Which was then used to enable privilege escalation in an exploit.
https://mrnbayoh.github.io/basicsploit/
Nintendo is doing far more to prevent piracy and homebrew than they ever have before. It's no surprise to anybody who's familiar with this stuff that they aren't okay with arbitrary code execution, especially if none of the interpreter code was vetted/audited by anybody security conscious. I'm even surprised so many people here aren't getting it.
I will point out that the Switch already supports untrusted and unvetted code execution—it's called Javascript. The Nintendo Switch may appear to not have a web browser, but it pops up when you try to log into a captive portal. Without it, no one would be able to use public wifi hotspots.
I will also note that Nintendo hasn't exactly done a great job at preventing piracy or homebrew on the Switch—both are available provided you have a somewhat older model, and on the latest firmware even.
They did make efforts to hide the browser and I assume they were constrained by the need to enable users to access captive portals. A random Ruby interpreter by some developer not part of Nintendo is not in any way necessary for them, so there's no reason for them not to take the game down. Which they did. The reason why should be obvious.
As for their efforts: They've made far more effort than they ever have before. Using homebrew or custom firmware effectively means you can't ever use that device online again (which wasn't the case for earlier consoles).
Are you suggesting that just because they've made mistakes that they would be in any way inclined to let the Ruby thing go?
> Are you suggesting that just because they've made mistakes that they would be in any way inclined to let the Ruby thing go?
I didn't mean to suggest that! Sneaking a Ruby interpreter into a game without telling Nintendo was stupid, and Nintendo's response was entirely logical and acceptable.
However, if Nintendo had known about the Ruby interpreter and had reviewed it beforehand, but denied it anyway... well, I still wouldn't find that particularly scandalous, but I would say it's a bit of a dumb precaution on a device with a Javascript engine.
And if Nintendo is hiding the web browser on security grounds, that's dumb too! Who cares if the browser is hidden—as long as it's accessible, the people who'd use it to hack their consoles will jump through whatever hoops are necessary. Making the browser hard to open only hurts regular users.
I find it more likely that the browser is hidden because it's too buggy and unstable for widespread use. I've played with it, and it likes to crash. A lot.
Show me a captive portal that exploits a hole in the security of the Switch, and I'll show you a whole line of captive portals that will very soon no longer load on a patched Switch. Also, I don't think JavaScript is required by most captive portals. Form tags don't require JavaScript.
Recovery Mode was the fault of Nvidia, not Nintendo. Soon after that was discovered, the silicon for the Switch was iterated and now you need a signed binary, even in recovery mode.
They plug holes as soon as they find them. I don't think it's fair to compare the relatively limited number of people that work at Nintendo to the literal army of people that work to break Nintendo's work every day.
Edit: Oh, the particular article I linked has you use a public, specially-crafted DNS server, instead of setting one up on your home network as I've done in the past. Oh well, same principle.
Plenty of captive portals do indeed require Javascript, which is why the Switch's web browser supports Javascript.
