So, in this case, it would say "Expired certificate and invalid CA in chain of trust"
It wouldn't in the scenario I described. If you set the clock back the browser wouldn't consider the certificate to have expired. And to the browser the CA looks perfectly valid. Are you thinking about a different setup from the one I described?
Well, it should barf on any site signed by RapidSSL, even legitimate ones. Does anybody have an example of a site signed by RapidSSL?
You can't really be sure that it treats intermediate CA certificates the same way it treats leaf certificates unless you actually verified it.
Another way to test it would be to set up your own CA using openssl, import it into your browser, then create an MD5-signed sub CA certificate for it, and finally use the sub CA to make a certificate for your website. But does anybody know how to convince openssl to use MD5 rather than SHA-1 for signing certificates?
I probably should try that, it would also give a slightly better feeling for how the signing process works in practice. But right now it would be nice to be able to verify this setting without going through the steps of setting up the entire chain.
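One way to build the test chain the exchange above describes, as an added example that is not code from anyone in the thread: a root CA, a sub CA whose certificate is signed with MD5, and a leaf under it, followed by a check of how openssl's own verifier treats the chain. It assumes a modern openssl binary on PATH; the CA names, serial numbers and the host name test.example are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original thread): build a three-level chain in a
# temporary directory where only the sub CA certificate is signed with MD5, then
# see what `openssl verify` does with it. File names, CA names, serials and the
# host name test.example are constructed for this demo.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

build_md5_chain() {
    # Root CA: self-signed with SHA-256. The weak link is deliberately only the sub CA.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=Demo Root CA" -keyout root.key -out root.pem 2>/dev/null

    # Sub CA: a CSR signed by the root with MD5. The digest is chosen by the
    # -<digest> option of `openssl x509 -req` (here -md5), which is the answer
    # to "how do I convince openssl to use MD5 rather than SHA-1".
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=Demo MD5 Sub CA" -keyout sub.key -out sub.csr 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > sub.ext
    openssl x509 -req -md5 -days 30 -set_serial 2 -extfile sub.ext \
        -in sub.csr -CA root.pem -CAkey root.key -out sub.pem 2>/dev/null

    # Leaf: SHA-256 again, so any rejection must be caused by the intermediate.
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=test.example" -keyout leaf.key -out leaf.csr 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:test.example\n' > leaf.ext
    openssl x509 -req -sha256 -days 30 -set_serial 3 -extfile leaf.ext \
        -in leaf.csr -CA sub.pem -CAkey sub.key -out leaf.pem 2>/dev/null
}

# Prints the signature algorithm recorded in a certificate, e.g. md5WithRSAEncryption.
sig_alg() {
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/^ *Signature Algorithm: \([^ ]*\).*/\1/p' | head -n 1
}

# Succeeds (exit 0) when the chain is accepted at the given authentication level.
# Level 0 skips the digest-strength check; level 1 (what TLS uses by default)
# rejects an MD5-signed CA certificate, which is the behaviour a browser should show.
chain_accepted() {
    openssl verify -auth_level "$1" -CAfile root.pem -untrusted sub.pem leaf.pem >/dev/null 2>&1
}

build_md5_chain
echo "sub CA signed with: $(sig_alg sub.pem)"
if chain_accepted 0; then echo "auth_level 0: accepted (digest strength not checked)"; fi
if chain_accepted 1; then echo "auth_level 1: accepted (bad)"; else echo "auth_level 1: rejected (MD5 CA signature)"; fi
```

The same root.pem can be imported into a browser as a test trust anchor and leaf.pem served by a web server you control, which is the full test the post sketches.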
Not only is it a bad format, but it is also virtually impossible to get Word to display the screenshot 1:1 on your screen, so you are going to be reading some text that is blurry because it was scaled up or down a few percent. Well, I have experienced worse. A user once did the following to me:
Took a screen shot of Internet Explorer
Inserted the screen shot in a Word document (scaled down so the text was hardly readable)
Used the vector graphics features in Word to cover up a few pieces of sensitive information, and put a mark around some text that was wrong
Took a screen shot of Word
Inserted the screen shot in a Word document
Typed an explanation of the problem into that Word document as well
Sent the second Word document to me
The screen shot in that form was useless, but at least the explanation was a bit of use. So then one has to open an external application to read a piece of text they didn't bother to put in the body and only in an attachment.
I don't think it is a good idea to teach people that it is ok to enter their username and password in windows that unexpectedly pop up on their screen. As for accountability, you don't need that for messages that were just providing information which the user only had to see and didn't give them any choices to make. Besides the way you'd achieve accountability would be to log the information, but if all such warnings were logged the original problem would already be solved, so no need to come up with creative ways to prevent the user from closing the window.
They deliberately created their root certificate with an expiry date of 2004, in case it leaked. So there was no point creating a proof-of-concept as it wouldn't work anyway.
You'd of course have to set the clock on your machine back to the time where the certificate was valid if you wanted to see the proof of concept. It wouldn't mean you could access the site directly with any normal browser, but at least you'd be able to see it if you really wanted to, and you could test any countermeasures against it. Come to think of it, they could also just publish such a signed certificate along with the secret key. An expired leaf certificate for an uninteresting domain is not useful for any phishing or mitm attacks anyway.
Wouldn't setting security.ssl3.rsa_rc4_128_md5 to false prohibit these kinds of attacks?
Interesting question. From the name it does sound like this option would do. But frankly I don't know how I would verify it. The article doesn't link to any proof of concept site. I wonder why they didn't set up an https server with a certificate signed by their rogue certificate. (They could have done so for a server they already control, so no mitm attack would be involved).
but it's only really reasonable to produce two strings with the same MD5 hash
Strictly speaking you can produce multiple strings with the same MD5 hash. I think the 2007 attack actually demonstrated 10 or more chosen prefixes leading to the same hash, they just had to add more garbage to the end.
not to produce a single string with a given MD5 hash.
Correct, that is still not feasible. And I don't see any indication that it is going to be any time soon.
So there is another check which would prevent this attack. The CA should verify the public key passed on to them, it would be a lot harder to create a request which would cause a collision.
According to the article, the CA does verify it. Only the first part of the modulus is random garbage created by the collision algorithm. Once they have a collision, they can choose the rest of the certificate, so they choose the remaining part of the modulus in a way that together with the random garbage make up a valid RSA modulus.
That's just how banks work. You can yell at them how insecure their online banking is 'til you're blue, but you won't change a thing.
Banks have no part in this. The parties at fault are the CAs for using MD5, and the browsers for supporting MD5 as well as trusting CAs that use it. A bank cannot do anything about this attack. Even if the bank chooses a CA which is using secure algorithms it won't help. The attacker doesn't have to use the same CA as the bank; in this study they explain how they found which CA would be the easiest target.
What you can do as a user is to actually look at the certificate chain. Whenever I am using online banking, I always look at the certificate chain at the beginning of each session before I log in. Seems that practice is not paranoia after all. (I also quit the browser before starting, check for security updates, and then start the browser and use a bookmark to go to the login page. I visit no other sites while doing the online banking, and when done I quit the browser and start over before accessing any other sites).
Windows boxes running things like Ethereal would get the truncated packet and then request the rest of the packet even though it wasn't addressed to them.
No network protocol I have ever heard of works that way. Malformed packets are ignored, and there is no way to request the rest of a packet, because a packet either arrives at the destination or it doesn't. So what obscure protocol was he talking to those Windows boxes?
Interesting. I didn't know about that before. I had heard about cases where there were duplicates of all chromosomes. I also knew that even though a fertilized egg will quickly change its membrane to accept no more sperm cells, there is a race condition where another sperm cell can enter the egg if it does so within a split second. Both conditions lead to an offspring that will not survive, but AFAIK they may sometimes survive until shortly after birth. So which time counts as the conception? Is the conception when the first sperm cell enters the egg, or is it when the membranes have fully closed and won't accept another sperm cell?
Consider a 2 cell embryo. Is it 1 human, or 2? Those 2 cells could potentially split and implant separately generating 2 babies in about 9 months (usually less since it'll be a multiple pregnancy). If it doesn't split and implants by itself, it could turn into 1 baby.
I would have brought up that point myself if you hadn't beaten me to it. It could turn into one or two babies, it could even turn into one and a half baby. Consider that if they only split partially, the outcome will be Siamese twins, and it certainly does happen that such a pair of twins don't come with a full set of body parts. For example sometimes there will be two heads but only one torso, or one baby turns into just a pair of legs that happens to be attached to its twin. Does a baby without a head have a right to live? That pair of legs might be kept alive for quite a while if they remained connected to the fully developed twin. Is it murder to detach a baby incapable of surviving on its own from a fully developed baby? How about a case where there is one torso but two heads? Is it OK to remove one of the heads?
Drawing a line at the conception is just an attempt to apply a black and white view on something that isn't just black and white. Some people want to draw a line somewhere, and conception was the only one they could come up with. But it is just too early a stage, a lot of the outcome is not yet given at conception. I really think the correct place to draw the line is when the baby has consciousness/self awareness. It is harder to know when that happens, but it is a more reasonable point to draw a line. We could draw a line at the point where the first nerve cell is formed, still too early, but closer to the place where a line should be drawn. I have wondered how often does a fertilized egg not turn into a pregnancy, and how often does a fertilized egg split, but one half dies at such an early state that nobody ever notices that it happened.
I hope the same thing is true in Linux - if defragging your swap drive helps, someone has done something very wrong to begin with.
A typical Linux system will use a swap partition, not a swap file. The swap partition has no structure, just a header indicating it is a swap partition, how large it is, and optionally a list of bad blocks. When the system boots, the kernel has the entire partition (except for the header) free for its usage as it sees fit. In other words one linear area of disk space. The actual data that goes there could easily end up being fragmented (I don't know those algorithms well enough to tell you how often that happens).
If you were to actually use a swap file, the file itself has a header just like a swap partition. There just happens to be a file system underneath mapping the file to physical disk space in a way that isn't necessarily contiguous. If you were to defragment a Linux file system, it would be a file like any other. The vm system could either use the file system to do the mapping on each access to swap, or it could do it all in advance such that the physical locations of swap pages would be known from the time swap was activated. Each method has advantages and disadvantages. Obviously online defragmentation would get tricky if the vm system was going to remember where swap pages were located, but at least both are happening inside the kernel, so the file system and the vm could coordinate if you wanted to do online defragmentation of a file system with a swap file.
Defragmentation has been something that you wouldn't typically do on Linux. The file systems were designed to not get very fragmented to begin with. But I think we'll soon see file systems for Linux that can do online defragmentation.
That's not quite true actually. Microsoft measured the overhead of doing page table translations and kernel mode switching at about 30%.
I suppose that is not overhead of the translation, but rather overhead of reading page tables whenever there is a TLB miss. If that's the case, the percentage would depend a lot on the workload. And the optimizations you'd do to reduce the performance hit from TLB misses would then be the same optimizations you'd do to improve cache hit ratio. I find it hard to believe that an optimized algorithm would take a 30% performance hit from TLB misses. Of course flushing the TLB on context switches has a cost, but how large a percentage of a time slice can you spend filling up the TLB again?
I tried it. It turned out to be lacking a few important features. I could not configure it to run in master mode. And it could not be configured to be part of a bridge. And when upgrading from 2.6.23.14-115.fc8 to 2.6.24.3-34.fc8 it just stopped working.
This is often not the case. If your NAT device uses iptables the random port is typically preserved.
You are right. I should have made it clear that this does not apply to all NAT implementations. There are NAT implementations which will preserve the port number, unless it is already in use. I'm not sure exactly how it chooses a port number if it is already in use.
This is however not the only problem with NAT. Another problem is the handling of the IPID field, but I don't know if that will lead directly to security problems.
Even complicated software *can* be bug free.
Yes, but the more complicated the software is, the less likely it is to happen.
I don't know exactly what to think about those protocols you really want to stay within your own network. On one hand I think that you are not going to share your resources with the entire world, so why would you need to do that with a protocol that allows you to communicate with the entire world. Some people even go as far as using protocols that you can't even route across an IPv4 router. On the other hand I know this is not the right way to do it. You may have a network that is large enough that you have multiple segments, so you do need something that can be routed between those segments. And using IPv4 doesn't really protect you from communicating with the outside world. Also we do want the use of both IPv4 and IPv6 at the same time to be a temporary solution for the transition. Running these protocols over IPv6 and filtering them at the edge of the network does sound like the correct solution. But of course each machine acting as a server should also verify that the client is authorized; filtering at the edge of the network is supposed to be an additional layer of security, not the only one. Getting all of that right seems like an awful lot of work, and I can understand why you would not make that your first priority. After all there is no need for that to be fully done before a world wide deployment of IPv6 happens. The point where supporting those protocols over IPv6 becomes a high priority is when you are no longer using IPv4 to communicate across the backbone and you consider turning it off completely within your local network.
I have been thinking about PXE booting as well. That is something you rarely want to involve more than a single ethernet segment, and which is currently done over IPv4. And there is hardware around that has a ROM which is unlikely to ever be upgraded to IPv6. But OTOH, does it really hurt to keep things like that on IPv4 indefinitely? Maybe some time in the future the IPv4 stack gets ripped out of the kernel and replaced with a socket interface that will allow one application to receive all IPv4 packets from an ethernet interface and generate IPv4 replies as well. At that point the IPv4 stack could live inside an application that does DHCP, TFTP, and whatever other things you need to boot diskless machines.
But again this is low priority. We should focus on what we need to get the backbone communication to be all IPv6. Supporting IPv6 only hosts can happen at a later point.
You can work around this by picking a different 6to4 gateway for outgoing packets. By default there is an IPv4 anycast address used, 192.88.99.1.
It seems you did not understand the question. We don't know how those Vista machines are configured, but most likely they are using the standard anycast address for packets to the native IPv6 backbone, and probably that is not where the problem lies; there is little reason to believe that Vista would behave better if you configured it to use a fixed gateway for communication with native IPv6 addresses. The question wasn't about how to set up a 6to4 gateway, but rather about how to avoid a broken 6to4 gateway. The question didn't indicate if the problem was with peers on native IPv6 addresses, or with peers on other 6to4 addresses. But I got the impression that it was both.
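The encapsulation decision a 6to4 host makes for each outgoing packet, which is exactly where the distinction between peers on native IPv6 and peers on other 6to4 addresses matters, as an added example that is not code from anyone in the thread. The IPv4 and IPv6 addresses it uses are documentation ranges chosen for the demo; the default relay is the anycast address named above.

```shell
#!/bin/sh
# Added example (not from the original thread): 6to4 address construction and the
# tunnel endpoint choice for an outgoing IPv6 packet. 192.0.2.4, 198.51.100.7 and
# 2001:db8::1 are documentation addresses picked for the demo.

# 6to4 prefix for an IPv4 site address: 2002:WWXX:YYZZ::/48, where WWXX:YYZZ are
# the four octets of the IPv4 address written in hex (RFC 3056).
sixtofour_prefix() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    printf '2002:%x:%x::/48\n' "$((a * 256 + b))" "$((c * 256 + d))"
}

# IPv4 address the tunnel encapsulates to for a given IPv6 destination.
# A destination inside 2002::/16 is another 6to4 site, so the packet goes straight
# to the IPv4 address embedded in its prefix and no relay is involved at all.
# Anything else (a native IPv6 peer) goes through a relay router: the anycast
# address 192.88.99.1 by default, or the specific relay passed as second argument,
# which is the workaround for an anycast relay that turns out to be broken.
sixtofour_next_hop() {
    dst=$1
    relay=${2:-192.88.99.1}
    case "$dst" in
        2002:*)
            rest=${dst#*:}
            g2=${rest%%:*}; rest=${rest#*:}
            g3=${rest%%:*}
            # An empty group means "::" swallowed a zero group (RFC 5952 printing).
            v=$((0x${g2:-0})); w=$((0x${g3:-0}))
            echo "$((v >> 8)).$((v & 255)).$((w >> 8)).$((w & 255))"
            ;;
        *)
            echo "$relay"
            ;;
    esac
}

sixtofour_prefix 192.0.2.4                    # 2002:c000:204::/48
sixtofour_next_hop 2002:c000:204::1           # 192.0.2.4 (6to4 peer: direct)
sixtofour_next_hop 2001:db8::1                # 192.88.99.1 (native peer: anycast relay)
sixtofour_next_hop 2001:db8::1 198.51.100.7   # 198.51.100.7 (native peer: configured relay)
```

Only the third and fourth cases ever touch a relay, so a broken anycast relay shows up as reachability problems with native IPv6 peers while traffic to other 6to4 sites keeps working.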
All these things mean nothing when you're over at someone else's computer and just want to copy a friggin' file from or to the stick.
Some of them don't matter, some of them do matter. However when I am using the disks on my own system, all of those things do matter. And you can't suddenly change the file system at that point.
FAT will work every time.
Unless the files are larger than 4GB. And if you don't copy the files from the USB disk, but instead use them directly from the disk, then the performance will be what you can get from FAT.
Any other filesystem will simply not work on some of the computers that you come across without installing extra drivers.
For that reason I keep a small FAT partition on the beginning of each USB disk, where I can put the drivers. But maybe I should just start bringing a small Linux machine along with my USB disks, then I know it will work, and from a security perspective it is also better. Will of course only give me 100Mbit/s, which is about half the speed of a USB disk, but I suppose I can live with that.
Except there are still no good IPv6 capable load balancers, that'll stop most serious ISPs.
Honestly I don't know what load balancers we use for our IPv6 servers, but they seem to be working fine. However that shouldn't stop your ISP. They don't have to have IPv6 load balancers to enable IPv6 for their customers, all they need is the routers. Sure they usually do run a few servers, but that is only supposed to be a minor part of their business. They can just make the host names only resolve to IPv4 addresses and keep them running on IPv4 for now. Their core business is to provide connectivity between their customers' computers and the backbone, for that you don't need servers and load balancers, you need routers.
Depending on what kind of servers the ISP is running, they can keep running them on IPv4 long after the majority of the internet has switched to IPv6 traffic. For communication between the ISP's servers and their customers, they can use 10/8, which would be sufficient for most ISPs. For communication between this ISP's servers and other ISPs, there are enough public IPv4 addresses for a while to come. It is only when this ISP's servers need to communicate with other ISPs' customers that they really have to move them to IPv6.
I always thought NAT was a good solution from a security perspective for most homes and organizations.
It does help against some security problems, but it also introduces new security problems (for example DNS is sometimes done from a random port to help against poisoning, but if that goes through a NAT the random port is replaced with a non-random port). And the workarounds needed because of NAT are not improving security either. They make software more complicated for no good reason, and more complicated means more bugs, including security vulnerabilities.
NAT forces the router to do connection tracking, and it is also forced to filter out incoming packets that don't match a known connection. The security it provides is just by coincidence, not by design. You can do all the connection tracking and filtering without translation; that way you'd get the benefits without the drawbacks. The vendors just have to start making routers that support IPv6 and do connection tracking and filtering by default. Apple already makes routers that will do 6to4 tunneling by default, I don't know if they also do connection tracking and filtering on IPv6 by default.
I don't recall seeing that on OS X. But then again, the times I have actually put a GUI program on an OS X machine can be counted on one hand. Turns out that for work a browser and a terminal will suffice most of the time. And the laptop came with Firefox, terminal, and ssh client all installed.
MS and Apple have wasted a lot of resources on a lot of systems for the past 5yrs then, since IPv6 hasn't been used on ~99.9% of the systems it has been installed on.
Why? It would be much better to just remove the MD5 support from the browser.
I'm talking about USB disks.
Some of them don't matter, some of them do matter. However when I am using the disks on my own system, all of those things do matter. And you can't suddenly change the file system at that point.
Unless the files are larger than 4GB. And if you don't copy the files from the USB disk, but instead use them directly from the disk, then the performance will be what you can get from FAT.
For that reason I keep a small FAT partition at the beginning of each USB disk, where I can put the drivers. But maybe I should just start bringing a small Linux machine along with my USB disks, then I know it will work, and from a security perspective it is also better. It will of course only give me 100Mbit/s, which is about half the speed of a USB disk, but I suppose I can live with that.
Honestly I don't know what load balancers we use for our IPv6 servers, but they seem to be working fine. However that shouldn't stop your ISP. They don't have to have IPv6 load balancers to enable IPv6 for their customers, all they need is the routers. Sure they usually do run a few servers, but that is only supposed to be a minor part of their business. They can just make the host names only resolve to IPv4 addresses and keep them running on IPv4 for now. Their core business is to provide connectivity between their customers' computers and the backbone, for that you don't need servers and load balancers, you need routers.
Depending on what kind of servers the ISP is running, they can keep running them on IPv4 long after the majority of the internet has switched to IPv6 traffic. For communication between the ISP's servers and their customers, they can use 10/8, which would be sufficient for most ISPs. For communication between this ISP's servers and other ISPs, there are enough public IPv4 addresses for a while to come. It is only when this ISP's servers need to communicate with other ISPs' customers that they really have to move them to IPv6.
He already did that. Now what should he do about the other computers on the network?
It does help against some security problems, but it also introduces new security problems (for example DNS is sometimes done from a random port to help against poisoning, but if that goes through a NAT the random port is replaced with a non-random port). And the workarounds needed because of NAT are not improving security either. They make software more complicated for no good reason, and more complicated means more bugs, including security vulnerabilities.
NAT forces the router to do connection tracking, and it is also forced to filter out incoming packets that don't match a known connection. The security it provides is just by coincidence, not by design. You can do all the connection tracking and filtering without translation, that way you'd get the benefits without the drawbacks. The vendors just have to start making routers that support IPv6 and do connection tracking and filtering by default. Apple already makes routers that will do 6to4 tunneling by default, I don't know if they also do connection tracking and filtering on IPv6 by default.
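The two comments above make a point worth seeing in code: the "only replies to a known connection get in" rule is connection tracking, and it works exactly the same whether or not addresses are rewritten; the rewriting is what costs a resolver its randomised source port. The following is an added example, not code from the thread or any participant, that models both boxes side by side: a NAT that translates to the router's public address and a router-chosen port, and a stateful filter that records the same flow but leaves the packet alone. The addresses, the sequential port pool and the traffic are constructed for the example; real NAT implementations allocate ports in various ways (some try to preserve the original port), and real conntrack handles far more state than this toy.

```python
"""Stateful filtering with and without translation (added example).

Nat            : rewrites src address/port on the way out, remembers the
                 mapping, and un-translates replies.  Ports are handed
                 out sequentially, so the client's random source port is
                 replaced by a predictable one upstream.
StatefulFilter : records the 5-tuple of outbound flows and admits only
                 inbound packets that match one.  No rewriting at all.

Both drop unsolicited inbound packets; only one damages the resolver's
source port randomisation.  Addresses are from documentation ranges.
"""
from dataclasses import dataclass, replace
import random


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "udp"


class Nat:
    """Translating router: connection tracking is a side effect of NAT."""

    def __init__(self, public_addr, first_port=1024):
        self.public_addr = public_addr
        self.next_port = first_port  # sequential pool, constructed for the model
        self.table = {}  # (public_port, peer, peer_port, proto) -> (client, client_port)

    def outbound(self, pkt):
        pub_port = self.next_port
        self.next_port += 1
        self.table[(pub_port, pkt.dst, pkt.dport, pkt.proto)] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.public_addr, sport=pub_port)

    def inbound(self, pkt):
        key = (pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if key not in self.table:
            return None  # no matching connection: dropped
        client, client_port = self.table[key]
        return replace(pkt, dst=client, dport=client_port)


class StatefulFilter:
    """Non-translating router: same tracking and drop rule, packet untouched."""

    def __init__(self):
        self.flows = set()

    def outbound(self, pkt):
        self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
        return pkt

    def inbound(self, pkt):
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        return pkt if key in self.flows else None


def source_ports_seen(box, n, rng, client, server):
    """Send n DNS queries with random source ports through box.

    Returns (chosen_port, port_seen_by_server) for each query.
    """
    pairs = []
    for _ in range(n):
        q = Packet(client, rng.randrange(1024, 60000), server, 53)
        pairs.append((q.sport, box.outbound(q).sport))
    return pairs


def run_comparison(n=50, seed=7):
    """Run the same traffic through both boxes and summarise what differs."""
    rng = random.Random(seed)
    nat, flt = Nat("203.0.113.1"), StatefulFilter()
    nat_pairs = source_ports_seen(nat, n, rng, "192.168.1.10", "198.51.100.53")
    flt_pairs = source_ports_seen(flt, n, rng, "2001:db8::10", "2001:db8:ffff::53")

    # Unsolicited packets (port 1000 was never used) are dropped by both.
    stray_nat = nat.inbound(Packet("198.51.100.53", 53, "203.0.113.1", 1000))
    stray_flt = flt.inbound(Packet("2001:db8:ffff::53", 53, "2001:db8::10", 1000))

    # Genuine replies to the last query are delivered by both.
    nat_orig, nat_seen = nat_pairs[-1]
    flt_orig, _ = flt_pairs[-1]
    reply_nat = nat.inbound(Packet("198.51.100.53", 53, "203.0.113.1", nat_seen))
    reply_flt = flt.inbound(Packet("2001:db8:ffff::53", 53, "2001:db8::10", flt_orig))

    return {
        # upstream sees 1024, 1025, ...: trivially guessable by a spoofer
        "nat_ports_sequential": [s for _, s in nat_pairs] == list(range(1024, 1024 + n)),
        # the resolver's random ports survive untouched
        "filter_preserves_ports": all(o == s for o, s in flt_pairs),
        "unsolicited_dropped": stray_nat is None and stray_flt is None,
        "nat_reply_untranslated": reply_nat is not None and reply_nat.dport == nat_orig
        and reply_nat.dst == "192.168.1.10",
        "filter_reply_delivered": reply_flt is not None and reply_flt.dport == flt_orig,
    }


if __name__ == "__main__":
    for k, v in run_comparison().items():
        print(f"{k}: {v}")
```

The model's `Nat` is deliberately the simplest possible allocator to make the loss of entropy obvious; a NAT that preserves the source port when it is free would not hurt this particular defence, but the client still cannot know which behaviour the box in front of it has.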
I don't recall seeing that on OS X. But then again, the times I have actually put a GUI program on an OS X machine can be counted on one hand. Turns out that for work a browser and a terminal will suffice most of the time. And the laptop came with Firefox, terminal, and ssh client all installed.
I wouldn't say Apple's time spent on this has been wasted. After all more than 50% of the client machines on the IPv6 network are Macs.