen Teilen and just like Ferraris catch fire unexpectedly. Mercedes have a reliability track record ... In the 80's, their cars even had a breakdown every 900 000km, on average. Sure, it has gotten worse since, but they are still so much more reliable than anything that comes out of Italy.

        The equivalent cannot be said about iPhones, though ;-) After two years, they calculate pi all day (or something silly like that) to drain the battery and get the punter to order a new shiny ...

        Of all brands, FIAT ? ROFL ...

        1. Anonymous Coward
          Anonymous Coward

          Re: Yeah

          Is that the same 80's Mercedes that the glove boxes fell off if you used them?

          And citation on that millage please, bearing their reliability rankings in most surveys are well below the Japanese and Koreans.

          One example:

          https://www.whatcar.com/news/reliability-survey/

          1. Hans 1 Silver badge
            Boffin

            Re: Yeah

            Checkout Mercedes W123, that beast was the most reliable car ever produced, by far and wide, the best car all over ... if you search in google for W123 and "erste Panne" (first breakdown) you get various reports, some rate it over 900 000km, others 850 000 ... basically, right up there with trucks ... so much so Mercedes-Benz mechanics were complaining, back in the day ;-)

            1. wolfetone Silver badge

              Re: Yeah

              It's also worth noting that the Mercedes W124 was attacked by Fifth Gear to see how reliable it was. They blew it up, drowned it, drove it over rubbish roads, and the thing still kept going.

              You can find the clip on YouToob.

            2. Anonymous Coward
              Anonymous Coward

              Re: Yeah

              "Checkout Mercedes W123, that beast was the most reliable car ever produced, by far"

              Volvo got a reputation based on the round-radiator models. Rolls-Royce got a reputation based on pre-war models (that's WW1).

              But a general statement that Mercs do 900 000km before breaking down is exaggerating a bit. One German company I worked with described them as "200/200 cars" - that is to say, they would cruise at 200kph and they would do 200 000km before ceasing to be reliable, but not that they would do that 200 000km at 200kph all the time.

          2. Dwarf Silver badge

            Re: Yeah

            Fiat isn't Japanese !!

        2. bombastic bob Silver badge
          Coat

          Re: Yeah

          "Of all brands, FIAT ? ROFL ..."

          could've been worse - like a Yugo... (THERE's an oxymoronic car name!)

    2. diodesign (Written by Reg staff) Silver badge

      Re: Cupertino's highly secretive idiot-tax operations

      I dunno man, I spent 80 bucks on an Apple wireless mouse for my work MacBook Pro, and I sure feel like I've been taxed like an idiot. Same goes for the RAM and other accessories I've bought for my home Mac gear over the many many many many

      many many many many many

      many

      many many many many many many many many years.

      C.

      (Yes, El Reg hacks use Macs. That's part of the joke. We also have a new rule that you have to split your time between macOS / Linux and Windows, so we get the same daily experience of crap technology our readers face.)

      1. Anonymous Coward
        Anonymous Coward

        Re: Cupertino's highly secretive idiot-tax operations

        "We also have a new rule that you have to split your time between macOS / Linux and Windows, so we get the same daily experience of crap technology our readers face"

        I feel your pain. I'm made to support Windows 8.1 machines at work sometimes. I prefer 7, and can live with 10, but everytime I open up a remote session to Windows 8 I die a little more inside.

      2. bazza Silver badge

        Re: Cupertino's highly secretive idiot-tax operations

        (Yes, El Reg hacks use Macs. That's part of the joke. We also have a new rule that you have to split your time between macOS / Linux and Windows, so we get the same daily experience of crap technology our readers face.)

        Er, you should add Solaris, FreeBSD and OS/2 to your list; I fear you're missing out on the adventure of a lifetime!

        1. bombastic bob Silver badge
          Devil

          Re: Cupertino's highly secretive idiot-tax operations

          actually, Mac userland is a LOT like FBSD (seeing as it was forked from 5.x). And there are 'mac ports' available, last I checked. A few times I've helped mac users with shell things because of that.

        2. JohnFen Silver badge

          Re: Cupertino's highly secretive idiot-tax operations

          Hey, In addition to all that, I also face VMS and AIX. Come on aboard, guys!

    3. David Nash Silver badge

      @Hans 1

      Obligatory "you must be new here" comment

      1. Hans 1 Silver badge
        Pint

        Re: @Hans 1

        @David

        No, I simply think people's sarcasm detector segfaulted on the "note" ... I was starting to get a bit miffed @el reg because they started playing all nice with Apple, so much so, Apple started responding to requests for comment ... I thought that was against the "Biting the hand that feed IT" mantra ... anyway ... the icon on that post clearly indicates that el reg are back on track ... and idiot tax, honestly, hilarious ...

        you must be new here" ? I dunno, sometimes have a silver badge, I think, I don't care, I hate uniforms, decorations and things like that ... I dunno how the system works, if downvotes count toward badges ... either way, I don't care, downvote as much as you like, folks, I am happy to see El Reg back on track with the mantra ... and Idiot Tax it is ;-)

        Icon: The wife's gone with the kids for the weekend, so I can have more beer than usual and comment on el'reg;-)

  9. d3vy Silver badge

    And that Mrs May is why we can't have secret back doors into encrypted systems...

    1. Anonymous Coward
      Anonymous Coward

      I don't know.

      It seems rather secret to me. I mean, how many people could possibly know it is there, read it, and be reverse engineering it right now?

      I tell you! Certainly less than 50% of the population. So IMO that's a massive success and is still a secret!

  10. Anonymous South African Coward Silver badge

    What really happened to those people who peddled WindowsNT and Win2k source code back in the day?

    All the two articles do was to waffle on about the leaked source code, but not a peep about what happened to the people who've had a hand in distributing and peddling said code...

    No matter what you do, what security measures you put up, somebody will always find a way to sneak code out of the backdoor.

    1. Anonymous Coward
      Anonymous Coward

      "What really happened to those people who peddled WindowsNT and Win2k source code back in the day?"

      Bugger-all.

      I got a toothless nastygram via my ISP for the crime of just being in the torrent, signed by Microsoft General Counsel Brad Smith under penalty of perjury.

      Which was rather odd, because when the torrent finished downloading, it turned out to be a gay porn film featuring hunky German bikers, and not a zip of the Win2k source after all.

      1. Naselus Silver badge

        "it turned out to be a gay porn film featuring hunky German bikers, and not a zip of the Win2k source after all."

        No waiiiii, I got that one from a mis-named stream too. Not Win2k, though. Lets just say that all my friends were very surprised when I told them what I thought of V for Vendetta.

        1. Yet Another Anonymous coward Silver badge

          it turned out to be a gay porn film featuring hunky German bikers, and not a zip of the Win2k source after all."

          I think that's the source code to Vista

      2. d3vy Silver badge

        "Which was rather odd, because when the torrent finished downloading, it turned out to be a gay porn film featuring hunky German bikers, and not a zip of the Win2k source after all."

        So.. win win then ?

      3. Rob Daglish
        Gimp

        Well that was a lucky escape then - I know which one I’d rather get caught with!

    2. Anonymous Coward
      Anonymous Coward

      Spelunking the Win2K/NT codebases

      Well the whole code base ( minus network stack - basically BSD) and build scripts where there but unless you were a very experienced Win16/32 and os systems programmer it was not going to make much sense. But the people like me who were both were unlikely to do much with it apart from use it for reference. Which we did.

      Did learn some interesting things from the code base. Such as not only does MS lie to outsiders but there is a chain of lying inside MS management too. I remember some very specific technical statements made by various top people at MS over the years which were proved false by the source code and the call chain. And knowing how MS internal politics works the people at the top must have been lied to by those below. In MS bullshit not only flows down the organizational chain but up it too.

      The other fun fact was that not only was the source code for the whole security stack API's in the wild but also the code for generating all the various certificates etc. Even the code that generated the various OS serial numbers. Product key etc.

      So much for a secure Win32 machine. No such thing.

      Lots of fun nooks and crannies in the two 300M plus source codebase. The source code for MineSweeper for example. Oh, and IE. Still quite a bit of Spyglass code kicking around. It was the NT4 and Win2k/XP transition codebases. Between the two, plus the DDK you had a complete build. Did partial builds as an experiment and as it all seemed to be in there but could not be arsed to build the whole thing.

  11. Christian Berger Silver badge

    So at most this could mean new jailbreaks

    It's not really a security problem, more a business model problem.

  12. Symon Silver badge
    Pirate

    Do DMCAs work on the Pirate Bay?

    Yo ho ho, me hearties!

  13. Anonymous Coward
    Anonymous Coward

    Couple of assumptions worth challenging at some point?

    1. That hiding your source code somehow improves your security (there are valid competitive reasons why you may want to hide some source code at a certain point in time, but that's a different consideration).

    2. That locking users out of their own devices is always a good idea. Discourage by all means, make it contrived enough so as to prevent unsophisticated users from shooting themselves in the foot, educate them not to root their devices under anyone else's request but only of their own accord, tell them that here be dragons. Then give the owner root.

    1. Pascal Monett Silver badge

      Closed source code has a legitimate place in the market. As a developer, if I manage to code an application that has a market to sell to, I do not see any interest for me in posting the code on GitHub or anywhere else because that would remove any incentive to pay me for the application.

      If, however, I want to create an application with the firm intention of giving away the code to ensure maximum adoption, I have the freedom of doing so.

      On the other hand, I firmly believe that closed source is not the way to go in future for creating operating systems. Our computing platforms must be managed by things we can trust, and the only way to trust them is to have them based on open-source platforms.

      Open-source platforms that will run the applications we need or want, whatever source the code is.

      As for giving the owner root, on a PC I totally agree because I've been using one since the first IBM PC 8086. On a consumer item though, I can totally understand that no manufacturer wants to do that because customer complaints are already hard enough without allowing the clueless lusers the ability to royally fuck their hardware up and them come back complaining - which we all know they will do.

      1. Anonymous Coward
        Anonymous Coward

        > Closed source code has a legitimate place in the market.

        Of course it does. We tend to run closed source until we have enough of a competitive advantage then we release most of our code, save for the bits that are more embarrassing than a French car.

        But from a security point of view, closed source buys you sweet fuck all.

      2. jimbo60

        really?

        Re: Pascal Monett

        "Our computing platforms must be managed by things we can trust, and the only way to trust them is to have them based on open-source platforms."

        Really? Do you have some sort of realistic basis for that claim? Recent history of Linux does not exactly support that premise. Just because anyone CAN inspect the source for flaws does not mean that someone DID. At least not someone ready and willing to share the finds back to the open source community. So in that regard open source that enables experts to find and hoard flaws for nefarious purposes makes it less secure.

      3. LDS Silver badge

        "closed source is not the way to go in future for creating operating systems. "

        "Closed source" doesn't mean it can't be accessed and inspected by third parties. Windows code is available for inspection if you meet the requirements. I've often used commercial third party libraries with came with full source code.

        It is still "closed" and not "open" in the sense you can't publish, resell or copy it, and you may be under an NDA.

        Stallman & C. advocated for a much broader definition of "open" - giving it a meaning that you have to "share" it, and in the case of GPL, in a very strict way.

  14. Lee D Silver badge

    Cool.

    I work in a school and we have a bunch of old manky iPad Mini's and the old iPad 2's that nobody would touch with a bargepole nowadays. Would be nice if I could convert them to run Android or something more useful now that they've been pushed onto an unsuitably high iOS version that slows them to a crawl (even pre- the battery life etc. issues that are now common knowledge).

    I mean... I wouldn't pay for them, but I have a bunch of them that are going to go in the bin otherwise (literally not worth enough to bother selling them) and if I could turn them into digital-signage or a CCTV monitor, at least they would have got to do something useful for once in their life.

  15. Walter Bishop Silver badge
    Linux

    The dangers of a monoculture ..

    "The bootloader is highly protected, is stored in an encrypted form on devices, and is key to maintaining the integrity of the operating system."

    Is there any way of scrambling the boot process such that each device is slightly different, rendering generic malware unable to run on different devices. Or at least put a hardware switch on the device then renders the core components read-only.

    The Evolution of Security 'What can nature tell us about how best to manage our risks?'

    1. Lee D Silver badge

      Re: The dangers of a monoculture ..

      Put a hardware switch on - great, now you can NEVER fix a bug in the bootloader.

      Encrypt everything with a unique key? You still need to store the key somewhere and then decrypt and execute pretty much the same code for everything. The key being different doesn't help. Pretty much this is the TPM solution. It doesn't stop things being hacked, it just makes support, troubleshooting and repairs/replacement almost impossible (there's a reason that your Apple store will tend to bin your phone and just give you another of the same model).

      None of that stops people finding flaws in the bootloader, attacking it, thereby getting access to things they shouldn't and using that to subvert the computer.

      1. Walter Bishop Silver badge

        Re: The dangers of a monoculture ..

        @Lee D: "Put a hardware switch on - great, now you can NEVER fix a bug in the bootloader."

        Set the switch to read/write, boot into update mode, update the core components, then reboot back into normal mode.

    2. Anonymous Coward
      Anonymous Coward

      Re: The dangers of a monoculture ..

      The benefits of an open source monoculture.

      Imagine the freedom if android had a near 100% monopoly, where it didn't matter who you got your handset from, all your apps and data would just work... You don't like Samsung's 2018 model, then fine buy a sony or LG..

      That's where we a today, and it s great. The only losers are apple owners, getting shatfted at every opportunity by apple, charging multiple times for the same app on different types of devices simply because they can...

      1. Anonymous Coward
        Anonymous Coward

        "Imagine the freedom if android had a near 100% monopoly, "

        So what was wrong when Windows had a near 100% monopoly? Even then what computer you bought didn't matter, all your apps and data just worked.... you didn't like an IBM? You could buy a Dell or HP, or even build one yourself.

        Is Android really open source? Actually no, the big Google binary blob that allows for critical services makes it a proprietary system anyway. Nor anybody fixes bugs in old releases of Android and delivers them. While if any fork was successful it wouldn't be "a near 100% monopoly".

        So it's fine just because you can read the code to get asleep?

        It's very funny how MS haters turned into Google worshiper - when the two companies act exactly in the same way - just Google has been far better at brainwashing people into believing its monopoly is good.

  16. Anonymous Coward
    Anonymous Coward

    For now, don't panic.

    Hmm, funny how the message varies depending on the vendor.

    I think we all know those words would be VERY different if this was Android source code leak.

    Ahh, the joys of platform biased fanboys....

    1. Destroy All Monsters Silver badge

      Re: For now, don't panic.

      Explain or step out of the airlock.

      1. Anonymous Coward
        Anonymous Coward

        Re: For now, don't panic.

        It would be something like

        "Researchers at checkpoint warn that this could put billions of android owners at risk"

        Or some such similar clickbaiting bullshit

  17. Dinsdale247

    Too darn difficult for the FBI

    https://www.theregister.co.uk/2018/01/09/fbi_boss_backdooring_encryption/

    As I said in the comments to the above article: The gullibility of our society is *SHOCKING*. Perhaps I should have said depressing.

  18. StargateSg7 Bronze badge

    I simply DO NOT HAVE TO CARE!!!!!

    I have a RTNX phone and Workstation Computer --- NOT iOS, MAcOS, WIndows 10, Linux,Android or Windows Mobile !!!! It's a Fully Custom Real-time HARD 4 Millisecond Interrupt OS -- NOTHING ON EARTH can touch it with full ALWAYS ON Shor's Resistant Cryptography onboard for ALL in-memory and storage media operations and datafile storage!

    We don't even use ARM, Intel or AMD chips --- We use our own designs! Plus it's REALLY NICE to have FULL 128-bit Integer and Real number bit-widths on EVERYTHING! It's ALSO rather nice to have unlimited system RAM into the Petabyte+ range!

    PFFFFFTTTTT Phooey on you Apple!!!! We could not care less!!! We'd rather design, build and use our own hardware and software anyways. We even make our own displays at 8k and 16k resolutions!

    1. Anonymous Coward
      1. Naselus Silver badge

        Don't engage with it. Opinion remains divided whether it's some kind of joke Bombastic Bob sock-puppet account, a poor amanfrommars1 tribute act, or a Russian trollbot AI training system.

        Opinion also remains divided over whether those three things are really separate and distinct categories, or just three descriptions of the same thing.

  19. Destroy All Monsters Silver badge
    Linux

    Nobody cares.

    "this document is the property of Apple Inc."

    My Preciousssss!

    (Also completely worthless unless you have the Apple Hardware underneath)

  20. DougS Silver badge

    This is probably a good thing

    Get a lot more eyes on the code, find a lot of bugs, Apple pays out bug bounties, code is more secure. If it was a company other than Apple I'd almost think the leak was deliberate for this reason.

  21. Anonymous Coward
    Anonymous Coward

    Apple Code Now Public........Woo-Hoo.....

    So......you've also got all the (latest) header files, anything mentioned in the header files, the compiler settings, the Makefile, and all the other paraphernalia needed to understand exactly what's going on.

    *

    Maybe I just don't understand.....but does one C source file actually tell anyone anything useful?

  22. martinusher Silver badge

    Sigh....Secrecy is not Security

    Keeping widely distributed code secret is a poor way to secure it. In theory you should be able to open source this code and it would still be secure. In practice it doesn't hurt to add some more work to the reverse engineer's task but the general rule holds -- if you're relying on secret source code for security then sooner or later that code will leak out and you will no longer be secure.

    Incidentally, you can actually tell a lot about what that code does from the include files listed in the header.

    1. LDS Silver badge

      Re: Sigh....Secrecy is not Security

      Sorry, what is valid for cryptographic algorithms is not valid for any piece of code. In cryptography you still have a secret that is the key(s).

      In many other fields, part of the security is exactly not knowing exactly how it works, because you have bot a "simple" data like a key able to protect it all.

      Never extrapolate something outside its context - it may cease to be valid.

    2. DougS Silver badge

      Re: Sigh....Secrecy is not Security

      That's only true if secrecy is the ONLY security. If secret code becomes public you are no worse off than if it had always been public. If it stays secret you have an extra layer of difficulty for people to try to find exploits.

  23. eldakka Silver badge
    Flame

    > It can be abused to jailbreak iOS devices to install unofficial customizations and applications.

    I'm sorry, why is jail-breaking or installing unofficial customizations an abuse?

    It's my device, and I'll do what I want with it, from painting it hot-pink, replacing the battery when it dies or the screen when I drop it, putting my own custom OS on it, up to and including covering it with thermite and igniting it.

    It is an abuse by the vendor to stop me from doing those things to my device.

  24. Someone Else Silver badge
    Coat

    We're not going to link to [the GitHub repo containing the iBoot code].

    Awwww...Killjoys!

    :-þ

  25. Qwertius

    iBoot. Does anyone actually care.... ?

  26. Anonymous Coward
    Anonymous Coward

    The leakage may be cause for concern...

    ...or laughter, if the code is poorly written.

    You wonder the mess the source code for Adobe's Flash must be...

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019