Linux's implementation of ASLR is substantially inferior to Windows Vista/7's, which was covered the FIRST time this guy won the pwn2own contest.
This may be true (in fact my opinion is that most Linux desktop distros ship with only the ASLR in the generic kernel which last I heard was limited) but you still haven't provided any citation for this. You later claim it was somehow a solved question in another Slashdot thread, but don't link to that thread. Google doesn't seem to have much in the way of comparisons either, just a lot of articles on flaws in the Windows implementation and how people bypass it.
However, it is far superior to OSX's, which appears to not really do anything useful...
What's really funny is that Charlie Miller has repeatedly complained that Apple's implementation is only good for stopping the most common kind of return to libc exploits and not other kinds of attacks ASLR is useful for. So claiming it is useless is like claiming seatbelts are useless since they don't protect against anything but the most common kind of injuries from car crashes.
Please try to keep up, or don't comment.
Keep up with what? Your assertions, half of which you haven't been able to back up and half of which are demonstrably wrong. I don't mind people being assertive, opinionated, arrogant creeps, but if you're going to be one, at least be a competent one.
The issue isn't whether the statement was true or not, but rather whether or not the logic used to describe the improvement was correct.
Quicktime has had bugs and those bugs have created vulnerabilities which were security risks. Can we agree to that much? Knowing this and knowing how it was rewritten, to allow each potentially buggy codec to be sandboxed and knowing that it was rewritten as a 64 bit app and that 64 bit apps gain several other security benefits in 10.6; Miller's statement makes complete sense and is logical. The only way it doesn't make sense is if you don't have the facts he outlined at the time and which the article did not bother to recreate.
Yes, but what does that have to do with what we're talking about... getting ARM processors implemented in netbooks? Unless someone takes it and provides an entire solution for netbooks like Apple did for smartphones, it is unlikely to overcome the barriers introduced by Windows domination of the desktop OS market and subsequent influence on current netbook manufacturers.
I think this is incorrect. I don't think they do address randomization at all.
OS X 10.5 and later apply ASLR selectively to some libraries on both PowerPC and Intel processors. 10.6 applies it to most libraries, but does not run on PPC at all and still leaves some things like the dynamic linker without randomization.
As for only working on a 64 bit processor... Maybe you're thinking of the NX bit?
That and a few other techniques were what I was referring to. If you read my post you'll note I said "other security features" were applied based upon whether you were using a 64 bit processor, kernel, or application as different methods apply for different combinations of the above.
There are a lot of barriers to Windows adoption on the ARM processor that go beyond MS not really wanting it. If they really want to gain market share above and beyond cell phones and PDA's, ARM needs a strong partner to create a real, integrated, polished solution. And by solution I don't mean a device. They need to do something akin to the iPhone, in creating a nice device or set of devices with a consistent polished operating system and with an integrated ecosystem of solutions. The project is large in scope and they need a partner that preferably has an existing position to leverage, experience, money, and which is not beholden to Microsoft. A cell phone service company might be a viable partner or Canonical and someone, or RIM or Google or an appliance maker that has not entered the netbook market yet.
If they really want to sell netbooks with ARM processors in them they have to think big. They need to better than hope MS is scared. They need to commit to building a system that bypasses MS's core monopolies through vertical integration. This is no small task. They need the hardware, which has to be cheap and hit a sweet spot. They need an OS and applications. They need dev tools for applications and services. They need Web and network services integrated with the device. More than all those pieces which are out there, they need someone to put it all together in a nice package and usability test the whole user experience from buying to opening the box right up through using it for all the common tasks: Web surfing, E-mail, chat, word processing, potentially phone calls and videophone, playing games, playing music and video, and adding new applications. The problem with a lot attempts at this sort of thing is the assumption that someone else will take care of parts or that blaming someone else somehow makes a failure better.
Others have pointed out why your comments on DEP are a bit off base.
"[the quicktime rewrite] was really smart, since it's been the source of lots of bugs in the past."
bugs != security failure (although they can cause one... the bad math issues in excel 2007 aren't particularly exploitable, just annoying)
Bugs may be potential holes, but the rewrite included a lot of security additions, such as those 64 bit applications on OS X gain automatically as well as sandboxing for the codecs, making exploitation via overflows in media a lot harder to pull off. While the article doesn't explain why the rewrite was a security improvement, that doesn't mean those reasons don't exist. They relied upon the fact that a security researcher was telling us, as an expert opinion, but nothing stops you from looking it up.
I have long thought Apple did not take security seriously or at least did not devote the resources they should on security matters.
There are several parts to this that are interesting. Is Apple slacking off on implementing new security, or are users like you just not learning about the security improvements Apple has made. Do you remember hearing about when Apple's sandboxing made them just about the only vendor to not be vulnerable to a local service exploit a few years back? Have you ever seen a mainstream article mentioning Apple uses sandboxing?
That said, at last some of Apple obviously pays no attention to security, but that's normal in any large organization. It would be great if Apple would devote more resources to trying to hack their own OS and applications and then lock down those holes. It would be great if Apple would go whole hog with ASLR and sandboxing and handle auto updates for third party apps and smoke test third party apps on OS X and do a lot of others things.
So here's why I don't worry too much about security for Linux or OS X compared to Windows. It's all in the motivation. Apple is highly motivated to implement security that is good enough so that their average users are happy. Linux developers have the same motivation. No matter ow the security climate changes, they will quickly adapt because if they don't they're going to lose money. It's the same reason I think security on Windows is so problematic. Sure some smart guys there are implementing some cool security ideas, but as a company MS is not very motivated to fix security because it doesn't really lose them money. It's cheaper to provide the appearance of working towards security or to spend money building more ways to lock in their customers and make it hard to switch than it is to actually create security solutions. Because MS is not really competing due to their monopoly position, they will not be forced to provide effective security by the free market.
Why doesn't Apple just adopt the OpenBSD mmap and just close this hole?
Apple already uses mmap in OS X. Apple has actually borrowed a lot of cool security features from BSD (like the trusted BSD MAC implementation). What people are complaining about is not that Apple doesn't have ASLR, but that they haven't done the work to apply it to the dynamic linker, which is admittedly a tricky thing to do.
I read somewhere that the OSX had ASLR, but only for the PowerPC
This is incorrect. OS X uses ASLR on all chips. Some other security features dealing with memory only work using a 64 bit processor, kernel, or application or combination thereof.
I wouldn't equate Mac OS X as a 'Unix' for a comparison with Windows if I were you. The amount of stuff running setuid on a Mac is a little scary.
What's interesting is how in the same paper where Miller mentioned the ASLR in Leopard, he also praised Apple for getting rid of a lot of the setuid use.
Even so, adding ASLR to the Apple OS is something they could do with relative ease...
...And is something they did years ago. The issue being discussed here is Apple did not use ASLR to randomize the dynamic loader, which is a significant and juicy target. Applying it to the dynamic loader, however, is a nontrivial task.
I always find articles about OS X security, especially in discussion, painful. First you either have a security expert writing and being translated by a fairly clueless reporter, or you have a clueless reporter writing. In the former case what makes a good article and gets press is usually a security person pointing out weaknesses or flaws in OS X. After all, saying OS X still doesn't have much risk of malware for the average user is like reporting that most GM cars still use gas. It's old info and not news. The other type of article that gets picked up are soft articles about how cool OS X is and how it can't get malware, written for the 90% of the populace that has never used it, but from an uniformed perspective.
Inevitably when either kind of story goes up on Slashdot we see tons of people who know little or nothing about what security is actually implemented in OS X, spouting off one way or the other, usually emotionally defending their favorite OS.
So in this case we have a fairly knowledgeable security expert talking about security in OS X. His sentence about ASLR begins, "One major disappointment in the midst of all these security enhancements..." Based upon what reporters have made of his paper, do any of you know what those security enhancements are? Contrast the expert's conclusion:
While the only true test of security is how effective it is in the real world, on paper it looks like life is now at least a little harder for any potential Mac attackers.
With the title of article linked to:
Apple missed security boat with Snow Leopard, says researcher
That's not to say the article is a filthy lie. It is completely true. Apple did miss the opportunity to improve ASLR for the heap. That's very true and important and disappointing. It's also the only OS X security news most people will hear and that, is misleading. It's not the writer's fault either, they're just writing what's interesting and "news". Writing an article on how Apple's security got moderately better in a number of ways and Macs are still unlikely to have many serious or widespread malware problems going forward for a few years, is not news.
And Apple is not blameless about what press reaches the public either. Apple is pretty quiet about security features in OS X because they don't like to bring up the topic for the general public, except in very generic ways. Their plan seems to be "tell users the security is cool and good and make sure they know they're unlikely to get viruses, but don't confuse them with details. Experts can read the whitepapers." This leaves out the whole middle portion of the spectrum, not security experts but not completely clueless either.
It would be nice to have meaningful discussion on some of the OS X security features, but that might be too much to hope for. What do people think about the sandboxing approach and has anyone noticed any particularly surprising sandboxed services in Leopard? The mixed 32-64 bit thing seems like an interesting choice, with 64 bit application development now motivated by artificially restricting access to some new APIs. Since a lot of the security improvements are tied to 64 bit applications and/or 64 bit processors, do people feel this was an attempt to direct developers for security reasons or just to speed the transition for other reasons? What do people think the other heap protection checksums and protections for 64 bit kernels. Will we transition to 64 bit fast enough so that they will be useful? How about the application signing being tied to the application level firewall? It seems like Apple could have made that a default and really motivated developers to use it, but decided to go in baby steps instead. And why in the world has Apple not created a proper application and update manager that extends to third parties? That seems like a no-brainer from a security and usability perspective.
I forgot to point out that the primary example given in the article is about Medicare not paying for the Iphone but paying for a much more expensive device. So, the profit motive of the insurer is not the problem.
How's that reading comprehension? Reread the paragraph ending in "Even with the few expensive payouts, the insurance companies save money so they keep the policies." and try again.
That means that your entire post is a strawman argument...
You don't actually know what a strawman argument is do you? A strawman is not a post you disagree with or even one that is objectively or subjectively incorrect. A strawman is where you make a weak argument on behalf of a real or mythical opponent, and then attack that argument. So my post was claiming someone else made what argument, which I then attack how?
There is absolutely no motivation for an insurance company to punish anybody for wrongdoing.
So now you're summarizing my old post? That's the trade off between the evils of profit motivation and the evils of politically motivated restrictions.
Fraud may be quantifiable, but that doesn't give you the money back...
Which is why you need a cost analysis to see which is more efficient, as I already said. You can't just assume one is because of baseless beliefs.
If you don't think it happens, look at how big of a problem prescription drug abuse is.
What's even more enlightening is to look at drug abuse and prescription drug abuse around the world and see how it correlates with healthcare systems.
And when the object in question is worth less than the cost to pursue the issue, it becomes difficult to prevent the fraud without losing incredible amounts of money. They are better off not paying for the phones for this purpose, since human reaction is quite predictable in these circumstances.
You haven't specified weights for false positives. What's the dollar equivalent of a disabled person not getting a device they need? Then you need to actually run the numbers and see if fraud is a significant problem and whether it can be made an insignificant problem with prevention techniques that are still under the cost to society in the analysis.
You seem to have a conclusion based upon your beliefs about society, without any real study or even thought as to what the benefits and drawbacks to society are. By the same logic one could say prohibition on alcohol is a great idea because of the failings of human nature, but that doesn't make it so.
Sure a dedicated app store is a great way to funnel your customers to your door. But that's like saying you only have one store available to you, and you have to pay in Stokessd-town dollars. I'm sure you would have less total customers than if the unit was open to applications from anywhere, although you'll most likely collect more stokessd-town dollars.
You're only seeing half the picture. Having a built in store that collects all the apps in one place is a feature and customers really, really, really like being able to get everything from one place in one consistent way. This leaves phone implementors with three choices:
be lazy don't do anything ignore the feature.
implement a store just like Apple did, so you have feature parity and either:
lock the device to the store down just like Apple, gaining the same disadvantages
don't lock the device to just the store down resulting in multiple ways to get apps, confusing users, and having to support multiple workflows
be innovative and provide a store but set it up so anyone can add things to it from their own hosting, like letting users add their own smaller stores
MS picked the choice that is the least work, least innovative, and works like Windows. For some reason I'm not surprised.
I was directly responding to a previous post and was discussing the point raised.
And further, where did you learn logic and economics?
I originally learned logic from reading two of the Organon while interested in classical greek writing as a youth. Since then I've read many books about formal and informal logic and taken classes on both at a well regarded university. For economics, I was introduced to formal study of it in university classes and went on to read a great many papers and books on the subject.
Did you ever learn either topic?
It's about avoiding fraud.
Fraud is a quantifiable expense in any health care. If the costs do to fraud are dwarfed by the savings benefits it is logical to put up with said alleged increases in fraud. It is illogical, but the norm, to do the opposite because we're more interested in punishing people for wrongdoing than we are in doing what is most beneficial to society.
As a previous poster said, if Medicare actually approved iPhones for speech impairment, we would, overnight, see an epidemic of speech impediments in the US, orders of magnitude over what the base rate is now.
That's called an assertion. It's normally supposed to be backed with some sort of logical and/or statistical support. In any case, the question was about how things would differ in a socialized system than in a capitalist system. Levels of "false positives" versus "false negative" provisions for the disabled and at what rate those are helpful/harmful to society.
Now if Apple made an iPhone with app store, internet, voice, and iPod functionality disabled that could run this application only, then I suspect that Medicare would approve it.
So you're in favor of crippleware? You think it's a good idea to cripple products to make them less useful at an added expense as a way to demotivate fraud. That is one idea, but don't you think just decent fraud screening to catch the low hanging fruit is more effective and efficient? Not many doctors want to risk losing their license for knowingly prescribing an iPhone to someone who isn't really suffering from a disability where the iphone (paired with certain applications) could provide benefit. I think you're just inventing a problem where it is not clear any does or would exist.
Nothing new here. It's the same herd mentality and intellectual laziness that pervades most political discourse.
While most political discourse is wretched, that has not been my experience with requests for citation or facts, on Slashdot, even in previous political discussions. Further, regardless of the topic, I don't generally see that much blatant mismoderation where items are modded offtopic while they directly address the point they are responding to. Now my previous post is clearly offtopic and modding it as such is fine. But asking for a citation without presenting any bias? Maybe I'm giving Slashdot too much credit, be this still strikes me as quite unusual.
So what's up with the modding for this thread. Someone makes an assertion about US law and when people post asking for a citation they are modded down as offtopic or flamebait? Are there astroturfers from political lobbies or healthcare companies active here or is it just a bunch of opinionated people who are trying to abuse the mod system to shout down people who disagree with their party? I find the modding here as interesting as the article.
The original poster claims that MS no longer patching XP is a reason to abandon Microsoft; no, it's a reason to upgrade to an OS that was released in the last few years.
So you propose looking up all the components of the products you buy and only buying products made with recent components? Computers with XP on them are selling today. It is a current product. Computers with OS X 10.4 haven't sold for 4.5 years and they're still getting support. That's why your comparison is garbage.
MS still sells XP licenses because there's a demand for them. There are some people who will continue to demand XP as long as MS keeps supporting it, so the only way to make them upgrade is to stop supporting it.
Sorry that doesn't wash. If MS is going to keep selling it they need to keep supporting it. If they determine they can't support it anymore, they need to stop selling it several years prior to that time. You know normal companies respond to customer demand, rather than dictate terms to customers. MS should have broken up years ago so the market could solve this problem.
I'm sure Apple would still be selling 10.0 if there was a demand for it, but fortunately for them, the incremental style of Apple's releases makes it easy to see that their older OSes are crappy compared to the new ones.
That's because Apple is about creating products to satisfy the demand of their customers, instead of creating products with new mechanisms for extracting money from their customers and then trying to force people to pay for the privilege.
The root problem is MS doesn't care about their customers because they don't have to to make money because they criminally leverage their monopoly as a revenue source.
If you want to have money for people with chronic conditions, make them a federal problem and pay for it with tax money. I recommend taxing intellectual property and imports to come up with the dough.
Why is it that people opposed to socialized healthcare always have the most absurd economic ideas, like protectionism?
What I always thought was the stupid part about using health insurance to redistribute wealth is that it's basically like paying for other people's health insurance with a tax on... health insurance!
Umm, the proposals to date have been about paying for health insurance with an increase in income tax on the high end and paying for it by eliminating tax loopholes for individuals at the high end and corporations. How do you figure it is taxing health insurance?
You can tell I grew up in a country with universal healthcare.
No, but I can tell that you threw in a useless addendum to an otherwise insightful post.
It's not exactly useless. In truth the procurement of items for medical treatment in countries with socialized healthcare is often quite different. Not always, mind you, but often. Without a financial motivation for whether or not patient obtains a device to help them, most people tend to be both compassionate and pragmatic. That is to say, rarely would a person be denied a cane as a medical expense because it is cheap and someone needs help walking. Rarely would someone be granted a power exoskeleton because it is expensive and excessive.
With a profit motive in the US healthcare system insurance companies make more money erecting artificial barriers that prevent people from getting any assistive device. They're in a position to impose arbitrary rules to make providing such devices harder so their issuance is rarer. At the same time medical suppliers an make money by specializing in jumping through the hoops and getting certified products which make them artificially scarce allowing said companies to charge a lot of money. Even with the few expensive payouts, the insurance companies save money so they keep the policies.
Of course you see what is missing from the above scenario. That is the compassion and the pragmatism. A normal person working in healthcare would say, "an iPhone with apps for the blind, yeah that makes sense to help a blind person and is a lot cheaper than a specialty device". Then they approve it. It is the system standing in the way, a system motivated by rules designed to maximize profits. This type of rule is a great deal rarer in socialized medicine
This isn't to say that other healthcare systems are better in this way, just different. Profit is not the only motive that can result in arbitrary rules detrimental to individuals who need healthcare. Government bureaucrats can be just as bad implementing rules to punish groups at the expense of the masses or implement policies to mollify their special interest group in order to get re-elected. For example, rules to make abortion practically unavailable in order to appease a religious lobby or rules to refuse healthcare to overeating overweight people who are actually saving society money overall by their condition, but who much of society wants to punish for their sin.
I think you may be prejudiced by your previous experience.
If his position is based on experience, then by definition it's not prejudice.
You are completely wrong. Prejudice is prejudging a person or thing. If I experience watching a news program where an african american punches a cop, and then the next time I meet an african american I conclude that african american is likely dangerous and violent, I've pre judged them by taking a correlation (well one data point) and assigning a causation.
An experience can lead to a person prejudging based upon illogical assumptions about said experience. Just because you've had an experience involving elm trees doesn't mean you can accurately predict everything that will happen around some other elm tree. That is prejudice based upon experience.
Really? How often does Apple backport patches from OS X 10.6 to 10.0? You realize that XP is even older than 10.0, right?
Apple hasn't sold a computer with Mac OS X 10.4 on it for 4.5 years. They released a security patch for it 5 days ago. How long ago did MS stop licensing WinXP for sale on computers? Oh yeah, you still buy computers with WinXP on them because MS is still selling licenses.
Slashdot Mirror
Linux's implementation of ASLR is substantially inferior to Windows Vista/7's, which was covered the FIRST time this guy won the pwn2own contest.
This may be true (in fact my opinion is that most Linux desktop distros ship with only the ASLR in the generic kernel which last I heard was limited) but you still haven't provided any citation for this. You later claim it was somehow a solved question in another Slashdot thread, but don't link to that thread. Google doesn't seem to have much in the way of comparisons either, just a lot of articles on flaws in the Windows implementation and how people bypass it.
However, it is far superior to OSX's, which appears to not really do anything useful...
What's really funny is that Charlie Miller has repeatedly complained that Apple's implementation is only good for stopping the most common kind of return to libc exploits and not other kinds of attacks ASLR is useful for. So claiming it is useless is like claiming seatbelts are useless since they don't protect against anything but the most common kind of injuries from car crashes.
Please try to keep up, or don't comment.
Keep up with what? Your assertions, half of which you haven't been able to back up and half of which are demonstrably wrong. I don't mind people being assertive, opinionated, arrogant creeps, but if you're going to be one, at least be a competent one.
The issue isn't whether the statement was true or not, but rather whether or not the logic used to describe the improvement was correct.
Quicktime has had bugs and those bugs have created vulnerabilities which were security risks. Can we agree to that much? Knowing this and knowing how it was rewritten, to allow each potentially buggy codec to be sandboxed and knowing that it was rewritten as a 64 bit app and that 64 bit apps gain several other security benefits in 10.6; Miller's statement makes complete sense and is logical. The only way it doesn't make sense is if you don't have the facts he outlined at the time and which the article did not bother to recreate.
The iPhone is a ARM processor.....
Yes, but what does that have to do with what we're talking about... getting ARM processors implemented in netbooks? Unless someone takes it and provides an entire solution for netbooks like Apple did for smartphones, it is unlikely to overcome the barriers introduced by Windows domination of the desktop OS market and subsequent influence on current netbook manufacturers.
I think this is incorrect. I don't think they do address randomization at all.
OS X 10.5 and later apply ASLR selectively to some libraries on both PowerPC and Intel processors. 10.6 applies it to most libraries, but does not run on PPC at all and still leaves some things like the dynamic linker without randomization.
As for only working on a 64 bit processor... Maybe you're thinking of the NX bit?
That and a few other techniques were what I was referring to. If you read my post you'll note I said "other security features" were applied based upon whether you were using a 64 bit processor, kernel, or application as different methods apply for different combinations of the above.
There are a lot of barriers to Windows adoption on the ARM processor that go beyond MS not really wanting it. If they really want to gain market share above and beyond cell phones and PDA's, ARM needs a strong partner to create a real, integrated, polished solution. And by solution I don't mean a device. They need to do something akin to the iPhone, in creating a nice device or set of devices with a consistent polished operating system and with an integrated ecosystem of solutions. The project is large in scope and they need a partner that preferably has an existing position to leverage, experience, money, and which is not beholden to Microsoft. A cell phone service company might be a viable partner or Canonical and someone, or RIM or Google or an appliance maker that has not entered the netbook market yet.
If they really want to sell netbooks with ARM processors in them they have to think big. They need to better than hope MS is scared. They need to commit to building a system that bypasses MS's core monopolies through vertical integration. This is no small task. They need the hardware, which has to be cheap and hit a sweet spot. They need an OS and applications. They need dev tools for applications and services. They need Web and network services integrated with the device. More than all those pieces which are out there, they need someone to put it all together in a nice package and usability test the whole user experience from buying to opening the box right up through using it for all the common tasks: Web surfing, E-mail, chat, word processing, potentially phone calls and videophone, playing games, playing music and video, and adding new applications. The problem with a lot attempts at this sort of thing is the assumption that someone else will take care of parts or that blaming someone else somehow makes a failure better.
Others have pointed out why your comments on DEP are a bit off base.
"[the quicktime rewrite] was really smart, since it's been the source of lots of bugs in the past."
bugs != security failure (although they can cause one... the bad math issues in excel 2007 aren't particularly exploitable, just annoying)
Bugs may be potential holes, but the rewrite included a lot of security additions, such as those 64 bit applications on OS X gain automatically as well as sandboxing for the codecs, making exploitation via overflows in media a lot harder to pull off. While the article doesn't explain why the rewrite was a security improvement, that doesn't mean those reasons don't exist. They relied upon the fact that a security researcher was telling us, as an expert opinion, but nothing stops you from looking it up.
I have long thought Apple did not take security seriously or at least did not devote the resources they should on security matters.
There are several parts to this that are interesting. Is Apple slacking off on implementing new security, or are users like you just not learning about the security improvements Apple has made. Do you remember hearing about when Apple's sandboxing made them just about the only vendor to not be vulnerable to a local service exploit a few years back? Have you ever seen a mainstream article mentioning Apple uses sandboxing?
That said, at last some of Apple obviously pays no attention to security, but that's normal in any large organization. It would be great if Apple would devote more resources to trying to hack their own OS and applications and then lock down those holes. It would be great if Apple would go whole hog with ASLR and sandboxing and handle auto updates for third party apps and smoke test third party apps on OS X and do a lot of others things.
So here's why I don't worry too much about security for Linux or OS X compared to Windows. It's all in the motivation. Apple is highly motivated to implement security that is good enough so that their average users are happy. Linux developers have the same motivation. No matter ow the security climate changes, they will quickly adapt because if they don't they're going to lose money. It's the same reason I think security on Windows is so problematic. Sure some smart guys there are implementing some cool security ideas, but as a company MS is not very motivated to fix security because it doesn't really lose them money. It's cheaper to provide the appearance of working towards security or to spend money building more ways to lock in their customers and make it hard to switch than it is to actually create security solutions. Because MS is not really competing due to their monopoly position, they will not be forced to provide effective security by the free market.
Why doesn't Apple just adopt the OpenBSD mmap and just close this hole?
Apple already uses mmap in OS X. Apple has actually borrowed a lot of cool security features from BSD (like the trusted BSD MAC implementation). What people are complaining about is not that Apple doesn't have ASLR, but that they haven't done the work to apply it to the dynamic linker, which is admittedly a tricky thing to do.
I read somewhere that the OSX had ASLR, but only for the PowerPC
This is incorrect. OS X uses ASLR on all chips. Some other security features dealing with memory only work using a 64 bit processor, kernel, or application or combination thereof.
I wouldn't equate Mac OS X as a 'Unix' for a comparison with Windows if I were you. The amount of stuff running setuid on a Mac is a little scary.
What's interesting is how in the same paper where Miller mentioned the ASLR in Leopard, he also praised Apple for getting rid of a lot of the setuid use.
Even so, adding ASLR to the Apple OS is something they could do with relative ease...
...And is something they did years ago. The issue being discussed here is Apple did not use ASLR to randomize the dynamic loader, which is a significant and juicy target. Applying it to the dynamic loader, however, is a nontrivial task.
I always find articles about OS X security, especially in discussion, painful. First you either have a security expert writing and being translated by a fairly clueless reporter, or you have a clueless reporter writing. In the former case what makes a good article and gets press is usually a security person pointing out weaknesses or flaws in OS X. After all, saying OS X still doesn't have much risk of malware for the average user is like reporting that most GM cars still use gas. It's old info and not news. The other type of article that gets picked up are soft articles about how cool OS X is and how it can't get malware, written for the 90% of the populace that has never used it, but from an uniformed perspective.
Inevitably when either kind of story goes up on Slashdot we see tons of people who know little or nothing about what security is actually implemented in OS X, spouting off one way or the other, usually emotionally defending their favorite OS.
So in this case we have a fairly knowledgeable security expert talking about security in OS X. His sentence about ASLR begins, "One major disappointment in the midst of all these security enhancements..." Based upon what reporters have made of his paper, do any of you know what those security enhancements are? Contrast the expert's conclusion:
While the only true test of security is how effective it is in the real world, on paper it looks like life is now at least a little harder for any potential Mac attackers.
With the title of article linked to:
Apple missed security boat with Snow Leopard, says researcher
That's not to say the article is a filthy lie. It is completely true. Apple did miss the opportunity to improve ASLR for the heap. That's very true and important and disappointing. It's also the only OS X security news most people will hear and that, is misleading. It's not the writer's fault either, they're just writing what's interesting and "news". Writing an article on how Apple's security got moderately better in a number of ways and Macs are still unlikely to have many serious or widespread malware problems going forward for a few years, is not news.
And Apple is not blameless about what press reaches the public either. Apple is pretty quiet about security features in OS X because they don't like to bring up the topic for the general public, except in very generic ways. Their plan seems to be "tell users the security is cool and good and make sure they know they're unlikely to get viruses, but don't confuse them with details. Experts can read the whitepapers." This leaves out the whole middle portion of the spectrum, not security experts but not completely clueless either.
It would be nice to have meaningful discussion on some of the OS X security features, but that might be too much to hope for. What do people think about the sandboxing approach and has anyone noticed any particularly surprising sandboxed services in Leopard? The mixed 32-64 bit thing seems like an interesting choice, with 64 bit application development now motivated by artificially restricting access to some new APIs. Since a lot of the security improvements are tied to 64 bit applications and/or 64 bit processors, do people feel this was an attempt to direct developers for security reasons or just to speed the transition for other reasons? What do people think the other heap protection checksums and protections for 64 bit kernels. Will we transition to 64 bit fast enough so that they will be useful? How about the application signing being tied to the application level firewall? It seems like Apple could have made that a default and really motivated developers to use it, but decided to go in baby steps instead. And why in the world has Apple not created a proper application and update manager that extends to third parties? That seems like a no-brainer from a security and usability perspective.
I forgot to point out that the primary example given in the article is about Medicare not paying for the Iphone but paying for a much more expensive device. So, the profit motive of the insurer is not the problem.
How's that reading comprehension? Reread the paragraph ending in "Even with the few expensive payouts, the insurance companies save money so they keep the policies." and try again.
That means that your entire post is a strawman argument...
You don't actually know what a strawman argument is do you? A strawman is not a post you disagree with or even one that is objectively or subjectively incorrect. A strawman is where you make a weak argument on behalf of a real or mythical opponent, and then attack that argument. So my post was claiming someone else made what argument, which I then attack how?
Are you saying that the companies that make medical treatment supplies in countries with soialized[sic] healthcare are not run for a profit?
No. Are you making a strawman argument?
There is absolutely no motivation for an insurance company to punish anybody for wrongdoing.
So now you're summarizing my old post? That's the trade off between the evils of profit motivation and the evils of politically motivated restrictions.
Fraud may be quantifiable, but that doesn't give you the money back...
Which is why you need a cost analysis to see which is more efficient, as I already said. You can't just assume one is because of baseless beliefs.
If you don't think it happens, look at how big of a problem prescription drug abuse is.
What's even more enlightening is to look at drug abuse and prescription drug abuse around the world and see how it correlates with healthcare systems.
And when the object in question is worth less than the cost to pursue the issue, it becomes difficult to prevent the fraud without losing incredible amounts of money. They are better off not paying for the phones for this purpose, since human reaction is quite predictable in these circumstances.
You haven't specified weights for false positives. What's the dollar equivalent of a disabled person not getting a device they need? Then you need to actually run the numbers and see if fraud is a significant problem and whether it can be made an insignificant problem with prevention techniques that are still under the cost to society in the analysis.
You seem to have a conclusion based upon your beliefs about society, without any real study or even thought as to what the benefits and drawbacks to society are. By the same logic one could say prohibition on alcohol is a great idea because of the failings of human nature, but that doesn't make it so.
Sure a dedicated app store is a great way to funnel your customers to your door. But that's like saying you only have one store available to you, and you have to pay in Stokessd-town dollars. I'm sure you would have less total customers than if the unit was open to applications from anywhere, although you'll most likely collect more stokessd-town dollars.
You're only seeing half the picture. Having a built in store that collects all the apps in one place is a feature and customers really, really, really like being able to get everything from one place in one consistent way. This leaves phone implementors with three choices:
MS picked the choice that is the least work, least innovative, and works like Windows. For some reason I'm not surprised.
How did you manage to miss the entire point?
I was directly responding to a previous post and was discussing the point raised.
And further, where did you learn logic and economics?
I originally learned logic from reading two of the Organon while interested in classical greek writing as a youth. Since then I've read many books about formal and informal logic and taken classes on both at a well regarded university. For economics, I was introduced to formal study of it in university classes and went on to read a great many papers and books on the subject.
Did you ever learn either topic?
It's about avoiding fraud.
Fraud is a quantifiable expense in any health care. If the costs do to fraud are dwarfed by the savings benefits it is logical to put up with said alleged increases in fraud. It is illogical, but the norm, to do the opposite because we're more interested in punishing people for wrongdoing than we are in doing what is most beneficial to society.
As a previous poster said, if Medicare actually approved iPhones for speech impairment, we would, overnight, see an epidemic of speech impediments in the US, orders of magnitude over what the base rate is now.
That's called an assertion. It's normally supposed to be backed with some sort of logical and/or statistical support. In any case, the question was about how things would differ in a socialized system than in a capitalist system. Levels of "false positives" versus "false negative" provisions for the disabled and at what rate those are helpful/harmful to society.
Now if Apple made an iPhone with app store, internet, voice, and iPod functionality disabled that could run this application only, then I suspect that Medicare would approve it.
So you're in favor of crippleware? You think it's a good idea to cripple products to make them less useful at an added expense as a way to demotivate fraud. That is one idea, but don't you think just decent fraud screening to catch the low hanging fruit is more effective and efficient? Not many doctors want to risk losing their license for knowingly prescribing an iPhone to someone who isn't really suffering from a disability where the iphone (paired with certain applications) could provide benefit. I think you're just inventing a problem where it is not clear any does or would exist.
Nothing new here. It's the same herd mentality and intellectual laziness that pervades most political discourse.
While most political discourse is wretched, that has not been my experience with requests for citation or facts, on Slashdot, even in previous political discussions. Further, regardless of the topic, I don't generally see that much blatant mismoderation where items are modded offtopic while they directly address the point they are responding to. Now my previous post is clearly offtopic and modding it as such is fine. But asking for a citation without presenting any bias? Maybe I'm giving Slashdot too much credit, be this still strikes me as quite unusual.
So what's up with the modding for this thread. Someone makes an assertion about US law and when people post asking for a citation they are modded down as offtopic or flamebait? Are there astroturfers from political lobbies or healthcare companies active here or is it just a bunch of opinionated people who are trying to abuse the mod system to shout down people who disagree with their party? I find the modding here as interesting as the article.
The original poster claims that MS no longer patching XP is a reason to abandon Microsoft; no, it's a reason to upgrade to an OS that was released in the last few years.
So you propose looking up all the components of the products you buy and only buying products made with recent components? Computers with XP on them are selling today. It is a current product. Computers with OS X 10.4 haven't sold for 4.5 years and they're still getting support. That's why your comparison is garbage.
MS still sells XP licenses because there's a demand for them. There are some people who will continue to demand XP as long as MS keeps supporting it, so the only way to make them upgrade is to stop supporting it.
Sorry that doesn't wash. If MS is going to keep selling it they need to keep supporting it. If they determine they can't support it anymore, they need to stop selling it several years prior to that time. You know normal companies respond to customer demand, rather than dictate terms to customers. MS should have broken up years ago so the market could solve this problem.
I'm sure Apple would still be selling 10.0 if there was a demand for it, but fortunately for them, the incremental style of Apple's releases makes it easy to see that their older OSes are crappy compared to the new ones.
That's because Apple is about creating products to satisfy the demand of their customers, instead of creating products with new mechanisms for extracting money from their customers and then trying to force people to pay for the privilege.
The root problem is MS doesn't care about their customers because they don't have to to make money because they criminally leverage their monopoly as a revenue source.
If you want to have money for people with chronic conditions, make them a federal problem and pay for it with tax money. I recommend taxing intellectual property and imports to come up with the dough.
Why is it that people opposed to socialized healthcare always have the most absurd economic ideas, like protectionism?
What I always thought was the stupid part about using health insurance to redistribute wealth is that it's basically like paying for other people's health insurance with a tax on... health insurance!
Umm, the proposals to date have been about paying for health insurance with an increase in income tax on the high end and paying for it by eliminating tax loopholes for individuals at the high end and corporations. How do you figure it is taxing health insurance?
You can tell I grew up in a country with universal healthcare.
No, but I can tell that you threw in a useless addendum to an otherwise insightful post.
It's not exactly useless. In truth the procurement of items for medical treatment in countries with socialized healthcare is often quite different. Not always, mind you, but often. Without a financial motivation for whether or not patient obtains a device to help them, most people tend to be both compassionate and pragmatic. That is to say, rarely would a person be denied a cane as a medical expense because it is cheap and someone needs help walking. Rarely would someone be granted a power exoskeleton because it is expensive and excessive.
With a profit motive in the US healthcare system insurance companies make more money erecting artificial barriers that prevent people from getting any assistive device. They're in a position to impose arbitrary rules to make providing such devices harder so their issuance is rarer. At the same time medical suppliers an make money by specializing in jumping through the hoops and getting certified products which make them artificially scarce allowing said companies to charge a lot of money. Even with the few expensive payouts, the insurance companies save money so they keep the policies.
Of course you see what is missing from the above scenario. That is the compassion and the pragmatism. A normal person working in healthcare would say, "an iPhone with apps for the blind, yeah that makes sense to help a blind person and is a lot cheaper than a specialty device". Then they approve it. It is the system standing in the way, a system motivated by rules designed to maximize profits. This type of rule is a great deal rarer in socialized medicine
This isn't to say that other healthcare systems are better in this way, just different. Profit is not the only motive that can result in arbitrary rules detrimental to individuals who need healthcare. Government bureaucrats can be just as bad implementing rules to punish groups at the expense of the masses or implement policies to mollify their special interest group in order to get re-elected. For example, rules to make abortion practically unavailable in order to appease a religious lobby or rules to refuse healthcare to overeating overweight people who are actually saving society money overall by their condition, but who much of society wants to punish for their sin.
I think you may be prejudiced by your previous experience.
If his position is based on experience, then by definition it's not prejudice.
You are completely wrong. Prejudice is prejudging a person or thing. If I experience watching a news program where an african american punches a cop, and then the next time I meet an african american I conclude that african american is likely dangerous and violent, I've pre judged them by taking a correlation (well one data point) and assigning a causation.
An experience can lead to a person prejudging based upon illogical assumptions about said experience. Just because you've had an experience involving elm trees doesn't mean you can accurately predict everything that will happen around some other elm tree. That is prejudice based upon experience.
Really? How often does Apple backport patches from OS X 10.6 to 10.0? You realize that XP is even older than 10.0, right?
Apple hasn't sold a computer with Mac OS X 10.4 on it for 4.5 years. They released a security patch for it 5 days ago. How long ago did MS stop licensing WinXP for sale on computers? Oh yeah, you still buy computers with WinXP on them because MS is still selling licenses.