Slashdot Mirror


User: LordLimecat

LordLimecat's activity in the archive.

Stories
0
Comments
10,208

Comments · 10,208

  1. Re:Upstart or Systemd? on Ubuntu 15.04 Released, First Version To Feature systemd · · Score: 5, Funny

    I'm sure RedHat engineers have no frigging clue what they're doing; they should troll the Slashdot boards more often for the grains of wisdom found here.

  2. Re:Good enough to criticize the mechanisms on Researcher Discloses Methods For Bypassing All OS X Security Protections · · Score: 0

    I don't believe I ever used the word trivial in this comment thread, and your incredible hostility doesn't really make me want to respond to the question on 2012 / 2013. Congrats, you figured out how to "win" a discussion!

  3. Re:Good enough to criticize the mechanisms on Researcher Discloses Methods For Bypassing All OS X Security Protections · · Score: 4, Informative

    It's done every year at Pwn2Own.

  4. Re:Words without actions are meaningless on D-Link Apologizes For Router Security · · Score: 1

    I do know that it will prevent unsolicited traffic from the wan port into the lan section as long as the connection was not already open from the lan side.

    This is not entirely correct, and is his entire point. Someone who is directly connected to the WAN of your router COULD access a port on the inside by manually supplying a route to your private network.

    The security value of NAT is that WAN hosts do not generally have a way of routing traffic to your internal private subnet. However, if an attacker had control of every router between them and you, they could manually set up a route into your network.

    In that sense he is correct: NAT doesn't provide any guarantees, because hypothetically a hacker could first hack your ISP, set up static routes to your internal NATted network, and then directly access your internal network remotely.

    The reason I continue to say it IS security is because NO security measures are absolute, and security is about layering to reduce risk. Taking the set of attackers from "Everyone on the internet" to some subset of that is an increase in security.

    To demonstrate how this all works, let's use the following:

    Your private network:
    Computer: 192.168.50.5 (listening on port 80)
    Router: 192.168.50.1

    WAN:
    Your router: 1.1.1.1
    Your ISP's router: 1.1.1.2
    My ISP's router: 9.9.9.2
    My router: 9.9.9.1

    If I wanted to access your computer, and you had no active connections, I would be unable to: your router would not automatically map any connections to 192.168.50.5, so any connections to 1.1.1.1 / port 80 would just get discarded with your router saying "WTF am I supposed to do with this?". However, if a packet arrived at your router addressed to 192.168.50.5 directly, your router would happily pass that packet on through.

    The security here comes from the fact that if my router addresses a packet to 192.168.50.5, it will not know where to send it and will drop it. If I added a manual route to my router saying "packets to 192.168.50.5 go to 9.9.9.2", it will route it to my ISP's router, who won't know where to send it, and will drop it (I believe it will send a "no route to host" ICMP message). Similarly, traceroute 192.168.50.5 will give "no route to host".

    In order for me to break into your network, I would need to take control of both ISP routers (9.9.9.2 and 1.1.1.2), and add a manual route indicating how to route those packets (or modify the OSPF or BGP configuration to distribute those routes). The spec around private addressing in general is where the real security comes from, as it indicates that proper behavior is to not route packets addressed to a private RFC1918 address on the internet.

    NAT isn't broken; it isn't designed as a security function, but as a way of stretching addresses. Its ability to hide network details is somewhat of a side effect of that, and that provides the security function, but it's much simpler to just set up a stateful firewall than to set up NAT if all you care about is security.

    * RFC1918: in case this term isn't clear, it refers to non-routable subnets which are not tracked by the public internet addressing authority (IANA). These subnets are what most consumer routers come preconfigured with:
      + 10.0.0.0 - 10.255.255.255 (10/8 prefix)
      + 172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
      + 192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
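Editor's added example (not code from the comment above or from any router vendor): a small routing simulation of the scenario the comment lays out. The router names and addresses (1.1.1.1, 1.1.1.2, 9.9.9.2, 9.9.9.1, 192.168.50.0/24) come from the comment; the forwarding model is constructed. In this model "my router" has an ordinary default route toward its ISP, so a packet for 192.168.50.5 travels one hop and is dropped at the ISP router, which refuses to apply its default route to an RFC 1918 destination. Only when both ISP routers carry an explicit (attacker-added) route for the private subnet does the packet reach the LAN host.

```python
# Added example (editor's illustration, not code from the original comment):
# a small routing simulation of the scenario above. Addresses and router
# names come from the comment; the forwarding model is constructed.
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
DEFAULT = ipaddress.ip_network("0.0.0.0/0")
MAX_HOPS = 16


def is_private(addr):
    """True for any address inside the RFC 1918 ranges."""
    a = ipaddress.ip_address(addr)
    return any(a in net for net in RFC1918)


class Router:
    def __init__(self, name, wan_ip, lan=None, transit=False):
        self.name = name
        self.wan_ip = ipaddress.ip_address(wan_ip)
        self.lan = ipaddress.ip_network(lan) if lan else None  # attached LAN
        self.transit = transit  # ISP router: carries no RFC 1918 destinations
        self.routes = {}        # ip_network -> next-hop Router

    def add_route(self, network, next_hop):
        self.routes[ipaddress.ip_network(network)] = next_hop

    def forward(self, dst, path=None):
        """Forward a packet addressed to dst. Returns (verdict, hops taken)."""
        path = [] if path is None else path
        path.append(self.name)
        d = ipaddress.ip_address(dst)
        if len(path) > MAX_HOPS:
            return "dropped: TTL exceeded", path
        if d == self.wan_ip:
            return "delivered to router itself", path
        if self.lan is not None and d in self.lan:
            return "delivered to LAN host", path
        candidates = [n for n in self.routes if d in n]
        if self.transit and is_private(d):
            # A transit router never applies its default route to a private
            # destination; only an explicit (here: attacker-added) route counts.
            candidates = [n for n in candidates if n != DEFAULT]
        if not candidates:
            return "dropped: no route to host", path
        best = max(candidates, key=lambda n: n.prefixlen)  # longest prefix wins
        return self.routes[best].forward(dst, path)


def build_topology(attacker_controls_isps=False):
    """Wire up the four routers from the comment; return 'my router'."""
    your_router = Router("your router 1.1.1.1", "1.1.1.1", lan="192.168.50.0/24")
    your_isp = Router("your ISP 1.1.1.2", "1.1.1.2", transit=True)
    my_isp = Router("my ISP 9.9.9.2", "9.9.9.2", transit=True)
    my_router = Router("my router 9.9.9.1", "9.9.9.1")

    your_router.add_route("0.0.0.0/0", your_isp)
    your_isp.add_route("1.1.1.1/32", your_router)
    your_isp.add_route("0.0.0.0/0", my_isp)
    my_isp.add_route("9.9.9.1/32", my_router)
    my_isp.add_route("0.0.0.0/0", your_isp)
    my_router.add_route("0.0.0.0/0", my_isp)

    if attacker_controls_isps:
        # The hypothetical from the comment: both ISP routers compromised and
        # given static routes for the victim's private subnet.
        my_isp.add_route("192.168.50.0/24", your_isp)
        your_isp.add_route("192.168.50.0/24", your_router)
    return my_router


def send_from_my_router(dst, attacker_controls_isps=False):
    """Verdict and hop list for a packet injected at 'my router'."""
    return build_topology(attacker_controls_isps).forward(dst)


if __name__ == "__main__":
    for dst, owned in (("1.1.1.1", False), ("192.168.50.5", False),
                       ("192.168.50.5", True)):
        verdict, hops = send_from_my_router(dst, owned)
        print(f"{dst:14} isps_owned={owned!s:5} {verdict:28} via {' -> '.join(hops)}")
```

The transit filter is the whole point: the public address 1.1.1.1 is reachable end to end, while 192.168.50.5 dies at the first ISP hop even though "your router" would forward it happily if it ever arrived. The hop limit is there because the two ISP routers point their default routes at each other, which is what a real TTL guards against.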

  5. Re:Words without actions are meaningless on D-Link Apologizes For Router Security · · Score: 1

    If you want to run a test, I will turn off my stateful firewall and give you my current WAN address, and the private IP of a host running a web server; the test would be to see whether you are able to determine what the text of that webserver is.

    You won't be able to, however, because as we all know no ISP in the world is going to route your packet, because the destination address will be RFC1918: not because they're good guy ISPs, but because they can't. This proves the point: the use of NAT, even in the absence of a firewall, removes you from the pool of potential attackers, along with anyone not living in the same geographical area as me.

    On the first page of Google results, more than half the tutorials for setting up a NAT router leave people with a configuration that allows inbound connections into their entire LAN.

    That's not my deal. People shouldn't rely on NAT solely; I do not disagree. Stateful firewalls are a dime a dozen. But your constant statement that NAT has no security value whatsoever is clearly incorrect.

    You don't fight ignorance with half truths. You can combat incorrect configurations by saying "yeah, this is better than nothing, but it's extremely poor practice in any case."

    I don't admit I'm wrong not because I'm stubborn, but because the security value given by NAT is affirmed by several vendors, none of whom dispute the potential vulnerability you present, but who nevertheless would mark NAT as a part of a security strategy alongside a firewall. If you want me to reject everything I know about routing, and public / private addressing, and everything these vendors are saying, you need to come in here with a lot more than a simple experiment that won't work on the production internet.

  6. Re:It's my choice to kill my kid! on Bill To Require Vaccination of Children Advances In California · · Score: 2

    The issue is also whether you allow society to dictate what medical procedures are performed on your body.

    Let's not forget the fine history of unethical human medical experimentation in the United States. And people think we should just give the government carte blanche to dictate medical procedures?

    Unbelievable. Something about history, and being doomed to repeat it...

  7. Re:...and adults too. on Bill To Require Vaccination of Children Advances In California · · Score: 2

    It's not about someone's snowflake not tolerating a needle, it's about living in a society where such things as "what medical procedures we perform" are family decisions rather than societal ones.

  8. Re:It's my choice to kill my kid! on Bill To Require Vaccination of Children Advances In California · · Score: 1

    The real problem is that the medical community has done a lot over the years to make people justifiably hesitant to blindly trust their every whim.

    That said, this headline is misleading: immunization is a requirement to use public schools, but public schooling is not required.

  9. Re:Progressive Fix 101 on Cheap Gas Fuels Switch From Electric Cars To SUVs · · Score: 1

    You want a lot of progress, quickly? Get a dictator.

    Want a free society? Accept that changes are going to be slow because there isn't a dictator.

  10. Re:Words without actions are meaningless on D-Link Apologizes For Router Security · · Score: 1

    I can tell you that if my memory serves me correctly NAT works by changing the last two digits of the mac address on the packets going out so that when they come back in the box knows which port to traffic to.

    That's not really what it does, though it's sort of close.

    NAT covers a large number of different scenarios; the specific one we are discussing is known as Source NAT, or dynamic NAT (or PAT, in the Cisco world).

    In this scenario you have a range of private IP addresses that are not publicly routable, and a single publicly routable WAN IP address to be shared among those private hosts. Each IP packet sent will have a source IP, source port, destination IP, and destination port. The router takes each outbound packet, tears down the layer 2, 3, (and possibly 4) headers, and re-writes the "source" port and IP address using a "pool" of NAT IPs and ports. It forwards the rewritten packet on, and stores in a table the mapping of the private host's IP and source port to the NAT IP/port. Return packets matching that pair of NAT IP/port will be translated (rewritten) to target the private host that originally sent them.

    The argument being made is that technically this mechanism does not, in itself, identify and block unsolicited traffic-- which is correct. Technically if you were to guess a mapped pair, you could sneak an unsolicited packet through; if I've opened a connection to Google, (my private IP: 192.168.50.5) and my NAT'd IP/port is "5.5.5.5 / 5238", ANYONE could send a packet to that pair and it should get forwarded through.

    In reality, there are problems with this that make it difficult to do, the most obvious being that the private host will simply reject that packet, as it does not match an active TCP connection that it recognizes. Additionally, this does not work with listening services (which will not have a PAT mapping, as they aren't generally initiating connections), and if there are no active conversations no one on the internet will be able to get their traffic to the private host, as the router simply won't have any active NAT mappings: it won't know what to do with the unsolicited traffic, and will dump it.

    The "attack" being described is simply to set up a static route on your machine which tells it "ah, but _I_ know how to get to 192.168.50.5: it's through 5.5.5.5!". This could work, as indeed the router would know how to handle the 192.168.50.5 address; the problem is that no other router on the internet will accept a packet destined for that IP address, and you can't just tell those routers how to route the packet. So this attack only works if you are right next to your target: either their ISP, or some hacker who is on the same cable drop as your neighborhood.

    This is why I call it security: if you have no other firewall, NAT (of the sort we mean when discussing consumer routers) will at least ensure that no geographically removed attackers can access your private network, simply by virtue of every other router on the internet refusing to carry the traffic.

    The real crux of this argument is that the AC is being pedantic and obnoxious, and conflating static NAT (his iptables examples) with the sort of NAT found on every consumer firewall. If someone is setting up an iptables NAT, they almost certainly are aware of what doing a default policy of ACCEPT will do: it will remove any sort of filtering and all security. But that's not what the context of the conversation was, which is why there's a disagreement here.
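Editor's added example (not code from the comment above, and not any router's real implementation): a toy model of the dynamic source NAT / PAT table the comment describes. The inside host 192.168.50.5, WAN address 5.5.5.5 and NAT port 5238 come from the comment; the remote peer 203.0.113.10 and the attacker's source port are constructed. The `stateful` flag is an assumption added to show the contrast the thread keeps circling: plain PAT forwards anything that hits a mapped WAN port, while a stateful firewall also checks that the packet comes from the peer the inside host actually talked to.

```python
# Added example (editor's illustration, not code from the original comment):
# a toy model of the dynamic source NAT / PAT table described above.
# Addresses follow the comment (inside host 192.168.50.5, WAN 5.5.5.5,
# NAT port 5238); the remote peer 203.0.113.10 is a constructed stand-in.
import ipaddress
import itertools
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PatRouter:
    """Rewrites outbound source IP:port to WAN IP:pool-port and undoes it
    for matching return traffic. With stateful=True it also behaves like a
    stateful firewall: only the peer the inside host talked to may reply."""

    def __init__(self, wan_ip, lan, first_port=1024, stateful=False):
        self.wan_ip = wan_ip
        self.lan = ipaddress.ip_network(lan)
        self.stateful = stateful
        self.ports = itertools.count(first_port)  # the "pool" of NAT ports
        self.inside_to_port = {}  # (private ip, port) -> WAN port
        self.table = {}           # WAN port -> {"inside": ..., "peers": set()}

    def outbound(self, pkt):
        """Translate a LAN->WAN packet and record the mapping."""
        inside = (pkt.src_ip, pkt.src_port)
        if inside not in self.inside_to_port:
            port = next(self.ports)
            self.inside_to_port[inside] = port
            self.table[port] = {"inside": inside, "peers": set()}
        port = self.inside_to_port[inside]
        self.table[port]["peers"].add((pkt.dst_ip, pkt.dst_port))
        return replace(pkt, src_ip=self.wan_ip, src_port=port)

    def inbound(self, pkt):
        """Handle a packet arriving on the WAN side; None means dropped."""
        if ipaddress.ip_address(pkt.dst_ip) in self.lan:
            # Already addressed to a private host (the route-injection case in
            # the thread): nothing to translate. Without a firewall the router
            # forwards it untouched; a stateful firewall has no state and drops.
            return None if self.stateful else pkt
        if pkt.dst_ip != self.wan_ip:
            return None  # not for us
        entry = self.table.get(pkt.dst_port)
        if entry is None:
            return None  # no mapping: the router has no idea where to send it
        if self.stateful and (pkt.src_ip, pkt.src_port) not in entry["peers"]:
            return None  # a stranger guessed the WAN port; state check rejects it
        inside_ip, inside_port = entry["inside"]
        return replace(pkt, dst_ip=inside_ip, dst_port=inside_port)


def scenario(stateful):
    """Run the thread's scenario; returns a dict of translated packets (or None)."""
    r = PatRouter("5.5.5.5", "192.168.50.0/24", first_port=5238, stateful=stateful)
    out = r.outbound(Packet("192.168.50.5", 40001, "203.0.113.10", 443))
    return {
        "outbound": out,
        # genuine reply from the peer we contacted
        "reply": r.inbound(Packet("203.0.113.10", 443, "5.5.5.5", out.src_port)),
        # someone else guessed the mapped WAN port
        "guessed": r.inbound(Packet("9.9.9.1", 31337, "5.5.5.5", out.src_port)),
        # unsolicited packet to a port with no mapping at all
        "unsolicited": r.inbound(Packet("9.9.9.1", 31337, "5.5.5.5", 80)),
        # packet that somehow arrived already addressed to the private host
        "direct": r.inbound(Packet("9.9.9.1", 31337, "192.168.50.5", 80)),
    }


if __name__ == "__main__":
    for mode in (False, True):
        print(f"stateful={mode}")
        for name, pkt in scenario(mode).items():
            print(f"  {name:12} {pkt}")
```

With `stateful=False` the "guessed" and "direct" packets both reach 192.168.50.5, which is exactly the window the comment concedes (and which the inside host's TCP stack, not modelled here, would then reject); only the packet with no mapping at all is dropped. With `stateful=True` all three unsolicited packets are dropped and only the genuine reply is translated.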

  11. Re:Words without actions are meaningless on D-Link Apologizes For Router Security · · Score: 1

    Then go get a job at Cisco or SANS as their chief security engineer, because you clearly know better than them.

    I mean, hey, what would Cisco know. They're just the folks behind the PIX, the first device to support NAT.

  12. Re:Words without actions are meaningless on D-Link Apologizes For Router Security · · Score: 1

    3 points.

    1) Security measures are measures which mitigate vulnerabilities. Mitigations can involve avoiding an issue, or reducing risk. When you take the potential pool of attackers from "the entire internet" and reduce it to "people with direct access to the link between me and my ISP", you have reduced risk. This is Security 101 stuff; it's called "risk assessment".

    2) No one is suggesting NAT is the best security ever, just that it provides some degree of security by way of mitigating some threats. Other threats it does not mitigate, and that doesn't really matter because almost no one relies exclusively on NAT anyway.

    3) I've provided sources to a number of vendors; I could easily find more. You still have yet to explain why we should toss out Cisco and SANS' explicit statements that NAT constitutes security, and trust your random internet rant. Put up, or shut up.

  13. Re:Drug dogs on Supreme Court Rules Extending Traffic Stop For Dog Sniff Unconstitutional · · Score: 1

    Because people think the dog is what is doing the detection, when it is not. Like a placebo drug, there may be a beneficial effect, and it may involve the placebo, but it is not due to any characteristic inherent to that placebo. Rather, it is the knowledge that the placebo is present that is useful.

    To spell it out more clearly, cops may have very good hunches that someone has drugs, but they can't legally stop that person. The dog acts as a placebo: he "signals" that there are drugs, and everyone believes the dog has detected drugs, but it's not the dog doing the detection, it's his handler who triggered him.

    I'm sure some dogs DO detect drugs, but the above scenario has been reported a number of times.

  14. Re:Drug dogs on Supreme Court Rules Extending Traffic Stop For Dog Sniff Unconstitutional · · Score: 1

    A lawyer won't be able to queue up an alert because the dog hasn't bonded with him.

  15. Re:Drug dogs on Supreme Court Rules Extending Traffic Stop For Dog Sniff Unconstitutional · · Score: 2

    He actually does know what placebo means, because I've seen articles suggesting what he's saying.

    That is, however good a dog's sense of smell is, the real successes come from cops with hunches whose attitude towards the suspect triggers the dog into a "response". Apparently a drug dog response constitutes probable cause, and it's well known that dogs are quite attuned to the behavior / stance of their handlers / owners and can be triggered into an aggressive response by the handler.

  16. Re:as long as they implement this interface... on Tor Is Building the Next Generation Dark Net With Funding From DARPA · · Score: 1

    Wouldn't you want that to return a boolean or a pointer?

  17. Re:So about 8' from my front door? on USPS Shortlists 'HorseFly' Octocopter Drone Delivery Service · · Score: 2

    I'm 90% sure that image is a mockup. The link to Federal Times has a much more realistic image.

    The Federal Times also notes that the drone is 10 lbs, which further cements my belief that the massive drone in the picture is a mockup or test device.

  18. Re:Limited appeal on The Logistics of an eSports Tournament · · Score: 2

    LoL and Starcraft have been doing esports for many many years now. LoL in particular has been growing quite a bit even as SC2 tapers off in enthusiasm.

    Heck, check the page for LoL eSports' Spring 2015 playoffs. Playoff games are getting 250,000 viewers.

  19. Re:Can we all agree on Broken Beer Bottle Battle In Debate Over Merits of Android Over iPhone · · Score: 1

    Siri does not work with all applications like a keyboard does. I cannot open an arbitrary app's arbitrary text field and dictate into it; this means the only reason I can dictate YouTube searches is because the YouTube app specifically implemented it.

    Try SwiftKey for Android and you will see what I mean. Dictation is a part of the keyboard, and does not rely on the "personal assistant" app knowing where to stick text.

  20. Re:ISTR hearing something about that... on New PCIe SSDs Load Games, Apps As Fast As Old SATA Drives · · Score: 1

    Interesting, I hadn't seen the 840/50 Pro reviews. They're somewhat exceptional in that regard, though; I'm not aware of general consumer SSDs being able to hold that level of performance.

    In any case I was responding to someone discussing the 840 EVO, which is an entirely different animal than the 840 Pro, and certainly cannot hold 30k IOPS.

  21. Re:Words without actions are meaningless on D-Link Apologizes For Router Security · · Score: 3, Insightful

    The "security" you attribute to NAT does not come from NAT, it comes from using "private" addresses.

    I'm pretty sure that's what I said, and no one is arguing that point. You're just insisting on being pedantic and condescending.

    Your original statement was that NAT is not security. This post of yours agrees that it is security in some shape. If we're agreeing there, then I don't think there's any reason to keep arguing. If you're disagreeing with that, I'd ask you to take it up with the links I provided and with Stack Exchange. I don't have the time to try to make Cisco and SANS' cases on their behalf, if you are unwilling to take their word on it.

    Besides, why do you trust your ISP not to snoop around on your network?

    Because it is an unusual attack scenario, and it would be illegal. It does happen, sure, and defending against a malicious ISP is far beyond the scope of most home security. Luckily for us every consumer OS made in the last 10 years has a stateful firewall, and every consumer router built in the last 10 years has a firewall, so it's not an issue.

    I mean good grief, 99% of home users are using the ISP provided DNS, and you're worried about probing through NAT in violation of the RFCs? DNS snooping is something that actually happens, and is actually legal. Risk assessment 101: focus on the probable threats.

    Without mentioning the need to filter incoming packets, that tutorial concludes: "A computer located in the internet is not able to establish a connection to a local computer, all he can do is address (a port of) the router and hope the best."
    Wrong, and leaves anyone who follows the tutorial vulnerable.

    As mentioned already, it is impossible in the absence of a published route to your network for someone to reliably send packets directly into a dynamically NATted network. The fact that someone could splice onto your cable network is irrelevant, because at that level of effort they could probably climb in through your window and just steal all of your equipment. You're talking about extremely esoteric attacks.

    You're really doing people a disservice by perpetuating the myth that NAT adds security.

    I'm perpetuating the stance of major infrastructure vendors. Argue with them. I imagine you could contact support@cisco.com and explain why their statement that NAT fulfills a security role is incorrect.

    In the meantime I would suggest you cut the condescending attitude.

  22. Re:ISTR hearing something about that... on New PCIe SSDs Load Games, Apps As Fast As Old SATA Drives · · Score: 1

    If you're asking "what is my proof", check out any AnandTech review's "consistency" test on SSDs.

    If you're asking what the cause is, I would assume there's a buffer that's getting saturated, or else a cache that is exhausted, or perhaps the SSD controller's CPU gets pegged. Whatever the cause, most SSDs will sustain very high IOPS for a short period of time before falling into a "steady state pattern". For some SSDs it is a wildly swinging pattern; others (higher quality) hold a pretty steady rate around 5-6 IOPS.

  23. Re:Can we all agree on Broken Beer Bottle Battle In Debate Over Merits of Android Over iPhone · · Score: 1

    Android lets you change keyboards. iOS has something that appears to do this, but it randomly reverts (such as when entering passwords) and is terribly limited compared to Android, not even supporting dictation.

  24. Re:why? on New PCIe SSDs Load Games, Apps As Fast As Old SATA Drives · · Score: 1

    There's certainly a bandwidth penalty.

  25. Re:ISTR hearing something about that... on New PCIe SSDs Load Games, Apps As Fast As Old SATA Drives · · Score: 1

    It's worth remembering that that 98k IOPS will rapidly drop to 2-10k for basically every SATA based SSD on the market. The 750 being advertised here is the first one I've seen sustain 20k.