grack.com

UPDATE: Sprint just pushed an OTA update for these phones that may patch the root hole we’re using. Don’t install any OTA updates yet if you want root!

We (ozzeh, joshua, shadowmite and I) just put the teaser site together for the EVO root. More info coming soon!

Web: http://unrevoked.com, Twitter: @unrevoked

Painless root for your HTC EVO 4G.

UPDATE: Sprint’s OTA release last night fixes the serious vulnerability we reported to them. Kudos to them for moving so quickly. As an end-user, you’ll have to decide between being more secure with the OTA update or having root access to the device you own for now.

In the comments, Sean Doherty says:

We want to reassure everybody about some questions that have been raised about HTC EVO 4G.

We have a software update being deployed that corrects an issue with some MicroSD cards and also deploys a patch that will fix a potential security vulnerability. Users can install this update by going to Settings > System Updates > HTC Software Update on their EVO and following the instructions as prompted.

Sprint moved swiftly to make sure this was addressed.

Sean Doherty, Sprint Corporate Communications, @srdoherty

As you might know, I’ve been poking around in the guts of the HTC EVO with some other developers during the last few weeks of early EVO ownership looking to get access to root. It turned out to be fairly easy - a few hours into the investigation and we had access to root.

It turns out that this is a really, really bad thing for users. The Sprint customizations of Android are so bad that an Android application could get access to all of your data with very little work. It’s so bad that I would not recommend purchasing the Sprint EVO or Hero.

You are putting your data at risk of theft from not just one vulnerability (the one we’re releasing tomorrow), but a whole suite of vulnerabilities!

The hardest part of this is that we’re now in competition with Sprint trying to keep root access to the phone, so the idea of “responsible disclosure” works against what you’re trying to do. If end-users had full access to the phone, we’d be sending these vulnerabilities straight to Sprint. Since Sprint has decided to take the anti-user approach and lock down the phone, we’re basically holding all of these exploits close to our chest.

It hurts me to say this, but to help users take control of hardware they own, we have to expose them to security holes.

To handset manufacturers and carriers: if you give users the freedom to customize their devices, we’ll work with you directly to make sure those same users aren’t vulnerable out-of-the-box. Be more like Google and less like Apple and you’ll get an army of white-hats working to improve your product.

To end-users: choose phones, like the Nexus One, that don’t make you jump through hoops to take control. You bought it, it should be yours to hack and customize.

We’ll be releasing the unrevoked exploit tomorrow, but holding the details for a week or so. It’s such a blatant and dangerous hole that we felt that responsible disclosure was our only choice.

For the record, both Google and Sprint have been very proactive in plugging this hole. It would, however, be a lot easier for all parties involved if these devices weren’t locked down and we were all working to improve the user’s experience instead of building better mice and mousetraps.

First quick impressions of Safari extensions:

  1. Close enough to Chrome extensions that it won’t take much to port something over. (good)
  2. Settings API is interesting. I missed the point originally, but apparently Safari will build you a settings page from these. Will probably work for simple settings, but not sure if it’ll scale.
  3. Different API for buttons/context menus, but no real winner in terms of API design.
  4. Really don’t like having to get a certificate from Apple to develop. Regardless of Apple’s policies, this is the first browser that you need central approval to deploy to (none of IE, Firefox, Chrome or Opera needed it).
  5. No solution provided to build from command-line (we had to hand-roll one for Chrome too). Browser vendors need to get their act together here.
  6. The extension builder is a strange experience: you need to drop files in the directory, then head back to the builder to update things.

I can’t imagine it’ll take us longer than a few days to port the DotSpots extension from Chrome to Safari. It’ll take a while for us to integrate this into our automated build process though.

I signed up for a Balanced Copyright for Canada account to see what sort of astroturfing points they had in their “Daily Action Items” section. My account was deleted shortly after taking these screenshots.

You can see that they instruct their members to swarm any anti-Bill-C-32 articles as well as engage anyone who retweets them. Members are instructed to support any pro-Bill-C-32 articles or comments.

While the screenshots here are copyrighted by the owner of balancedcopyrightforcanada.ca, I believe that I have a fair dealing defence for publishing them here for analysis.

The Purpose of the Dealing: Is it for research, private study, criticism, review or news reporting? It expresses that “these allowable purposes should not be given a restrictive interpretation or this could result in the undue restriction of users’ rights.” In particular, the Court gave “a large and liberal interpretation” to the notion of research, stating that “lawyers carrying on the business of law for profit are conducting research”.

Apparently he denied this remark in messages to Michael Geist (and the video posted on balancedcopyrightforcanada.ca conveniently omits it):
