As long as the user changes the root password there is nothing any worms or hackers can do to your iPhone.

Unfortunately, the jailbreak community is advertising the jailbreak utilities to millions of users who have no clue what an ssh password is, much less how to change it.

And exactly how do you know that ssh is the only app that is dangerous when run outside the iPhone OS sandbox?
 
How about just changing the password? :rolleyes:

After the phone has already been on the net with the default password? Nuts! The phone could well have already gotten a nasty backdoor and rootkit installed, and is now 0wn3d by some botnet. Changing the ssh password does nothing to clean up that mess. Only way to clean up for sure is to reinstall a new OS using DFU mode, and set up the device as new.
 
One of the best examples is the XBox, which I'll bring up again...

The XBox is an irrelevant example. The courts declared that Microsoft has a monopoly position in personal computer operating systems.

That doesn't affect Microsoft's hardware and other businesses, which are not monopolies.
 
After the phone has already been on the net with the default password? Nuts! The phone could well have already gotten a nasty backdoor and rootkit installed, and is now 0wn3d by some botnet. Changing the ssh password does nothing to clean up that mess. Only way to clean up for sure is to reinstall a new OS using DFU mode, and set up the device as new.

Very good security hint. Thank you, firewood! Updated the step-by-step guides summary again.

So please help me to clarify: When exactly should a jailbreaker change the two SSH default passwords after downloading and installing OpenSSH? Before activating OpenSSH in SBSettings? (Is it possible to change passwords without activating?) What about using Airplane Mode just to be sure that the iPhone is not online? Bots can be pretty quick. Thx in advance for any hints.

Should I add in the summary:

Change the passwords before activating OpenSSH!
 
So when was the last time you smoked pot? I mean we're talking about The Netherlands. Liberal thinking. Tons of freedom. No way Apple is lucky there.

Never have. Am I missing something?

Answer to your question is below. It's the same, more or less, but with a couple of differences.

http://www.osnews.com/story/19682/The_Legality_of_EULAs_in_The_Netherlands

The dreadful EULA

First, let me explain what an EULA actually is. The End User License Agreement details how you may use the software it applies to. When you go to the store to buy Super Awesome Garden Designer 8.0 Ultimate Edition, you do not actually buy the software in question - you buy the right to use said software. Software falls under copyright law, and as such, the author must grant you the right to use that software - and for that right, you pay money.

In The Netherlands, an EULA constitutes a contract, and as such, you need to treat an EULA according to Contract Law. According to Engelfriet, this means there are four important steps in the process of establishing the legal power of an EULA: the formation of the contract, the offering of the contract, nullification of terms in the contract, and possible interference of other, possibly higher laws. Let's start at the beginning.

Formation

For a contract to actually be a contract in the first place, there needs to be a party offering something, and a party accepting that offer. In the case of software, the offered something is the right to use that software. If you acquire software via legal means, you technically don't need an EULA at all.

Software distributors solved this issue by forcing you to agree or disagree with the EULA during the installation process, before you can actually use the software - disagreement terminates the installation procedure, meaning you can't use the software. According to Engelfriet, this is a legally sound construction in The Netherlands, as the distributor is not legally obliged to offer you a choice between the terms of the EULA, or the normal user rights regarding software as defined by article 45j and 45k of Dutch copyright Law (you are allowed to run software on one machine, and you are allowed to make a backup).

So, a software distributor may force you to agree or disagree with the EULA, even if disagreement means you can no longer use that software. This seems awkward, and brings us to step two.

Offering

According to the anonymous source, the terms of an EULA are the same for all customers, and as such, they legally constitute 'algemene voorwaarden' (conditions/terms of use). Engelfriet agrees with this position. However, for conditions of use to be valid in The Netherlands, they have to meet certain criteria.

The first criterion is that the conditions of use must be presented prior to or during the making of the agreement; in the case of software bought in retail stores, it would be easy to argue the agreement is made during the actual purchase, which would mean that if an EULA is not presented then, it would be invalid.

However, there is a catch. To make sure that conditions of use (think: "all customers must wear a pink hat while in this store") do not have to be specifically presented to each user, Dutch law states that telling a user that the conditions of use can be found at location xyz, without specifically stating the conditions themselves, is also a valid way of presenting conditions of use, regardless of whether the user actively agrees with the conditions or not. In the case of an electronic sale, there is an extra requirement (besides presenting them electronically): the user must have the ability to save the conditions of use (to a file).

The second criterion states that the conditions of use must be presented in the right way. As Engelfriet explains:

The main rule is that you should get a piece of paper on which the EULA can be found. When an EULA is only presented on-screen, it constitutes an electronic agreement. Law then states that the EULA must be presented in such a way that it can be saved so that it is accessible at a later time. A .pdf or .doc file included in the zipfile satisfies this demand.

This last demand is crucial. The ability to copy/paste the text into a separate file does not satisfy this demand, as it requires too much effort on the user's end. If there is no straightforward way to reread the EULA at a later date, it is invalid.
 
Obviously someone who installs OpenSSH to copy and move files to his iPhone should change the root password. Or not install SSH at all.
Without SSH installed or with the password changed an attacker has no other way of getting remote access to one's iPhone.
Not everyone who jailbreaks has ssh installed.

Unfortunately, the jailbreak community is advertising the jailbreak utilities to millions of users who have no clue what an ssh password is, much less how to change it.

And exactly how do you know that ssh is the only app that is dangerous when run outside the iPhone OS sandbox?
 
This is what happens when you get two idiots who think they are going to do the world a favor and point out the SSH password issue.
You get people who notice the impact and make it far worse.
 
This is what happens when you get two idiots who think they are going to do the world a favor and point out the SSH password issue.
You get people who notice the impact and make it far worse.

Only impacts the idiots who ignore recommendation to change the default password.
 
Unfortunately, the jailbreak community is advertising the jailbreak utilities to millions of users who have no clue what an ssh password is, much less how to change it.

And exactly how do you know that ssh is the only app that is dangerous when run outside the iPhone OS sandbox?

I don't recall reading anywhere that jailbreaking is risk free.

In fact one of the links in my signature is the one where Apple had warned and continues to warn against jailbreaking.

The jailbreaking community is also ensuring the word is getting out about these security issues; on their pages, forums, and posting step-by-step how-tos. There will always be victims as not everyone chooses or cares to stay up to date on the latest happenings.
 
Well, it's entirely the user's fault for not changing the root password for SSH.

It's like setting up a machine with no firewall and setting up SSH to be usable directly by root, with the root password as 'root.' Who would do that? Only a fool. :)

There's a great book by Cliff Stoll called the Cuckoo's Egg, that is about this very thing - major universities and government agencies being hacked because the default Unix root account password was left unaltered. Sad to say the book was written about 20 years ago, and the situation is still common.

-B
 
So when was the last time you smoked pot? I mean we're talking about The Netherlands. Liberal thinking. Tons of freedom. No way Apple is lucky there.

Always nice to see The Netherlands in one simple phrase with pot....
What do you think we're doing up here... Watch some Dutch TV, and see that not all of us are smoking! haha :D

Meanwhile:
Official statement from ING:
http://www.ing.nl/particulier/inter...-update-mijn-ing/update-23-november-2009.aspx (use google translate :p)

And apparently the worm tries to infect other jailbroken iPhones too:
http://macwereld.nl/nieuws/2009/11/nieuwe_jailbreaksshworm_infecteert_ook_andere_iphones (use google translate :p)

Didn't see any message yet on the t-mobile.nl site
 
The XBox is an irrelevant example. The courts declared that Microsoft has a monopoly position in personal computer operating systems.

That doesn't affect Microsoft's hardware and other businesses, which are not monopolies.

The courts ruled that Microsoft committed acts of monopolization, not that they just happened to have a dominant market share. The difference being that one involves breaking the law (repeatedly, in Microsoft's case) while the other does not.

You said that "many of the things that Apple does would land Microsoft in hot water" yet you're unable to come up with even a single compelling example (your hypothetical collusion example was weak and far-fetched). My point stands: you're peddling a popular but untrue pro-Microsoft myth.
 
You said that "many of the things that Apple does would land Microsoft in hot water" yet you're unable to come up with even a single compelling example (your hypothetical collusion example was weak and far-fetched). My point stands: you're peddling a popular but untrue pro-Microsoft myth.

Apple includes a default web browser with its OS. Microsoft is not allowed to do that in Europe. http://arstechnica.com/microsoft/ne...gation-nears-end-as-eu-oks-browser-ballot.ars

How's that for a single compelling example?
 
Only impacts the idiots who ignore recommendation to change the default password.

Wrong.

It "impacts" a lot of people, especially the people at Apple. It gives them a bad reputation because many people don't even know what jailbreaking is, and will simply associate this as an iPhone worm.
 
Yeah, but didn't that all start out because Microsoft was trying to lock in a market with IE? While Safari is completely 100% W3C.

Opera is an EU company, and complained to the EC about IE. The EC is protecting an EU company from the evil monopolizer.

Anyway, the example shows something that Apple is doing, and Microsoft is prohibited from doing the same thing. A simple, compelling example of the point of an earlier post of mine.
 
Opera is an EU company, and complained to the EC about IE. The EC is protecting an EU company from the evil monopolizer.

Anyway, the example shows something that Apple is doing, and Microsoft is prohibited from doing the same thing. A simple, compelling example of the point of an earlier post of mine.

Well maybe they should make Opera suck less. Actually try to make a nice UI.
 