Slashdot Mirror


User: kestasjk

kestasjk's activity in the archive.

Stories: 0 · Comments: 2,310

Comments · 2,310

  1. Re:Attacks Still Low on Apple Releases 31 Security Fixes · · Score: 1

    Let's say the chance of a piece of spyware being run into and executed is X, and N is the number of Macs out there, and Z is the average profit per spyware installation. If the cost of developing the spyware is greater than X*N*Z there's no point in developing the spyware.

    Basically if you feel secure then fine. But you're not. :) I just hope no-one actually specifically targets you, because if anyone has a mind to get access to your Mac you're screwed.

  2. Re:Attacks Still Low on Apple Releases 31 Security Fixes · · Score: 1

    As I said in my previous post, spyware hasn't been written for Macs because there's not a large enough market share. Saying that this makes OS X secure is like saying it's safe to never lock your home when you leave because you live in a good neighborhood. Your home isn't secure, there's just a lack of criminals.

  3. Re:This guy hates freedom on Clinton Prosecutor Now Targeting Free Speech · · Score: 1, Insightful
    Bush's lie about "saddam having weapons of mass destruction" Cost...
    I don't like Bush's policies, but he didn't lie about Hussein having weapons of mass destruction. He was given false information from the CIA, who apparently received false information from unreliable sources. There's no evidence that Bush lied about weapons of mass destruction.

    Ironically I find the thought of Bush lying about WMDs (even though it's probably not true) much less concerning than the fact that Bush really believes God told him to invade Iraq.
    I'm not sure if I would prefer a cold, calculating, lying, polonium-poisoning, ruthless, judo expert running a superpower, or someone who makes decisions affecting hundreds of thousands for centuries to come based on voices in his head. I am sure I'd prefer an adulterer to either.
  4. Re:Attacks Still Low on Apple Releases 31 Security Fixes · · Score: 1

    It is "potentially" worse because the Safari vulnerability now has the potential to be much worse given a "local" vulnerability which can give you admin access to a system.

    Suppose I write spyware; using the Safari vulnerability I can get access to a user's system via the web pages they visit. This is limited, however, because I'm limited to what the user can do. My spyware cannot exist anywhere other than the user's home folder. If I want the spyware to remain on the user's system, and remain hidden, I have to use tricks like adding the spyware to startup scripts where a user might not think to look. I can't perform excessive surveillance because there are restrictions on what a user can do.
    A user can check to see whether any strange processes are running, any checksums have changed, any file modification times are odd, any permissions have been changed, and if the user finds strange processes or connections they can be stopped, and removed, and the system can be trusted again.

    Now suppose I write spyware, but I use the Safari vulnerability coupled with the local admin escalation vulnerability. I can now insert the spyware into the kernel. I can make the kernel report that my spyware process isn't running, I can hide the spyware deep within system binaries, I can stop the kernel reporting true last file modification times, I can stop the kernel reporting network connections I start, there are no restrictions on surveillance; I can dump packets, log keystrokes, etc, etc.
    The only way to be confident the problem is removed is a complete reinstall of the OS and firmware.

    This is very worrying to a user concerned that hackers might be specifically interested in getting into their machine. The only reason it might not be so worrying to an average user is that spyware isn't currently written for OS X, but this is only because of market share. If there were enough Mac users for Mac spyware to be profitable one of the Safari bugs coupled with a remote execution bug could lead to the worst possible rootkit inspired spyware of all.
    If you're satisfied that you're only safe because not enough people are interested in breaking into the system you use then so be it, but don't try and make out that OS X is secure because of it.

  5. Re:Attacks Still Low on Apple Releases 31 Security Fixes · · Score: 1

    The point I made in my previous post, which you seem to have ignored, is that this vulnerability, coupled with one of the Safari vulnerabilities, is potentially much, much worse than the Safari vulnerability alone. In this way such a "local" vulnerability has a negative impact for all OS X users that use Safari to connect to the net.

  6. Re:This guy hates freedom on Clinton Prosecutor Now Targeting Free Speech · · Score: 3, Funny

    "Bong 4 Free Speech!"

  7. Re:Fair play on Gates Foundation To Spend All Its Assets · · Score: 1

    Having read Hard Drive, one of his more popular biographies (which I didn't detect any bias in whatsoever), I got the impression that Bill Gates' parents, and his girlfriend at the time whose name I forget, pushed him to start spending his money charitably. I'll see if I can locate the passage.

    I can't, maybe someone else knows where it is. Even if it's true this doesn't mean Gates isn't a very generous person of course (ruthless and generous perhaps).

  8. Re:Attacks Still Low on Apple Releases 31 Security Fixes · · Score: 1
    In that case "Participants were given local client access to the target computer and invited to try their luck." Which is a big leg up. No evidence of "hackers exploiting Mac vulnerabilities for months" in the real world.
    I don't understand rm-my-mac-mini's most common refutation of "In the real world people aren't given the opportunity to execute code on your system, so why does it matter that if someone can execute any code on your system they can get complete access?"
    • Shared hosts, for one, cannot use OS X because shared hosts can only be secure if each user can be effectively separated. If any user can get admin access running a shared server is impossible.
    • If there's a remote execution bug in Safari an attacker shouldn't be able to get very far with it. Perhaps delete or access some documents or passwords, or perhaps look for binaries and shortcuts which the user can write to. Nothing that can't be detected and undone.
      If an attacker can use the Safari remote execution bug coupled with the privilege escalation bug they can access system binaries, and the kernel. This is a much nastier problem; an attacker's code can remain hidden in the kernel for a long time and you can have no way of knowing it. Your Mac is completely at their disposal if they can use a privilege escalation bug together with a remote execution vulnerability.
      "Local" privilege escalation vulnerabilities turn otherwise relatively harmless remote code execution vulnerabilities (which could only execute under an unprivileged user account) into critical remote-root vulnerabilities.
  9. Re:Attacks Still Low on Apple Releases 31 Security Fixes · · Score: 1
    THAT is the biggest reason [for all of these OS X holes]. Unixes run far more of the internet than windows does, making it a prime target for someone who wants to cause trouble or steal information.
    If you're not including OS X as a UNIX then what point were you trying to make?
  10. Re:Attacks Still Low on Apple Releases 31 Security Fixes · · Score: 4, Insightful
    A script kiddie can completely take over a critical windows server.
    Did you read about the security vulnerabilities? They're practically all privilege escalation! Remember root-my-mac-mini? The script kiddie that breached OS X was probably using one of these vulnerabilities then, six months ago.

    THAT is the biggest reason. Unixes run far more of the internet than windows does, making it a prime target for someone who wants to cause trouble or steal information.
    Your argument seems to be that OS X runs on loads of servers, which makes it a great target. First off it doesn't run on loads of servers, it has no presence in the server market. Second the vulnerabilities are mostly all in WiFi drivers, PPPoE code, and Safari. Why would hackers going after servers be looking in client code?

    Also you can only apply the fixes to 10.3 and 10.4. Never mind <10.3 users, they can pay $99 for security, and never mind if they have a machine which won't run 10.3, they can buy a new Mac. This is like MS charging for SP1.

    If MS came out with a massive load of critical security fixes like this, which had all been around for ages and in use by hackers, they would be quite rightly ridiculed. When Apple comes out with this disgrace:
    • "You can't go by numbers of critical vulnerabilities alone, maybe MS patches loads they don't tell us about",
    • "Mac OS X runs the internet, hackers are much more interested in breaking OS X than Windows, which no-one runs",
    • "So what if OS X has had critical, unpatched vulnerabilities which hackers have been exploiting for months? At least OS X doesn't have spyware and viruses!"

    I wish I was exaggerating but people really are posting these; it's bizarre the double standards some people on slashdot have. We should at least like and dislike Apple and Microsoft for the right reasons; there are many reasons to prefer Apple but security just isn't one of them.
  11. What can they *do*? on 13 Reasons To Celebrate the New MS-Novell Pact · · Score: 1

    What can Microsoft do? Sue Torvalds? Sue some particular programmer with little income that violated their patents? Sue one of the commercial Linux vendors? Who can Microsoft sue or buy to stop Linux? No-one.
    All MS can do is spread FUD. Linux isn't dBase, Linux isn't DOS, Linux isn't FoxPro. It can't just be acquired.

    Microsoft Corp. vs the one thing they can't buy and actually have to compete with? I fail to see the threat.

  12. Re:RMS is always right. Mod parent up. on RMS transcript on GPLv3, Novell/MS, Tivo and more · · Score: 1

    Demand the right to control your own PC -- you paid for it.

    Right. I paid for it; crypto processor, DRM, and all. If I don't like them I won't pay for it.

  13. Re:I Must Be Confused on So What If Linux Infringes On Microsoft IP? · · Score: 1

    I'm not trolling here, but BSD has already been through and won its legal battles. Linux is looking like it is starting to face some, and many GPL database engines like BDB and InnoDB are getting bought, showing us how dual licensing companies can just be acquired and extinguished.

    With the way it's going BSD licensed software, which can't have any commercial motives behind it, is starting to look more appealing and resistant to lawsuits. Maybe the GPL isn't open source enough in the long run.

  14. Re:The Kremlin Pedophile By Alexander Litvinenko on Former Spy Poisoned By Radiation In UK · · Score: 2, Interesting

    Is there any evidence for anything other than the part where he kissed the 5 year old's stomach?

  15. Re:History repeating, sort of on Former Spy Poisoned By Radiation In UK · · Score: 1

    Artificial flavors are supposed to be chemically similar to natural flavors. You can produce the ester which makes orange smell like orange very easily in the lab, but that doesn't mean we can taste unnatural chemicals.

  16. Re:Anonymous? on Anonymizing RFI Attacks Through Google · · Score: 1

    Exactly; you can use linkto:mysite.com to find who has been linking to you. Hardly makes finding your attacker any harder; why not just use Tor, go to an internet cafe, or go wardriving?

    This seems like something clever and pointless just for the sake of it.

  17. Re:That always creeped me out on Scott Adams Suggests Bill Gates For President · · Score: 1
    Why? Because you can infer from that statement that the only reason they are moral is because they believe there is an invisible man watching their every move who will drop them in a boiling lake of sulfur if they misbehave. So the other side of that coin is that they would be completely amoral if The Big Guy wasn't watching them. If religion suddenly went away today, first thing these people would do is go berserk and give in to their every urge - since there would be no reason not to.

    Maybe religion isn't such a bad idea after all.
    The reason all (mentally healthy, well adjusted) humans are moral is simply down to human nature; we all do better working as a group than if we're at each others throats.

    If people actually followed the Bible literally people would be into stonings, witch hunts, eyes for eyes, daughters for sale, slavery, etc.
    On the flip side religious people are just as often homosexual, masturbate just as much, have affairs just as much, take drugs just as much (okay other than Haggard I can't back these up with evidence, but I'd be surprised to find evidence to the contrary).

    If morality was based on religion why are atheists just as moral, and why do all religions have more or less the same moral code?
  18. Re:(as it boots) on Video of Fedora On PS3 · · Score: 2, Funny

    I also like how he provides no interesting information, walks you through the GNOME desktop's icons, and loads up GNOME as root. Clearly he had to hack away like crazy to get it running on the PS3.

    And I like how he expects to get $10,000 for his used PS3 while unused ones are selling for less than $1,000.

  19. Re:I blame the Windows OS on Leopard Vs. Vista · · Score: 1
    I think Apple programmers are more productive than their MS counterparts, but not because they're in any way "better" - I think they have an easier life.
    I'd like to see the evidence that they're more productive or that they have an easier life, but I think they probably /have/ to be more productive; having to support two types of processor at once, API changes, Apple adopting Java and then dropping it.

    To code a Windows app on your own isn't particularly hard, but I don't think it scales as well to large groups - there's too much cruft in there, and too many ways to screw up with C++ because it's a complicated language. A group of 30 clever people, experts in the language, can be let down by one not-quite-so-expert person not realising some subtle interaction.
    C++ isn't the only language for Windows development. With .NET you can let the experts use C++ where needed and use C#, perhaps, or VB, Python, Java, etc., where C++ isn't needed, seamlessly. Where is Apple's Visual Studio? Team development (and supporting software development in general) is probably the one area where Microsoft are dominant.

    Apple, on the other hand, don't much care about backwards compatibility (just upgrade, and get all these extras too), have a much cleaner OS (basically unix), and a much simpler object-orientated language to work with. Objective C is 90% as powerful as C++, but it works in a different way and although it's very powerful, it's simple to pick up and use. Apple's guidelines are simple as well, and this helps when group A are relying on something that group B are developing, when groups A and B haven't even ever met.
    "90% as powerful"? Where did you get that from? C# is easy to pick up and use, so is VB, so is Python. With .NET at least you have some choice.
    Also don't overstate the usefulness of guidelines. The only way you can have group A develop something a separate group B can use is good, thorough documentation. Guidelines are helpful (but less so with a good IDE, which VS.NET is), but they're not nearly as useful as well written documentation.

    So, Apple get to leverage lots of frameworks in an easier fashion. I think MS have a complexity-management problem forced on them by their language choice and their commitment to backwards compatibility. If I'm right, it's only going to get harder for MS as time goes by...
    "Leverage lots of frameworks in an easier fashion"? What frameworks? Does this even mean anything?
    Microsoft's commitment to backwards compatibility means that developers don't have to worry about major changes. MS are obviously only looking after themselves by keeping things backwards compatible, but I find it hard to believe that as a developer you actually don't want your code to work on future releases of Apple's platform.
    When I write code I want it to work on that platform from that point on. This is one of the reasons so many people like UNIX; the POSIX compatible C and shell scripts you coded a couple of decades ago will still work today.
  20. The presentation in a nutshell on Should Google Go Nuclear? · · Score: 4, Informative
    I watched the whole thing though I'm sad to say; what a waste of time. In a nutshell:
    • Fusion is simple and elegant, it powers the stars, just take a look at the sun to see it work!
    • The Tokamak is just a problem on top of a problem, it's going nowhere fast.
    • So we had this ingenious idea for making charged particles go into the center of a load of magnets oriented in a certain way which would solve all the Tokamak's problems.
    • The first one we tried the particles escaped onto the metal welds which bring the magnets together.
    • The second one didn't have metal welds, but the particles escaped onto the magnets themselves.
    • The third one had insulated magnets, but the particles escaped onto the metal stands.
    • For the nth one we insulated everything, and on *the day* before we lost all funding and had to close the lab down we achieved some fusion! We now know exactly what we're going to do!
    • It will solve world hunger, create a stable economy, enable space travel, make ethanol viable, stop the oil wars, cure cancer, etc.
    • It's all in this paper I wrote, it doesn't actually have any formulas or concrete evidence in it "but it does talk about it".
    • Now all we need is $200M funding to build the final thing *cough*and solve the crippling engineering problems*cough*. Questions?

    If you want to prove that you're not full of it why not rebuild the last machine you built, which would be relatively cheap, to recreate the results you got the day before you had to close the labs down?
    - Well the $200M will build ones which will be 50x better, one of them will be a dodecahedron.

    Why is no-one funding you?
    - No-one thinks outside the box. If you let me choose who goes on the panel who gets to decide whether it's worthwhile I'll pick some people who can think outside the box. There are lots of people in China and other countries who can think outside the box, and if I don't get funding here in America I'll give my patents to China for free and you wouldn't want that. (I'm not making this up, he literally threatened the audience with giving the tech to China for free)

    How do you get the helium waste products out?
    - We have a grid on the outside which lets the helium slowly come to a stop, we haven't tried this yet but it's an engineering problem. There are also serious problems with arcing due to the high voltages, but these are merely engineering problems not physics problems.
  21. Re:Bullshit. on British "Secure" Passports Cracked · · Score: 1
    We don't have a democracy, in either the pure form (which is an unworkable ideal anyway) or the popular interpretation (which is a much more sensible approach in practice).

    (Emphasis mine)

    The GP is referring to your point that the UK is not a democracy in any sense of the word because Labour has the most MPs, as the GP said the public can still vote them out, so it's still a democracy (I shouldn't have to clarify which version of democracy I'm talking about).
    In your response you just say that it's not a democracy in the sense that everyone doesn't vote on every policy, which has nothing to do with your argument that the UK is not a democracy in any sense.
  22. Re: The Future on Physicist Trying To Send a Signal Back In Time · · Score: 1

    Maybe we just haven't built the machinery to accept them.

    Say we used this with a bunch of mirrors or flung a bunch of photons around a black hole, so that the time difference was much greater. Then when the photons get received by the Earth of the future they can change the photons, thus changing our entangled ones at this point in time.

    The reason we haven't got any messages from them yet is that we haven't sent them any entangled photons to use yet, not because it isn't possible.

    Okay, it's very crackpot, but it's just an example.

  23. Re:Theoretically speaking on Physicists Promise Wireless Power · · Score: 1

    The electromagnetic radiation being used isn't directed, so it would dissipate very quickly. I expect this would waste a lot of energy over short distances for handheld electronics, but it would be totally infeasible for cars.

  24. 35 years on Intel Releases 4004 Microprocessor Schematics · · Score: 1

    35 years ago this was the best personal computer you could get. Now the same company is bringing us processors which can simulate the entire thing in an interpreted language using a fraction of one percent of the available processing power.

    Even though another company would have done the same if Intel hadn't, they deserve some kudos for getting in there first and staying on top. No-one would have thought they'd be able to push x86 to where it is today.

  25. The obvious counter-argument: on Machine Gun Sentry Robot Unveiled · · Score: 1
    Of course there is no way to disprove the idea of a god or gods. Neither is there a way to prove their existence, either. Hence, believing either that none exist or that there is definitively one or more is demonstrably stupid.

    Do you apply this logic to Santa Claus, the Flying Spaghetti Monster, Aphrodite, the teapot in orbit around the Sun, etc?