I've been using UNIX for 30 years, I've worked on safety-critical software and in the control systems industry for 20 years, and I was solely responsible for network security for over a decade of that. I'm pretty familiar with this stuff.
On OS X, sandboxing is different. Please read a couple of pages from Apple mailing lists before comparing it to its bad photocopy.
The problem is that it is not in principle possible to build a sandbox around an application like Safari that would both permit it to do the useful things it is supposed to do and prevent it from doing malicious things.
* If Safari can make connections to websites, then Safari can make connections to botnet peers and engage in attacks on websites.
* If Safari can send mail, it can send spam.
* If Safari can read my keychain, it can read my website passwords and pass them to an attacker.
* If Safari can open my bank's web page, it can transfer money out of my account.
* If Safari can upload files, it can upload them places I don't want it to access.
* If Safari can download files, it can "download" garbage over the files I value.
* If Safari can do the things I need Safari to do, a compromised Safari can do the things I don't want it to do.
A sandbox can not protect the things in my computer that I care about from the applications that manipulate them. The only sandbox that is secure is one that does not allow the application the ability to access any non-volatile resources on my computer, except those that are strictly restricted to the sandbox and not used by any other application. Oh, and it can't make network connections, except in very specific conditions... for example, the Java sandbox lets the application connect back to the originating site.
THAT is a security sandbox.
I don't think I would be happy running Safari or Mail under something like that.
OS X "stupid security" dialogue works well, so damn well that it is able to figure out Adobe AIR applications the user installed over the web.
But you want to run them, don't you, so you go ahead and approve them, and you are trained to approve these dialogs. I've watched that scenario play out time and time again, with the same people coming back to me saying "I clicked the wrong button again, I think I've got a virus".
By signing it, you just make sure your files aren't tampered with after the user trusts it, so no lamers take advantage of your application (and users' trust).
I was building the tripwire configuration for my Cheswick-Bellovin bastion firewall back when Steve Jobs was still at NeXT. I know about the capabilities, restrictions, limitations, and drawbacks of far more pervasive and complete file security mechanisms than what Apple has implemented. Particularly the drawbacks...
If an attacker is in a position to modify my applications, then there is nothing OS X can do to stop him, he has already got the keys to the kingdom. He already has remote root access, however achieved, and he's not going to hide a trojan horse inside Mail.app, he's going to hide it in /private/etc/somethingobscure, running as root, and use Mach injection to patch Mail.app on the fly.
As for your linked story: "If you mess with the Adium binary in any way, you will invalidate the signature, and access to secure resources -- specifically keychain items where your passwords are stored -- will be disallowed by Mac OS X."
That's a hell of a drawback. That by itself is enough to make me hold off installing Leopard until I've got time to look up how to disable that paranoid security theatre.
There's a flaw in the design. If a component is signed, that doesn't mean that it's safe to run, it just means that it's signed.
An attacker could provide a signed executable that has a known flaw, and attack that after it was run. So even if an executable is signed, and it's from an untrusted source, you still have to pop up a dialog and make the user decide whether you're going to run it based on what you know about it. Most people are going to just say "yes", because Microsoft has trained them to say "yes" to everything otherwise they can't get any bloody thing done.
So, basically, signed executables reduce security.
So if they open up an old box of Legos, does that make it less valuable in a court case?
Yes. If it's unopened, that's more convincing proof that the weird shaped piece the suit is about really was in that set as it was shipped. If it's been opened then they might have slipped it in after the suit.
(don't you mean Inconceivable?)
Well, maybe not impervious, but OS X is water-resistant (to a depth of 15 meters) and fire-retardant (up to 451F, this may be reduced if fans are present).
Yes, those are also security dialogs. Yes, that was supposed to be a security feature.
The first ones were in Internet Explorer and Outlook, asking if you wanted to open or download a file, and if you wanted to allow executable content to run.
You can run it via SSH as long as someone is logged into the console.
If you can ssh in, you already have local access.
"Local" is the counterpart of "remote". A "remote exploit" is one that you can perform without already having local execution access on the machine.
What you are talking about is "physical access".
UAC is as much about putting social pressure on application vendors to write applications that take advantage of the multi-user security as it is about backwards compatibility.
I'm not talking about UAC. I'm talking about all the stupid security dialogs that Microsoft has added to Windows over the years. I could have made this comment any time in the last decade... in fact I have. Many times.
UAC is nothing more than the latest player to tread the boards of Microsoft's Security Theater.
Address space randomization and no-execute are useful tools.
Code signing and sandboxing are nothing more than speedbumps, like the stupid security dialogs in Windows that are leaking into OS X.
The places to strengthen are the front lines, because once the attacker's gotten into a place where he can modify applications or attack an OS sandbox he's already running local code and he's already gotten virtually everything he needs to **** you.
It's a local-only root privilege escalation exploit.
If you're in a position to exploit this, you're already running code with full local user privileges.
Once the system is penetrated, it's game over. You don't need to get root access, or Administrator access, or even break out of the "Reduced Security" sandbox to win basically everything that the guy writing the malware actually needs. Multiuser security is there to protect users from each other, not from themselves.
Recent studies of anti-lock brakes and safety have discovered that ABS doesn't improve safety in general. It improves braking, by letting people brake faster and smoother, but people get used to it and enough people end up depending on ABS that they end up just braking later and when they need the extra edge from ABS they've already used it up.
Before going off half-cocked proposing more layers of complex software that has to work correctly to maintain system integrity (because if it's there, enough software developers will end up depending on it), how about looking at what features of systems promote malware distribution? Design applications so they are inherently safe, rather than filling them with holes and backfilling with kernel patches and warning dialogs?
With MS split up, they couldn't "collectively" do anything.
Are you familiar with the concept of a public stock company?
Bill Gates could have stayed with the OS side, or the Apps side, but not both.
And right now he's with neither side.
You know, I can't really summon up a lot of worry about the idea that the richest man in the world might have retired a few years earlier. My heart fair bleeds for the poor bastard, it does.
Hey, I was all about opening up the TLDs back in the '80s, I worked on getting one of the first open TLDs (.dot) running under The Internet Namespace Cooperative (TINC). But it doesn't matter any more.
Because "COM" is "the" top level. Who the hell cares about "name" or "per" or the rest of the "we are not COM, but..." domains? It's too late, it's a done deal, "COM" is the top level, everything else is parochial.
So don't fight over who's going to be ".sex", people will still pay more for "sex.com", and when you say your email address is "you@yourname" you better make sure that "you@yourname.com" works as well.
Everyone is stupid except for you. You have never made a stupid mistake or had a bug or a vulnerability.
Oh no, I've been stupid, often enough. I'll happily admit that, because concentrating on the "stupid" bit is completely missing the point.
The point isn't that it's stupid to worry about buffer overflows.
The point is that the mechanism you're talking about, code injection attacks similar to the SQL injection attacks, don't need buffer overflows. Because once you've pulled a Ruby code injection attack you've already got full control. It's like the skit about the burglar who needs a knife, so he opens the kitchen door of the house he's breaking into, grabs a knife, then goes back out to work on the window he's trying to lever open...
I fail to see how any of the companies spawned from MS break up would be competing though.
Well, the Windows group is competing with the Embedded group, and managed to scuttle a bunch of WinCE-based devices in favor of NT-based ones that couldn't be made cheaply enough to compete.
The Excel group were still a bit of a rogue division in 2000, trying to make the best product instead of trying to best support the Windows-Office codependent monopoly.
Windows Service for UNIX is in direct competition with Win32 and .NET, and of course .NET and Win32 are competing with each other.
Split them up and the bits that have been muzzled lest they step on the monopoly's toes would have a chance at actually competing. Maybe not directly competing with each other, but no longer avoiding the appearance of becoming part of that competition.
Otherwise, well, remember DEC? Used to have some great products, but they refused to get serious about the personal computer market for fear of losing mini and mainframe sales, so their personal products were overpriced and underpowered. Where are they now?
If Microsoft had been split into separate competing companies back when they lost the original DoJ lawsuit then:
(1) Microsoft would collectively be bigger and more profitable than they are now.
(2) Microsoft would be largely free of this kind of oversight.
Why did they fight so hard to remain a regulated monopoly instead?
What does government oversight of Windows 7 have to do with making viruses harder to spread?
The kernel of the Vista operating system includes machine learning to predict, by user, the next application that will be opened, based on past use and the time of the day and week. "We looked at over 200 million application launches within the company," Horvitz says. "Vista fetches the two or three most likely applications into memory, and the probability accuracy is around 85 to 90%."
How about doing something about the still-horrible VM page replacement algorithm in NT instead?
Invest a little in someone to make MySpace something people want to visit, instead of something that people go out of their way to avoid. Well, I go out of my way to avoid it; when I've got a choice of going to a MySpace page or trying another Google search I'll generally do another search.
I mean, not only is it slow to fetch all the images and painful to navigate but it's about the only thing that's uglier than Apple's "Platinum File Sharing".
The same people that let remote users enter arbitrary data into an SQL query [...]
You mean "if you're stupid enough to let someone sneak arbitrary Ruby code in via a form, then they can use this complex memory corruption attack instead of just opening up a backdoor shell"? Or what?
20 years ago it wasn't happening everywhere like it is today
Are you kidding? Or just too young to remember what it was like 20 years ago?
He's saying that this class of black holes must be created so frequently that there wouldn't be any stars if they were stable.
Which other country could have invented 'SuperMan', a mythical magic being who defeats America's enemies?
Superman mostly fought domestic crime. I think you're thinking of Captain America, or maybe Mallory's King Arthur... whoops, he's not an American, is he?
This was at Berkeley, one of the most liberal (hell, radical) colleges in the country.
1. Why would it make a difference whether the payment processor is using open source software or not? If they won't take donations from certain countries they can implement that on a closed source platform just as easily.
2. Only open source software can be misconfigured, or has problems with commas in unexpected places?
This has nothing to do with open source, and everything to do with not looking under the hood before you buy a used car.
Shouting the opponent down is an ecumenical problem.
However, this sort of thing has LONG been a major part of liberal actions - you pretty much can't voice a conservative idea at a college without being shouted down.
This isn't just a problem for conservatives, nor is THAT new. I've watched a left-wing rally at Berkeley of all places being upstaged by a conservative group, and that was over 20 years ago. I thought it was amusing, but then it wasn't my ox getting gored.
And that's the bottom line, you notice when your ox gets gored. You don't notice when it's doing the goring.
RMS has been talking that way for years. There's essentially no chance of him changing his ways at this point. This is especially true considering the fact that RMS' zealotry has netted him an impressive string of wins including a GPLed version of Java.
You sure that didn't happen *despite* his zealotry?