Talk:SHSH blob

Untitled

can someone comment on the recent changes (around Sept-Oct 2012) that are now preventing install or downgrade to iOS 5.x (or earlier)? — Preceding unsigned comment added by Tarakihi (talk • contribs) 7 November 2012

Excess emphasis on iOS alteration with contents referenced to those who have stake in promoting iOS tampering

"Apple's digital signature protocol for iOS restores and updates,Apple's digital signature protocol for iOS restores and updates" is the title and what it is about. There's more discussed about exploitations and self published citations of those involved in jailbreaking that go about tampering/exploitation of Apple devices/programs. I think it strays too far and balance needs to be considered Cantaloupe2 (talk) 01:29, 13 December 2012 (UTC)

Apple has published few details about SHSH blobs other than in its security whitepaper, which is referenced in this article, which makes sense, since it's not supposed to be publicly discussed in detail. Most of the available information about this system is from independent security researchers, which isn't uncommon for security-related topics - for example, a large portion of RSA (algorithm) is about attacks to the algorithm, and there are entire articles about particular kinds of attacks, such as Coppersmith's Attack. The attacks on the SHSH blob system are most of what make this system notable. I'd be happy to see more information added to the "technical details" part of this article though.

Regarding iH8sn0w's presentation, it's not uncommon for reputable hackers to prefer going by pseudonyms (see Mark Abene, John Draper, etc.), and you can easily find his full name with a Google search. iH8sn0w presented what is basically a research paper at a conference about jailbreaking - not as useful as a peer-reviewed paper, but it shows that he has standing in the community. iH8sn0w's work has also been covered by independent sources: see PCWorld on his jailbreaking tool and another PCWorld article, along with TUAW's similar posts on the topic and Engadget's also-similar posts. More specifically, he maintains a tool for manipulating SHSH blobs - see this Engadget post for example, TUAW, RedmondPie, etc. It's not a bad source for uncontroversial claims about technical details. Dreamyshade (talk) 01:55, 13 December 2012 (UTC)

Maybe this is a good candidate for Wikipedia:Third opinion? It seems too trivial for a RfC, but it'd be nice to get some more perspectives on the balance/POV and sourcing issues. Dreamyshade (talk) 02:30, 20 December 2012 (UTC)

WP:3O

I come here as a third opinion Wikipedian. I would like to point out that notability is not inherent. SHSH blob is not notable because its associated with iOS and barely deserves its own article. The only reason it does is because of the significant independent coverage it has received as a result of jailbreaking and exploits. With out, it struggles to find reliable and independent sources where it is the direct focus of the publication. I would either recommend keeping the section in full and possibly shifting the focus of the article to weight towards how its an important part of that aspect, or simply merge the information into iOS and iOS jailbreaking. At which point the remaining page (even with only the exploit information reduced) is a very likely candidate for WP:AfD -- it almost is as present a candidate for merge. Mkdw^talk 00:20, 30 December 2012 (UTC)

Thanks! I'm not entirely opposed to merging this material into iOS jailbreaking, but I'm not sure it'd fit, since this topic is associated with jailbreaking but not actually part of jailbreaking - you can cache and re-use SHSH blobs without ever exploiting the operating system on the device. Jailbreaking older iOS versions is the primary reason for fooling around with SHSH blobs, but other reasons include testing apps on older versions and reverting if you don't like the newer iOS version. I think it'd be weird to put more than a sentence or two about this topic into iOS though, since like you've noted, this protocol is a tiny part of iOS. A while ago I thought about merging this material into Hardware restrictions#Apple devices (see its talk page), but now I think it has too much detail to fit neatly into that article. Would you be up for explaining the other idea a little more - "shifting the focus of the article to weight towards how its an important part of that aspect"? Do you mean adding more material about exploiting the protocol, and revising the introduction to explain that the exploits are the notable aspect? Dreamyshade (talk) 01:34, 30 December 2012 (UTC)

I think regardless of where you decide to merge the information, at present the current article barely has enough to warrant a standalone article. All the sources are about exploits. As such, you could probably keep everything as it is, but the alternate proposal to make the article more about the technical data and less about the exploits seems not to be supported by the coverage and thus WP:BALANCE. I haven't heard from the other editor, which I would like, before going any further. Mkdw^talk 06:28, 30 December 2012 (UTC)

OK, I'll post on their talk page to invite them back. It sounds like you agree that the balance tag should remain on the article for now; any thoughts on the primary sources and NPOV tags? Dreamyshade (talk) 07:52, 30 December 2012 (UTC)

I'd also be interested in opinions on this phrasing change intended to help with neutrality - the results seem equivalent in neutrality to me but a little more confusing/unclear, but I know I'm COI, so it's hard for me to tell. And an unrelated issue I just noticed is that early articles about this topic refer to it as "ECID SHSH" instead of "SHSH blobs" (see here, here, and here), so the article should probably include both phrases. Dreamyshade (talk) 20:59, 30 December 2012 (UTC)

I agree that this technical jargon is not notable enough on its own merits to warrant a stand alone article and I think that it more or less serve as a vehicle to spread names of iPhone tampering software, their developers, and direct stake holders like Cydia which stands to gain from sell of Apps through its program. Cantaloupe2 (talk) 22:46, 30 December 2012 (UTC)

Just for reference, here's how the article looked before I revised it based on sources. The content was approximately the same as in the current version, minus some technical details that I removed since I couldn't find secondary sources to confirm them. For example, it'd be great to include details on early iBEC and iBSS caching tools from July 2009, but George Hotz's original blog post is no longer available, and the remaining sources are weak: iHackintosh tutorial, another iHackintosh tutorial, ModMyi copy of Hotz's post, iClarified tutorial, another iClarified tutorial, GDGT forum post, Dev Team blog post, etc. I believe my COI mostly applies here in influencing my thinking that this topic is interesting/significant; publishing technical and historical details about this topic doesn't really help users install Cydia, since the article doesn't include how-to information (note that actually saving and using SHSH blobs requires rather complicated and unintuitive steps, not suitable to include in an encyclopedia article). Dreamyshade (talk) 23:41, 30 December 2012 (UTC)

They're all poor quality quasi-anonymous websites, especially the ihackintosh one which is registered to an unqualified individual person. I counted CYDIA mentioned four times in the article, and repeated references in citation to SaurikIT the company you work for. I see this article as extension to Cydia to disseminate its presence into other articles. Cantaloupe2 (talk) 05:49, 31 December 2012 (UTC)

I agree on the weakness of those sources. This article had four mentions of Cydia before I started editing it, and four mentions of Cydia after I revised it; it's just part of the topic, which you can verify by reading the sources. It has three references to one post by the Cydia developer, but I think that makes sense for referencing technical information because of his expertise in this subject and Cydia's role in SHSH blob usage, and each use of that reference is accompanied by an additional reference. Dreamyshade (talk) 06:31, 31 December 2012 (UTC)

I find the presence of "Cydia" as an example as a form of masqueraded product placement. "To subvert that system using a man-in-the-middle attack, Cydia requests SHSH blobs from Apple for jailbroken devices and caches those SHSH blobs on Cydia's servers". The use of Cydia in explanation infers that use of that particular vendor of yours with COI is a requisite. Can this not be generized with the use of word like "platform" "interface" or "provider"? "Cydia" in this prose means two different things. First, it means the software, second the company. If you replace it with program and provider, then a source that is not tainted with Cydia, we'll have a neutral section. Cantaloupe2 (talk) 08:29, 31 December 2012 (UTC)

I like the idea of expanding that sentence to cover the general case as well as the common case; several of the article's sources discuss Cydia specifically, but it's not the only way to do this process. (Also note that Cydia is just the name of the software; the company is called SaurikIT.) Here's the current text:

"To subvert that system using a man-in-the-middle attack, Cydia requests SHSH blobs from Apple for jailbroken devices and caches those SHSH blobs on Cydia's servers, so that if a user changes the hosts file on a computer to redirect the SHSH blobs check to Cydia's servers instead of Apple's servers, iTunes would be tricked into checking those cached SHSH blobs and allowing the device to be restored to that version.^[1][2]"

Here's a revision:

"To subvert that system using a man-in-the-middle attack, a user can request SHSH blobs from Apple while a specific iOS version is being signed for a device, save those SHSH blobs, and then reuse them later to restore that device to that iOS version.^[2][3] On jailbroken devices, Cydia automatically requests available SHSH blobs from Apple and saves them on Cydia's servers,^[4][5] so that if a user changes the hosts file on a computer to redirect the SHSH blobs check to Cydia's servers instead of Apple's servers, iTunes would be tricked into checking those cached SHSH blobs and allowing the device to be restored to that version.^[2][6]"

Here are quotes from additional references to verify the usefulness of the expanded text:

• PCWorld 2010: "don't forget to back up your SHSH ‘blobs,’...Once you're jailbroken, it's easiest just to back them up through Cydia. Alternatively, this method, using a program called Firmware Umbrella, works whether or not you are jailbroken, and is a good idea if you haven't yet but think you might want to in the future."
• Ars Technica 2011: "Users can save their SHSH blobs using a tool such as Cydia or TinyUmbrella before upgrading to a new version of the OS so that they can eventually restore that specific device to that firmware via iTunes."
• MacWorld 2011: "For a downgrade to work, a redirect line must be added to the hosts file; the added line forces a connection to a Cydia server rather than Apple's server."

Dreamyshade (talk) 09:37, 31 December 2012 (UTC)

References

1. Jay Freeman (saurik) (September 2009). "Caching Apple's Signature Server". Saurik.com. Retrieved December 3, 2012.
2. Hoog, Andrew; Strzempka, Katie (2011). iPhone and iOS Forensics: Investigation, Analysis and Mobile Security for Apple iPhone, iPad and iOS Devices. Elsevier. pp. 47–50. ISBN 9781597496599. Retrieved December 3, 2012.
3. Stern, Zack (July 5, 2010). "How to jailbreak your iPad and start multitasking immediately". ITBusiness.ca. Retrieved December 30, 2012.
4. Morris, Paul (December 24, 2011). "Cydia Is Now Saving SHSH Blobs For iOS 5.0.1 Firmware". Redmond Pie. Retrieved December 30, 2012.
5. Page, Sebastien (April 2, 2010). "How to Save Your iPhone ECID SHSH". iDownloadBlog. Retrieved December 30, 2012.
6. Asad, Taimur (April 30, 2010). "Save SHSH Blobs (ECID SHSH) of iPhone 3.1.3 and iPad 3.2". Redmond Pie. Retrieved December 30, 2012.

Dubious

The iH8sn0w reference's dubious tag is being discussed above already, but I thought I'd start a discussion for the two other dubious tags on the article currently. I'm a little confused by the dubious tag on "First released in 2009 (as TinyTSS and Umbrella)" - it's referenced to a self-published blog, but it's a blog by the developer of the software, and the reference only needs to support the claim that the software was released in a particular year with particular names, so I believe this complies with WP:ABOUTSELF. I just added another reference (also to the developer's blog) to support the name merge claim better. I'm also puzzled by the dubious tag on the first sentence in the technical details section - it's supported by both a secondary source and a self-published source by an expert on the topic, and it's not a controversial claim; references for other parts of the article can also support it. Dreamyshade (talk) 20:19, 1 January 2013 (UTC)

You may want to read the definition of expert on WP:SPS and WP:RS. This article is about SHSH blob, so I'm finding that going in depth with information from iOS altering(not POV, this is the term used by Apple, media, etc) software is straying off topic. Cantaloupe2 (talk) 22:51, 1 January 2013 (UTC)

I believe that since saurik's work on this topic hasn't been independently published (just quoted/referenced by reliable sources), it shouldn't be used as the sole source for this, but that it can be used as a supporting reference for technical information. I think that if you consider this sentence to be an off-topic statement instead of a dubious statement, something more like Template:Off-topic would be useful.

I agree that this is an awkward article, but I don't know where we'd merge this information - as discussed above, it wouldn't fit neatly into iOS, iOS jailbreaking, or hardware restrictions. What would you think of renaming this article "iOS signature protocol exploitation" or similar? Dreamyshade (talk) 23:08, 1 January 2013 (UTC)

Why wouldn't it fit into iOS? If this is a specific protocol unique to iOS, it seems appropriate. What am I missing? Cantaloupe2 (talk) 23:22, 1 January 2013 (UTC)

This protocol is a small part of iOS, so I believe it'd cause undue weight to put more than a short section about it (and its exploitation) into the iOS article. I'll post to the talk page there though to see what other editors think. Dreamyshade (talk) 00:16, 4 January 2013 (UTC)

I'm having a bit of trouble following some of this discussion, but if you want an opinion about [1], then I would highly recommend eliminating this as a source. It's self published material that could be largely considered original research. Unless an alternate, independent and reliable source cites this work as reliable itself, then it should be excluded. Even though the information it supports is minor, its been contested.

It still seems that merging would be the best option. Taking it to another article and changing the wording to explain how it fits into the OS or exploiting would be pertinent. The community may very well view the addition as trivia to the actual concept and debate whether in an encyclopedia such a mention is even worthwhile. A valid discussion to have before merging it with the target article. Mkdw^talk 23:40, 1 January 2013 (UTC)

OK, I removed the material referenced to iH8sn0w. I'll post to the iOS and iOS jailbreaking talk pages to see if anyone interested in those articles has thoughts on merging some information. Just to verify, does the renaming idea sound non-useful? Dreamyshade (talk) 00:16, 4 January 2013 (UTC)

excess details in off topic area, undue weight, product placement

So, SHSH blob is a digital signature from what I gather. The discussion in exploits and countermeasures should focus around what is involved in exploits and what counter measures are in general technical explanation. It should not refer to the process by brand name.

To use another example, "a runner maintains proper hydration and electrolyte replenishment by drinking Gatorade." This works because Gatorade contains a proper blend of necessary electrolytes, carbohydrates and water. (reference: gatorade.com, ref2 an article by a gatorade sponsored person). This sends a message that Gatorade is the only product capable of doing this.

Independently published by reliable source is something used to evaluate the validity of the statement. Undue weight is a different ball game. If you gather around specific sources and even if all of them are credible, the article can very well be built to advance a certain position, including advocating for specific action or product placement. I suggest you read the article chiropractic. There's a huge controversy there, despite the fact it has a lot of highly credible sources. Cantaloupe2 (talk) 23:20, 1 January 2013 (UTC)

What do you think of my suggestion above to expand the sentence you found particularly problematic? I believe that it makes sense to include neutral descriptions of significant tools when discussing a technical topic - see how energy drink discusses several brands. I agree that it's possible to cherrypick sources to advance a particular position, but do you have evidence that this is happening with this article? I know my COI makes the article seem suspicious, but I'd again like to point out that before I started editing it, other editors had added material mentioning the same tools. Dreamyshade (talk) 00:33, 4 January 2013 (UTC)

Or you could look at a beverage mix. It usually refer by generic liquor name like tequila. It doesn't use Patron® in lieu of "tequila", and doing so is WP:UNDUE as is the case with CYDIACantaloupe2 (talk) 01:20, 4 January 2013 (UTC)

I agree that it can be undue weight to include brand names where they aren't warranted, but I believe they're warranted in this case, as shown by the non-COI edits and secondary sources. See margarita - it mentions Cointreau and Grand Marnier, not as product placement, but because those brands are relevant to the topic. Dreamyshade (talk) 01:34, 4 January 2013 (UTC)

But then, it mentions as "tequila" in general recipe, not brand name. In this article, the process is described exclusively based on CYDIA, rather than vendor server and software. Cantaloupe2 (talk) 02:21, 4 January 2013 (UTC)

Cydia's servers were the first unofficial SHSH blob servers, and they're the only unofficial servers covered by multiple independent sources, but I believe my suggestion above (at the end of #WP:3O) helps clarify that they're not vital to the exploitation process. Looking for sources to double-check all of this, I found a mention of iFaith maintaining its own SHSH servers for iFaith-retrieved SHSH blobs: "iFaith works by backing up blobs from old firmwares, currently running on the device for later use, onto iFaith’s own remote server". That's the only independent source I can find that covers it, but I can add it to the article it if you think that's enough. There are several tools that offer ways of saving SHSH blobs, and the article mentions ones that have been covered by secondary sources - Cydia, TinyUmbrella, iFaith, and redsn0w. There are other tools that didn't seem notable enough to cover by name, such as AutoSHSH and iSHSHit - although looking up iSHSHit again, it was covered by Redmond Pie in December 2010, July 2011, and August 2011. I can add them if you think it's a good idea. Dreamyshade (talk) 02:58, 4 January 2013 (UTC)

pulling aside prose for discussion over the coverage by brand name/COI SaurikIT "Cydia"

So, after reading the sources, it looks like Umbrella is simply a Java program for storing security hash locally and Cydia's role here is merely as a remote cloud backup. The author's site specifically mentions the lack of dependence on Cydia so you can still restore the device if Cydia capsizes. It is not deserving of by brand name mention. Does anyone else care to comment on this? My understanding from reading the sources is that devices simply need to think that it is "calling home" and the local or remote host emulate the host. Am I wrong?

As specifically stated on Umbrella's page, the utilization of CYDIA's service is not a requisite nor a critical part of this process. Cantaloupe2 (talk) 03:27, 4 January 2013 (UTC) In question:

Top Part:

For iOS 3 and 4, SHSH blobs were made of static keys (such as the device type, iOS version, and ECID), which meant that the SHSH blobs for a specific iOS version and device would be the same upon every restore. To subvert that system using a man-in-the-middle attack, Cydia requests SHSH blobs from Apple for jailbroken devices and caches those SHSH blobs on Cydia's servers, so that if a user changes the hosts file on a computer to redirect the SHSH blobs check to Cydia's servers instead of Apple's servers, iTunes would be tricked into checking those cached SHSH blobs and allowing the device to be restored to that version.^[1][2]

Bottom Part:

First released in 2009 (as TinyTSS and Umbrella),^{[3][4][dubious ]} TinyUmbrella is a tool for finding out information about SHSH blobs saved on Cydia's servers, saving SHSH blobs locally,^[5]

References

1. Jay Freeman (saurik) (September 2009). "Caching Apple's Signature Server". Saurik.com. Retrieved December 3, 2012.
2. Hoog, Andrew; Strzempka, Katie (2011). iPhone and iOS Forensics: Investigation, Analysis and Mobile Security for Apple iPhone, iPad and iOS Devices. Elsevier. pp. 47–50. ISBN 9781597496599. Retrieved December 3, 2012.
3. notcom (September 19, 2009). "TinyTSS -- All your iphone restores are belong to you". The Firmware Umbrella. Retrieved 3 December 2012.^{[self-published source?]}
4. notcom (May 20, 2010). "TinyUmbrella - Unified TinyTSS and The Firmware Umbrella in ONE!". The Firmware Umbrella. Retrieved 1 January 2013.
5. Brownlee, John (November 15, 2011). "TinyUmbrella Updated To Support Backing Up iPhone 4S And iOS 5.0.1 SHSH Blobs". Cult of Mac. Retrieved December 30, 2012.

You're right that TinyUmbrella doesn't rely on Cydia's servers, but it includes features for downloading and uploading SHSH blobs on Cydia's servers - in other words, it lets you work without Cydia's servers or with Cydia's servers, depending on your preferences and goals. The TinyUmbrella developer's FAQ has some information on this - see "are there any options or solutions to fix this problem?" and "How do I save my SHSHs on Cydia?" Dreamyshade (talk) 05:49, 4 January 2013 (UTC)

Another prospective target merge target is Cryptographic_hash_function or other articles that have something to do with digital signature keys. Mention of Cydia is unnecessary and the current state is WP:UNDUE over representation. Further research shows there are a handful of SHSH blob handling tools. iFaith, SHSH Extractor, Auto SHSH grabber and such. So from my reading, user can get Apple to sign the SHSH Blob for the device's iOS version or if Apple won't sign for it anymore, then it can be extracted from the device. I have no knowledge if there's any financial gain by SaurikIT, either through contract or indirectly for some backup program vendors from designating it as the preferred service provider, though if there is, it just thickened the degree of COI. Explicit mention of Cydia may sway users to use it in lieu of more established and reliable option such as Google Drive or other cloud backup setup. What I really don't understand is the motive behind remitting unique device ID along with the hash key to Cydia by default in some programs, as opposed to download to user's computer or have it sent as an attachment to user via email. I speculate there's some kind of financial incentive for Cydia in this transaction as I doubt they're donating the necessary bandwidth at their expense as a community service. This website which appears to be of comparable quality to some of sources within this article describes it in a very neutral manner. Dreamyshade, does CYDIA hold any financial or R&D stake in hosting this cloud service? Does Cydia touch(inspect) any of the files for development purposes?

"I simply think that I would rather have my shsh blobs on my personal machine AND on his server for safe keeping. This way if something happens to cydia, I can still restore my phone to the version I want to restore to. Plus I have the peace of mind knowing that my files are safely in my possession."2009 9 This is a very valid concern. Since Cydia is under no legal obligations to provide this service; aside from the user losing the cell phone; Cydia is also the weak link, and if for some reason the need for accessing the file increases due to some future event, there's nothing to prevent Cydia to require user to "buy" the only copy of file unique to the customer. Therefore, I present serious potential COI motive. Cantaloupe2 (talk) 07:30, 4 January 2013 (UTC)

I don't think this material would fit into cryptographic hash function - the protocol does include a hashing formula, but it's not particularly significant to the history of hashing formulas. It could probably be mentioned if that article had a list of examples of uses, but the article doesn't have that right now.

Yes, there are multiple tools that handle SHSH blobs, and I believe all the significant ones should be mentioned. Note that SHSH blobs can only be extracted from the device in limited circumstances - only on iPhone 4 and older devices, and only for the currently-installed iOS version.

SaurikIT maintains the SHSH servers because helping people preserve the ability to restore to older iOS versions means that people have more freedom to jailbreak their devices - in other words, so that even if they have to restore to fix a problem, they can restore to a jailbreakable iOS version instead of to the newest iOS version. saurik has discussed the economics of his work a few times - search for "SHSH" in this article from 2011 (which also says "Cydia's 'profits' largely go back to 'shoring up' the community...If I were somehow in this 'for the money' I would just be doing my old consulting job, which paid /much/ more, had more reasonable hours, and involved far less political negotiation") and this one from 2012. I'm not sure what you mean by touching/inspecting the files - the servers store them, and anyone can download them.

Regarding Google Drive - you need to use a specialized tool to save SHSH blobs, and you also need to use a specialized service or tool to use them; you could store them on Google Drive between saving them and using them, but you'd have to write your own saving and replaying tools or use the available ones (Cydia, Cydia's servers, redsn0w, TinyUmbrella, iFaith, iSHSHit, AutoSHSH, etc). MacHackPC seems to be a self-published blog by authors not recognized as reliable by any other sources, but that page also includes mentions of using Cydia and Cydia's servers.

Yes, a number of people use tools such as TinyUmbrella to make local backups of their SHSH blobs, which is sensible and not discouraged by anyone. I am a little puzzled by your speculation about Cydia someday charging for SHSH blob access; it sounds like it stems from being suspicious of my motives instead of being based on evidence. Dreamyshade (talk) 08:42, 4 January 2013 (UTC)

Yes MacHackPC looks SPS, but the phrasing is very neutral in the first paragraph and it was shown as an example. imore, givememind etc aren't necessarily personal homepage, but they're not quite up there as reliability published secondary source, because it often reflects the author's opinion and often time they're non-credential'd contributing editors.

I don't know why your motives, nor d I know why you have such vested interest on topics that go around SaurikIT's CYDIA. Am I not understanding it correctly that Cydia can disable access and hang users to dry at its discretion? Doesn't the accessibility get lost if Saurik IT is shattered? It's just my instinct that there's direct or long term indirect financial incentive behind this by SaurikIT to try to get users to do it this way, not necessarily, you as the editor. Cantaloupe2 (talk) 09:50, 4 January 2013 (UTC)

Perhaps you mean "such strong interest" instead of "such vested interest"? I believe I've explained that I find these topics personally interesting. I also like helping with these articles because I have an understanding of the material and some experience with technical writing for general audiences; I like contributing my expertise.

I agree that the iMore and GiveMeMind articles shouldn't be used as references; I just linked to them because they quote saurik explaining his reasons for working on Cydia and the SHSH servers - I believe they help explain that SaurikIT isn't really a traditional business trying to maximize profits. You're right that he could someday stop providing access to stored SHSH blobs; most maintainers of free services can choose to do that. If that happens, or if anything else changes related to the servers, it'll probably be covered by secondary sources, and then we can include that information in the article. Dreamyshade (talk) 01:06, 6 January 2013 (UTC)

Revision replacing "Cydia" with server/cache/third-party

I have a few concerns with this edit from yesterday ("since its been established that local storage, is an option and that the use of proprietary vendor Cydia is not a technical requirement, it has been genericized").

The previous version of the article didn't say that Cydia and Cydia's servers were required to save SHSH blobs or do SHSH blob restores, just that they are among the most notable tools for doing these things. For my effort to improve the article to make that more clear, see my comment at 09:37, 31 December 2012 (UTC) in #WP:3O, where I suggested rewriting part of the article to mention the general case before mentioning the Cydia-specific case. I don't think you responded to that suggestion though, so I don't know if you considered it insufficient in some way.

I believe that my comments in #WP:3O and #excess details in off topic area, undue weight, product placement have explained that Cydia's servers are the only notable SHSH blob servers, and that Cydia is notable as a tool for saving SHSH blobs. I can provide more lists of quotes from sources to support this if you like.

Another problem with this revision is that the sources don't support changing "Cydia" to "server" or "third party", since the sources specifically discuss Cydia and its servers. Dreamyshade (talk) 11:47, 9 January 2013 (UTC)

"Proprietary vendor" also seems like an unusual way to describe a piece of free open-source software and a free service run by a developer who has shared code and implementation advice with other developers of similar tools/services, even if it's all supported by a company. :) Dreamyshade (talk) 12:04, 9 January 2013 (UTC)

For reference, here's the TUAW chat post from September 2009 where saurik shared code for this: "Users who want to get this information from either my server or Apple's server need only make a standard Apple signature server request: if the firmware is "current" they can get it from Apple, and if not they will need to get it from me (if I have it stored, of course)...I will be offering a mechanism for users to do this more easily in the future, but for right now users who wish to do this can do so using the following Python program: http://svn.saurik.com/repos/menes/trunk/cysts/tss.py". The post has other background material that might be helpful too. Dreamyshade (talk) 03:06, 10 January 2013 (UTC)

Third opinion

Hi Dreamyshade and Cantaloupe2. Here is a third opinion for you.

1. Please note that I have no expertise in this area. I am not even an Apple user.
2. I do not think that the "Exploits and countermeasures" section is well-written to be understood by the general reader. Fixing it so that it gives clearer explanations of what different bit of software do and why people might want to do that should be given priority.
3. The current version with "server" replacing "Cydia" is no good at all. It doesn't even result in acceptable English and it is not clear what "server" is being talked about. This may involve moving content between paragraphs in the section.
4. Since Cydia is not the only application that handles SHSH blobs, and since caching them on a server does not even appear to a necessary part of the process, the content should be re-organised. Firstly, it should be explained that there are apps that will subvert the iOS process by cashing SHSH blobs. It should then be explained that there are services that will cash these to a dedicated remote server (eg Cydia). Stuff to do with bypassing iOS's auto-update fetish should also be mentioned (this is not currently mentioned, but seems to be an alternative way of handling what is currently described in paragraph 2 of the section - apols if this is my misunderstanding).
5. Once the content is made a little less wordsalady, I don't think it matters a great deal whether Cydia is mentioned or not. However, it should be made clear that it is a common application for a particular purpose, rather than a core and essential part of the jailbreaking process (recent versions of the article seem to have wrongly given this impression). Cydia does seem to be a standard enough part of the process, though, for a mention not to be UNDUE.
6. Please note that third opinions are not binding and you are free to pursue other means of dispute resolution if my comments solve nothing.

Thanks. Formerip (talk) 17:41, 2 February 2013 (UTC)

Phrasing changes

I asked this above in #WP:3O, but I think it got buried among the other discussions, so I'll start a new section for it. I'm interested in opinions on this phrasing change intended to help with neutrality - to me, the results seem equivalent in neutrality but more confusing.

That edit changed "SHSH blobs are small pieces of data" to "The phrase SHSH blobs is a technical jargon for small pieces of data". This doesn't sound right to me - it's normal for articles to start with the term itself, and saying "a technical jargon" isn't quite grammatical. Here's a compromise that also corresponds better to the article's current title: "SHSH blob is a jargon term for a small piece of data that is part of".

The edit also changed "The term "SHSH blobs" is jailbreaking jargon (not an official Apple term)" to "The phrase "SHSH blobs" is an unofficial jargon". This removes the useful detail that it's a jargon term used by jailbreakers (useful because jargon is "defined in relationship to a specific activity, profession, group, or event"), and it replaces that information with the more vague statement of it being an unofficial term. I believe it's important to convey that it's unofficial from the perspective of Apple, since there's no official registry of words in general. Dreamyshade (talk) 02:00, 9 January 2013 (UTC)

No objection. I wouldn't mind if you went with it. Cantaloupe2 (talk) 02:07, 9 January 2013 (UTC)

Thanks, implemented. Dreamyshade (talk) 02:09, 9 January 2013 (UTC)

I'm confused - why approve these suggestions and then change the phrasing again? Changing "The term "SHSH blobs" (also called "ECID SHSH") is jailbreaking jargon (not an official Apple term)" to "The term "SHSH blobs" (also called "ECID SHSH") "SHSH blob" is a non-Apple official term" produces a confusing sentence, and the jailbreaking aspect is a significant fact about the term - not undue weight. According to the available sources, the only people who use the term are people in the jailbreaking community. Dreamyshade (talk) 11:24, 9 January 2013 (UTC)

Also, I've said this before, but it seems relevant to bring it up again in response to your edit summary: I'm also a little puzzled by how you've frequently said "tampering" when discussing jailbreaking, which implies that jailbreaking is improper, foolish, or harmful, instead of using a neutral word (Apple uses the words "unauthorized modification", for example). Dreamyshade (talk) 11:29, 9 January 2013 (UTC)

Reviewing article tags

There are currently five warning tags on this relatively short article, and four of them seem similar/redundant (unbalanced, COI, off-topic, and spam); the fifth is a primary sources tag. The essay Wikipedia:Tagging pages for problems suggests: "It is best to provide the fewest number of the most specific possible tags. Placing too many tags on an article is "tag-bombing", disruptive, or may be a violation of Do not disrupt Wikipedia to make a point. Placing vague tags on articles results in confusion and discouragement more often than it results in improving the encyclopedia." and "It is very rare that more than two or three tags are needed, even on the worst articles. Adding more tags usually results in all of them being ignored. Focus your attention on the most important one or two issues."

I agree that the article is awkward in terms of balance, and I can't speak about the appropriateness of the COI tag, so those are the two I'd pick as the tags to leave on the article. The spam tag seems to be implied by the COI tag, and the off-topic tag seems to be implied by the balance tag, so I'd suggest removing those two.

I believe that the article no longer has a pressing problem with primary sources. Like I said above at #WP:3O, it has three references to one post by the Cydia developer, but I think that makes sense for referencing technical information because of his expertise in this subject and Cydia's role in SHSH blob usage, and each use of that reference is accompanied by an additional reference. Also, as I mentioned in #Dubious, the TinyUmbrella blog posts seem to count as WP:ABOUTSELF. That leaves the Stefan Esser reference, and he's a recognized expert in this subject, including contributing to iOS Hacker's Handbook ("a PHP security expert and leading researcher of iOS security topics"), so I believe it's acceptable to cite his presentation for non-controversial technical information. The bulk of the article is referenced to secondary sources. Dreamyshade (talk) 02:30, 9 January 2013 (UTC)

If I pick up the litter I suspect you would object on the "editors may object to remove of [dubious] contents. This is not a pass to litter an article, then say "you can't remove it without getting consensus first!!" If I add tags which I think reasonably represent the concerns I have (had) in regard to this article, you complain that its unnecessary tags. So, which do you prefer? If source is objected, policy does say that onus is on reinserting editor. WP:PROVEIT Cantaloupe2 (talk) 10:41, 9 January 2013 (UTC)

I think that removing referenced parts of the article for being off-topic isn't a good idea while the topic of the article (and potentially merging or renaming it) is being discussed in multiple places, but I also think that having both "unbalanced" and "off-topic" tags on the article is somewhat redundant. (Calling referenced parts of the article "litter" seems a bit harsh, by the way.) I'm a little confused about your comment about sourcing - since you objected to the sources, I provided more information to support using them, so hopefully now we can discuss whether you still consider the article to improperly rely on primary sources. Dreamyshade (talk) 11:06, 9 January 2013 (UTC)

Recently tagged and removed sources

Responding to concerns in your recent edits:

• "pull disreputable site called idownloadblog" - Can you explain this a bit more? iDownloadBlog is an independent blog with hired writers, editorial oversight, and a decent reputation; I wouldn't use it as the only reference for something controversial, but as an additional source for supporting uncontroversial material, I believe it's useful.
• "we're not certain of this grad student is a reliably published expert on this subject to have exemption from WP:SPS policy" - As noted by this edit removing a "self-published" tag on a different article by saurik, "neutral description of features is OK to come from self-published sources (unless there is a reason to believe the data is falsified)".
• "WP:RS, no i think not. about author; "Sayam Aggarwal is a 18-year-old student living in India who has been an Apple fan for almost 5 years."" and "reliable? no. author bio: "a 18-year-old student living in India who has been an Apple fan for almost 5 years"" - that article is from a non-self-published blog that has a decent reputation, and it's only supporting technical details that can be confirmed in other sources. It's not the best reliable source, but I believe it's fine for supporting those claims.

• I escalated this to RS/N. Your patience is appreciated until we have sufficient community consensus. Cantaloupe2 (talk) 05:15, 10 January 2013 (UTC)

• Just to follow up on this for anyone watching, here's the archived RS/N discussion - no third opinions were volunteered, unfortunately. Dreamyshade (talk) 07:23, 22 January 2013 (UTC)

• "per my suggestion as well as 3PO input" and tagging the Stefan Esser presentation as a primary source with the note "this author should have been published in a reliable secondary source on this matter, such as a computer engineering journal" - I believe the iOS Hacker's Handbook book, mentioned above, is sufficient to show that he's an expert source. I don't know why a security researcher would publish his work in a computer engineering journal - perhaps you mean a computer science or information security journal? I don't think that's a requirement for an expert source on software topics though, just that his "work in the relevant field has previously been published by reliable third-party publications" (WP:SPS). Also, I'm puzzled by your mention of "3PO input" - I believe User:Mkdw just discussed the iH8sn0w source, not this source, unless I missed something?
• "inclusion of this by SaurikIT(Cydia)'s Dreamyshade maybe COI because this program just happens to auto-install its software, and also utilize saurikIT server" - redsn0w is a notable tool for handling SHSH blobs, and it was the first public tool that could stitch SHSH blobs in a way that bypasses the nonce requirement, so I believe including it is justified. All recently-released jailbreaking tools install Cydia by default, so I don't have any special reason to recommend redsn0w instead of a different tool. Also, as I believe I've explained, my COI is pretty indirect here.

Maybe we're getting to the point where I should start a Wikipedia:Reliable sources/Noticeboard post listing the article's disputed sources, to get more opinions? Dreamyshade (talk) 02:47, 10 January 2013 (UTC)

inherent notability

user mkdw brought a very valid point that notability is not inherent. It appears that "SHSH blob" is a cryptographic nonce and the in-depth discussion of jail breaking or describing the term as "jailbreaking" related term is highly WP:BIASED and just because SHSH became widely known for jailbreaking alteration to iPhone does not mean its worthy of inclusion. Cydia is a software as well as namesake service that provide online service related to it. Editor disputing the tag is an employee of the said small company. Use of Cydia is requires jailbreaking. Handling of "SHSH blob" is a part of Cydia function. I can't help but notice hidden COI. Cantaloupe2 (talk) 10:50, 9 January 2013 (UTC)

I believe that the secondary sources covering this topic show that it's notable, and I believe they support including discussion of jailbreaking and Cydia. I could provide a list of quotes from the sources if you'd like. I'll also point out again that there was an equivalently detailed article on this topic before I started editing it; multiple unaffiliated editors over multiple years considered it worthy of an article. (Also, SHSH blobs are not cryptographic nonces.) Dreamyshade (talk) 11:18, 9 January 2013 (UTC)

please don't imply that this kind of system is made for security

Saying this would be biased in favour of Apple's interests, this over-engineered system is obviously made to stop the user from freely installing old OS version (which are most likely jailbreak-able) and Apple for some reason doesn't like their users making arbitrary use of their legally-owned device. 5.90.60.215 (talk) 09:38, 8 April 2024 (UTC)